Lambda in a child account needs to get contact information using a role in an administrative account - aws-lambda

Today I have a very specific problem.
I have four accounts in my organization:
Account_000 - normal account
Account_001 - normal account child
Account_002 - Administrative Account
Account_003 - Root account
I have set up a cross account Role in Account_002 (administrative) with the following permissions:
"organizations:ListAccounts",
"organizations:ListAccountsForParent",
"organizations:ListParents",
"organizations:ListChildren",
"organizations:ListRoots",
"organizations:ListTagsForResource",
"organizations:DescribeOrganizationalUnit",
"account:GetContactInformation"
Account_001 has a lambda function that uses the cross account role from Account_002 to pull data about all accounts (except the root account) in the organization. It pulls the following information: tags, account ID, join type, join time, account ARN and Contact Information.
When I execute the function on Account_001, the lambda gets the error "not authorized to get contact information".
I can get contact information from each of the accounts in organization using CLI from the root account.
I am unable to get contact information from any of the accounts using any other account than root.
How do I make sure that the Administrative account can access contact information about other accounts?
How do I make sure that the lambda function in Account_001 can access contact information from other accounts?
This will hopefully help to demonstrate what I am trying to accomplish.
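As an added example (not the asker's code) of what the Lambda in Account_001 does: it assumes the role in Account_002, lists every member account except the management (root) account, and attaches tags and contact information per account, recording an AccessDeniedException against the individual account instead of failing the whole run. The role ARN, the management account ID and the fake-client interface are assumptions; boto3 is imported lazily so the inventory logic can be exercised offline.

```python
import os

# Placeholders (assumed, not from the post): the role ARN in Account_002 and the
# management (root) account ID that the inventory should skip.
CROSS_ACCOUNT_ROLE_ARN = os.environ.get("CROSS_ACCOUNT_ROLE_ARN", "arn:aws:iam::ACCOUNT_002_ID:role/OrgReadRole")
MANAGEMENT_ACCOUNT_ID = os.environ.get("MANAGEMENT_ACCOUNT_ID", "ACCOUNT_003_ID")


def assume_role_session(role_arn, session_name="org-contact-reader"):
    """Assume the cross-account role in Account_002 and return a boto3 Session.
    boto3 is imported lazily so collect_accounts() can run without it."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])


def collect_accounts(org_client, account_client, management_account_id):
    """Inventory every member account except the management account, attaching tags
    and contact information. A failure on one account (e.g. AccessDeniedException from
    account:GetContactInformation) is recorded in that entry instead of aborting the run."""
    results = []
    for page in org_client.get_paginator("list_accounts").paginate():
        for acct in page["Accounts"]:
            if acct["Id"] == management_account_id:
                continue
            entry = {
                "Id": acct["Id"],
                "Arn": acct["Arn"],
                "JoinedMethod": acct["JoinedMethod"],
                "JoinedTimestamp": acct["JoinedTimestamp"],
                "Tags": org_client.list_tags_for_resource(ResourceId=acct["Id"])["Tags"],
                "Contact": None,
                "ContactError": None,
            }
            try:
                entry["Contact"] = account_client.get_contact_information(
                    AccountId=acct["Id"])["ContactInformation"]
            except Exception as exc:
                # botocore.exceptions.ClientError carries the AWS error code in exc.response
                err = getattr(exc, "response", {}).get("Error", {})
                entry["ContactError"] = err.get("Code") or type(exc).__name__
            results.append(entry)
    return results


def lambda_handler(event, context):
    session = assume_role_session(CROSS_ACCOUNT_ROLE_ARN)
    return collect_accounts(session.client("organizations"), session.client("account"), MANAGEMENT_ACCOUNT_ID)
```

The resulting list shows per account whether GetContactInformation succeeded or which error code was returned, which is the first thing to inspect when only some accounts are refused.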

Related

How can I find my AccountId for my Zoho account?

I'm trying to make some API calls for Zoho, like the Email API.
But I am not able to make a valid request because I do not know my Account Id.
Note that I know my User Id, which I can find in my profile section in Zoho.
How can I find my Account Id?
Notes:
I tried calling this API, but getting an error.
http://mail.zoho.com/api/accounts
The error I get:
{"data":{"errorCode":"INVALID_TICKET","moreInfo":"Invalid ticket"},"status":{"code":400,"description":"Invalid Input"}}
Thanks!
Zoho's documentation explanation of account id:
"Each user might have more than just one account associated with their Zoho Mail account. They might have added several POP accounts that can be accessed from the Zoho Mail interface. Each account that you associate with a Zoho account will have a separate Account ID. You'll need the account ID while passing several user and account related API requests. The account ID for each account associated with a Zoho account can be retrieved using the Organization User Details API. You will need the OrgID to fetch the User account details using this API."
And the Organization User Details API mentioned is this:
https://www.zoho.com/mail/help/api/get-org-users-details.html
And here you can see that you get the account id.

Google Classrooms Principal Account

When I log in to Google Classroom as a Super Admin, I can view all classrooms and also assign teachers. I need to delegate these responsibilities, so is there a way I can provision a "school principal" account that can create classrooms and assist teachers in any classroom activity (be a co-teacher)? My hesitation with sharing the Super Admin account is that the user would have full control over the domain.
Is there anything that can be done in the role privileges to customize this experience?
You don't need to grant a super admin role to a user to manage classroom as an admin. Instead, you can grant a restricted admin role to one of your users either by using a pre-built admin role or by creating a custom admin role with the permissions you would like to grant the user. Therefore, you could grant a restricted admin role to your principal so that he can manage Google Classroom and other limited features of your domain. I tested this using Help Desk Admin and Services Admin roles.
This is a list of the admin permissions that exist. Here you can find more information about setting up administrator roles to other users.
However, it seems from the Original Poster reply and from my own testing that this new Classroom admin cannot modify or add teachers to other classrooms unless he is invited to the other admin's class. So you should invite your new admin to all your classes as a teacher and then he will be able to edit and add teachers to this class.

Google Classroom API Access requirements

I'm using this site for testing:
https://developers.google.com/classroom/reference/rest/v1/courses/list
I have a project set up with a service account:
The account was created with read only domain access.
A project was set up after the fact.
I then added the account after the fact.
I then enabled the Classroom API in that project.
I added the courses scope at the site linked above to domain wide delegation for the service account.
My admin account gets a 200 response with a full list of courses. My service account gets an empty 200 response. If I grant the service account domain admin, it returns a full list of courses. I'm happy to provide sanitized screenshots if needed, but does anyone know what rights a service account needs, short of domain admin, to be able to access Google Classroom data through the APIs?
Impersonating an account in the domain:
A service account that has been granted domain-wide authority can access the same data as the account it is impersonating.
As explained in this answer, only domain administrators can access all the courses in the domain. The rest of users can only access the courses they are part of (as teachers, students, etc.).
So the only way for a service account to retrieve all courses in the domain is to impersonate a domain admin (or have another account added to each course in the domain).
Service account by itself:
On the other hand, a service account that has not been granted domain-wide authority, or that is not using this authority to impersonate another account, will only have access to the courses it has been added to.
And since a service account is technically not part of the domain, it cannot be added to a course in the domain (only accounts within the domain can be added to a course – what sense would it make, anyway, to have a service account as a teacher or a student of a course?).
So, a call to courses.list cannot return any course in the domain: it will return any courses that the service account might have created on its own, which are not part of the domain.
Reference:
Using OAuth 2.0 for Server to Server Applications

What Admin Roles settings to set to be able to access Google Classroom API for the domain?

We are trying to create a separate Admin role to assign to users so they can call the Google Classroom API (domain). If we set them to be 'super admin' it works, but we do not want to give these users super admin permissions. Does anyone know of any guide or the settings to set for this?
Answer:
There is no role apart from Super Admin that will let a user make all these actions. You can check that by assigning custom admin roles to the user. Even if all possible privileges are checked, if the user is not a Super Admin, the user cannot act as a domain administrator in Classroom API.
What non-Super Admins can do:
Non-super admin users can only access courses they are part of (as teachers, or students), not all courses in the domain.
They can remove students and other teachers from courses they own directly via courses.teachers.delete and courses.students.delete, but they cannot directly add new students and teachers to their courses via courses.teachers.create and courses.students.create. Only domain administrators (Super Admins) can do that. Non-admins must first send an invitation via invitations.create(), and obtain the user's consent.
Update: Service Accounts:
You can also make your application use a Service Account in order to impersonate a Super Admin, so that this account can act on behalf of this admin, and do what the admin can do. To do this, you would have to create the Service Account and delegate domain-wide authority to it, by visiting the Admin console and following the steps specified here.
Beware, granting domain-wide delegation is a very powerful tool, since it gives the Service Account the ability to act on behalf of any user in the domain, so it could be easily abused if not managed carefully (without domain-wide delegation, a Service Account is similar to a regular account, and it can only access resources that have been created by it, shared with it, etc., like a regular account).
Anyway, once the domain-wide delegation is created, using the Service Account in your application is very similar to using a regular account. In the application, you have to build the credentials and then specify which user should be impersonated by the account by writing the user's email address. I don't know which language you are using, but you can find code snippets to do this in Java and Python here, or with Node here.
Reference:
Create custom administrator roles
Manage Teachers and Students
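An added example (not the answerer's code, nor Google's sample) of the two points made in this answer and in the one above it: a service account with domain-wide delegation impersonates a named Super Admin to read every course in the domain, and the delegated key is scoped to read-only course access so the impersonation can do no more than this job needs. It assumes the google-auth and google-api-python-client libraries, a service-account key file path and an admin e-mail address; both imports are lazy so the paging function can be tested without them.

```python
# Least scope needed for courses.list; a delegated key with only this scope
# cannot create courses, invite users or read rosters even when impersonating a Super Admin.
CLASSROOM_SCOPES = ["https://www.googleapis.com/auth/classroom.courses.readonly"]


def delegated_classroom_service(key_file, admin_email):
    """Build a Classroom API client that acts as admin_email through domain-wide
    delegation. key_file and admin_email are assumed inputs, not values from the post."""
    from google.oauth2 import service_account       # google-auth
    from googleapiclient.discovery import build     # google-api-python-client
    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=CLASSROOM_SCOPES).with_subject(admin_email)
    return build("classroom", "v1", credentials=creds, cache_discovery=False)


def list_all_courses(service, page_size=100):
    """Page through courses.list. Impersonating a Super Admin this returns every
    course in the domain; as an ordinary user it returns only that user's courses,
    and as the bare service account it returns nothing the domain owns."""
    courses, token = [], None
    while True:
        resp = service.courses().list(pageSize=page_size, pageToken=token).execute()
        courses.extend(resp.get("courses", []))
        token = resp.get("nextPageToken")
        if not token:
            return courses


if __name__ == "__main__":
    svc = delegated_classroom_service("service-account-key.json", "admin@example.edu")
    for course in list_all_courses(svc):
        print(course["id"], course.get("name"))
```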

User Account with Administrative Access Mode cannot access Position

We have created a new user account with CAL Access Mode: Administrative and Security Role: System Administrator just for managing the user accounts in CRM 2015 on premise. But this user account doesn't have access to read or select the Position while creating user accounts. Since we have some business logic based on the selected position, we do not want to create user accounts without a position. I am curious to know why the Administrative account cannot access Position, which is a system entity.
I'd appreciate it if you have any solution for this issue.
Thanks
