I use Google Compute Engine in an organisation of ~100 people. How do I make sure that all the accounts I add to a Compute Engine project have two-factor auth enabled?
I searched google documentation for (enforce|ensure|mandatory) two factor (gcloud|gce|google cloud) but didn't find anything that answered my question.
This question is only partially answered. It is possible with Gsuite. It remains unknown if this can be done without Gsuite.
There is a new service called Cloud Identity.
Cloud Identity provides free, managed Google Accounts to users who don’t need G Suite Services, such as Gmail or Drive.
Relevant for you:
Directory and account security:
Create and manage users.
Create and manage groups.
Manage account security by setting up basic 2SV or enhanced 2SV using security keys.
etc...
Follow the instructions here to make 2-Step Verification mandatory in G Suite:
1. If you will require 2-Step Verification of all users in the domain or within an existing organizational unit (OU), you may skip this step. If you need to have a different 2-Step Verification setting for a select group of users within an organization, create an admin-managed group containing all such users. See Use exception groups for detailed instructions on creating custom groups.
2. On the dashboard, click Reports, then select Security. Confirm that all users to be forced into 2-Step Verification are already enrolled in it, indicated by "Enrolled" in the 2-Step Verification Enrollment column.
3. On the dashboard, click Security > Basic settings > Enforce 2-Step Verification on users.
4. Select the organization where you wish to make 2-Step Verification mandatory. Then select Turn on enforcement. 2-Step Verification will become mandatory within 24 to 48 hours after turning on enforcement.
5. To have a suborganization inherit the 2-Step Verification setting from its parent organization, click the Use inherited button that appears near the right margin when you hover over the Authentication pane.
6. If you would like to exempt a group of users, select the group name (created in step 1) on the right-hand side, keeping the organization selected on the left-hand side of the page, and select Turn off enforcement. This will apply 2-Step Verification to all users in the selected organization except the users in the exception group.
7. Save your changes.
All users of the selected organization are now required to enter a secondary code from their mobile device.
Reference: https://support.google.com/a/answer/2548882?hl=en
I want to give GSAs direct access to modify Google users. I can't find current docs on this so assuming it's not possible right now?
It looks like this is only possible for working with groups:
https://workspaceupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
I need to give a GSA access to read group membership and also modify user attributes.
Right now I:
create an admin G Suite user
create a GSA with domain-wide auth with these scopes:
https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.user
Impersonate the G Suite user with the GSA and modify user attributes like this:
```python
service = create_directory_service("G SUITE USER")  # impersonate the admin user via the GSA
service.users().update(userKey=uKey, body=myAttributes).execute()
```
Do I still need domain wide delegation to modify user attributes? Or is it supported now as well?
You can follow this guide to create a Service Account, turn on the Admin SDK API (which allows the service account to provision/manage the users), and authorize it.
The Service Account created can be used then to provision/manage the G-Suite users, here is a guide on how to manage user accounts using the Directory API, which is part of the Admin SDK.
In short, yes it is possible to manage users too, by using Service Accounts, not just groups.
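Below is an added example of the flow the question's snippet sketches, written for this page rather than taken from the poster or from Google: a service account whose client ID has domain-wide delegation impersonates an admin with `with_subject`, then sends only the attributes that actually differ using `users().patch`. The key path, admin address and the `FakeDirectory` stand-in (so the logic can run without credentials) are assumptions; `create_directory_service` in the question is the poster's own helper and is replaced here by `delegated_directory_service`.

```python
"""Update Google Workspace user attributes with a domain-wide-delegated service account.

Added example, not the poster's code. Assumptions:
  * SA_KEY_FILE is a service-account JSON key whose client ID was granted
    domain-wide delegation for SCOPES in the Admin console;
  * ADMIN_EMAIL is a Workspace admin that the service account may impersonate.
"""
from typing import Any, Dict, Optional

SCOPES = ["https://www.googleapis.com/auth/admin.directory.user"]
SA_KEY_FILE = "sa-key.json"        # assumption: path to the service-account key
ADMIN_EMAIL = "admin@example.com"  # assumption: the admin being impersonated


def delegated_directory_service(key_file: str, subject: str, scopes=SCOPES):
    """Build a Directory API client that acts as `subject` (domain-wide delegation)."""
    # Imported here so the pure helpers below work without the client library installed.
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=scopes
    ).with_subject(subject)
    return build("admin", "directory_v1", credentials=creds, cache_discovery=False)


def diff_patch(current: Dict[str, Any], desired: Dict[str, Any]) -> Dict[str, Any]:
    """Return only the fields of `desired` that differ from `current`.

    Nested objects such as `name` are compared key by key, so changing the
    family name does not resend the given name.
    """
    patch: Dict[str, Any] = {}
    for key, want in desired.items():
        have = current.get(key)
        if isinstance(want, dict) and isinstance(have, dict):
            sub = diff_patch(have, want)
            if sub:
                patch[key] = sub
        elif want != have:
            patch[key] = want
    return patch


def update_user_attributes(service, user_key: str, desired: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Fetch the user, compute a minimal patch and apply it with users().patch.

    Returns the body that was sent, or None when nothing changed, which makes
    a scheduled run idempotent and lets a dry run show what it would touch.
    """
    current = service.users().get(userKey=user_key, fields=",".join(desired)).execute()
    patch = diff_patch(current, desired)
    if not patch:
        return None
    service.users().patch(userKey=user_key, body=patch).execute()
    return patch


# ---- constructed offline stand-in for service.users(); not part of the real API ----
class _FakeRequest:
    def __init__(self, result):
        self._result = result

    def execute(self):
        return self._result


def _deep_merge(base: Dict[str, Any], patch: Dict[str, Any]) -> None:
    for k, v in patch.items():
        if isinstance(v, dict) and isinstance(base.get(k), dict):
            _deep_merge(base[k], v)
        else:
            base[k] = v


class FakeUsers:
    def __init__(self, store: Dict[str, Dict[str, Any]]):
        self.store = store      # primaryEmail -> user resource
        self.patches = []       # every (userKey, body) that was "sent"

    def get(self, userKey, **_):
        return _FakeRequest(self.store[userKey])

    def patch(self, userKey, body):
        self.patches.append((userKey, body))
        _deep_merge(self.store[userKey], body)
        return _FakeRequest(self.store[userKey])


class FakeDirectory:
    def __init__(self, store):
        self._users = FakeUsers(store)

    def users(self):
        return self._users


if __name__ == "__main__":
    # Constructed directory with one user whose surname and OU need changing.
    fake = FakeDirectory({"jane@example.com": {
        "primaryEmail": "jane@example.com",
        "name": {"givenName": "Jane", "familyName": "Doe"},
        "orgUnitPath": "/",
    }})
    desired = {"name": {"givenName": "Jane", "familyName": "Smith"}, "orgUnitPath": "/Staff"}
    print("sent:", update_user_attributes(fake, "jane@example.com", desired))
    print("second run:", update_user_attributes(fake, "jane@example.com", desired))
    # Real run: service = delegated_directory_service(SA_KEY_FILE, ADMIN_EMAIL)
```

Impersonation is what the delegated scopes buy you: the service account never holds admin rights itself, it only acts as the named admin for the listed scopes, so keep `SCOPES` to the narrowest set the job needs and grant the same set in the Admin console.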
Sorry if my English is weird.
I would like to know how a non-admin account can use the Admin SDK.
If you have any suggestions, please let me know.
I'm developing an add-on for an elementary school using Google app script.
I want to limit the API by student, teacher, grade, etc. So I need to get the organization information.
There were a few other similar questions, and apparently it would be impossible to try to do it normally.
When using the Admin SDK, Google will display an acceptance confirmation screen to the user.
Once the user agrees, Google gives the app an access token that is valid for a short period of time. I'm thinking that I can do this by using that access token. Is this approach dangerous from a security point of view?
I'm sorry for the lack of explanation.
I'm currently developing a google slides add-on for an elementary school.
It's supposed to display a SPA made with vuejs in the sidebar and let you manipulate it.
For example, we can manage a whitelist of organizations that can use this application in advance, and not allow organizations that do not match the whitelist to use it.
If the organization is managed by school unit, access control can be done by domain, but in some areas, the organization is managed by city, so access control by school unit cannot be realized...
Also, we want to do the following if we match the whitelist:
- The functions that can be used by teachers and students are different.
- The buttons can be changed depending on the grade level of the students.
- Automatically enter student names and class names on slides.
Use an organizational structure to manage the school and students. (https://support.google.com/a/answer/4352075?ref_topic=4390186&hl=en)
We think we can achieve this by using the Admin SDK to get organization information
Answer
It is not possible to use Admin SDK with a non-admin account as Google says in the documentation: This API gives administrators of Google Workspace domains (including resellers) the ability to manage devices, groups, users, and other entities in their domains.
However there are two workarounds for your problem, but you would need to use an admin account to configure the scenario.
Initial approach
Get the user that is running the application with the class Session and the methods getActiveUser and getEmail: var email = Session.getActiveUser().getEmail();
Get the organizational unit that each user belongs to. With this information you will be able to filter users and display different options in the add-on. The main problem is that you need to use AdminDirectory.Users.get(userEmail) to get the organizational unit, and it needs the following authorization scope: https://www.googleapis.com/auth/admin.directory.user.readonly.
Solution 1
Create a Spreadsheet with all the users that are going to use the add-on and their organizational units:
Use List all users to get all the users in a domain and write each email in the first column.
Use AdminDirectory.Users.get(email).orgUnitPath to get the organizational unit and write it in the next column
Finally, when users use the add-on, search the email of the active user (Session.getActiveUser().getEmail()) in the Spreadsheet, take the row number and get the value of the organizational unit that is in the second column.
Solution 2
Create a custom admin role and assign it to every user that is going to use the add-on. You must be signed in as a super administrator for this task. You can do it here and select Users -> Read.
Assign the new role to each user by creating a role assignment.
Finally, users will be able to use var organization = AdminDirectory.Users.get(email).orgUnitPath
My Google Cloud Platform app is in Test mode in order to be later submitted to Google for approval.
This app was previously in production, so there are more than 100 accounts authenticated to the app.
This means that I'm above the limit of 100 max users in Test mode and I cannot add the new accounts I need to make some tests.
I'm not able to find a way to list the currently authenticated users and remove them.
Anyone could help?
limit of 100 users reached
There is no way to list the users who have authorized your application, there is also no way for you to remove them. You need to wait for verification of your application before you can add new users.
option one
If you have refresh tokens for the users you can try to revoke them and see if that grants you another additional users. However my research says this will not help as the 100 limit appears to be the number of users who have granted your application authorization not the number of users who currently are authorized by your application.
option two
You could also create a new project and go through the verification process again, this time taking care not to gather too many users before the verification process has been completed.
How can we check to see if 2-factor authentication is enabled for all users, and if not, how can it be enabled for all users?
Recently, two new fields, isEnforcedIn2Sv and isEnrolledIn2Sv (both read-only), were added to the results of the Directory API users.list() / get().
This one should be more accurate due to the big delay in UserUsageReport.
To check programmatically: The is_2sv_enrolled property of a user account's UserUsageReport will be true if the user has 2FA turned on.
To turn on for a user: You CANNOT turn it on programmatically for a user. A user needs to do this themselves.
Best practice for a large domain is to turn on Enforcement for 2-Step Verification. This can be done org unit by org unit and on a timeline with a deadline (that you can move) and allows exception groups. Users will gradually be provoked to enroll with interstitial prompt flows during login.
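The audit half of this answer, as an added example (not from the thread or from Google): page through `users.list()` reading the `isEnrolledIn2Sv` / `isEnforcedIn2Sv` fields the answer mentions, bucket active users by state, and group the unenrolled ones by OU, since enforcement is switched on per organizational unit as the first thread's procedure describes. The API cannot enroll anyone, so the output is the chase-up list an admin needs before turning enforcement on. `SA_KEY_FILE`, `ADMIN_EMAIL` and `SAMPLE_USERS` are assumptions; the sample is constructed so the script runs offline.

```python
"""Audit 2-Step Verification status across a Google Workspace domain.

Added example, not the thread's code. Reads the read-only isEnrolledIn2Sv /
isEnforcedIn2Sv fields from the Directory API (fresher than the
UserUsageReport's is_2sv_enrolled) and reports who still has to enroll.
SA_KEY_FILE and ADMIN_EMAIL are assumptions, as in the delegated-service-account example.
"""
from typing import Dict, Iterator, List

SCOPES = ["https://www.googleapis.com/auth/admin.directory.user.readonly"]
SA_KEY_FILE = "sa-key.json"        # assumption
ADMIN_EMAIL = "admin@example.com"  # assumption
USER_FIELDS = "nextPageToken,users(primaryEmail,orgUnitPath,suspended,isEnrolledIn2Sv,isEnforcedIn2Sv)"


def delegated_directory_service(key_file: str, subject: str, scopes=SCOPES):
    """Directory API client impersonating `subject` through domain-wide delegation."""
    from google.oauth2 import service_account          # imported lazily: audit helpers stay offline-runnable
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=scopes
    ).with_subject(subject)
    return build("admin", "directory_v1", credentials=creds, cache_discovery=False)


def iter_users(service, customer: str = "my_customer") -> Iterator[dict]:
    """Yield every user resource; `my_customer` is the alias for the caller's own account."""
    token = None
    while True:
        resp = service.users().list(
            customer=customer, maxResults=500, orderBy="email",
            fields=USER_FIELDS, pageToken=token,
        ).execute()
        yield from resp.get("users", [])
        token = resp.get("nextPageToken")
        if not token:
            return


def audit_2sv(users) -> Dict[str, List[str]]:
    """Bucket active (non-suspended) users by 2SV state.

    not_enrolled        : no second factor at all, the real exposure
    enrolled_unenforced : opted in, but no policy stops them turning it off again
    compliant           : enrolled and covered by an enforcement setting
    """
    report: Dict[str, List[str]] = {"not_enrolled": [], "enrolled_unenforced": [], "compliant": []}
    for u in users:
        if u.get("suspended"):
            continue  # cannot sign in; not an active exposure
        email = u["primaryEmail"]
        if not u.get("isEnrolledIn2Sv", False):
            report["not_enrolled"].append(email)
        elif not u.get("isEnforcedIn2Sv", False):
            report["enrolled_unenforced"].append(email)
        else:
            report["compliant"].append(email)
    return report


def not_enrolled_by_ou(users) -> Dict[str, List[str]]:
    """Group unenrolled active users by OU: enforcement is enabled per OU, and
    these are the people to chase before flipping that OU's switch."""
    by_ou: Dict[str, List[str]] = {}
    for u in users:
        if u.get("suspended") or u.get("isEnrolledIn2Sv", False):
            continue
        by_ou.setdefault(u.get("orgUnitPath", "/"), []).append(u["primaryEmail"])
    return by_ou


# Constructed sample in the shape users.list() returns (assumption, not real data).
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "orgUnitPath": "/Staff", "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "bob@example.com", "orgUnitPath": "/Staff", "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
    {"primaryEmail": "carol@example.com", "orgUnitPath": "/Contractors", "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "dave@example.com", "orgUnitPath": "/Staff", "suspended": True, "isEnrolledIn2Sv": False},
    {"primaryEmail": "erin@example.com", "orgUnitPath": "/Contractors"},  # fields absent -> treated as not enrolled
]


if __name__ == "__main__":
    # Offline run over the constructed sample. For the real domain use:
    #   users = list(iter_users(delegated_directory_service(SA_KEY_FILE, ADMIN_EMAIL)))
    users = SAMPLE_USERS
    for bucket, emails in audit_2sv(users).items():
        print(f"{bucket:>20}: {', '.join(emails) or '-'}")
    for ou, emails in not_enrolled_by_ou(users).items():
        print(f"chase before enforcing {ou}: {emails}")
```

Treat a missing `isEnrolledIn2Sv` the same as `False`; the field is omitted for some accounts and a permissive default would hide exactly the users you are looking for.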
I'm building a lightweight web interface to SSRS where web app users are mapped to web app roles, which in turn are mapped to SSRS users.
The reason for this convoluted scheme is not up for debate: In short, AD groups can't be used, the site uses Forms auth and there are a fixed number of roles.
Web Role | SSRS User
Admin | AdminUser
Supervisor | SuperUser
User | BasicUser
Guest | GuestUser
The goal is to enumerate all reports a user has permission to view, and allow the user to view the report with the ReportViewer control.
More importantly, it's to simplify the UX for users, both admins and the rest: preventing admins from having to use the Report Manager website (ie, selecting checkboxes rather than hand-typing which web-role-users have access to which reports), and providing a simple UI from which users can see and execute all their reports.
Everything works OK when the user is the AdminUser.
However, I'm having difficulty calling the web service when the user isn't included in a Policy on the Home/Root folder with at least the Browser SSRS role. (The permissions granted to user 'computer\username' are insufficient for performing this operation.)
This is problematic for a couple reasons:
If every user must be a Browser to connect to the web service and enumerate reports they have access to view/execute, then all users will have access to all new reports/folders by default. (Children automatically inherit new permissions)
If a report exists in a nested folder that does not inherit permissions and the user is not a browser of, but the user is a Browser on the nested report, ListChildren() will not return that report.
It seems this leaves me with 2 less than ideal options:
Don't call the web service with the different users. Instead, enumerate reports with ListChildren() using only the admin user. Then, for each report, call GetPolicies(), and from that collection of policies, determine what reports the user is able to view.
Make the call with different users. Live with the pitfalls of newly-published reports being accessible to everyone by default, until permissions are changed. Also live with the pitfalls of nested reports not showing unless the user has access to that path. If an admin wants a nested report within a folder with explicit permissions to be available to a user who can't see that folder, the policies on all ancestor folders and their children must be modified.
#1 is obviously very unwieldy and inefficient. But #2 has significant drawbacks and becomes just as onerous & inefficient when setting permissions in certain situations.
Is there a better way? Have I missed something obvious?
[edit]
A 3rd option is to query the ReportServer database directly using a query like this. This has the benefit of returning everything the user has access to, regardless of whether or not it exists in a subfolder the user cannot access (aka, cannot use the web service's ListChildren method to retrieve). However, if using AD groups, I would have to know which groups the user is a member of, whereas the web service would do this for me. This option feels like a bit of a hack to me, but it could work.
As it turns out, we ran an end-run around this issue by dropping the requirement to restrict report access by web role, and made the path we query in the web service a web.config setting that can change, thus allowing report authors to 'hide' reports in a parent folder if the need arises in the future.
The best solution would have been to query the ReportServer database directly.
However, the client changed their mind & didn't want to restrict reports based on web user role in the end, so problem solved!