Non-admin read-only access to Google Admin SDK

别说谁变了你拦得住时间么, submitted on 2019-12-07 16:26:46

Question


In a post on the Google Developers blog from September 23, 2014, it says:

Read access to all domain users

Historically, only admins have been able to access the data in the Admin SDK. Beginning today, any user (not just admins) will now be able to call the Directory API to read the profile of any user on the domain (of course, we will respect ACLing settings and profile sharing settings).

However, despite checking every Google Apps Admin setting I can find, my calls to the Directory API fail for non-admin users. Condensed code:

// OAuth parameters: read-only Directory scope, requested silently (immediate).
var params = {
  client_id: XXXXXX, // redacted in the original post
  scope: 'https://www.googleapis.com/auth/admin.directory.user.readonly',
  response_type: 'token id_token',
  immediate: true
};
gapi.auth.authorize(params, gHandleAuthResult);
// List the users of the caller's own domain.
var request = gapi.client.request({
  'path': '/admin/directory/v1/users',
  'params': {
    'customer': 'my_customer'
  }
});
request.then(function (response) {
  var users = response.result.users;
  if (!!users && users.length > 0) {
    users.forEach(function (user) {
      newMember.id = user.id || '';
    });
  }
});

This is using the Google API Client Library for JavaScript. I've tried this on multiple Google Apps accounts; it always works for admin accounts, never for non-admins, for whom I get the response "Not Authorized to access this resource/api".

A previous post asked about this and received a response that you have to use a service account, but that was from June 2014, before the blog post. I have succeeded in making the call using a service account, but would rather not have to do so as it requires a server to act as a bridge.

The Google developer docs say that "Google engineers monitor and answer against the tag google-admin-sdk", so hoping for an answer from Google here.


Answer 1:


Try:

var request = gapi.client.request({
  'path': '/admin/directory/v1/users',
  'params': {
    'customer': 'my_customer',
    // viewType is a query parameter, so it belongs inside params
    'viewType': 'domain_public'
  }
});

viewType=domain_public is needed to perform Directory operations as a non-admin as described in the reference documentation. There's also a bit more explanation in the user accounts docs.
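
An added example (not part of the original answer, and not Google's code) that pages through users.list with viewType=domain_public, the view a non-admin token is allowed to read. The `send` parameter, the helper names and the `fakeNonAdminSend` stub with its sample users are assumptions constructed for illustration; in the browser `send` would wrap gapi.client.request.

```javascript
// Added example: page through users.list as a non-admin caller.
// `send` is a hypothetical injection point; in the browser pass
// (args) => gapi.client.request(args).
const USERS_PATH = '/admin/directory/v1/users';

function buildListArgs(pageToken) {
  const params = {
    customer: 'my_customer',
    viewType: 'domain_public', // required for non-admin callers
    maxResults: 200,
  };
  if (pageToken) params.pageToken = pageToken;
  return { path: USERS_PATH, method: 'GET', params };
}

async function listDomainUsers(send, maxPages = 50) {
  const users = [];
  let pageToken;
  for (let page = 0; page < maxPages; page++) {
    const response = await send(buildListArgs(pageToken));
    const result = response.result || {};
    for (const u of result.users || []) {
      users.push({ id: u.id || '', primaryEmail: u.primaryEmail || '' });
    }
    pageToken = result.nextPageToken;
    if (!pageToken) return users; // last page reached
  }
  throw new Error('page limit reached before the listing ended');
}

// Constructed stub standing in for the API as a non-admin sees it:
// rejects with 403 unless viewType is domain_public, then serves two pages.
function fakeNonAdminSend(args) {
  if (args.params.viewType !== 'domain_public') {
    return Promise.reject({ status: 403 });
  }
  const pages = {
    '': { users: [{ id: '1', primaryEmail: 'a@example.com' },
                  { id: '2', primaryEmail: 'b@example.com' }],
          nextPageToken: 'p2' },
    p2: { users: [{ id: '3', primaryEmail: 'c@example.com' }] },
  };
  return Promise.resolve({ result: pages[args.params.pageToken || ''] });
}

listDomainUsers(fakeNonAdminSend).then((users) => console.log(users));
```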



Source: https://stackoverflow.com/questions/30267606/non-admin-read-only-access-to-google-admin-sdk
