Terminus has multiple, powerful G Suite integrations to help make implementation easy. This article outlines those, the scopes & permissions required, and how you can securely connect them to your organization.
Authentication
Connecting Email Experiences to G Suite is done through a standard OAuth 2.0 connection, which must be performed by a Super Admin user (or service account) in the desired G Suite instance. As a result, Terminus only retains an authorization token from G Suite, and will never see/store your actual Super Admin credentials.
Level of Access
While this connection is performed by a Super Admin user (or service account), Terminus does not receive Super Admin-like access to G Suite or any of its applications (Gmail, Calendar, Drive, Sites, Marketplace Apps, etc).
Terminus only receives the ability to perform API actions in G Suite, as defined by the requested scopes. These scopes are reviewable during the OAuth connection workflow and are listed below.
Points of Integration
Terminus provides granular control over the access you decide to provide. The three integration points described below can be enabled on an as-needed basis.
Terminus takes an only-as-needed approach to all integrations, to ensure only the minimum level of access is required.
Below are the Scopes requested from G Suite, and Google's description of each.
1. Signature Syncing - "Email Experiences for G Suite"
This integration point is only required to control Gmail signatures on behalf of users.
It excludes permissions for reading user data.
View your email address
https://www.googleapis.com/auth/userinfo.email
See your personal info, including any personal info you've made publicly available
https://www.googleapis.com/auth/userinfo.profile
Manage your basic mail settings
https://www.googleapis.com/auth/gmail.settings.basic
Manage your sensitive mail settings, including who can manage your mail
https://www.googleapis.com/auth/gmail.settings.sharing
2. Importing User Data - "Email Experiences for G Suite"
This integration point contains the same permission set as the G Suite Signature Sync, with an added permission if you want Terminus to create users from your G Suite Directory.
Permissions from "Email Experiences Signatures for G Suite", plus...
View users on your domain
https://www.googleapis.com/auth/admin.directory.user.readonly
3. Email Experiences Relationships - "Email Experiences Collector for G Suite"
This integration point is only required if you want to make use of Relationship Scores, Intent Scores, and Location Analytics. This is NOT required for email signature management.
View users on your domain
https://www.googleapis.com/auth/admin.directory.user.readonly
See, edit, share, and permanently delete all the calendars you can access using Google Calendar
https://www.googleapis.com/auth/calendar
View your email messages and settings
https://www.googleapis.com/auth/gmail.readonly
Send email on your behalf
https://www.googleapis.com/auth/gmail.send
View your email address
https://www.googleapis.com/auth/userinfo.email
See your personal info, including any personal info you've made publicly available
https://www.googleapis.com/auth/userinfo.profile
Integration Security FAQs
Why is a Super Admin User Required to Connect?
Super Admin users in G Suite have the ability to perform what Google calls "domain-wide delegation". This gives 3rd party applications like Email Experiences the ability to take action on behalf of end-users. Terminus uses domain-wide delegation to perform an email signature update in Gmail so that your employees can get an Email Experiences signature without having to be bothered to do anything on their own.
Do I Have to Leave the G Suite Signature Sync Connected Persistently?
No. The Signature Sync integration is only used to update the HTML email signature of each user who should be using Email Experiences. If desired, you may revoke this access through G Suite and/or your Email Experiences Account Settings. This connectivity can be temporarily re-established any time you need to push a new signature to an employee.
Are there Alternatives to the G Suite Integration for Controlling Signatures?
Yes. If you don't want to provide Terminus access to manage email signatures, users are able to log into Email Experiences' Install Page, where they can copy their personalized signature & campaign banner, and paste them into Gmail settings individually. While this is still fully compatible with dynamic, targeted Campaigns and Alternate Banner selection (provided by Terminus' Chrome Extension), it does miss out on the benefit of being able to centrally control signatures.
Comments
0 comments
Please sign in to leave a comment.