I installed the official app Google Cloud to manage and monitor my Google Cloud ressources. I then logged in using an account with an Owner role on the top structure My Organization and an Owner role on all its sub-projects as well. I am super-admin in Google Workspace.
However, I can't seem to access/list any project or ressource in the app. Basically it tells me I lack permissions.
I tried looking for specific IAM permissions for this scenario but without luck.
What am I missing?
To get the permissions that you need to manage access to a project, folder, or organization in Google official cloud you need to have following IAM roles on the resource that you want to manage access for (project, folder, or organization):
To manage access to a project: Project IAM Admin
(roles/resourcemanager.projectIamAdmin)
To manage access to a folder: Folder Admin
(roles/resourcemanager.folderAdmin)
To manage access to projects, folders, and organizations:
Organization Admin (roles/resourcemanager.organizationAdmin)
To manage access to almost all Google Cloud resources: Security Admin
(roles/iam.securityAdmin)
For more information about granting roles, see Required permissions and Manage access and check these roles.
I found the solution:
In Google Workspace Admin console, you must activate the service named Additional services without individual control.
Menu 'Apps' > 'Additional Google services' > 'CHANGE' next to 'Access to additional services without individual control for all organisational units is turned Off' (info icon in the upper zone) > 'ON for everyone'
Related
We are working on a Migration App for Google Drive (Google Workspace) and are relatively new to Google APIs. I read that administrator need to grant domain-wide delegation of authority to third-party and internal applications so that they can access users' data such as read Google Drive files.
Control API access with domain-wide delegation: https://support.google.com/a/answer/162106
For delegating domain-wide authority to service account, a super administrator of the Google Workspace domain must complete 6 steps as described in the documentation link below:
Delegating domain-wide authority to the service account: https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority
As I understand these 6 steps have to be manually performed by Super Admin of the Google Workspace. I would like the super administrator should be able to do these steps easily and quickly. Can this process be automated or guided using some sort of Consent Grant screen in Web Portal.
Instead of using service accounts, can we use OAuth 2.0 Client ID (created within third party app's Google workspace) and consent of Administrator to provide delegated access of their Google Workspace to third party application.
I am asking this because I would need to get list of all users in that Google workspace and have read access to their google Drive files.
Directory API: Authorize Requests" using Admin SDK: https://developers.google.com/admin-sdk/directory/v1/guides/authorizing
Scope for only retrieving users or user aliases: https://www.googleapis.com/auth/admin.directory.user.readonly
Thanks!
I am afraid it is not possible at this moment to manage the domain wide delegation settings through APIs or any different way to automate the process. The Google Workspace Directory API is the only possible way you can use to manage Admin console related settings using the Google APIs, however there is no API method that can make changes like this.
Now, about this:
Instead of using service accounts, can we use OAuth 2.0 Client ID (created within third party app's Google workspace) and consent of Administrator to provide delegated access of their Google Workspace to third party application.
The only possible way is by adding the application to the domain wide delegation settings, but again, only the admin can add the app manually to their Google Workspace admin console.
Since this is a feature that is not available yet, you could submit a feature request in the Directory API to suggest this as an actual feature and maybe Google can make it available in the near future.
Reference:
Admin SDK: Directory API
Feature request
I have a specific SharePoint site that I have been asked to integrate my web based application with in a read-only fashion using my backend server.
I currently have an app with Default Directory only (Single tenant) access
which I am modifying Application API permissions to also require Sites.Selected, however this one is requiring that I obtain Admin consent
I have had an absolute atrocious time trying to figure out how to obtain access to my specific site and not grant access to every single site in my tenant
I'm working on a dummy azure account prior to asking my ops team for the real permissions from the real ecosystem, but I dont have a sharepoint site to test on because I dont know how to set it up, the IT department team who manages it is very slow to answer so its difficult to move the ball forward without knowing exactly what I need before asking.
Under "Enterprise Applications" > {My Application Name } > Permissions (left sidebar), i see a big blue button that I read about in some docs, but i'm scared to grant the permissions because it says I give my app access to the default directory which I don't want to do, and it provides nowhere for me to specify my "selected" site
does anyone have more information on how I can grant a specific site to my app?
every article I run to talks about admin confirmation but neglects to tell me specifically how it's done
Default Directory is just a default name for your tenant, and not related to any default collection of sites. See my tenant name v6pz1 in the image
For this Sites.Selected permission, it's a 2-step process for giving your app access to the sites.
