Organization members can authorize any connected app to act on their behalf.
Connected Apps for Organization Administrators
As an organization administrator, you are the only user who can view and manage connected apps in Access Management. You can use authorization policies to dictate which apps can be authorized to access user data, and you can whitelist apps that users want to use. To manage your connected apps, navigate to Access Management and select the Connected Apps tab. You can add apps in the Owned Apps section and manage app access in the Authorizations section. For more information about the Owned Apps section, see the documentation for app developers.
You can use the Authorizations section to manage which apps are authorized to access your users' data. Click the … icon next to an application to view more details or to remove the app from your organization. When you revoke an app’s access, the app’s OAuth 2.0 access tokens and refresh tokens are revoked, and the app can no longer access user data.
You can configure one of two types of authorization policies for your users:
Only connected apps that are whitelisted by an administrator can be authorized by organization members to act on their behalf.
By default, the Unrestricted policy is enabled. If you change the policy to Restricted, the application whitelist is enabled, and all existing application authorizations are added automatically. When using the Restricted policy, you may disable auto-approval of all internal apps, in which case each internal app must be added to the whitelist like any other connected app.
When the whitelist is enabled, organization users can use only whitelisted applications. If a user attempts to authorize a non-whitelisted app, they are prompted to contact their organization administrator.
Organization administrators are able to add the app to the whitelist by following the link given to them by the end user.
Sometimes, apps start to ask for additional scopes. This happens when app developers add new features to their products and need to access more data in your organization. Previously whitelisted apps must be whitelisted again with the new set of scopes before your users can grant those additional scopes to the app.
Existing authorizations continue to work if the app is not whitelisted again. New authorizations using the already-whitelisted set of scopes are also allowed. Apps that remove scopes do not need to be whitelisted again.
Applications created by users in the same organization are marked as internal apps and do not need to be whitelisted manually.
By default, connected apps are configured at the root organization level, not at the business group (sub-organization) levels.
When you create a connected app to act on its own behalf using client credentials, you can choose which root organization or business groups to enable it in after you choose scopes.
A connected app that acts on behalf of a user receives its own access and permissions based on the scopes, organizations, and business groups to which the user has access.