I'm attempting to allow all users to add themselves to my Google Group via js + html form. I'm using the group to send out newsletters. I currently don't have access to the admin user account for G Suite so I'm unable to see what options are available, but I'm getting confused with the OAuth 2.0 protocol.
If I make a request to insert member (https://developers.google.com/admin-sdk/directory/v1/reference/groups/insert) with the G Suite SDK Directory API, will a consent screen be presented to all users who fill out the form (with the goal of being added to the group).
I've read through this documentation but still am a bit confused:
https://developers.google.com/admin-sdk/directory/v1/guides/authorizing
https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow
The members insert method of the G Suite Admin SDK will allow you to add members to an existing group and also attribute them a group role and mail delivery options.
This will not require the new members to pass through a consent screen to be added (note also that they must belong to the same organization).
I hope this has helped you. Let me know if you need anything else or if you did not understood something. :)
Related
I want to give GSAs direct access to modify Google users. I can't find current docs on this so assuming it's not possible right now?
It looks like this is only possible for working with groups:
https://workspaceupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
I need to give a GSA access to read group membership and also modify user attributes.
Right now I:
create an admin a G Suite user
create a GSA with domain wide auth with these scopes
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.user
Impersonate the G Suite user with the GSA and modify user attributes like this:
service = create_directory_service("G SUITE USER")
service.users().update(userKey=uKey, body=myAttributes).execute()
Do I still need domain wide delegation to modify user attributes? Or is it supported now as well?
You can follow this guide to create a Service Account, turning on the Admin SDK API (which allows the service account to provision/manage the users), and authorizing it.
The Service Account created can be used then to provision/manage the G-Suite users, here is a guide on how to manage user accounts using the Directory API, which is part of the Admin SDK.
In short, yes it is possible to manage users too, by using Service Accounts, not just groups.
Sorry if my English is weird.
I would like to know how a non-admin account can use the Admin SDK.
If you have any suggestions, please let me know.
I'm developing an add-on for an elementary school using Google app script.
I want to limit the API by student, teacher, grade, etc. So I need to get the organization information.
There were a few other similar questions, and apparently it would be impossible to try to do it normally.
When using the Admin SDK, Google will display an acceptance confirmation screen to the user.
Once the user agrees, Google gives the app an access token that is valid for a short period of time. I'm thinking that I can do this by using that access token. Is this approach dangerous from a security point of view?
I'm sorry for the lack of explanation.
I'm currently developing a google slides add-on for an elementary school.
It's supposed to display a SPA made with vuejs in the sidebar and let you manipulate it.
For example, we can manage a whitelist of organizations that can use this application in advance, and not allow organizations that do not match the whitelist to use it.
If the organization is managed by school unit, access control can be done by domain, but in some areas, the organization is managed by city, so access control by school unit cannot be realized...
Also.We want to do the following if we match the whitelist.
The functions that can be used by teachers and students are
different.
The buttons can be changed depending on the grade level of the
students.
Automatically enter student names and class names on slides.
Use an organizational structure to manage the school and students. (https://support.google.com/a/answer/4352075?ref_topic=4390186&hl=en)
We think we can achieve this by using the Admin SDK to get organization information
Answer
It is not possible to use Admin SDK with a non-admin account as Google says in the documentation: This API gives administrators of Google Workspace domains (including resellers) the ability to manage devices, groups, users, and other entities in their domains.
However there are two workarounds for your problem, but you would need to use an admin account to configure the scenario.
Initial approach
Get the user that is running the application with the class Session and the method getActiveUser and getEmail: var email = Session.getActiveUser().getEmail();
Get the organizational unit that each user belongs to. With this information you will be able to filter users and display different options in the add-on. The main problem is that you need to use AdminDirectory.Users.get(userEmail) to get the organizational unit, and it needs the following authorization scope: https://www.googleapis.com/auth/admin.directory.user.readonly.
Solution 1
Create a Spreadsheet with all the users that are going to use the add-on and its organizational unit
Use List all users to get all the users in a domain and write each email in the first column.
Use AdminDirectory.Users.get(email).orgUnitPath to get the organizational unit and write it in the next column
Finally, when users use the add-on, search the email of the active user (Session.getActiveUser().getEmail()) in the Spreadsheet, take the row number and get the value of the organizational unit that is in the second column.
