We have multiple Facebook applications and each has multiple roles (administrators, developers, testers and analytics users).
We want to export all the emails of the users with any of the above roles, but we can't find a way to do it with the developer graph API.
Can we do it with only administrator access to the applications or do we must use the Business Manager API?
You can get all users that have a role in the app via the /{app-id}/roles endpoint.
https://developers.facebook.com/docs/graph-api/reference/v6.0/app/roles
That will only give you their app-scoped user ids though.
Requesting their e-mail would have to happen separately, after you got the IDs - and will likely require that the user granted your app the email permission beforehand.
Related
I am making my first microservice application and the only thing that is not clear to me is user management. I want to have a login page on my web application where users can login. Based on the role that you got you can go to a user management page and see the list of all the users with their according role. An admin should be able to update or delete users.
What I can't seem to figure out is how I would access this user list to perform CRUD operations from the web application on the users persistend in Cognito?
Can someone give me a link or explain to me how this would happen, or how I can make it possible?
IAP allows you to protect apps on AppEngine by defining which principal has access using roles/iap.httpsResourceAccessor. If I have a group in IAM called participants and I add external people (personal gmail accounts & contractors) to that group, will these people have access to my application?
Or do I have to submit the application for verification even though I want to limit the access to our employees and a few dozen customers taking part in a workshop?
So in other words, does IAP define "people in your organisation" as people who have a #myorg.com email address only or as people who are part of a group that has IAM permission?
"People in your organization" are users who have been granted permission in your Google Cloud Project or Organization. This includes #gmail.com accounts, which can have roles granted and can be added to groups.
For an internal application you do not need to verify the app, but you will need an internal OAuth page.
You can find more information in this documentation.
Does Facebook allow to create anything like a Service accounts in Google Cloud Platform?
I need automated access to our FB Page via API, currently i can create User Access Token, but it is directly connected with my Personal account. I know, I can generate Page Access Token, but it still covered by my User Access Token – then I revoke it, the Page Access Token is revoked too (live example).
Is here way to create something like Service account which was not been directly connected to any User's profile?
My reason is: I want to create app to my employer which is connect to Page in non-user context (it's reading Page's events), that must still live when I leave the company
(and revoke my personal User Access Token) or when my Personal Account was disabled (for any reason).
I wanted to implement similar feature for azure as mentioned in below aws url-
https://aws.amazon.com/blogs/desktop-and-application-streaming/enabling-federation-with-azure-ad-single-sign-on-and-amazon-appstream-2-0/
I want to register external user on the fly to access azure portal with limited access and a expiry. Can someone help me figuring out a workaround for same.
You can use RBAC(Role-based access control ) for this.
RBAC allows the flexibility of owning one Azure subscription managed by the administrator account (service administrator role at a subscription level) and have multiple users invited to work under the same subscription but without any administrative rights for it.
There are two common examples when RBAC is used (but not limited to):
Having external users from the organizations (not part of the admin
user's Azure Active Directory tenant) invited to manage certain
resources or the whole subscription.
Working with users inside the organization (they are part of the
user's Azure Active Directory tenant) but part of different teams or
groups that need granular access either to the whole subscription or
to certain resource groups or resource scopes in the environment.
Follow the step by step instruction to Grant access at a subscription level for a user outside of Azure Active Directory.
Hope this will help.
For your requirement :
Consider Add Azure Active Directory B2B collaboration users in the Azure portal
In this a user who is assigned any of the limited administrator directory roles, can use the Azure portal to invite B2B collaboration users. You can invite guest users to the directory, to a group, or to an application.After you add a guest user to the directory, you can either send the guest user a direct link to a shared app, or the guest user can click the redemption URL in the invitation email.
Also consider Add Google as an identity provider for B2B guest users
By setting up federation with Google, you can allow invited users to sign in to your shared apps and resources with their own Google accounts, without having to create Microsoft Accounts (MSAs) or Azure AD accounts.
I have set up an integration using GSuite Domain wide delegation + service account which allows us to act as any user within our domain.
Currently this method isn't a very "user friendly" option for our customers at rulerr.com and I'm seeking to run through the Oauth2 consent process for other domains outside of our Organization.
Ideally they would be able to consent as an admin (known as admin consent) and then we can access all user data (calendars/mail/drive) by simply retrieving a token or two.
This is possible via Microsoft Graph with application and delegated permissions (see https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/)
Can anyone tell me if this is possible in GSuite? I cannot find any information other than for service accounts for a single Organization.
For anyone looking for an answer to this question with more detail than what is available in the Google API documentation, this page helped me a lot: http://youdontneedacrm.tumblr.com/post/81479000201/tutorial-create-your-application-in-google-marketplace
"Admin consent" is given when the admin of rulerr.com authorizes the client_id of your API Service Account in their G Suite domain. This can be done two ways:
Admin of rulerr.com adds your client_id to the Security-->Manage API Client Access section of the G Suite admin site. This grants your API client access to all accounts in their domain instance for the scopes authorized.
If you enable the Marketplace SDK in your API project and create/deploy a marketplace app, their admins can install that app to their domain which grants consent for all users, except they can OU limit it so that it is only granted for users in the OUs they choose.