Skip to main content

Scope Categories Explained

This article helps clarify what each scope category does.

Updated today

What is a Google “Scope”

A Google scope is a permission granted to an application.

When an app is approved, it is given access to specific parts of your Google Workspace environment, such as email, files, or student data.

Approving an app means trusting it with that level of access.

Risk Levels Explained

Low Risk
Access to basic, non-sensitive information.

Medium Risk
Read access to potentially sensitive data, with limited modification ability.

High Risk
Read, modify, or delete sensitive data such as emails, files, or student records.

Critical Risk
Administrative or full-environment control.

K-12 Guidance
Any access to student data, email, or files should be treated as high risk.

Scope Categories

Gmail Scopes

Access to: Email data

Capabilities

  • Read, send, delete, and manage emails

Risk Level: High

Risk Explanation
Email often contains sensitive student and staff information.

Example Risk
An app reads inboxes and extracts confidential communications.

Google Drive Scopes

Access to: All files in Drive

Capabilities

  • View, edit, delete, and share files

Risk Level: High

Example Risk
Bulk download of student records or assignments.

Google Docs / Sheets / Slides Scopes

Access to: Individual document types

Capabilities

  • Read and modify structured documents

Risk Level: High

Example Risk
Modification of grading spreadsheets.

Google Forms (Survey API) Scopes

Access to: Forms and responses

Capabilities

  • Read responses, edit forms, export data

Risk Level: Medium to High

Example Risk
Exporting student assessment results.

Google Classroom Scopes

Access to: Classroom data

Capabilities

  • View rosters, assignments, grades, submissions

Risk Level: High

Example Risk
Access to all student coursework and grades.

Google Calendar Scopes

Access to: Calendar data

Capabilities

  • View and manage events

Risk Level: Low to Medium

Example Risk
Exposure of staff/student schedules.

Admin SDK Scopes

Access to: Domain administration

Capabilities

  • Manage users, groups, devices, roles, and settings

Risk Level: Critical

Example Risk
Full takeover of domain accounts.

Google Sites Scopes

Access to: Google Sites content

Capabilities

  • Read and modify sites

Risk Level: Medium

Example Risk
Injecting malicious content into school websites.

Google Chat / Spaces Scopes

Access to: Chat messages

Capabilities

  • Read and send messages

Risk Level: Medium to High

Example Risk
Monitoring or impersonating users in conversations.

Google Meet Scopes

Access to: Meeting data

Capabilities

  • Manage meetings and metadata

Risk Level: Low to Medium

Contacts Scopes

Access to: Contact lists

Capabilities

  • Read and modify contacts

Risk Level: Medium

Example Risk
Exporting contact lists for phishing.

Directory / User Profile Scopes

Access to: Basic user information

Capabilities

  • View names, emails, profile data

Risk Level: Low

Google Groups Scopes

Access to: Google Groups data

Capabilities

  • View and manage group membership and settings

Risk Level: High

Example Risk
Adding external users to sensitive groups.

Google Tasks Scopes

Access to: User task lists

Capabilities

  • Read and manage tasks

Risk Level: Low

Google Keep Scopes

Access to: Notes and saved content

Capabilities

  • Read and modify notes

Risk Level: Medium

Example Risk
Access to personal or staff notes.

Google Vault Scopes

Access to: Archived data (eDiscovery)

Capabilities

  • Search and export retained emails/files

Risk Level: Critical

Example Risk
Access to historical student and staff communications.

Google Cloud Platform (GCP) Scopes

Access to: Cloud resources

Capabilities

  • Manage compute, storage, logging, and services

Risk Level: Critical

Example Risk
Access to backend systems and stored data.

Firebase Scopes

Access to: Firebase apps and databases

Capabilities

  • Read/write app data

Risk Level: High

Google Analytics Scopes

Access to: Analytics data

Capabilities

  • View and manage usage data

Risk Level: Medium

Google Ads Scopes

Access to: Advertising accounts

Capabilities

  • Manage campaigns and billing

Risk Level: Medium

Google Photos Scopes

Access to: Photo libraries

Capabilities

  • Read and upload images

Risk Level: Medium

Example Risk
Access to student-uploaded images.

YouTube Scopes

Access to: YouTube accounts

Capabilities

  • Manage videos and channels

Risk Level: Medium

Chrome Management Scopes

Access to: Managed Chrome devices and browsers

Capabilities

  • Manage device policies and configurations

Risk Level: High

Google Play / Android Management Scopes

Access to: Managed apps/devices

Capabilities

  • Manage app deployment and device policies

Risk Level: High

Google Workspace Alerts / Security Center Scopes

Access to: Security alerts and investigation tools

Capabilities

  • View alerts and security findings

Risk Level: High

Data Loss Prevention (DLP) / Security Scopes

Access to: Sensitive data detection systems

Capabilities

  • View or manage DLP findings

Risk Level: High

Licensing / Billing Scopes

Access to: Subscription and billing data

Capabilities

  • Manage licenses and billing

Risk Level: Medium to High

Reseller API Scopes

Access to: Customer subscription management

Capabilities

  • Manage customer accounts

Risk Level: High

Domain-Wide Delegation / Service Account Scopes

Access to: Impersonation across users

Capabilities

  • Act as any user in the domain

Risk Level: Critical

Example Risk
An app can access all user data without individual consent.

Broad / Full Access Scopes

Access to: Entire service without restriction

Capabilities

  • Full control within a product (Drive, Gmail, etc.)

Risk Level: Critical

Quick Reference Table

Category

Access Type

Risk Level

Gmail

Email

High

Drive

Files

High

Docs/Sheets/Slides

Documents

High

Forms

Surveys

Medium to High

Classroom

Coursework

High

Calendar

Schedules

Low to Medium

Admin SDK

Domain control

Critical

Sites

Websites

Medium

Chat

Messaging

Medium to High

Meet

Meetings

Low to Medium

Contacts

Directory data

Medium

Profile

Basic info

Low

Groups

Group membership

High

Vault

Archived data

Critical

GCP

Cloud infrastructure

Critical

Chrome Mgmt

Devices

High

Security Center

Alerts

High

Delegation

User impersonation

Critical

Did this answer your question?