TL/DR Is it possible to grant a service account access to the auto-generated Family calendar?
Adding a service account to a google calendar is usually achieved by adding the service account in the Share with specific people card in the calendar setting.
On a Family calendar, which is created when one creates a family at https://families.google.com/families that card is replaced by a Permissions settings card which states Events added to this calendar will be shared with all family members. with a link to manage family membership.
I have tried adding the service account to the family membership page but that is not granting the explicit permissions that one typically sees with a service account.
Related
I want to access the entire events existing in a calendar of a gsuite domain. I tried using domain deligation with service account and it allows me to assume a user and get all of its events but i want to fetch the entire events in a gsuite account.
In order to achieve your task, you should create a service account which impersonates the admin of the domain.
Afterwards, you can retrieve the users of the domain by making use of the Admin SDK.
GET https://admin.googleapis.com/admin/directory/v1/users
Based on the list you get, you can get the events from the calendar of each user.
GET https://www.googleapis.com/calendar/v3/calendars/calendarId/events
Where, calendarId is the email of one of the users from the domain.
Reference
Admin SDK users.list;
Calendar API events.list.
I'm using this site for testing:
https://developers.google.com/classroom/reference/rest/v1/courses/list
I have a project setup with a service account:
The account was created with read only domain access.
A project was setup after the fact.
I then added the account after the fact.
I then enabled the Classroom API in that project.
I added the courses scope at the site linked above to domain wide delegation for the service account.
My admin account gets a 200 response with a full list of courses. My service account gets an empty 200 response. If I grant the service account domain admin it returns a full list of courses. I'm happy to provide sanitized screen shots if needed but does anyone know what rights a service account needs short of domain admin to be able to access Google classroom data through the APIs?
Impersonating an account in the domain:
A service account that has been granted domain-wide authority can access the same data than the account it is impersonating.
As explained in this answer, only domain administrators can access all the courses in the domain. The rest of users can only access the courses they are part of (as teachers, students, etc.).
So the only way for a service account to retrieve all courses in the domain is to impersonate a domain admin (or have another account added to each course in the domain).
Service account by itself:
On the other side, a service account that has not been granted domain-wide authority or that is not using this authority to impersonate another account, will only have access to the courses it has been added to.
And since a service account is technically not part of the domain, it cannot be added to a course in the domain (only accounts within the domain can be added to a course – what sense would it make, anyway, to have a service account as a teacher or a student of a course?).
So, a call to courses.list cannot return any course in the domain: it will return any courses that the service account might have created on its own, which are not part of the domain.
Reference:
Using OAuth 2.0 for Server to Server Applications
I'm working on one school app. I'm able to create events using google calender API with NodeJS. I created the clientID and secretID on the school google account. Every time event is created, only the admin has access to start the meeting. But I want teachers(who are creating the event) to be the organizer. How can I achieve this?
The organizer field of an event is a read-only field. You can use the move action to move the event and change the organizer but this can only be done if the authenticated user has write access to the destination calendar.
A solution would be to use a service account and perform domain wide delegation. In this way you will be able to impersonate the user in question and organize the event wanted.
According to the Service accounts documentation:
A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls.
As for performing domain-wide delegation, you might want to take a look into this:
In enterprise applications you may want to programmatically access users data without any manual authorization on their part. In G Suite domains, the domain administrator can grant to third party applications domain-wide access to its users' data — this is referred as domain-wide delegation of authority. To delegate authority this way, domain administrators can use service accounts with OAuth 2.0.
Reference
Calendar API - Events:move;
Service Accounts;
Calendar API - Perform G Suite Domain-Wide Delegation of Authority;
Using OAuth 2.0 for Server to Server Applications.
I have an app using s2s connection with google calendar api. I need to create an event in different users calendars. To make it possible the user should go to the calendar's settings and share their calendar to the service account.
But I would like to simplify this for the user - so that they don't need to go to their calendar settings. I don't have an interface for the user interaction - it's a bot.
How can I access the user's calendar in another way?
Maybe you can change the role set by the user to the calendar. According to this documentation, the owners of a calendar can share the calendar by giving access to other users. The sharing settings of a given calendar are represented by the ACL collection (access control list) of that calendar. Each resource in the ACL collection grants a specified grantee a certain access role. So the user can make you the writer or owner of their calendar, so that you can access it.
Another way is by using Delegating domain-wide authority to the service account,
If you have a Google Apps domain—if you use Google Apps for Work, for
example—an administrator of the Google Apps domain can authorize an
application to access user data on behalf of users in the Google Apps
domain. For example, an application that uses the Google Calendar API
to add events to the calendars of all users in a Google Apps domain
would use a service account to access the Google Calendar API on
behalf of users. Authorizing a service account to access data on
behalf of users in a domain is sometimes referred to as "delegating
domain-wide authority" to a service account
I'm looking to do an integration that makes use of a shared calendar for the domain my app is installed on. My initial plan was to create the calendar under the domain admin that is shared with the rest of the users on the domain. My concern though is what happens if the domain admin changes?
It seems like that calendar could potentially be lost. What are the best practices in this circumstance? Should I be making an admin account for myself at the time of install? Or should I be creating calendars under my service account?
When admin is changed for a domain, before changing, another admin should be assigned. It cannot happen domain with no admin. So, the new admin gets all the rights to the calendar.
If you want to maintain a single calendar and share with all the users in the domain better go with Admin account.
If you want to have individual calendars to all the users and want to access their calendars, go with service account. With service account you have to do domain wide delegation means sharing your service account to the calendar. Also, users initially should give access to the service account to access the information.
Check this link and this link for calendar sharing options.