Is it possible to retrieve the list of users in a Google Apps Domain with a non-admin account?
Non-admin users can call users.list(viewType=domain_public) which offers the same amount of details that the users see in the domain contacts directory.
Depends on what you think an admin account is.
Long ago the user roles were just "regular" and "admin". Now you can choose from a fine-grained set of permissions and define a role name for them. "Superadmin" is now a built-in role that has every permission possible.
So, if you define a role which can retrieve the user list and assign it to a user I wouldn't call it an admin account.
You need to be a true admin to do that, though :)
As a complement to the other (excellent) answer, what I do in our domain is to create a full list of domain users in a spreadsheet with all necessary informations and run a script every night that updates the spreadsheet automatically. When I make a change (add or remove user) I can run the script manually to avoid temporary differences.
This script runs as "me" but any domain user has access to the list (I invite them to this shared doc when I create their account so it shows up in their drive/shared with me folder). With this solution I don't need to give special rights to any users.
Related
I would like to have an access to objects on a shared disks created by other users using SA accounts.
I discovered that by making a call to https://www.googleapis.com/drive/v3/files with the following query:
q=mimeType!='application/vnd.google-apps.folder' and 'GOOGLE_DRIVE_FOLDER_ID' in parents and trashed=false&supportsTeamDrives=true&teamDriveId=GOOGLE_TEAM_DRIVE_ID&fields=files(id ,name ,webViewLink ,webContentLink)
I get different results depending on the account. If I am using access token generated for service account we get different result than if I am using access token generated for a user account.
Service account "sees" only files that were create by that particular service account whereas regular users "see" all the files created by other users as well.
Anyone had similar issue and know any solution or workaround?
I get different results depending on the account. If I am using access token generated for service account we get different result than if I am using access token generated for a user account.
What you need to understand is that you can only see the files that you have permission to see. If you are logged in on a normal user account you will only be able to see the files that you own, or have access to. The same goes for a service account, think of a service account as a dummy user. The service account can only see the files it has been granted access to.
Assuming that your shared disks that you are talking about is gsuite then you can have the gsuite admin set up domain wide delegation on the service account and grant it access to the files on the domain.
permissions
If you dont have gsuite or dont want to give the service account full access to the domain you. You might also want to try having the owner of the drive run a permissions.create and add the service account.
Using the app script properties service I can allow users to store some settings information. I understand that these are stored for a given user for a given script. As the admin is there anyway for me to review all the users properties?
Also does anyone know if you are allowing the script to run as you (the publisher) does the user properties store as the user accessing the script. I know that the session data is for the actual user and not the publishing user(even when running as the publishing user).
Thanks
I'd like to suggest storing the user properties in Firebase. This will give you full access to them as needed, and they load really fast for the user. My two go to docs for this are this one to get the library and this one to as for details. If this is not possible, an alternative could be to append a row to a google sheet each time the user updates their users properties. I use both of these approaches for also tracking detailed app usages.
There's one special folder that I need everyone as collaborators. I can add all existing members but would like it be automatically done for all future new members.
I know I could write an app using Box API to check for new members and then add collaboration through API, but just want to know if there's a simpler solution - just create a folder and apply some settings, then new members could be automatically invited.
Thanks a lot!
Is your account enabled for single sign on? If so you can pass the group membership via SAML and assign the folder you wish all users to be collaborated on to that group.
For instance you could create an "All Users" group on Box (Admin Cosole >> Users and Groups) and then assign it your "All Users Default Folder" then pass this "All Users" group name as an attribute in your SAML assertion.
If you do not have single sign on enabled I would still recommend collaborating new users by group membership but you will need to perform two steps
1. Create a new user
2. Add the user to the "All Users" group
These functions can both be done via the API. It just depends how you are currently provisioning seats to your Box account.
I would like to use Google Forms as a means for the users of my system to enter their login credentials to various system tools.
The reason this is important is because as their admin, I will need to manage various aspects of their tools.
Users are (rightly so) anxious of entering passwords in clear text boxes. What is the best method for retrieving such information in a safe and user-friendly manner?
You should NEVER collect user credentials for 3rd party services, e.g. collecting username/password to Google accounts. Not even if this is a Google Apps account belonging to your organisation (note that google gives admins the ability to reset password but not to view it). Also, a lot of users are now using two-step verification, so collecting user credentials will not work.
If you need to access Google services in the name of the user, than you should look into OAuth.
I have a web app in php mysql, I want to use one google drive account for my app.
Can I use my app's accounts instead of google users for privilages.
I read in SDK I can use service account to login without promting user, but I don't know how to share or give permissions files for custom users.
In api reference I found this:
"The user is not necessarily yet a Google user (e.g. if a file or folder is shared with an email address that does not yet have an associated Google account). Example: 1111459233037698895607".
How a custom user in my app should get a token for own privilages.
I am not exactly sure what you want to achieve here, but if you want to use your own permission system, you can't. You can, however, apply read/write/owner permissions to files to mirror your own permissions.
If I have totally got the wrong idea, please explain.