Install and run Google apps script from domain administartor account - google-apps-script

is it possible to install and run my Google apps script to all users within the domain as a domain admin?

No, it isn't. AFAIK anyway.
What you can do is, on most Google APIs, using Apps Script UrlFetch instead of the built-in services, you can impersonate the users if you're running from the domain admin account.

Related

How to Publish Google App Sccript Gmail add-on for Google Workspace Marketplace SDK

I have developed a Google Appscript gmail addon which users can report spam emails.
I followed the exact steps mentioned in here to publish the add-on.
Setup GCP project and linked it with App Script
Configure OAuth screen and submit it for verification.
I am using following scopes.
OAuth Scopes
Since I am using sensitive scopes, I have to submit it for OAuth
verifcation. I was asked to verify all domains and then I verified all
domains and now all are showing as verified in search console .
I communicated it with the OAuth verification team and still OAuth
verification status is showing as "Pending developer action". I tried
to get some advice from OAuth verification team and I did not get any
response from them.
OAuth verification status
Enable and configure the Google Workspace Marketplace SDK
Create a store listing.
Since Gmail add-on needs to be available for all domains, I have
submitted the GCP for store listing as well. Status is shown as "Under
Review".
I need to publish the Add-on to Google Workspace Marketplace ASAP.
Can some one advice me to continue the publish process?

How to give users access to app script managed by a GCP Project

I have an app script linked to a spreadsheet that has a few functions to automate some processes for users. I recently updated the project to be linked to a standard GCP project I created so I could create OAuth credentials for an unrelated process in this script. However, now when users go to run the functions, they get a 403. Is there a place in the GCP console where I can give them access? I am not using any OAuth credentials for these functions. Just the standard app script interactions with the Google Sheet.
I think when you move to GCP you are required to use OAuth and they have to enter their credentials again. Found in the docs.
You have to configure the OAuth Consent Screen as is explained in the official docs about link a Google Apps Script project to a standard Google Cloud Project --> https://developers.google.com/apps-script/guides/cloud-platform-projects

Gmail add-on connecting to non-Google Services without oAuth

Is it possible to authenticate to third-party service in G-Suite (Gmail) Add-ons, but without oAuth. The service I want to authenticate works on REST API and has no oAuth support.
The best for me would be to open a new window (as with oAuth), login there and return token to the Gmail add-on frame. If that won't be possible, I'd go with giving a username and password in dedicated Card in add-on, but I'm not sure it that solution will pass Google verification when publishing in Marketplace.
I'll be grateful for all the suggestions.
Unfortunately no. When connecting your add-on to third party services(ex. your application server), Gmail forces you to set up a separate authentication process for user to go through to use your services.
However, if the non-Google service does require authorization, you'll have to configure OAuth for that service. You can make this process easier by using the OAuth2 for Apps Script library (there is also an OAuth1 version).
Your service can still use Google OAuth to authenticate the user, you just need to set it up separately from your Gmail add-on.
You can read more on it here: https://developers.google.com/gmail/add-ons/how-tos/non-google-services
Also in my post I explain the process of connecting your non-google services to gmail add-on in more detail

Using Advanced Google Services with Service Account

I am developing an application using Google Apps Script and using some Advanced Services such as Admin SDK (Directory API) and Reseller API.
It seems like these API's are being called by my WebApp under context of user who is accessing my WebApp (it's deployed with 'Execute the app as 'User accessing the webapp').
Ideally, I would like these API's calls to be authenticated with some Service Account under my project (in Dev Console). Is it possible? How?
When your scripts are ran as 'User accessing the webapp' it runs off the users data against your quota. If you want to run it against your data you need to change the settings to execute the app as "me".
If you need to do a mixed authentication model where the app needs to access the data of two different accounts, you have some options. Either way one account gets to access the built in Apps Script services and the other will use the REST interfaces to the APIs to access their data.
You can run the app as "me" then manage your own Oauth for the user. This can be done with an OAuth Library such as:
https://github.com/googlesamples/apps-script-oauth2
Or you can run the app as the user and use a service account for your server. Here is a library I put together for using service accounts in Apps Script:
https://github.com/Spencer-Easton/Apps-Script-GSApp-Library

Google App Script LDAP Access Control

Is there a way to restrict access to an application built on Google App Script using LDAP? Can Google App Script access LDAP?
There are a couple of ways to look at this problem.
Apps Script cannot directly access your LDAP system. Apps Script has ability make HTTP calls to REST/SOAP services, make JDBC calls to external databases but it doesn't have built in support for the LDAP directory.
However, if you are using Apps Script w/in a Google Apps domain then you can tie in Google user accounts to LDAP using Google Apps Directory Sync. Once this is setup, you can deploy your Apps Script to only allow people w/in your domain and Google will make them login before they can access the Apps Script.
Hope this helps.