I'm developing a Gmail Add On with Google Apps Script, which is intended to be used only by enterprise accounts (Google Workspace Accounts).
One of the requirements of the app is that when the Admin installs the app for all its users, they have to configure some organization wide configuration values (a license key for example).
I tried with the following code:
const userProperties = PropertiesService.getUserProperties();
userProperties.setProperty('licenseKey', '[TOKEN]');
But when I do this, the data is only accessible for the current user (and therefore I would need every user to know this key in order to save it on the configuration variables). I'm looking for an option in that a user saves this setting variable and then everyone on the domain can read the saved value.
Related
Using the app script properties service I can allow users to store some settings information. I understand that these are stored for a given user for a given script. As the admin is there anyway for me to review all the users properties?
Also does anyone know if you are allowing the script to run as you (the publisher) does the user properties store as the user accessing the script. I know that the session data is for the actual user and not the publishing user(even when running as the publishing user).
Thanks
I'd like to suggest storing the user properties in Firebase. This will give you full access to them as needed, and they load really fast for the user. My two go to docs for this are this one to get the library and this one to as for details. If this is not possible, an alternative could be to append a row to a google sheet each time the user updates their users properties. I use both of these approaches for also tracking detailed app usages.
I have developed a few small apps that connect to our google domain. However each time I have to authorize one of these apps I need to add a different
Authorized API client by using it's "Client Name". Is there a way to set this client name to something of my choosing? It would make it much easier to quickly understand what apps are OK to remove from the list later on.
Thanks!
...edit...
I may not have been specific enough, here is an image of where I want to change the value. This is from the google admin console for google apps under Security -> Show More -> Advanced Settings -> Manage API Client Access
CLient Name Field
For all the apps I've developed so far my Client Name(which I pull from the google developers console) is either a seemingly random string of only numbers or a random string of numbers and letters follow by "apps.googleusercontent.com". Yet I've seen other apps that somehow have their company name listed there. How can I choose my own Client Name as I've seen in other apps?
You can set client name and the scope by goinog on the Manage client API access page. Register your client in the Authorize a new API client settings.
Enter the client name provided by the third-party vendor and specify the scope. Add a new client by entering the client name (OAuth consumer key) and API scope and clicking "Authorize". You should verify that the client is known to you and that they have an appropriately small scope of access.
For each client, you can specify multiple APIs, separated by commas. For example, to allow access to both the Contacts and Documents List APIs: "http://www.google.com/m8/feeds/, http://www.google.com/feeds/". The list of clients is unique, and cannot have two entries in the list for one OAuth client. You can use any of the Google APIs that currently support two-legged OAuth for Google Apps domains
Authorized API Clients
Add your APIs from the list of approved clients and their scope.
After the client has been added, you can remove a client that has a specified API scope by clicking the "Remove" link. If the client is the OAuth consumer key for your Google Apps domain, you'll see the link, "Manage". Clicking this link takes you to the Manage OAuth key and secret for this domain page where you can edit the client (for example, turn off global API scope access).
For more information about OAuth, please follow this link: https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
In case you meant how to set the application name when you connect with the php api client, you can use:
$client->setApplicationName('App Name Here');
Participating Components:
(all in the same project)
Android App
Web App
Service Account
The users have authorized the app on their Android devices with Cross Client Identity:
oauth2:server:client_id:[web_app_id].apps.googleusercontent.com scopes ...
Flow:
Several users request the creation of the same file through the Android app ( a file for every user is not desired, see "Known workaround" )
A service account then creates that file ( service account is owner )
Service account shares that file (by link and explicit with users)
User authorized drive service / or service account that impersonates a user tries to copy that file to the user's Google Drive ( User has to be the owner of that copy in the end)
Error:
This fails with scope drive.file ( and also drive.readonly ):
Error Message:
The authenticated user has not granted the app [project_id] write access to the file [file_id]
(btw: why write access is needed with copy()? giving users write access to the file does not change this error)
Known workaround:
It works with full drive scope
( but: my app does not need to see files it has not created - so i want to avoid it)
Same result can also be achieved by re-inserting the file instead of copying it
(this overhead is important for my app though, cause same file might be requested by multiple users)
An explicit interaction with a file from a UI Picker or so will propably not work as the file will have to be created after requesting it. also i can't think of a way how to do that without decreasing usability of the Android app.