The app needs to be given permission to the site at the SharePoint level
The app needs to be granted admin consent to access the sites through the Graph API
You see this described in the MS Graph permissions reference table as well.
Allow the application to access a subset of site collections without a signed in user. The specific site collections and the permissions granted will be configured in SharePoint Online.
To actually grant your app the SharePoint permission to a site, you can use the MS Graph endpoint to create permissions
I'm currently developing a gmail add-on and am hoping to allow a few users internal to my team to test out the add-on prior to a public release. I was following the documentation here from google that states
You can allow other users to test the add-on by sharing the Apps Script project with their account (read access is required) and then prompting the users to follow the above steps.
I assume that 'read' access is equivalent to 'view' access, and have given a user 'view' access to the project.
The problem I'm running into is that even with 'view' permissions, users aren't able to do a test deployment and install the add-on to their gmail account. The blue 'Deploy' button simply isn't visible. Any ideas on how to get my add-on into a few users hands before publishing, but without giving them edit privileges?
One way to do it is to have the users copy your script and deploy it.
Another is to publish the Add-On privately and you would have control over what version of the Add-On your test users are seeing. For this your users should be of the same Google Workspace domain
I have created an app in https://apps.dev.microsoft.com portal with name GroupsApp and I have given couple of permissions as below:
I have created client id and secret to use in my application. I am using asp.net MVC (with 4.5.1 .net framework) web application.
I am getting some groups info and displaying on the screen. If I am logged with my account it is working fine. But if I logged in as another user then it is giving me issue as below:
I have formatted url as below: https://login.microsoftonline.com/948894dc-c0e2-43e5-a7e6-1d21dd183c9d/oauth2/authorize?client_id=75acb700-e675-4dc4-9deb-d3f68f6911a1&response_type=code&redirect_uri=http://localhost:34280&prompt=admin_consent and trying to granted the permission. Here I have logged in as admin and given permissions.
Now if I check with normal user same issue is happening.
How should I give the permissions to this application.
I am not able to find any option to approve the permissions from the Azure portal.
Now if I check with normal user same issue is happening.
How should I give the permissions to this application.
I am not able to find any option to approve the permissions from the Azure portal.
I could encounter the same issue according to your settings. I assumed that you may hit the Admin-restricted scopes of AAD v2.0 as follows:
Some high-privilege permissions in the Microsoft ecosystem can be set to admin-restricted. Examples of these kinds of scopes include the following permissions:
Read an organization's directory data by using Directory.Read
Write data to an organization's directory by using Directory.ReadWrite
Read security groups in an organization's directory by using Groups.Read.All
Although a consumer user might grant an application access to this kind of data, organizational users are restricted from granting access to the same set of sensitive company data. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they are not authorized to consent to your app's permissions.
You could Using the admin consent endpoint and follow this Build an app with admin restricted scopes using the v2.0 endpoint github code sample to ensure your app can gather permissions for all users in a tenant, including admin-restricted scopes.
I've been reading on Google Drive's API which seems straight-forward enough, but I'd like to use it a bit differently.
Instead of a client-side application, I need to be able to batch copy files in a given directory on a server to a specific Google Drive account which I have control over. To elaborate, I'm implementing a scan-to-email feature in which a user can scan a document on our copier which is then copied to that Google Drive account.
This is done for internal users, so the accounts would be generic and there would be no reasons to change the passwords. Is this possible at all?
I would recommend you go with a service account. Think of a service account as a user, a service account will have its own drive account. You will be able to upload the files to it, and your application wont be required to login as it will have the login built into it. You will not be able to login and see the files for this account via the web interface.
In order for the users to access the files again you have a few options.
You can then set the permissions on the files to allow the different users to access the files via there google drive accounts. Google drive api permissions
you could create your own interface and use files list to list the files that are currently stored on the service account.
Heads up:
You will at some point want to know how much space the service account drive has left. use about.get
Google has a number of client libs that can make doing all of this quite easy. but you haven't said what language you are planning on doing this in.
You could rely on the insert method of the "File" resource within the API. This will allow you to create a Google Drive File with the file type based on the scanned file. Refer to this document for examples and further assistance: https://developers.google.com/drive/v2/reference/files/insert#examples
https://developers.google.com/drive/web/manage-uploads