...
A security constraint can also require that the user be a registered administrator for the application. This makes it easy to build administrator-only sections of the site, without having to implement a separate authorization mechanism.
Notes on Authorization
From:
http://www.google.com/support/a/bin/answer.py?answer=61017&hl=en
With Google Apps for Business and Education, administrators can use two-legged OAuth for
domain-wide delegation of authority. An application that has the OAuth consumer key and
secret (roughly equivalent to a role account username and password) is allowed to act as
any user in the domain when accessing Google Data APIs. Unlike three-legged OAuth, users
do not need to give consent on an individual basis, as this decision is made on their behalf
by the administrator.
This is one of the admin screens in sagebionetworks.com for authorization:
https://www.google.com/a/cpanel/sagebionetworks.com/ManageOauthClients
From:
http://www.google.com/support/forum/p/apps-apis/thread?tid=21d4f55e584e3970&hl=en
Also, for access control, your SSO solution can create a cookie for the user storing
his username. When a specific website page is requested, you can again use Provisioning
API to determine if the username stored in cookie is part of the required Google group
and authorize him.