Google Authorization
Google Authorization in OnSpend
Onix respects the privacy of all users and is committed to maintaining and securing the confidentiality of all data that we collect. We will never ask you for your account password, nor will we ask for any information that is not absolutely necessary for providing you with the services offered by OnSpend. We want to be transparent about how we use your data, and we request access to data only when that access is required to provide the OnSpend services.
When you sign in to OnSpend using your Google account, you will be prompted to grant OnSpend access to your account. The amount or scope of access that is required is defined below. Certain access is only required when using specific features. OnSpend will only prompt you for feature-level access when those features are utilized. You can revoke OnSpend's access to your Google account at any time by visiting https://security.google.com and selecting Manage third-party access. Note: Revoking OnSpend's access may cause certain features to stop working. If you have any questions or concerns about OnSpend's use of your data or access to your account, please contact us.
Sample Google Consent Prompt
Google OAuth Permission Scopes
OnSpend uses an incremental authorization approach. This means you will only be prompted to grant OnSpend access to your account when additional access is required to use a specific feature. The following table describes all of the permission scopes and the corresponding feature that requires that level of access.
Permission | Description |
---|---|
View your email address: https://www.googleapis.com/auth/userinfo.email | Used to verify user identity and to send email communications. |
View your basic profile info: https://www.googleapis.com/auth/userinfo.profile | Basic profile information is used for a more personalized and richer user experience. Profile information allows users to find other users more easily by searching by name and identifying users by profile photo. Names are also used for more personalized email communications. |
View and manage Google Drive files and folders that you have opened or created with this app: https://www.googleapis.com/auth/drive.file | Drive file access is required in order to create and write reports from OnSpend to Google Spreadsheets. Access to Drive is also required for users that wish to attach Drive documents to budgets in OnSpend. The Drive file picker is rendered for file selection. |
View and manage your Google Cloud Platform billing accounts: https://www.googleapis.com/auth/cloud-billing | Billing access is required when adding billing accounts to OnSpend that are not billed through Onix. Billing access is also used by OnSpend to automatically synchronize GCP billing accounts and billing projects with the app. OnSpend administrators can also disable Google Cloud billing directly through the app. This access is also required to manage projects and billing accounts and link to new billing accounts via the billing view in OnSpend. |
Manage your Cloud projects: https://www.googleapis.com/auth/cloudplatformprojects | Access to manage Cloud Platform Projects is required in order to automatically grant the app access to GCP project resources via IAM policy updates. OnSpend access is delegated through use of the OnSpend service account. Project level access is required for setting up new billing export tables through BigQuery as well as for Pub/Sub publishing for alerts configured with Pub/Sub topics. This access can also be used to provide the app project details such as name and number. |
View your Cloud Platform projects: https://www.googleapis.com/auth/cloudplatformprojects.readonly | Read-only access to Google Cloud projects is required when additional configuration is not required and only project details such as name and number need to be provided to the app. This access is also required to manage projects and billing accounts and link to new billing accounts via the billing view in OnSpend. |
View and manage Pub/Sub topics and subscriptions: https://www.googleapis.com/auth/pubsub | Pub/Sub access is required if users would like to have the app publish messages to a Pub/Sub topic when certain events in the app take place. OnSpend is granted publisher role and needs to be able to view topics for user selection. |
Manage your Google API service configuration: https://www.googleapis.com/auth/service.management | When completing setup of billing accounts not billed through Onix, the app automatically verifies that the BigQuery service is enabled, or enables it if needed, for a richer user experience. This is required for the app to run jobs and queries against the billing data in BigQuery. |
View and manage your data in Google BigQuery: https://www.googleapis.com/auth/bigquery | When completing setup of billing accounts not billed through Onix, BigQuery access is required. The app guides a user through connecting a BigQuery table to the app and needs to be able to manage datasets and tables. Access to a billing export dataset in BigQuery is required for running queries and executing jobs in the app. BigQuery access is also required when configuring automated billing reports or data exports to be delivered to a BigQuery table. |
Manage your data in Google Cloud Storage: https://www.googleapis.com/auth/devstorage.read_write | Access to Google Cloud Storage is required when configuring automated billing reports or data exports to be delivered to a Cloud Storage bucket. |
All granted OAuth Scopes can be viewed in the User Settings view.
Service Accounts
When granting OnSpend access to your data, you may see the OnSpend service account (onspend@appspot.gserviceaccount.com) as an authorized service on your Google Cloud projects or resources. Service accounts are treated similarly to how user access is delegated to projects and resources. The service account is granted appropriate access only with your consent. You may remove the service account's access by navigating to the IAM & admin view in the Google Cloud Console. Keep in mind that removing or changing the OnSpend service account's access within the Google Cloud Console may cause certain features to stop working.
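
To review what the OnSpend service account holds on a project, the following added example (not OnSpend or Google code) lists its role bindings from an exported project IAM policy and flags basic roles. The sample policy, the `audit_member` helper name and the choice of which roles count as broad are assumptions made for illustration.

```python
import json

# Service account e-mail as given on this page, in IAM member syntax.
ONSPEND_MEMBER = "serviceAccount:onspend@appspot.gserviceaccount.com"

# Assumption: basic roles are treated as broader than any single feature needs.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample in the shape of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {"role": "roles/pubsub.publisher",
     "members": ["serviceAccount:onspend@appspot.gserviceaccount.com"]},
    {"role": "roles/bigquery.dataViewer",
     "members": ["user:alice@example.com",
                 "serviceAccount:onspend@appspot.gserviceaccount.com"],
     "condition": {"title": "expires-2030",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/editor",
     "members": ["serviceAccount:onspend@appspot.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:alice@example.com"]}
  ]
}
""")


def audit_member(policy, member=ONSPEND_MEMBER):
    """Return every binding that includes `member`, sorted by role name."""
    wanted = member.lower()
    findings = []
    for binding in policy.get("bindings", []):
        members = {m.lower() for m in binding.get("members", [])}
        if wanted not in members:
            continue
        findings.append({
            "role": binding["role"],
            "broad": binding["role"] in BROAD_ROLES,
            # Conditional bindings only apply while the condition holds.
            "conditional": "condition" in binding,
        })
    return sorted(findings, key=lambda f: f["role"])


if __name__ == "__main__":
    for f in audit_member(SAMPLE_POLICY):
        flag = "REVIEW" if f["broad"] else "ok"
        print(f"{flag:6} {f['role']} conditional={f['conditional']}")
```

This covers project-level bindings only; access granted directly on a resource such as a dataset, topic or bucket lives in that resource's own IAM policy and has to be exported separately.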