Drive Connect’s use of Google service accounts
Drive Connect was designed with security in mind. It is intentionally architected to require as little access to a user’s Google Drive data as possible while still delivering its functionality. To that end, Drive Connect uses one of the most restrictive Google Drive API scopes (as recommended by Google): drive.file.
Google categorizes the drive.file scope as “Recommended” (versus the more expansive scope categorizations of “Sensitive” and “Restricted”). When an app uses the drive.file scope, access is granted on a per-user and per-file basis only. In addition, users are limited to accessing only files they created through the app using the Google Drive API or have interacted with using the Google picker.
In certain instances, Drive Connect may use a Google service account to overcome limitations of the drive.file scope in order to carry out a user’s intent. A Google service account is a special kind of account used by an application. Applications use service accounts to make authorized API calls, authorized either as the service account itself or as G Suite or Cloud Identity users through domain-wide delegation.
One implication of Drive Connect using the drive.file scope is that a user who wants to create a new file from a template file originally created by another user cannot do so, because they do not have the required access. To overcome this, Drive Connect uses a Google service account to execute the intent of the user that created the template file and perform the action on behalf of the creator of the template file.
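The access rule and the fallback described above, as a simplified in-memory model (an added example, not Drive Connect's code and not the Google Drive API). All class and function names are hypothetical, and limiting the fallback to files registered as templates is an assumption about how such a fallback would be scoped.

```python
# Simplified model of drive.file access with a service-account fallback.
# Hypothetical names throughout; sample users and files are constructed.
from dataclasses import dataclass, field


@dataclass
class DriveFileModel:
    """Tracks which (user, file) pairs the app may touch under drive.file."""
    grants: set = field(default_factory=set)   # {(user, file_id)}
    owner: dict = field(default_factory=dict)  # file_id -> creating user
    _next: int = 0

    def create(self, user, name):
        # A file created through the app is accessible for that user only.
        self._next += 1
        file_id = f"{name}-{self._next}"
        self.owner[file_id] = user
        self.grants.add((user, file_id))
        return file_id

    def pick(self, user, file_id):
        # Choosing a file in the Google picker adds a per-user, per-file grant.
        self.grants.add((user, file_id))

    def copy_as_user(self, user, file_id):
        # With the user's own token, the app needs a grant for this exact pair.
        if (user, file_id) not in self.grants:
            raise PermissionError(f"{user}: no drive.file grant for {file_id}")
        return self.create(user, "copy")


def copy_template(drive, templates, user, file_id):
    """Use the user's token first; fall back to the service account only for
    registered templates (assumed policy), acting for the template creator."""
    try:
        return drive.copy_as_user(user, file_id), "user-token"
    except PermissionError:
        if file_id not in templates:
            raise  # the fallback must not widen access to arbitrary files
        creator = drive.owner[file_id]
        if (creator, file_id) not in drive.grants:
            raise  # the creator's own grant is what the fallback relies on
        return drive.create(user, "copy"), "service-account"


if __name__ == "__main__":
    drive = DriveFileModel()
    template = drive.create("alice", "template")
    print(copy_template(drive, {template}, "bob", template))
```

In this model the requesting user ends up with a grant on the new copy only; the template itself stays outside that user's drive.file access.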
In the future, Drive Connect may have the ability to utilize a Google service account to perform other automation activities on behalf of its users.