We are trying to create a separate Admin role to assign to users to be able to call the Google Classroom API (domain). If we set them to be 'super admin' it works but we do not want to give these users super admin permissions. Anyone knows any guide or the settings to set on this?
Answer:
There is no role apart from Super Admin that will let a user make all these actions. You can check that by assigning custom admin roles to the user. Even if all possible privileges are checked, if the user is not a Super Admin, the user cannot act as a domain administrator in Classroom API.
What non-Super Admins can do:
Non-super admin users can only access courses they are part of (as teachers, or students), not all courses in the domain.
They can remove students and other teachers from courses they own directly via courses.teachers.delete and courses.students.delete, but they cannot directly add new students and teachers to their courses via courses.teachers.create and courses.students.create. Only domain administrators (Super Admins) can do that. Non-admins must first send an invitation via invitations.create(), and obtain the user's consent.
Update: Service Accounts:
You can also make your application use a Service Account in order to impersonate a Super Admin, so that this account can act on behalf of this admin, and do what the admin can do. To do this, you would have to create the Service Account and delegate domain-wide authority to it, by visiting the Admin console and following the steps specified here.
Beware, granting domain-wide delegation is a very powerful tool, since it gives the Service Account the ability to act on behalf of any user in the domain, so it could be easily abused if not managed carefully (without domain-wide delegation, a Service Account is similar to a regular account, and it can only access resources that have been created by it, shared with it, etc., like a regular account).
Anyway, once the domain-wide delegation is created, using the Service Account in your application is very similar to using a regular account. In the application, you have to build the credentials and then specify which user should be impersonated by the account by writing the user's email address. I don't know which language are you using, but you can find code snippets to do this in Java and Python here, or with Node here.
Reference:
Create custom administrator roles
Manage Teachers and Students
Related
When I login to google classrooms as a SuperAdmin, I can view all classrooms and also assign teachers. I need to delegate these responsibilities, so is there a way I can provision a "school principal" account, that can create classrooms and assist teachers in any classroom activity (be a co-teacher)? My hesitation with sharing the Super Admin account is that the user would full control over the domain.
Is there anything that can be done in the role privileges to customize this experience?
You don't need to grant a super admin role to a user to manage classroom as an admin. Instead, you can grant a restricted admin role to one of your users either by using a pre-built admin role or by creating a custom admin role with the permissions you would like to grant the user. Therefore, you could grant a restricted admin role to your principal so that he can manage Google Classroom and other limited features of your domain. I tested this using Help Desk Admin and Services Admin roles.
This is a list of the admin permissions that exist. Here you can find more information about setting up administrator roles to other users.
However, it seems from the Original Poster reply and from my own testing that this new Classroom admin cannot modify or add teachers to other classrooms unless he is invited to the other admin's class. So you should invite your new admin to all your classes as a teacher and then he will be able to edit and add teachers to this class.
I'm using this site for testing:
https://developers.google.com/classroom/reference/rest/v1/courses/list
I have a project setup with a service account:
The account was created with read only domain access.
A project was setup after the fact.
I then added the account after the fact.
I then enabled the Classroom API in that project.
I added the courses scope at the site linked above to domain wide delegation for the service account.
My admin account gets a 200 response with a full list of courses. My service account gets an empty 200 response. If I grant the service account domain admin it returns a full list of courses. I'm happy to provide sanitized screen shots if needed but does anyone know what rights a service account needs short of domain admin to be able to access Google classroom data through the APIs?
Impersonating an account in the domain:
A service account that has been granted domain-wide authority can access the same data than the account it is impersonating.
As explained in this answer, only domain administrators can access all the courses in the domain. The rest of users can only access the courses they are part of (as teachers, students, etc.).
So the only way for a service account to retrieve all courses in the domain is to impersonate a domain admin (or have another account added to each course in the domain).
Service account by itself:
On the other side, a service account that has not been granted domain-wide authority or that is not using this authority to impersonate another account, will only have access to the courses it has been added to.
And since a service account is technically not part of the domain, it cannot be added to a course in the domain (only accounts within the domain can be added to a course – what sense would it make, anyway, to have a service account as a teacher or a student of a course?).
So, a call to courses.list cannot return any course in the domain: it will return any courses that the service account might have created on its own, which are not part of the domain.
Reference:
Using OAuth 2.0 for Server to Server Applications
Assume we have an app on G Suite Marketplace, and a G Suite domain administrator wants to delegate domain-wide access to the domain's users' data (as explained here).
For signup purposes, the 3rd service itself needs to know the domain name and the username of the administrator who performed domain-wide delegation of authority. This is needed to be able to use the Directory API (see note here)
I can easily get the domain name (by using Universal Navigation Extension, and adding ${DOMAIN_NAME} to the callback URL, as explained here). However, I didn't find a way to programmatically access the username of the administrator who performed DWD.
Any hints how to do that? Or if that is possible at all?
Thanks in advance!
Method 1:
When the user clicks in the launcher link (or just during installation with the configuration link you can configure) you need to do the OAuth2 flow and obtain the user email. Then you use the email assuming it is from an admin and it usually should be. If not, just return an error and wait for the admin login.
Method 2: ONLY TO GET THE DOMAIN, not the user.
Use the Marketplace License API https://developers.google.com/gsuite/marketplace/v2/reference
You can periodically use the list endpoint and find the user that installs (or removes) your application.
In any case you should store the list of domain super admins to be used when necessary.
The Directory API throws a 'Not Authorized to access this resource/api' error when I try to list the groups in a domain as a non-admin. But gmail autocompletes the group names (which means it is able to retrieve the list of groups) for non-admin users as well. Is there a way to get the list of groups or search from the list of groups in a domain without being an admin?
The best way to do if you are not an admin user, is to impersonate the admin by using a service account. You need to enable domain-wide delegation for your service account to impersonate a domain admin when making a request. See this SO post and another discussion for this github post.
I'm looking to do an integration that makes use of a shared calendar for the domain my app is installed on. My initial plan was to create the calendar under the domain admin that is shared with the rest of the users on the domain. My concern though is what happens if the domain admin changes?
It seems like that calendar could potentially be lost. What are the best practices in this circumstance? Should I be making an admin account for myself at the time of install? Or should I be creating calendars under my service account?
When admin is changed for a domain, before changing, another admin should be assigned. It cannot happen domain with no admin. So, the new admin gets all the rights to the calendar.
If you want to maintain a single calendar and share with all the users in the domain better go with Admin account.
If you want to have individual calendars to all the users and want to access their calendars, go with service account. With service account you have to do domain wide delegation means sharing your service account to the calendar. Also, users initially should give access to the service account to access the information.
Check this link and this link for calendar sharing options.