I have been experimenting with better options to manage delegation access to our business's service accounts. The current process requires that I take a service account, we'll call it "customerfeedback@...", and in order to add delegates who can monitor that inbox, I need to reset that account's password from the admin console, log in as "customerfeedback@..." and add the individual delegates from that account's settings in Gmail. This is not an ideal solution as it requires a lot of manual password management, as we do not want to have any shared passwords from a data hygiene best practice. So this means that the task of inbox delegation for our service accounts is bottlenecked at one person since our accounts also enforce a 2FA requirement.
An option I've been exploring has been granting our service accounts the ability to add Groups as delegates on the OU level. I have a "Service Accounts" OU where group delegation has been enabled. So now, I can log in to "customerfeedback@..." and grant delegation access to a group called "inbox_customerfeedback@..." where that group's members gain delegation access from their personal accounts. It's much easier for me to share group management rights with other admins on my team who can manage delegates by adding and removing members. No more resetting passwords for "customerfeedback@...", logging into that account and adding delegates.
The problem with this solution is that the Gmail delegation setting to allow groups to be added as delegates must be applied to the member's OU as well, enabling individual users to add groups as delegates to their own personal email. We do not want this and would consider this a major privacy/security risk. Let's say someone goes on leave and grants delegation access to a group for their personal inbox. Maybe that person is careless and is not aware of each and every member of that group to which they've just exposed their inbox. Really bad idea.
I'm curious if anyone has come up with other solutions to this problem?
Hi @ACWNDH ,
A couple of safer options:
- Set up email forwarding from the service account to a Google Group - then people read messages in the group, no need for delegation.
- Use a shared inbox tool like Hiver or Front, built for team inboxes without sharing passwords.
Sadly, Gmail doesn't let you allow group delegation only for service accounts - it's all or nothing.
Thanks for the tips. I've never heard of Hiver or Front before. I'll check those out. In the past, I've used 3rd party admin tools like BetterCloud, which has great delegation and account management tools. A lot of stuff I wish Google offered out of the box.