I have a data studio report that will show different data based on different users. I developed appscript and expose it as Community Connector so that I can control type of data to return back to data studio.
In my appscript, I'm using Session.getActiveUser() to track the current user. When I tried to open up the data studio report link using different gmail account, my appscript log shows that Session.getActiveUser() always returns the same email.
I even deployed the appscript as
Web APP > execute as user accessing the app
Add On
Library
How can appscript Session.getActiveUser() can return detect the current user who is access the data studio report link? Or is it the right way to do it?
According to the documentation, you'll need to use Session.getEffectiveUser to determine the user's identity.
https://developers.google.com/datastudio/solution/blocks/user-identity
This answer also describes what to expect depending of if the data source is set to 'Owner's credentials' or 'Viewer's credentials'
Related
I would like to get the email address of the current viewer of a google data studio dashboard and use it as a Dimension in every chart so that the user will only be able to view data that is relevant to him/her. Is that possible in Data studio?
It's not straightforward but it's possible using views (see link) in BigQuery and then using Viewer's Credentials in Data Studio when creating the data source (Owners Credentials are selected by default)
Row-level permissions
Trying to dev a community connector for Datastudio, I'd like to retrieve, from my getData function, the user currently using the report (not the creator of the report).
When I log the Session.getEffectiveUser().getEmail() or Session.getActiveUser().getEmail(), it is not the name of the user. I tried setting auth mode to NONE or OAUTH2: same result.
Any idea if that's possible?
If the data source is using Owner's credentials, Session.getEffectiveUser().getEmail() will give you the data source owner's (i.e. creator) email address. If someone else views the report, you cannot get their identity in the connector.
If the data source is using Viewer's credentials, Session.getEffectiveUser().getEmail() will give you the viewer's identity. However, with Viewer's credentials, the viewer will have to authorize the connector first. Otherwise viewers will see error when they view the dashboard.
This is not a real answer but a way to help on solving this question. When you check scope authorization in the user account for the data source, we can see the userinfo.email scope validated, good point.
If you are in testing mode (step 13 in this code lab for example https://codelabs.developers.google.com/codelabs/community-connectors) if you add the Session.getEffectiveUser().getEmail() in a console.log for the getData() function you will get user email.
=> For that as you are in testing mode you have to share the script code in read only for anyone with the link.
If the script is not shared you will not get email and generate an error when you try to access community connector.
The question now is to know if once the connector is published if you still need to keep you file shared publicly with anyone with the link.
My guess is not.
I'm able to create a user specifically for integrations and enter the corresponding credentials when configuring my WSS send port. This works fine, however, as expected, when I view the document in SharePoint, the "Modified By" user on the document is the integration user.
Is there a way that I can set the modified by field in SharePoint dynamically? That is, the user that actually initiates the integration? (I have the user's information available when the adapter sends the document to SharePoint, I'm just unsure of how to tell SharePoint to impersonate the integration as a specific user).
I am trying to upload some documents on Google drive, i want to run a cron script which is executed at mid night every day and the files generated as a result of it should be uploaded on the uses Google drive.
I tried the standalone script, which uploads document on Google drive, but for that i have to every time do allow access via browser.
However my purpose is to run a cron and upload the files, at the time the cron executes there will be no browser access.
Is there any way i can do the authentication process without manual intervention.
any help in this case would be really appreciated.
THanks,
you can authorize your App(script) with Google Drive.
Here, you mentioned you are writing a script which upload docs to your Google Drive.
I suggest you register a app in Google Cloud Console to get client ID and client Secret firstly,
and turn on Drive API for you registered App.
Then use this client ID and Secret to run oauth flow in your script to get an access token and refresh token, the access token's lifespan is about 3600s, and if it's expired, you can also get a new one with the refresh token.
User's interaction(consent) is required only in the first time you request access token.
In this way, your script can work in "a real script way".
Here are some reference:
https://developers.google.com/drive/about-auth
https://developers.google.com/accounts/docs/OAuth2InstalledApp?hl=zh-CN
I am assuming its only one user drive account you are uploading to. Have you considered using a service account fo this? https://developers.google.com/drive/service-accounts
If its not a single user account you are uploading you can just save the refresh token some place and use that to get a new authtoken every night.
Hi i figured the problem,
i was generating refresh token from oauthplayground and was trying to integrate it in the php script....which was invalid......
I then printed the refresh token returned for the first time when a user allows access and used that for future generation of access token and it works like charm. thanks All for help
I've created a Google App Script that handle 2 different OAuth connections.
1- Google itself to send mail on behalf of the user and access google docs (google api console used to get keys, secret)
2- gtraxapp wich is a timesheet cloud-based app. (Script is registered, got a key/secret, etc.)
The script is published as a web app. It works perfectly for my user.
When logged on a different user name, I can authorize Google OAuth without providing different key/secret, and emails will be sent from the actual user.
Problem happens with the 2nd app (gTrax).
Authorization seems to work. Running the function inside the script to authorize lead to a screen asking for permission, gtrax then appears in the account as a registered app (could revoke access if needed).
But, when running the app, I get a message saying I need permission to do this action (UrlFetchApp / simple get)
My question is :
Is this possible that I need to register each user to get a key/secret for everyone (and dealing with that in the script)...
Or do OAuth can be registered with 1 key/secret ?
In other word, are (should) key/secret linked to a single user or are they only a kind of RSA-like key pairs that, when verified, can be used to authorize any user.
My understanding is this. When you use built-in Apps Script functions, like MailApp.sendEmail, the Google Apps Script "environment" takes care for you to ask authorization for the user (1st time he access your app) and save and manage the oAuth tokens for you, so it all runs smoothly.
When you call an external service using UrlFetchApp, Apps Script oAuth authorization process works differently. The authorization is just a strange popup you get on the script editor, when you actually make the fetch call. It is not processed at "compile time" and asked before you run anything like the other services. But you also do this step only once.
The "gotcha" is that this different authorization process does not work when a user is running the app as a webapp. AFAIK it only works from the script editor itself or running directly from a spreadsheet.
If your users are just a known few, you could advise everybody to open the script editor (or a spreadsheet that contains it) and run an specific function that will just attempt the UrlFetchApp.fetch call so the popup shows up and they authorize it. Once this step is done, they can use the webapp normally. Apps Script will do the magic for you after that.
But if you plan to share this broadly, say at the Chrome Web Store, and don't want to ask every user to do this somewhat strange step, then you'll need to manage all the authorization process yourself. It means, you'll have to register your app with the third party service (if it's Google's, it's at the API Console), where you will receive a client id and a client secret. With those you'll have to place a "Authorize" submit button on your app html that will redirect the users to the 3rd party authorization url, providing the correct scope, etc. When they authorize it, the 3rd party will redirect the user back to your app providing a code token as URL parameter. You'll use this code to call the 3rd party oAuth service to get the real access and possibly refresh tokens that you'll have to use on your UrlFetch calls. You'll be responsible to save these tokens, refresh them when they expire and so on. Not a very simple procedure :-/
Oh, and although your app have only one id and secret, the tokens are per user. Which makes sense, since each call you do must be on behalf of a specific user and he *must* have authorized it.
I hope this helps.