UserManager.createUser() gives me the "You do not have permission to perform that action" error, but I'm already able to create new domain users under the same apps account (non-paid) manually as a super admin. Any reasons why running it through a script would throw this error?
Google Apps Control Panel > Domain settings > User Settings > Select the checkbox enabling the Provisioning API > Save your changes. That needs to happen first.
as a complement to Bryan's answer :
from the doc :
Class UserManager
This class allows administrators to create, update, retrieve and delete users in a Google Apps domain. To use this class you have first to enable the Provisioning API on your domain. For a next-generation control panel, enable the API by logging in to your admin account, and select Domain settings and the User settings tab to select the checkbox enabling the Provisioning API. If your control panel is not Next generation, enable the API by logging in to your admin account, and clicking the Users and groups tab. Then click the Settings subtab, select the checkbox to enable the Provisioning API and save your changes.
Related
probrem
I am Google workspace user and using Google Compute Engine. I enabled OS login for our project, then login username changed to username_with_domain_suffix.
Now I would like to change my username as username with enabled-OS login, so I checked following document and ask workspace admin to turn checkbox [OS Login API and Include domain suffix in user names generated by the OS Login API ] off in Google Admin Console.
Although our admin change settings, my login user does not change and still being username_with_domain_suffix. Are there any other settings required to login with user without domain suffix? Thanks.
reference
change / set gcloud os login username?
Even the check box turned off at Google admin, previously created username won't change. Only the new os-login user will be affected. I think this is because the (posix) username is created at first use of os-login and do not change after that.
In this case, you can use Google Directory API to update your existing posix account information stored at Google Directory.
I had exact same issue and was able to update my posix username with that.
Reference: https://cloud.google.com/compute/docs/oslogin/manage-oslogin-in-an-org#modify-users
API: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/update
You'd need to be a Google Workspace Admin(not GCP) to update it. I used "Try this method" in the API link. No need to write a code. But be careful, you may ruin your account info there.
I have created an App in Google AppMaker and have shared the Deployment to Anyone with the link can view (No sign-in required).
Application Access in Deployment Settings is set to "Do not restrict access to this application".
Application is set to runs with Developer Account.
However, if someone try to access the app with the..
..Deployment URL (https://script.google.com/macros/.../exec), they get redirected to login screen (https://accounts.google.com/signin/...),
the app does open correctly after signing in, but the sign-in shouldn't be required.
..Link to share (https://drive.google.com/file/.../view), they get: No preview available
I switched once to "Application set to runs with User Account", but results remains same. Actually, I reset this setting as I consider "Application set to runs with User Account" to require User authentication in order to load their assigned permission.
I most probably missed something on the way of sharing my app.
Can someone please help?
Let me know if you require more details about this case.
Thanks!!
You can't.
Note: App Maker apps are only available to users in your G Suite domain. You can't share them with external users.
To make sure only users on your domain can access it, users need to sign-in.
For several clients we created websites with a Google Maps included. From July 1st you need an API key to keep those maps working on the website. On https://cloud.google.com/maps-platform/ I can create a new API key. But when I enter a new project name an click on next, I get an error screen, with just an icon with and no additional text, just a close button.
I've searched the web and found Google Cloud Platform with an error message: Google Cloud Platform service has been disabled. Please contact your administrator to restore service in G Suite Admin console. So I've searched de Admin settings (I'm an admin) but couldn't find a wrong setting and everything is enabled for API.
Does anyone have a clou where to search or with settings to adjust?
UPDATE: I've had contact with Google Support and it was a setting that was disabled. Thats why I couldn't create a project.
GOOGLE ADMIN > APPS > ADDITIONAL GOOGLE SERVICES > GOOGLE DEVELPERS CONSOLE (This setting was disabled and when enabled I was allowed to create a project an later add an billing account)
These are the steps I took to be able to enable billing.
Login to Google with the sys admin email address of the 'G Suite' account
Go here https://console.cloud.google.com/iam-admin/iam/organization
click on the identity tab on the left menu. (it created an identity)
click on the 'IAM' option on the left menu
Add billing account roles to the sys admin email by clicking on the pencil icon to the right of that user name. (I assume you could probably add another user here from the organisation and assign the billing roles to them instead)
Go to the Gsuite admin: https://admin.google.com/ and click on 'Apps'
Then click on 'Additional Google services' and enable 'Google developers console'
Then go to https://console.cloud.google.com/billing
select your organization from the 'Select an organization:' dropdown box
click on the 'add billing account' button in the middle of the screen
I have no idea how many of those steps are necessary, but at the end of it, it let me create a billing account
Background:
This is about using a Gmail Addon created using Google App Script.
When the user installs the addon, there is the OAuth Consent Screen where user provides his consent to allow the "Product name shown to users" (as configured in the OAuth Screen) to allow the access specified.
Now, I read : https://developers.google.com/identity/protocols/CrossClientAuth
which states :
When a user grants access to your app for a particular scope, the user
is looking at the user consent screen, which includes project-level
product branding that you set up in the Google API Console. (For
information about setting up the consent screen, see Setting up OAuth
2.0 in the API Console help.) Therefore, Google considers that when a user has granted access to a particular scope to any client ID in a
project, the grant indicates the user's trust in the whole application
for that scope.
Now, I have a server web component (a lambda) (belonging to the same product) that needs access to the user's email same access that the user provided after installing the addon ("Authorized Access" button).
Question(s) :
Is there a way to have cross-client (a backend server and a gmail addon) in my case to have the backend to just get access to user's data without triggering additional (basically whatever the user has provided consent to)?
Note: Using an additional authorization screen triggered manually using the GAS OAuth library I was able to get the "Auth Code" which I pass to the server using which the server now has access to the consented data (we have used the same client id and secret). However, the problem with this approach is :
User gets 2 emails about the permissions granted. Addon and Manually triggered flow.
User has to authorize the gmail addons for first access and then another which I trigger manually.
Even if there was a way I could get the "Auth Code" when the user installs the addon that would also do.
Apologize in advance there is a lot of scattered documentation and though I went through many it is likely I may have missed something.
We only issue one authorization code (refresh token) in exchange for one user authorization/approval. Your app can get new access tokens on android or web without a user approval. But if it needs a refresh token again, user still need to approve the request.
So if the addon can talk to your server, you could give it a short lived access token or will need to user authorization.
I was trying to run the sample script of Google Apps Script here:
https://github.com/googlesamples/apps-script-oauth2/blob/master/samples/GoogleServiceAccount.gs
I believe I set PRIVATE_KEY, CLIENT_EMAIL and USER_EMAIL correctly from JSON file downloaded from Google Developer Console. Also I enabled Google Drive API on the project. But still I get an error in the dialog "Error: invalid_client\n no application name".
Is there any code I should add / change to run this sample script correctly?
In case you are using the correct settings (PRIVATE_KEY,CLIENT_EMAIL and a valid USER_EMAIL), the error could also be related to the permission granted to the application from the domain admin.
Since this example uses domain wide delegation of authority to impersonate the account from the USER_EMAIL, first the domain admin has to grant permissions to the application to perform this kind of operations.
To grant this permissions to the app you can do it by going to: your Admin Console -> Security -> Advanced Settings -> Manage API client access
There you will add the service account CLIENT_ID in the field "Client Name" and in the second field you will add your project scopes separated by commas. These scope should match the scopes that the application uses. In this case id Drive scope and any other you may be using.
Click the button "Authorize" and if everything goes well, then you will be able to impersonate users in your domain with that project.
Here is the related documentation. I hope this helps.