
Google Workspace API Access Granted via Domain-Wide Delegation

Elastic Detection Rules

Summary
This rule detects domain-wide delegation of authority being granted to a service account in Google Workspace. Domain-wide delegation lets an application, identified by its OAuth client ID, act on behalf of any user in the domain for the OAuth scopes it was granted, without that user's consent. If an adversary obtains or abuses such a grant, they can read or modify mailboxes, files or directory data across the whole organization, which makes it a route to persistence (ATT&CK T1098, Account Manipulation) or to a command-and-control channel that blends in with legitimate API traffic. Only super admins can grant these privileges. The rule fires on successful authorization events for API client access recorded in the Google Workspace admin audit log. The rule documentation lists common false positives, investigation steps for confirming that the grant was authorized (who made it, for which client ID and which scopes), and response actions to take when API access was changed without authorization. It also stresses that Google Workspace audit logging must be enabled and shipped to the SIEM, since without those events the rule cannot fire and the investigation has nothing to work from.
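To make the detection logic concrete, here is an added example (written for this page, not the Elastic rule's own query or code) that runs a toy version of the rule over constructed admin audit events and triages each hit by the scopes it grants. The flattened ECS-style field names, the action value `AUTHORIZE_API_CLIENT_ACCESS`, the `google_workspace.admin.api.*` fields, the sample client IDs and the list of "high-risk" scopes are all assumptions made for the example; check them against your own integration's field mapping before reusing any of it.

```python
"""Toy detection for domain-wide delegation grants in Google Workspace.

Added example, not part of the Elastic rule. Field names, the action value
and the sample events are assumptions; the events are constructed, not real.
"""
from dataclasses import dataclass

# Constructed sample events in a flattened ECS-like shape (assumption).
SAMPLE_EVENTS = [
    {   # Approved read-only directory integration: matches, low risk.
        "@timestamp": "2024-05-01T10:02:11Z",
        "event.dataset": "google_workspace.admin",
        "event.provider": "admin",
        "event.category": "iam",
        "event.action": "AUTHORIZE_API_CLIENT_ACCESS",
        "user.email": "superadmin@example.com",
        "google_workspace.admin.api.client.name": "111111111111111111111",
        "google_workspace.admin.api.scopes": [
            "https://www.googleapis.com/auth/admin.directory.user.readonly",
        ],
    },
    {   # Same action, but full mailbox and Drive access: matches, high risk.
        "@timestamp": "2024-05-01T23:41:07Z",
        "event.dataset": "google_workspace.admin",
        "event.provider": "admin",
        "event.category": "iam",
        "event.action": "AUTHORIZE_API_CLIENT_ACCESS",
        "user.email": "superadmin@example.com",
        "google_workspace.admin.api.client.name": "222222222222222222222",
        "google_workspace.admin.api.scopes": [
            "https://mail.google.com/",
            "https://www.googleapis.com/auth/drive",
        ],
    },
    {   # Unrelated admin action: must not match.
        "@timestamp": "2024-05-01T11:00:00Z",
        "event.dataset": "google_workspace.admin",
        "event.provider": "admin",
        "event.category": "iam",
        "event.action": "CREATE_USER",
        "user.email": "superadmin@example.com",
    },
    {   # Right action name but wrong dataset: must not match.
        "@timestamp": "2024-05-01T12:00:00Z",
        "event.dataset": "something_else",
        "event.provider": "admin",
        "event.category": "iam",
        "event.action": "AUTHORIZE_API_CLIENT_ACCESS",
        "user.email": "someone@example.com",
    },
]

# Scopes that let an app read or change mail, files or user accounts for
# every user in the domain. Treating them as high risk is a triage heuristic
# chosen for this example (assumption), not part of the detection rule.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    actor: str          # super admin who granted the delegation
    client_id: str      # OAuth client ID that now acts on behalf of users
    scopes: tuple       # scopes the client was granted
    high_risk: bool     # any scope in HIGH_RISK_SCOPES


def matches_rule(event: dict) -> bool:
    """All four rule conditions must hold, mirroring an AND-ed KQL query."""
    return (
        event.get("event.dataset") == "google_workspace.admin"
        and event.get("event.provider") == "admin"
        and event.get("event.category") == "iam"
        and event.get("event.action") == "AUTHORIZE_API_CLIENT_ACCESS"
    )


def triage(event: dict) -> Finding:
    """Pull out the fields an analyst needs to decide whether the grant was authorized."""
    scopes = tuple(event.get("google_workspace.admin.api.scopes", []))
    return Finding(
        timestamp=event.get("@timestamp", ""),
        actor=event.get("user.email", "<unknown>"),
        client_id=event.get("google_workspace.admin.api.client.name", "<unknown>"),
        scopes=scopes,
        high_risk=any(s in HIGH_RISK_SCOPES for s in scopes),
    )


def run_detection(events: list) -> list:
    """Return one Finding per event that satisfies the rule, in input order."""
    return [triage(e) for e in events if matches_rule(e)]


def unapproved(findings: list, approved_client_ids: set) -> list:
    """Findings whose client ID is not on the org's change-approved list (assumed to exist)."""
    return [f for f in findings if f.client_id not in approved_client_ids]


if __name__ == "__main__":
    for f in unapproved(run_detection(SAMPLE_EVENTS), {"111111111111111111111"}):
        print(f"{f.timestamp} {f.actor} granted client {f.client_id} "
              f"scopes={list(f.scopes)} high_risk={f.high_risk}")
```

The two helper layers mirror the investigation steps in the rule: `matches_rule` is the alert, and `triage` plus `unapproved` are the first questions an analyst asks (which client, which scopes, was this change approved). In production the approved-client list would come from your change records, and broad mail or Drive scopes on an unknown client ID would be escalated rather than just printed.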
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Service
  • User Account
ATT&CK Techniques
  • T1098
Created: 2020-11-12