41 Periodic access recertification
A quarterly cycle in which every grant class — admin roles, group memberships, shared-drive membership, OAuth grants, mailbox delegates — is enumerated into one attestation sheet, sent to its named owner, and revoked unless the owner re-affirms it. The default on no reply is revoke. The signed sheet, not the enumeration script, is the audit evidence.
Documentation: Security checklist for medium and large businesses (100+ users) ↗
Caveats
Setup steps
-
gam print admins gam print group-members gam print shareddrives gam all users print tokens gam all users print delegatesControl which apps access Google Workspace data ↗ Let users delegate access to a Gmail account ↗
- open ↗

https://admin.google.com/ac/list/roles · captured 2026-07-15
Account › Admin rolesCompare direct-assignment row count to gam print admins; group-inherited role assignments will not appear in the console list
- open ↗

https://admin.google.com/ac/groups · captured 2026-07-15
Quarterly cycle; no reply within 10 working days = revoke
- open ↗

https://admin.google.com/ac/owl/list?tab=configuredApps · captured 2026-07-15
gam delete admin <roleAssignmentId> / gam update group <group> remove member <user> / gam user <user> delete token clientid <clientid>
Ongoing maintenance
- automatable: script Quarterly: run the enumeration and send attestation requests.
- requires a human Quarterly: chase non-responses and execute default-revoke.
How to verify
Check the latest signed attestation sheet is no older than one cycle and its revocations were executed — spot-check one revoked grant is actually gone.
gam print admins # revoked role must be absent
Further screens
Screen 1 of 1: Directory > Users (accounts, suspension state, delegates)
open ↗
v0.1.3Assure policy #29 · #28, #12 ↗