Google Classrooms Principal Account - google-classroom

When I log in to Google Classroom as a Super Admin, I can view all classrooms and also assign teachers. I need to delegate these responsibilities, so is there a way I can provision a "school principal" account that can create classrooms and assist teachers in any classroom activity (be a co-teacher)? My hesitation with sharing the Super Admin account is that the user would have full control over the domain.
Is there anything that can be done in the role privileges to customize this experience?

You don't need to grant a super admin role to a user to manage classroom as an admin. Instead, you can grant a restricted admin role to one of your users either by using a pre-built admin role or by creating a custom admin role with the permissions you would like to grant the user. Therefore, you could grant a restricted admin role to your principal so that he can manage Google Classroom and other limited features of your domain. I tested this using Help Desk Admin and Services Admin roles.
This is a list of the admin permissions that exist. Here you can find more information about setting up administrator roles to other users.
However, it seems from the Original Poster reply and from my own testing that this new Classroom admin cannot modify or add teachers to other classrooms unless he is invited to the other admin's class. So you should invite your new admin to all your classes as a teacher and then he will be able to edit and add teachers to this class.

Related

On which entities does any user have read access when access is given to a CRM org?

I wanted to know on which entities a user has read access by default, initially, when no security role is assigned to the user.
I wanted to know because any user who does not have any security role can still access the Case and Account entities through Advanced Find! Is this expected behavior? If yes, then is this documented anywhere?
All users must be assigned to at least one security role in order to have access to Dynamics 365. The security roles can be assigned to the user directly or to the access team he belongs to.
Can you double-check the security roles assigned to the user and verify the team's security roles?
The user has to have a security role assigned to get into CRM. Check existing teams to see whether the user is a member of any; he/she will also have access to the records shared with him/her. Which entities a user can access is based on the roles/teams he/she has been assigned. Check the role/team settings for details.

Google Classroom API Access requirements

I'm using this site for testing:
https://developers.google.com/classroom/reference/rest/v1/courses/list
I have a project setup with a service account:
The account was created with read only domain access.
A project was setup after the fact.
I then added the account after the fact.
I then enabled the Classroom API in that project.
I added the courses scope at the site linked above to domain wide delegation for the service account.
My admin account gets a 200 response with a full list of courses. My service account gets an empty 200 response. If I grant the service account domain admin it returns a full list of courses. I'm happy to provide sanitized screen shots if needed but does anyone know what rights a service account needs short of domain admin to be able to access Google classroom data through the APIs?
Impersonating an account in the domain:
A service account that has been granted domain-wide authority can access the same data as the account it is impersonating.
As explained in this answer, only domain administrators can access all the courses in the domain. The rest of users can only access the courses they are part of (as teachers, students, etc.).
So the only way for a service account to retrieve all courses in the domain is to impersonate a domain admin (or have another account added to each course in the domain).
Service account by itself:
On the other hand, a service account that has not been granted domain-wide authority, or that is not using this authority to impersonate another account, will only have access to the courses it has been added to.
And since a service account is technically not part of the domain, it cannot be added to a course in the domain (only accounts within the domain can be added to a course – what sense would it make, anyway, to have a service account as a teacher or a student of a course?).
So, a call to courses.list cannot return any course in the domain: it will return any courses that the service account might have created on its own, which are not part of the domain.
Reference:
Using OAuth 2.0 for Server to Server Applications

What Admin Roles settings to set to be able to access Google Classroom API for the domain?

We are trying to create a separate Admin role to assign to users so that they are able to call the Google Classroom API (domain). If we set them to be 'super admin' it works, but we do not want to give these users super admin permissions. Does anyone know of a guide or the settings to set for this?
Answer:
There is no role apart from Super Admin that will let a user make all these actions. You can check that by assigning custom admin roles to the user. Even if all possible privileges are checked, if the user is not a Super Admin, the user cannot act as a domain administrator in Classroom API.
What non-Super Admins can do:
Non-super admin users can only access courses they are part of (as teachers, or students), not all courses in the domain.
They can remove students and other teachers from courses they own directly via courses.teachers.delete and courses.students.delete, but they cannot directly add new students and teachers to their courses via courses.teachers.create and courses.students.create. Only domain administrators (Super Admins) can do that. Non-admins must first send an invitation via invitations.create(), and obtain the user's consent.
Update: Service Accounts:
You can also make your application use a Service Account in order to impersonate a Super Admin, so that this account can act on behalf of this admin, and do what the admin can do. To do this, you would have to create the Service Account and delegate domain-wide authority to it, by visiting the Admin console and following the steps specified here.
Beware, granting domain-wide delegation is a very powerful tool, since it gives the Service Account the ability to act on behalf of any user in the domain, so it could be easily abused if not managed carefully (without domain-wide delegation, a Service Account is similar to a regular account, and it can only access resources that have been created by it, shared with it, etc., like a regular account).
Anyway, once the domain-wide delegation is created, using the Service Account in your application is very similar to using a regular account. In the application, you have to build the credentials and then specify which user should be impersonated by the account by writing the user's email address. I don't know which language you are using, but you can find code snippets to do this in Java and Python here, or with Node here.
Reference:
Create custom administrator roles
Manage Teachers and Students
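The two answers above describe the same mechanism: a service account only sees domain courses when it impersonates a domain admin, and domain-wide delegation should be scoped as narrowly as possible. The following is an added example, not code from the original posts or from Google's client libraries: it builds the JWT claim set of the OAuth 2.0 server-to-server flow (the `sub` claim is the impersonated user) and runs a pre-flight policy check on it. The service account address, admin address and allow-lists are constructed sample values; RS256 signing of the returned signing input with the service account's private key is left out so the block runs offline.

```python
import base64
import json
import time

# Constructed sample identifiers (assumptions, not real accounts).
SA_EMAIL = "classroom-reader@example-project.iam.gserviceaccount.com"
ADMIN_EMAIL = "admin@example.edu"
COURSES_READONLY = "https://www.googleapis.com/auth/classroom.courses.readonly"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

# Least-privilege policy: which scopes and which impersonated users this
# application is allowed to request (constructed for the example).
ALLOWED_SCOPES = {COURSES_READONLY}
ALLOWED_SUBJECTS = {ADMIN_EMAIL}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def delegated_claims(sa_email, scopes, subject=None, now=None, lifetime=3600):
    """Claim set for the service-account assertion.

    `sub` is the domain user being impersonated. Without it, the token is
    the service account's own identity, which owns no courses in the domain.
    """
    now = int(now if now is not None else time.time())
    claims = {"iss": sa_email, "scope": " ".join(scopes),
              "aud": TOKEN_ENDPOINT, "iat": now, "exp": now + lifetime}
    if subject:
        claims["sub"] = subject
    return claims


def signing_input(claims):
    """base64url(header).base64url(claims); RS256-sign this to get the assertion."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                    for p in (header, claims))


def check_delegation_policy(claims):
    """Return a list of policy problems; empty means the request is acceptable."""
    problems = [f"scope not allow-listed: {s}"
                for s in claims["scope"].split() if s not in ALLOWED_SCOPES]
    if claims.get("sub") not in ALLOWED_SUBJECTS:
        problems.append(f"impersonated user not allow-listed: {claims.get('sub')}")
    if claims["exp"] - claims["iat"] > 3600:
        problems.append("assertion lifetime exceeds one hour")
    return problems
```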

Spark: Assigning Roles to Invited Users

Using Laravel Spark, is there a way to -- either via UI or programmatically -- assign a team role to an invited user?
That is, Laravel Spark doesn't allow admins to create users. Instead, an owner user invites them. This creates an entry in the invitations table and sends an email URL to the potential user. Users can then follow this URL and sign up for a user account. Once they've signed up, an admin can change their role via the UI.
Laravel Spark lets you set a default role for all invited users. What I want to know is: does Laravel Spark provide a mechanism that would let me invite user A and have them end up with role B, and invite user C and have them end up with role D?
I can think of a number of ways to achieve this myself with custom code, but before I do that I want to know if this wheel's been invented.
Spark Roles is useful as it will allow you to assign user roles/permissions as the user signs up and/or is assigned to a team. https://github.com/centrality-labs/spark-roles

Creating a security role to be able to only create roles and users without having system admin role

CRM 2015: I want to be able to create a role for local IT to be able to add user accounts and assign roles.
Regarding the 'adding roles' portion, is it simple enough just to create a role for local IT to 'write' to 'Security Roles' in the 'Business Management' tab of 'Security Roles' at the user level?
No, this is not that simple. A user cannot give another user a privilege higher than he has (it would be a serious security hole). So, for example, you have a role to edit Security Roles and you have Read access for Accounts in your Business Unit. If somebody in your Business Unit has no Read access, or only User access, you can give him Read access at Business Unit level (the same you have), but you will not be able to give him Organization access (higher than yours). You can imagine that if this were possible, you would be able to basically give yourself Admin privileges and do whatever you want in CRM.
Knowing that, it should be possible for you to create a role that, for example, has full access to Accounts, Contacts, custom entities etc. and Security Roles. This role would be able to modify other users' access levels to Accounts, Contacts etc., but not to other entities that they don't have privileges for.
Exactly the same logic applies to assigning Security Roles. So user A cannot assign a Security Role to user B if it gives user B privileges higher than user A has.
In the end, it is very hard to properly implement the scenario that you described, because there are so many privileges and a user needs to have a lot of them to even use CRM. I've tried this once but could not satisfy the business requirement; it always ended up with using the System Admin role, because there was always some scenario that could not be handled by a user with only this "specific" security modification role.
Assigning 'System Administrator' security role and changing Access Mode in user record to 'Administrative' helped me to achieve this. User still cannot access any transaction data. So, I think you can go for this approach.
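The rule in the accepted answer (a grantor can only hand out privileges at a depth it holds itself) is a checkable policy. The following is an added example, not code from the original posts or from Dynamics CRM: it models roles as privilege-to-depth maps and reports exactly which privileges of a role the grantor is not entitled to assign. The depth ordering and the sample roles are constructed for the example.

```python
from enum import IntEnum


# Access depths of a CRM privilege, least to most (constructed ordering of
# the levels named in the answer, with "Parent: Child" placed between
# Business Unit and Organization).
class Depth(IntEnum):
    NONE = 0
    USER = 1
    BUSINESS_UNIT = 2
    PARENT_CHILD = 3
    ORGANIZATION = 4


# A role maps (entity, action) -> Depth. Sample role for local IT: it may
# write and assign Security Roles, but only sees Accounts at BU depth.
LOCAL_IT_ROLE = {
    ("account", "read"): Depth.BUSINESS_UNIT,
    ("account", "write"): Depth.BUSINESS_UNIT,
    ("role", "write"): Depth.ORGANIZATION,
    ("role", "assign"): Depth.ORGANIZATION,
}


def effective_privileges(roles):
    """Union of several roles: the highest depth wins per privilege."""
    merged = {}
    for role in roles:
        for priv, depth in role.items():
            merged[priv] = max(merged.get(priv, Depth.NONE), depth)
    return merged


def assignment_violations(grantor_roles, role_to_assign):
    """Privileges in role_to_assign that exceed what the grantor holds."""
    grantor = effective_privileges(grantor_roles)
    return sorted((priv, depth) for priv, depth in role_to_assign.items()
                  if depth > grantor.get(priv, Depth.NONE))


def can_assign(grantor_roles, role_to_assign):
    return not assignment_violations(grantor_roles, role_to_assign)


# Scenario from the answer: same depth is fine, Organization depth is not,
# and a privilege the grantor lacks entirely cannot be handed out either.
OK_ROLE = {("account", "read"): Depth.BUSINESS_UNIT}
TOO_HIGH_ROLE = {("account", "read"): Depth.ORGANIZATION}
UNHELD_ROLE = {("contact", "read"): Depth.USER}
```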
