Authorization & admin access information

This document contains API-specific authorization information. Before reading this document, be sure to read the general authentication and authorization information at Develop on Google Workspace.

OAuth scopes

Requests that interact with labels and their Google Drive item metadata require the correct OAuth scopes.

Scopes for label metadata on Drive items

The following OAuth scopes can be used to read, search, and modify label metadata applied Drive items:

Scope Meaning
  • https://www.googleapis.com/auth/drive
  • https://www.googleapis.com/auth/drive.file
  • https://www.googleapis.com/auth/drive.metadata
Read, search, and modify label metadata applied to Drive items.
  • https://www.googleapis.com/auth/drive.readonly
  • https://www.googleapis.com/auth/drive.metadata.readonly
Read and search label metadata applied to Drive items authorized for the application.

For more information, see Drive API OAuth 2.0 Scopes and Drive API-specific authorization.

Scopes for labels

The following OAuth scopes can be used to view and manage labels:

Scope Meaning
https://www.googleapis.com/auth/drive.labels View, use, and manage Drive labels.
  • This scope allows user access, and is required for write operations when use_admin_access is not set.
  • Write operations with this scope are valid for labels with the SHARED label type.
https://www.googleapis.com/auth/drive.labels.readonly View and use Drive labels.
  • This scope allows user access, and is required for read operations when use_admin_access is not set.
https://www.googleapis.com/auth/drive.admin.labels View, edit, create, and delete all Drive labels in your organization, and view your organization's label-related administration policies.
  • This scope allows admin access, and is required for write operations when use_admin_access is set. This scope also grants read access.
  • Write operations with this scope are valid for labels with the SHARED or ADMIN label type.
https://www.googleapis.com/auth/drive.admin.labels.readonly View all Drive labels and label-related administration policies in your organization.
  • This scope allows admin access, and is required for read operations when use_admin_access is set.
  • Write operations with this scope are valid for labels with the SHARED or ADMIN label type.

Administrator access

To manage ADMIN labels, you must specify:

  • useAdminAccess is true to use the user's administrator credentials.
  • Account administrators with the Manage Labels privilege.

useAdminAccess

Administrators must set the useAdminAccess parameter to invoke their admin privileges. Setting useAdminAccess allows viewing and editing of any label owned by a customer. This includes both ADMIN and SHARED Labels.

When useAdminAccess is not set, write requests are allowed only for labels with both a SHARED label type and for users with the appropriate EDITOR role for this label.

For more information, see Create access credentials.