Solution 2
Create a custom admin role and assign it to every user that is going to use the add-on. You must be signed in as a super administrator for this task. You can do it here and select Users -> Read,
Assign the new role to each user creating a role assignment
Finally, users will be able to use var organization = AdminDirectory.Users.get(email).orgUnitPath
I have a FB page that is a member of about 10 groups (all related to the same topic), and sometimes when I post I share the post to these groups.
Since it's so tedious to manually share the post to each group, I thought maybe using the API could be a better way to share my post into these specific groups my page is a member of. But FB seems to require that I enter some business details for a business that doesn't exist.
I don't own a business, this is a page to share educational tips and such. So I created an app (kept it in dev mode) and I'm the only administrator. I don't plan to make my app public, create an interface or have anyone else use it, and I don't intend to use it with any pages other than mine. Plus, I've already provided my personal ID so I am verified as an individual:
But still, if I want to get manage_pages permission I'm required to go through some business verification and show FB how I'll use the API in a video, when I don't have any of this. In the verification page I'm requested to upload an icon, a privacy policy link and confirm commercial use:
Should I just make up some fake business information so I can give them what they want? Is there not a way to use the API for personal use?
I'd be happy with just being able to send a couple cURLs to share my post through a terminal instead of having to do it via the FB GUI.
The only requirement to complete review by business verification is to manage more than 3 pages per user, otherwise you can complete via individual verification. However you say pages and groups so it's not clear if you refer to publishing to a page feed or to a group (which requires additional permissions/features besides only manage_pages). And no, you shouldn't fake official documents just to complete business verification if you don't have a business...
Is anyone aware of any Google API with the user scope (NOT the Admin API in the Directory SDK) that allows you to retrieve the custom employee attributes?
The G+ API seems to skip these
https://developers.google.com/+/web/api/rest/latest/people#resource
Our issue is that we don't want to grant access to the developer console, but rather do this PER-USER. I.E. a user logs into our app and we display to her the custom attributes for her G Suite account, but we do this as her (not as an approved API scope via the dev console).
Leaving this answer for anyone like me who finds this question.
The Directory API allows a user to query the custom attributes for their account even without any admin permissions at all.
https://developers.google.com/admin-sdk/directory/v1/reference/users/get
You need to ensure that projection is set to full and viewType is set to domain_public.
You may need to check the permissions for reading the custom attributes to ensure that a user is allowed to see theirs. We do this in the Google Cloud Directory Sync.
The flow I'm going for is:
User signs in with Facebook to our site.
User pays a fee using PayPal or some similar service.
User is allowed access to a particular Facebook group.
I'm not particularly fussy about how the process works, but I'd like to avoid a manual step if possible.
I know I can't invite them using the Graph API (as they're not an admin, developer or tester of the app). But is there some other way round? A button that allows them to request access that I then confirm using the API? An automatic way of emailing an invite?
Or is there a way of making it easier to do the manual step? Some way of listing the new users with an "invite to group" button? A friend request button for the user to press?
With facebook API you can't do this with a normal group, but you can use app groups instead. To create an app group, you have to do a POST request to this url:
http://graph.facebook.com/{your-app-id}/groups
with the following informations:
valid app access token
name: the name of the group
description: the description of the group
privacy: enum, it can be open or closed
admin: admin's user id
Then you will recive a gropu ID. You can get info about your group ith a GET request to this URL:
http://graph.facebook.com/{group-id}
EDITED: You can no longer add members with POST request, but there is an another way.
New solution
You can use a client-side dialog to add members to groups. You can find the documentation here: https://developers.facebook.com/docs/games/app-game-groups/v2.0#add_user
I tested it with a user who wasn't a tester, andd it works fine.
Old solution (no longer available)
You can add members to this group with a POST request to this URL:
http://graph.facebook.com/{group-id}/members
You have to post:
valid app access token
member: user ID of the person to invite
The person will recive something like this image:
(source: edemmester.hu)
I tested it, it works fine.
More info about app groups: https://developers.facebook.com/docs/graph-api/reference/v2.0/app/groups
IMPORTANT! You have to use app access tokens here, not user access tokens.
I don't think it's possible to invite people without writing a browser extension that has access to the cookies etc. of the logged-in group admin.
Anyway, you cannot simply add people to a group if you're not friends with them, but need to invite them by email. So probably it's easiest if you ask them for their email-address and then invite them by email.