Get general information about google workspace organization - google-admin-sdk

My goal is to have some information about a Google Workspace organization in particular I would need:
main domain/domains
Organization name
Logo of the organization
And maybe other similar info.
I'm trying to use the SDK offered by google to make queries for what I need, in particular I'm using the DirectoryApi.
But it seems I can't find any resource that gives me those infos about the Google workspace of my admin account.
Directory API ref: https://developers.google.com/admin-sdk/directory/reference/rest
Thanks for help in advance.

In order to get the domain you can use the domains.list method. With this method you can also check if it is the primary domain or not.
For the organization name you need the customers.get method. It returns the organization's name as you can see here.
Now, I think there is no API to get the organization's logo. The closest thing would be the users profile picture using the users.photo.get method.

Related

Google Oauth wrong name

I want to publish my app but Google is telling me that the app name is against theirs Data Policy.
Based on the information you sent us, it looks like your project my-app-name doesn't show its identity to Google users when asking to access Google user data.
Specifically, there's a problem with your project's app name. This violates Google API Services: User Data Policy.
My name in Oauth contain word "YouTube"/ the project is related to YouTube.
So this is the problem? I can't use the word in my app name? So can I use something like u2b? What kind of names are allowed?
I can't find it in the TOS/data privacy.
Thanks!
my-app-name is not a valid name for your application.
You application name should clearly identifie your brand name as the company who created the application.
I would almost expect it to for example contain your domain name.
My could mean anyone again it needs to clearly identify your company or brand.
so no you can't name your app my-app-name and have it verified.
You also can't use any registered trademark names in your name unless you own the trademark
Stay away from anything remotely resembling a google product or potential google product

This app is blocked This app tried to access sensitive info in your Google Account

I am having trouble with the error shown in the image. Does anyone know how to solve this problem?
I would like to obtain a refresh token to use the "YouTube Data API v3".
I tried the following behavior.
Create a WEB type Client ID in the GCP console in advance.
Access https://developers.google.com/oauthplayground/, set the client ID and client secret in "1.", select https://www...../youtube and https://www...../youtube.upload from YouTube Data API v3, and then Authorize APIs execution.
When asked which account to use for OAuth
If you select my brand account, Google will block it as shown in the image.
[What I tried to solve]
The newly created Google account was able to obtain a token.
→ However, I really need to use the Youtube API with a branded account I already have.
I have tried turning on "Less secure app access" in the security settings of my branded account, but this did not solve the problem.
The target brand account is not managed by GoogleWorkspace.
Any information would be appreciated, I will provide any information needed, so if anyone knows anything, please help me.

I would like to know how a non-admin account can use the Admin SDK

Sorry if my English is weird.
I would like to know how a non-admin account can use the Admin SDK.
If you have any suggestions, please let me know.
I'm developing an add-on for an elementary school using Google app script.
I want to limit the API by student, teacher, grade, etc. So I need to get the organization information.
There were a few other similar questions, and apparently it would be impossible to try to do it normally.
When using the Admin SDK, Google will display an acceptance confirmation screen to the user.
Once the user agrees, Google gives the app an access token that is valid for a short period of time. I'm thinking that I can do this by using that access token. Is this approach dangerous from a security point of view?
I'm sorry for the lack of explanation.
I'm currently developing a google slides add-on for an elementary school.
It's supposed to display a SPA made with vuejs in the sidebar and let you manipulate it.
For example, we can manage a whitelist of organizations that can use this application in advance, and not allow organizations that do not match the whitelist to use it.
If the organization is managed by school unit, access control can be done by domain, but in some areas, the organization is managed by city, so access control by school unit cannot be realized...
Also.We want to do the following if we match the whitelist.
The functions that can be used by teachers and students are
different.
The buttons can be changed depending on the grade level of the
students.
Automatically enter student names and class names on slides.
Use an organizational structure to manage the school and students. (https://support.google.com/a/answer/4352075?ref_topic=4390186&hl=en)
We think we can achieve this by using the Admin SDK to get organization information
Answer
It is not possible to use Admin SDK with a non-admin account as Google says in the documentation: This API gives administrators of Google Workspace domains (including resellers) the ability to manage devices, groups, users, and other entities in their domains.
However there are two workarounds for your problem, but you would need to use an admin account to configure the scenario.
Initial approach
Get the user that is running the application with the class Session and the method getActiveUser and getEmail: var email = Session.getActiveUser().getEmail();
Get the organizational unit that each user belongs to. With this information you will be able to filter users and display different options in the add-on. The main problem is that you need to use AdminDirectory.Users.get(userEmail) to get the organizational unit, and it needs the following authorization scope: https://www.googleapis.com/auth/admin.directory.user.readonly.
Solution 1
Create a Spreadsheet with all the users that are going to use the add-on and its organizational unit
Use List all users to get all the users in a domain and write each email in the first column.
Use AdminDirectory.Users.get(email).orgUnitPath to get the organizational unit and write it in the next column
Finally, when users use the add-on, search the email of the active user (Session.getActiveUser().getEmail()) in the Spreadsheet, take the row number and get the value of the organizational unit that is in the second column.
Solution 2
Create a custom admin role and assign it to every user that is going to use the add-on. You must be signed in as a super administrator for this task. You can do it here and select Users -> Read,
Assign the new role to each user creating a role assignment
Finally, users will be able to use var organization = AdminDirectory.Users.get(email).orgUnitPath

Any way to get "Employee Details" from Google API?

Is anyone aware of any Google API with the user scope (NOT the Admin API in the Directory SDK) that allows you to retrieve the custom employee attributes?
The G+ API seems to skip these
https://developers.google.com/+/web/api/rest/latest/people#resource
Our issue is that we don't want to grant access to the developer console, but rather do this PER-USER. I.E. a user logs into our app and we display to her the custom attributes for her G Suite account, but we do this as her (not as an approved API scope via the dev console).
Leaving this answer for anyone like me who finds this question.
The Directory API allows a user to query the custom attributes for their account even without any admin permissions at all.
https://developers.google.com/admin-sdk/directory/v1/reference/users/get
You need to ensure that projection is set to full and viewType is set to domain_public.
You may need to check the permissions for reading the custom attributes to ensure that a user is allowed to see theirs. We do this in the Google Cloud Directory Sync.

Admin SDK Customer Report API - how to specify a customer domain (as a reseller)

I read that the Admin SDK works for Google Apps resellers, but I'm having one specific problem.
I want to use the following request to get the number of user licenses in use on one of my customer's domains.
https://www.googleapis.com/admin/reports/v1/usage/dates/%s?parameters=accounts:num_users
But there's no way that I can find to specify the customer's domain name that I want to get the usage report for. Tried a few different ways.
There must be a way that is hiding from me because this was possible with the old deprecated API.
Thanks.
Using the Reports API for this is not advisable because it can be delayed by 48+ hours. It's also not possible for reseller users to run reports for customers at this time. Rather, you should use the Google Apps Reseller API to list subscription counts that should be fully up to date.
Looks like this API here will do the trick:
https://developers.google.com/admin-sdk/admin-settings/#retrieving_the_current_number_of_users_in_a_domain