Expected result:
www.googleapis.com/auth/drive.file: Per-file access to files created or opened by the app
It seems to me this should be enough.
As the file is created/owned/shared by my app's service account.
and copied by my app on behalf of the user.
www.googleapis.com/auth/drive.readonly Allows read-only access to file metadata and file content
At least this one should work as it should give read access to all files which should be enough to copy a "shared with user" file created by an "authorized by user" app.
Question:
the Web Application and the Service Account are in the same project.
Can the Web Application act like a Service Account on behalf of a user? if so - i don't know how. Would that make a difference anyway?
This seems like a Bug to me in this special use case, as the same result can be achieved with a workaround. At least scope drive.readonly should allow my app to copy app owned files to the user's drive.
Making a copy through the plain Service Account and then changing the owner of that copy to the User would be another workaround, but that fails too.
I must be missing something simple.
Please guide me.
Thank you.
I had the same problem and resolved it using the drive.metadata in combination with the drive.file scopes. Related question
What are the distinct consequences of setting readwrite or readcreate as values of access property for permissions entry in the manifest of a Firefox OS app?
Those permission access values in the manifest are used currently by two APIs, Contacts and Device Storage. For example if your app needs to only read the phone contacts, you have to set "readonly" access. If you set "readwrite" for no good reason (your app doesn't need this higher level of access), your app might fail the review for being added in a marketplace. Another example is if your app just needs to export a contact and save it to the phone contact list. In this case you need to set "createonly". With this setting in your manifest, trying to read or modify an existing phone contact will fail. "readwrite" will allow you to both read, modify and create contacts. "readcreate" will allow you to just read and create contacts.
With those permissions set, the user will be prompted if he wants to allow the corresponding operation. The access levels methods are fine-gained so that the user has more control over what the application can do with his contacts/files.
We have a google corporate account and need to transfer ALL of a user's google drive files to another account in certain instances. We want to do what is described at the following link for "all files" but programatically via the latest Drive API http://support.google.com/a/bin/answer.py?hl=en&answer=1247799
We are currently using the following API version(s) below, coupled with domain wide authority delegation as described at https://developers.google.com/drive/delegation and are able to see a user's files, iterate over them etc.
google-api-services-drive 1.14.2-beta
google-api-client 1.14.1-beta
My question is this: it appears that the only way to change permissions is by fileId by fileId etc. Instead of having to traverse and iterate over an entire set of user's files, if we just want to transfer ALL of a user's files to another particular user: is there a way in the API to do this (ownership transfer for ALL files) rather than individual requests file/by file?
Also when transferring ownershisp, must the transferee be in the same #domain or can it be another #domain we manage? I read somewhere that you can only transfer to owners in the same domain. Does this still hold true? For instance we manage #myCompany.com and have our corporate account registered under that, however that shell account has several sub-domains within it. We would like to transfer files from users in the sub-domains to a central user in the #myCompany domain.
You need to change permissions file by file, there is no updateAll type of functionality at the moment.
You cant transfer the ownership to another domain's user. Ownership can only be transferred to another user in the same domain as the current owner.
This answer doesn't directly answer your question, but it could be helpful for both you and future visitors.
As of now, you can mass transfer files to new users with Google's new Admin console. It doesn't let you filter for specific folders, but it does allow you to transfer all of one user's Drive files to a second user.
I know you were trying to create something which uses the API to iterate through folders and files, and you probably have a very specific use-case in mind. However, in the case where you have employees leaving, or you need to transfer everything, using the following method is fast and simple.
Open the Google Admin console
Go to Google Apps > Drive
Click on "Transfer ownership"
Fill out both user fields and submit
This process will even email both users once the process is completed.
You can do this with a single call to the Data Transfer API
Exactly what is needed but only with API!
Open the Google Admin console
Go to Google Apps > Drive
Click on "Transfer ownership"
Fill out both user fields and submit
This process will even email both users once the process is completed.
If this is not possible via API calls, then there is no point deleting a user using API.