exclude subset of users from domain wide delegation (service account)

Question

I'm working with the Google+ Domains API using a service account for domain wide delegation. Unfortunately, we're having difficulties with our client regarding the authorization model, because in theory we have access to all G+ data (even from the CEO etc..), while they would like to exclude a group of people.

Is this possible? Otherwise, only thing is to expect the developers to not abuse of their rights?

Answer 1

Not possible. You could use regular 3legged during development (store each user's permissions) and switch to domain-wide at the end under client supervission. Then leave the appengine without any developers on your side, only one client account that has control and gives you permission to develop as needed later.