Hello everyone,
Here’s the situation. We currently only use Google Cloud Console for an OAuth2 app that allows Gmail users to connect their email accounts to our accounting software so they can send invoices on their own behalf. This app is verified and works wonderfully for several thousand users.
However, I am currently concerned about the way in which the domain was verified. Other people from the marketing department and external agencies also have access to the property in Google Search Console for SEO purposes. Some of these people are also verified owners.
Here are my questions:
- What happens to app verification if another domain owner, e.g. an SEO representative, revokes our domain ownerships and no project owner is property owner any more? Does the verification remain valid for the time being, or does the app then revert to an unverified status?
- As a verified property owner, can I really remove the verified ownership of other people? According to the documentation, verified ownership is linked to the token (DNS record) used for verification. However, in Google Search Console, I am shown the option to revoke the access rights of other verified owners (I don’t dare to test this).
- For me and my project team, ownership of the property in Google Search Console is not really necessary. We don’t need any extended rights there. Is there no alternative on the Google Cloud Console side to fulfil the principle of least privilege and remove this person binding?
It is not entirely unreasonable that an SEO person might see developers’ names in Google Search Console and revoke their rights because they do not know what they are doing there. We want to assess this risk and, of course, mitigate it.
Thank you!