My org uses Google Groups for Drive and site access for external parties. I need to make sure that all members from a specific domain are removed from all the groups they may be in.
I've tried finding an appropriate report or audit in Workspace Admin but I can't find one that would give a complete picture.
I'm sure there's a way to do this through the API but I'm not a developer and my ability to interact with it is limited to the little example operations they give you on the SDK page.
Even if I could just get an exhaustive list of all members and their groups, I could complete this task. Add-ons would be a nice tool if there are any quality, trusted group manager add-ons out there.
I created the following sample script using Google Apps Script that accomplishes what you are looking for. All you need is to change the domain variable so that it contains the domain of the users that you want to delete.
What the script does is to get the list of users from all the groups, then compares which users have the specified domain in their email address and removes them from the group.
Here is the code:
function removeExternals()
{
let domain = "domain.com";
let groups;
let users;
let externalUsers = [];
groups = AdminDirectory.Groups.list({"customer": "my_customer"});
let groupsIds = [groups.groups.length];
for(let i=0; i< groups.groups.length; i++)
{
groupsIds[i] = groups.groups[i].id;
users = AdminDirectory.Members.list(groupsIds[i]);
for(let x=0; x< groups.groups[i].directMembersCount;x++)
{
try
{
if(users.members[x].email.search(domain)!=-1)
{
//externalUsers.push(users.members[x].email);
AdminDirectory.Members.remove(groupsIds[i], users.members[x].email);
Logger.log(`Deleted: ${users.members[x].email}`);
}
}
catch{};
}
}
}
To test it out you can just create a project in Google Apps Script, paste the code there and change the domain variable (make sure at least one user with that domain is part of a group). You also need to add the Admin SDK API service to Google Apps Script first by clicking Services then click Admin SDK API and then click Add.
References:
groups.list
members.delete
Related
Sorry if my English is weird.
I would like to know how a non-admin account can use the Admin SDK.
If you have any suggestions, please let me know.
I'm developing an add-on for an elementary school using Google app script.
I want to limit the API by student, teacher, grade, etc. So I need to get the organization information.
There were a few other similar questions, and apparently it would be impossible to try to do it normally.
When using the Admin SDK, Google will display an acceptance confirmation screen to the user.
Once the user agrees, Google gives the app an access token that is valid for a short period of time. I'm thinking that I can do this by using that access token. Is this approach dangerous from a security point of view?
I'm sorry for the lack of explanation.
I'm currently developing a google slides add-on for an elementary school.
It's supposed to display a SPA made with vuejs in the sidebar and let you manipulate it.
For example, we can manage a whitelist of organizations that can use this application in advance, and not allow organizations that do not match the whitelist to use it.
If the organization is managed by school unit, access control can be done by domain, but in some areas, the organization is managed by city, so access control by school unit cannot be realized...
Also.We want to do the following if we match the whitelist.
The functions that can be used by teachers and students are
different.
The buttons can be changed depending on the grade level of the
students.
Automatically enter student names and class names on slides.
Use an organizational structure to manage the school and students. (https://support.google.com/a/answer/4352075?ref_topic=4390186&hl=en)
We think we can achieve this by using the Admin SDK to get organization information
Answer
It is not possible to use Admin SDK with a non-admin account as Google says in the documentation: This API gives administrators of Google Workspace domains (including resellers) the ability to manage devices, groups, users, and other entities in their domains.
However there are two workarounds for your problem, but you would need to use an admin account to configure the scenario.
Initial approach
Get the user that is running the application with the class Session and the method getActiveUser and getEmail: var email = Session.getActiveUser().getEmail();
Get the organizational unit that each user belongs to. With this information you will be able to filter users and display different options in the add-on. The main problem is that you need to use AdminDirectory.Users.get(userEmail) to get the organizational unit, and it needs the following authorization scope: https://www.googleapis.com/auth/admin.directory.user.readonly.
Solution 1
Create a Spreadsheet with all the users that are going to use the add-on and its organizational unit
Use List all users to get all the users in a domain and write each email in the first column.
Use AdminDirectory.Users.get(email).orgUnitPath to get the organizational unit and write it in the next column
Finally, when users use the add-on, search the email of the active user (Session.getActiveUser().getEmail()) in the Spreadsheet, take the row number and get the value of the organizational unit that is in the second column.
Solution 2
Create a custom admin role and assign it to every user that is going to use the add-on. You must be signed in as a super administrator for this task. You can do it here and select Users -> Read,
Assign the new role to each user creating a role assignment
Finally, users will be able to use var organization = AdminDirectory.Users.get(email).orgUnitPath
I am Making a wpf app that shows some data from redmine using Redmine.Net.Api.
I just want to display users that belong to redmine Groups.
I can get all groups
Redminemanager manager = new RedmineManager(Config.host, Config.apiKey);
var groups = manager.GetObjects<Group>();
I get groups names right, but the users are always Null.
