We are developing an application, in that we need to get all the files of all users in the domain. We have enabled service account with domain-wide delegation already, but whenever we tried to access all user's drive, it is required to get each user access token separately after setting each user id using google credential object method (e.g. googleCredentialBuilder.setServiceAccountUser({email_id})). We are using Drive API client library for Java and admin SDK for getting all the users in the domain.
So, our concern is to get all users to drive files using a super admin access token. Is there any alternate way to get all users to drive files using domain/admin-level access token. Kindly help me in this regard.
To obtain all the Drive files in the domain, you have to use delegation as follows:
Use the Directory API users.list() API call to determine all users in the Google Apps domain.
For each user obtained in step 1, do:
2.1. Call files.list with the parameter q set to "me" in owners to get a list of all files the user owns.
To do all of this you don't necessarily need a superadmin account. You just need to set up credentials with domain-wide delegation enabled. You can read more about how to do it here.
Related
Is there a way to get list of users requesting permission for a file/folder using Google Drive API.
I have seen API to grant permission to an email address using the API but couldn't find any endpoint to get list of users requesting access to a file/folder.
Ideally I want to fetch get all the users requesting permissions for my shared folders and approve/deny them.
This is not possible with current Drive API, but you could use Gmail API as a workaround:
list email by labels (add filter to those emails requesting access)
parse it
grant access to users you want with Drive API
Good luck,
How to test safely an app that reads and writes to Google Drive using the API?
I created an app that runs on a server, that basically copies a template google doc to another directory, and then edits this new file.
In order to do that I:
created a service account,
delegated domain-wide authority to this service account
(https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority),
Then the app impersonates a user of the domain (always the same user) to access the API resources.
This app works, but it has 2 problems:
the service account has access to too many things. Ideally, I'd like it to have RW access to one folder only,
I'd like to create test credentials that would have access to another specific folder only, or even better, another drive.
Thanks!
Drive does not have permissions based on folders. The closest you can get is by creating an additional Service Account and then share the folder(s) to that SA.
You can also change the sharing setting for just one organisational unit,doing that all the folders whose owners are part of that OU will be able to share it outside or your domain making that the SA have only access to those folders.
I have created a web app which is making use of Google Drive API/ REST v2 (https://developers.google.com/drive/v2/web/about-sdk) to perform actions such as create/update/rename/delete of documents etc.
I am authorizing requests with OAuth 2.0 (client side - that means every access token is valid for ~1h and then silently I am getting a new token) and then perform previous actions using that token.
I have a new requirement for the authorized user to share his/her documents for writing/updating them (I found out that API has option for inserting permissions (https://developers.google.com/drive/v2/reference/permissions/insert : role: writer, type: anyone).
Is it possible for a non-authenticated user to be able to write/update documents (programmatically - via Google Drive API v2 or another API?) that have been created from the authenticated user that shared these? (something that is similar to google docs/ sharing when a user is sharing his document and offline users are able to edit it?
Thanks.
Is it possible for a non-authenticated user to be able to write/update documents (programmatically - via Google Drive API v2 or another API?) that have been created from the authenticated user that shared these? (something that is similar to google docs/ sharing when a user is sharing his document and offline users are able to edit it?
What you are describing here is something called a service account. Service accounts are like dummy users. You can share a file on your Google drive account with the service accounts email address and the service account will then have access to that file. Assuming that you gave them edit permissions it will be able to read and write to it without authenticating.
Note: service accounts do not work client sided you will need to use a server sided language to use service accounts.
As an admin of G suite account, is there a way to access a domain user's G Drive data with Google Drive API, but with by passing the authorization screen?
In other words, the OAuth2.0 is setup for each user without need the user to interact with Google directly.
If possible a web code sample in C# would help.
Thanks
B
Using a service account with domain-wide delegation is exactly what you're looking for.
Service accounts are used for impersonating a user, avoiding their human interaction for authorizarion.
Depending on the scopes you use, you'll be able to define the level of access you want for your app.
You may find a sample here.
I'm looking for a way to impersonate users of a google app domain using a admin user. I could do it easily with google data document list api but I cant find a way to do it with the new Drive API.
Precisely, what I want to do is authenticate my admin user using Oauth2 (i've already done this), retrieve a list of the users of my domain and then impersonate my users, or at least be able to access files and docs from the Drive of those users.
In the administrative panel of google apps, there are Oauth consumer key and Oauth consumer secret, but these are used in Oauth1 2LO, not Oauth2.
Is there a proper way/workaround/hack to implement what I want ?
Best regards,
Jérôme
I've only been looking at the google-api-ruby-client as an example but you should be able to do this with a service account that is permitted access through the admin panel -> Advanced tools -> manage third party oauath clients. Once permitted you can follow the example for a service account here http://code.google.com/p/google-api-ruby-client/source/browse/service_account/analytics.rb?repo=samples but instead of authorizing with
client.authorization = asserter.authorize()
you can use
client.authorization = asserter.authorize("id#domain.com")
I haven't done a lot with this yet but after authenticating in this method I've been able to list all documents owned by a user on my domain.
Thanks to James Woodward, i've been able to impersonate user. I post an answer to provide Java specific details.
Create a service account in the API console. 3 important resources are created :
Client ID : used to authorize the app on the Google Apps domain
Email address : used to authorize the requests of the app
.p12 key file : used to authorize the requests of the app
Authorize the app on the Google Apps Administrative panel, providing it with Service account client ID, and all the scopes the app will need.
Create GoogleCredential this way :
GoogleCredential serviceCred = new GoogleCredential.Builder().setTransport(HTTP_TRANSPORT)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId(SERVICE_ID)
.setServiceAccountScopes(Arrays.asList(SCOPES))
.setServiceAccountUser("impersonated.user#domain.com")
.setServiceAccountPrivateKeyFromP12File("key.p12")
.build();
Those credentials can now be used to authenticate the requests made by the app on any scope authorized.