I’m new to google classroom api. I want to create a process that will query all classes, students, assignments etc. It will run unattended.
So, my questions are:
will offline scope allow the process to query the api unattended?
can only an admin user see all classes, students, assignments?
or, can a g-suite user be created with limited read-only permissions to certain resources?
Thanks
Since this is an unattended batch process and Google OAuth access tokens expire after 1 hour, you will likely need offline access. You can do this by adding the parameter access_type=offline in the authorization URL.
In terms of actually acquiring all classes, students, assignments, etc., here are a few things to note:
If you're a domain administrator, you can retrieve courses, students, assignments, invitations, etc. in their domain and will not need each teacher to authorize these requests.
If you don't have domain administrator access and want to retrieve all these items, you will have to have each teacher authorize your request(s).
As for your last question, I'm not entirely sure what you mean -- could you clarify? Are you asking is if one workaround would be to create a G Suite user that has read access to all these resources and then use that account to make all the requests?
You can create a service account and use it to query all data on behalf of users-
https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
Related
As a freelancer, I used opencart for my clients, one table called users, another table called customers.
I tried wordpress + woocommerce, that's only one user system. I haven't really used this, just test.
If we use only one user system, I have a question. What/how account should the employee/staff use? Use the private email, like peter#gmail.com? This maybe not easy to manage. Any characters could be the email. like haha123#gmail.com. then we don't know who is who.
Or create a company's account like peter#nike.com, force the staff to use the real name.
But when a staff have two accounts, he login as staff at work time. And he buys things for himself. Then he resigned, leave the company. His work email is canceled, frozen, inactivated. Which means that he cannot access his own order records. And maybe the private order is still ongoing, haven't received, not paid yet. This caused problems.
What solution should we use?
WordPress is based on the Roles and Capabilities system. Users will have a role while Each role will have different capabilities assigned.
Whenever WordPress code performs an action as a logged-in user, it basically checks if the user has the capabilities to perform that action or not.
As you explained in your use case, in that case, a staff member will be assigned a role(let's call it manager) that will allow them to do some staff-related things and he can also use that account to make orders and buy things.
If he resigns then the site manager/admin will change his role as a customer and will allow him to use the website and buy things but he won't be able to staff related things, because the custom role will not have those capabilities.
And in some cases, his connection with any data that should be only assigned to staff will be removed and assigned to someone else.
In short, capabilities do all the magic here and instead of assigning multiple capabilities to each user, WordPress creates a role with a set of capabilities to make it simple, and we can assign that role to a user and change it anytime, to revoke or grant more capabilities.
I have a custom application for internal use only where currently users are created by a super admin. Some of the users are from within the business and some external e.g. suppliers/customers.
I'm looking for a way to integrate MS Active Directory as a login option but want to be able to restrict which users from the business can actually use this method.
I have search through all the MS docs and have all the documentation on the different oauth approaches but not sure which one would be suitable for my needs.
I am thinking that perhaps i need to give the admin a way to browse the AD and select the users that can login which then creates inactive user accounts in the mysql database with some sort of MS user ID. Then provide a 'Sign in with MS' button that does the usual auth redirection process to MS and back to the site. At that point I can check an ID and if that matches an allowed user account and if so, sync the rest of the data e.g. name, email, phone etc..
Links I've already found:
https://learn.microsoft.com/en-gb/azure/active-directory/develop/authentication-scenarios
https://learn.microsoft.com/en-gb/graph/tutorials/php
https://github.com/microsoftgraph/msgraph-training-phpapp/tree/master/Demos/03-add-msgraph
Your first order of business is enabling a user to sign in to the Laravel-based app. For this, I strongly recommend not trying to re-invent the wheel (at least not completely), and make use of an existing Laravel package. Laravel Socialite is probably the best place to start, since it has a long list of existing community-provided Socialite providers, including three which work with Azure AD already: Microsoft, Microsoft-Graph and Microsoft-Azure. (Note: Though I haven't tested any of these myself, the first two seem to be the most promising, as they use the newer v2 endpoint.)
When it comes to authorization (controlling access), you have two options:
Control at Azure AD
Once you've got the app integrated with Azure AD, you can configure the app in Azure AD to require user assignment, and then control access to the app by assigning (or not) users to the app. Users who are not assigned won't even make it past the sign-in page.