I tried too the Groups under User class:
Redminemanager manager = new RedmineManager(Config.host, Config.apiKey);
var redmineUsers = manager.GetObjects<User>()
Groups there are always null too.
I don't get this, I hope someone can help.
Thanks in advance.
It's about how the Redmine REST API works: by default, listing a group WONT retrieve the users.
The Redmine REST API documentation, GET Groups section, says:
GET
Returns details of a group.
This endpoint requires admin privileges.
Parameters:
include (optional): a coma separated list of associations to include in the response:
users
memberships
I tried a GET /groups/1.json on my local Redmine installation without the include=users and actually doesn't retrieve the users. When I add the ?include=users it works like a charm
On the official Redmine.Net.API Wiki on Github there is an example using these include parameters.
It's something like this:
var group = manager.GetObject<Group>(groupId,
new NameValueCollection() { { RedmineKeys.INCLUDE, RedmineKeys.USERS } });
Good luck.
I have found lots of information on the internet about adding Members to a Group in Googlegroups, but I cant manage to get any of it to work.
I am working in Python-DJango.
Using a bussiness account, I manage to add them using Provisioning API, but I could not do it with the new Directory API.
The problem is the group I want to add people to is not a business one, it's an ordinary googlegroups one:
group_name#googlegroups.com
From what I have found, and what I did for the business group I have the following code:
groupClient = gdata.apps.groups.client.GroupsProvisioningClient(domain=domain)
groupClient.ClientLogin(email="user#gmail.com", password="xxx", source='apps')
groupClient.AddMemberToGroup("group_name#googlegroups.com", "newUser#gmail.com")
I wanted to know what I have to put in the domain field. With the business account it was the business domain, but being a normal googlegroups one I am not sure. I have tried googlegroups.com and doesn't work, as I always get a invalid domain error.
Any help would be appreciated
Thanks!
The Provisioning API (deprecated) and the new Admin SDK are both designed to work with Google Apps for Business and EDU and only work against Google Groups for Business (groups with a custom #yourdomain.com address).
You cannot use these APIs with consumer Google Groups that have #googlegroups.com email addresses. For these groups, your only option is to manage membership via the web interface.
I want my web application allow to import user contacts (particularly addresses) from iCloud contacts.
Something similar to what Google People API provides for Google Contacts.
The scenario is that, a user comes to my site using a desktop browser and imports all their contacts.
So the user should not waste time on typing all their contacts to be able to use them on the site.
I'm trying to use CloudKit JS for the issue.
It looks like .discoverAllUserIdentities is what I need according to this:
GET users/discover: Fetches all user identities in the current user’s address book, described in Discovering All User Identities (GET users/discover)
However, I'm getting the empty set:
{"users":[]}
It seems like the web application doesn't have the permissions to get the contacts. If it's so, how to request the permissions?
Or may be I'm on completely wrong way, then please point me on the right direction if the issue is solvable.
Updated Answer
Since you're not building a native web app, you can't request access to a users iCloud contacts. This would be a security nightmare if websites were allowed access to users data. There are tools like ShuttleCloud that offer an API for migrating users contacts. This is what Google uses for their own Gmail service.
So no, you can't request direct access to contacts through the browser, but there are tools out there to make importing things easier.
Old Answer
You need to ask iOS for permission. You can do so by viewing Apple's documentation.
Example
#import <AddressBookUI/AddressBookUI.h>
// Request authorization to Address Book
ABAddressBookRef addressBookRef = ABAddressBookCreateWithOptions(NULL, NULL);
if (ABAddressBookGetAuthorizationStatus() == kABAuthorizationStatusNotDetermined) {
ABAddressBookRequestAccessWithCompletion(addressBookRef, ^(bool granted, CFErrorRef error) {
if (granted) {
// First time access has been granted, add the contact
[self _addContactToAddressBook];
} else {
// User denied access
// Display an alert telling user the contact could not be added
}
});
}
else if (ABAddressBookGetAuthorizationStatus() == kABAuthorizationStatusAuthorized) {
// The user has previously given access, add the contact
[self _addContactToAddressBook];
}
else {
// The user has previously denied access
// Send an alert telling user to change privacy setting in settings app
}
Document from apple:
Discussion
Use this method to retrieve information about other users of the app. This method returns information about those users who meet the following criteria:
The user must be in the current user’s address book.
The user must
have run the app.
The user must have granted the permission to be
discovered for this container.
Guide of discoverAllUserIdentities
I want to change the group settings (oGrp.OnlyAllowMembersViewMembership = false) for all the site groups present in my site. I have to use web services to perform this function and not the object model.
Until now I have worked on the object model mostly so I'm not very sure of web services. Please let me know if anyone has ideas on how to go about it.
I don't believe this is possible using the web services. They have a more limited set of functionality than the object model. It is possible to add and remove users from groups but there is little that allows you to change a group's settings. UpdateGroupInfo is the closest I know of which doesn't do what you want.
Your best option is to write your own custom web service and deploy that. You can then use the SPGroup.OnlyAllowMembersViewMembership property from the object model to configure the groups.