Admin manages the Users from Admin google page (admin.google.com) and I are curious whether there is any API document like Rest API's available. Purpose: Admin can manage the users (like add user, delete user, fetch users list) from Postman using this Rest API's.
You can use G Suite Admin SDK's Directory API to manage users and groups as you intend. For a precise description of each resource representation, have a look at the API reference, for example here for the User resource.
Related
I want to give GSAs direct access to modify Google users. I can't find current docs on this so assuming it's not possible right now?
It looks like this is only possible for working with groups:
https://workspaceupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
I need to give a GSA access to read group membership and also modify user attributes.
Right now I:
create an admin a G Suite user
create a GSA with domain wide auth with these scopes
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.user
Impersonate the G Suite user with the GSA and modify user attributes like this:
service = create_directory_service("G SUITE USER")
service.users().update(userKey=uKey, body=myAttributes).execute()
Do I still need domain wide delegation to modify user attributes? Or is it supported now as well?
You can follow this guide to create a Service Account, turning on the Admin SDK API (which allows the service account to provision/manage the users), and authorizing it.
The Service Account created can be used then to provision/manage the G-Suite users, here is a guide on how to manage user accounts using the Directory API, which is part of the Admin SDK.
In short, yes it is possible to manage users too, by using Service Accounts, not just groups.
I am creating a flask app to be used internally in my company. I would like to restrict what a user can do it based on its login ID. I read a lot about using LDAP3 but I don't think I can do what want which send the login ID to the server. There I would have a table which will register which part of the system has the permition to edit. If it try to change somenthing not permited the app will retrieve a warning message.
I won't to do that to avoid having to create a separate login functionality just for this app. I read that I should use AD authentication but I am not very familiarized with that and I would also like to avoid having to ask our IT department to create user groups there for each part of my system.
I know that I can do that using ASP .NET (at least I did once).
Any guidance will be apreciated.
I think you are looking for Role-based Authorization.
In order to use this functionality you will need to implement roles on your model file per the Data-models documentation.
This will allow you to assign users a role when they are created, and you can use a decorator on your routes to 'require' the user to have the role you want them to have before they access the endpoint.
I am using aws cognito sdk with .net core 3.1 webapi. The issue is, I have to display users info as well as user groups. ListUserApi https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsers.html doesn't return users group information. According to the docs I have to call other api ListUserInGroups (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsersInGroup.html) but as I need both information on single table. This call would be really expensive for me. Is there any other api which returns user's profile info as well as user group info. I tried to find one but couldn't
Also one other question do aws cognito api provied sorting functionality? Like sort by name of email? I can only see filtering option but not sorting.
I am trying to create a new interface for wso2is for my specific requirement. I only need some specific functionalities (add user, add roles etc) from wso2, I go through several documentation in wso2 website and find:
this document
this post
but never got a complete documentation.
Is it possible to get the postman collections for the same?
The documentation you have referred to is relevant to the admin services for user and role management. They are implemented using SOAP. But since you have some basic requirements as add user delete user add roles you can use the SCIM2 REST API's[1][2]
[1].https://docs.wso2.com/display/IS570/Using+the+SCIM+2.0+REST+APIs
[2].https://medium.com/#vindulajayawardana/scim-2-0-api-for-wso2-identity-server-5-3-0-fc5dcaad9e44
Is anyone aware of any Google API with the user scope (NOT the Admin API in the Directory SDK) that allows you to retrieve the custom employee attributes?
The G+ API seems to skip these
https://developers.google.com/+/web/api/rest/latest/people#resource
Our issue is that we don't want to grant access to the developer console, but rather do this PER-USER. I.E. a user logs into our app and we display to her the custom attributes for her G Suite account, but we do this as her (not as an approved API scope via the dev console).
Leaving this answer for anyone like me who finds this question.
The Directory API allows a user to query the custom attributes for their account even without any admin permissions at all.
https://developers.google.com/admin-sdk/directory/v1/reference/users/get
You need to ensure that projection is set to full and viewType is set to domain_public.
You may need to check the permissions for reading the custom attributes to ensure that a user is allowed to see theirs. We do this in the Google Cloud Directory Sync.