You can use Azure AD's existing experiences for managing user and role assignment for the app, or you could go all-out and build this experience directly into the Laravel-based app itself, making use of the Azure AD Graph API to create the [app role assignments](https://learn.microsoft.com/en-us/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#approleassignment-entity and user picker experience.
Hint: In either case, remember that you can make the app "superuser" an "owner" of the app in Azure AD (Azure AD > Enterprise apps > (app) > Owners), which will allow them to assign users without needing to give them any additional privileges in Azure AD.
Control at the app
In this approach, you allow all users to sign in to the app with Azure AD, but then you use your app's own authorization logic to decide who makes it any further, and what roles they get in the app.
In reality, you will most likely find the best approach is to use a combination of the two, with some of the authorization enforced by Azure AD and the next level enforced by the app itself.
If you would do it in this way, it will be necessary that the super-admin has always this permissions in the AAD. From my point of view it is less practical.
I would perfer such app-assigments with help of Service Principal. You assign a role (look for app roles) to the user and then your business logic must decide which permissions the user has. If you would use the app roles feature, then you can restrict access to the role with it's help. All the user can login, but only users with a specific role would be able to see a content of the app.
I hope this hints can help to find a right direction, but there is no silver bullet solution... :/
I've created a service account in G-Suite and delegated it domain wide authorization so that I can collect information on all the Drives within the suite.
The problem I've come across is that I need a list of all the users within the domain. To do so I can call the Directory API, but the problem is that I actually need to do that as one of the admins. The problem is that I can't know who the admins are without using one of the admins(or users? I confirmed the call to the directory API with a superadmin account). Is there a way to call the Directory API without a user email? Or is there a way to as the service account to get a list of the admins so that I can make API calls on their behalf?
To use Directory API, you must** impersonate one of the admins of the domain, as you say. There really isn't any way around it (as far as I'm aware) - you must ask the admin who's installing your app to provide their email address.
** For some activities, like listing all users, you can impersonate an end user, but that doesn't solve your problem.
We are trying to integrate our platform with Pipedrive. As far as we have researched, in a pipedrive account, there is one admin and he can add multiple users. And the users later can login in their respective accounts.
What we are trying to make sure is that once a Pipedrive account is integrated with our platform, the same account should not be integrated twice. So, I need a unique identifier, that lets me know whether the account has already been integrated.
My initial approach was to check the api key. But it was not successful, since every users in an account have different API Keys.
After a bit of research, I found out that there is an identifier called company_id which is common for all the users in an account. But I could not find anything regarding it in documentation. So, I am not 100% confident to go ahead and implement it in our code.
Does anyone have an idea about this?
Pipedrive support rep here.
The most sure-fire way to ensure this is to make a GET request against http://api.pipedrive.com/v1/users?api_token=your_token_here.
You are correct in assuming the company_id in the additional_data object in the response is static and won't change across any users on the account.
Note that a Pipedrive account may have more than one admin, and that non-admins (regular users) might have visibility (and editing) restrictions in place, which may cause some of your GET, PUT and DELETE requests to fail.
In case you're not doing this already, I'd thus advise filtering the data array from the abovementioned endpoint for user.is_you to equal true and check whether the is_admin property is set to 1 during "registration" to ensure the user setting up the integration is an admin.
Hope this helps!
I'm not quite sure what you're asking for. Are you looking for a unique identifier for each user?
Each user has an id, you can get all users by calling
https://api.pipedrive.com/v1/users?api_token=____
This will return a JSON Object with data on your users, including their names and associated IDs. Admins are just users with different privilege levels. All admins are users, but not all users are admins. All users are part of a company, the company is identified by the first part of the Pipedrive account url ie.
https://FooCompany.pipedrive.com
Are you trying to see if a certain company has been integrated already?
Is it possible to manage multiple calendars from a single program? The task is to add events for different users in a domain, but do it from single program without knowing all users domain passwords. What type of authentication should be used to connect EWS? Is there any admin account exists? How to specify which calendar to update on each operation?
sure is this possible. You will have to create an ExchangeService-instance for each user and set the ImpersonatedUserId property to the mailbox of the user you want to the appointment or whatever you want to add.
have a look at http://msdn.microsoft.com/en-us/library/exchange/dd633680(v=exchg.80).aspx there you can find how to work with impersonation and also have a look at http://msdn.microsoft.com/en-us/library/bb204095.aspx where you can see how to set the rights your user needs to impersonate.
hope that answers your questions...