Rule A - Auto Create Google Calendar Event Upon User Creation is disabled by a critical error.

88 views
Skip to first unread message

David Heath

unread,
Jan 9, 2024, 11:40:37 AMJan 9
to Foresight Community
I am getting this error message when denerating a calendar item on user creation.

Rule A - Auto Create Google Calendar Event Upon User Creation is disabled by a critical error. Your connected Google account lost admin privileges. Check with your super admin if your admin privileges were revoked.

I have full admin privileges that have not been revoked.

On checking the rule, nothing says that I do not have the appropriate permissions.

How can I fix him, please?


Jason Huang

unread,
Jan 9, 2024, 12:52:53 PMJan 9
to Foresight Community, d.h...@cheerfultwentyfirst.com
Hello, 

The User created trigger asked for Google account permissions of View users on your domain and View organization units on your domain. You may have granted the permissions to Foresight.
However, apart from the permissions, your associated Google account must also have the Admin API administrative privileges of Users > Read and Organizational Units > Read (All organizational units) to perform the trigger. The Super Admin has all the privileges but other admin roles (prebuilt roles or custom roles) may not cover these privileges. 
screenshot_2024-01-09_09-39-43.jpg

First, verify your admin role misses the required admin privileges. If so, please add them and have a test again. Alternatively, assign the Google account a Super Admin role. 

I hope it helps. 
Thank you.

N A

unread,
Jan 9, 2024, 5:39:45 PMJan 9
to Foresight Community, Jason Huang, d.h...@cheerfultwentyfirst.com
We are having the exact same problem here as well.  Our rules were executing just fine and then one day recently stopped.  We can enable our rules and they will run several times without issue according to the notifications as you can see in my attachment.  I have verified the account being used by foresight is a super administrator and has all of its rights and does not exist in any other admin role group.  We desperately need this working, any ideas?

rules.JPG 

Jason Huang

unread,
Jan 9, 2024, 6:35:00 PMJan 9
to Foresight Community, neil.a...@tulsatech.edu, Jason Huang, d.h...@cheerfultwentyfirst.com
Thank you for your feedback. 

For this issue, we took a step back to review. Google Admin API sends Foresight error messages, which suggested the associated admin Google account does not have the administrative privileges to retrieve the new user's information. It caused the Used created trigger to be disabled. 
To help us troubleshoot the issue, we would appreciate if you can share some information. 
  • Were there changes in your Google Admin between the last successful rule execution and rule disabled time, e.g. Reconfigured Foresight, disabled the super admin account? Checking the Admin log events would help you figure out the admin activities during the period. 
  • Re-enable the rule. Create another new test user based on your User created trigger condition. Does the new test user trigger the rule again? Or would the rule get disabled again?
Thanks again.

N A

unread,
Jan 9, 2024, 6:48:19 PMJan 9
to Foresight Community, Jason Huang, neil.a...@tulsatech.edu, d.h...@cheerfultwentyfirst.com
Just so I understand, you want another one of our super user accounts to login to foresight and recreate the rules we have?  It dosen't appear any of our other accounts can login to foresight since it is attached to our current admin user.  What else do you suggest we do and please be extremely specific.  Thanks!

Jason Huang

unread,
Jan 9, 2024, 6:56:57 PMJan 9
to Foresight Community, neil.a...@tulsatech.edu, Jason Huang, d.h...@cheerfultwentyfirst.com
Sorry for the confusion. It's not needed to sign up for another Foresight account. Just use the same Foresight account and same rule.
Here are detailed instructions.
  1. Sign into the same Foresight account. 
  2. Re-enable your rule that was disabled by this critical error. 
    screenshot_2024-01-09_15-51-05.jpg
  3. After you enable the rule, go to your Google Admin Console.
  4. Create a new test Google user. Make sure the new test user can trigger the rule based on your User created trigger's conditions. 
  5. Wait momentarily to see if the rule is disabled again or is triggered for the new test user. 
Thank you.

N A

unread,
Jan 9, 2024, 7:03:17 PMJan 9
to Foresight Community, Jason Huang, neil.a...@tulsatech.edu, d.h...@cheerfultwentyfirst.com
Thanks for the walk through!  I did exactly what you said and the rule executed perfectly just like it has for days now after we re-enable it.  At some point though it is going to disable itself again with the error shown in my first post.

Jason Huang

unread,
Jan 9, 2024, 7:15:30 PMJan 9
to Foresight Community, neil.a...@tulsatech.edu, Jason Huang, d.h...@cheerfultwentyfirst.com
Thank you for the quick testing. 

Based on your experiments and description, it's most likely an intermittent issue. Google randomly informed Foresight that the admin Google account lost the access to retrieve user information. 
We'll need to consult Google to explain the error messages further and find solutions. 

Please allow us investigate the issue and get back you in this thread. 
Thanks.

N A

unread,
Jan 9, 2024, 7:16:32 PMJan 9
to Foresight Community, Jason Huang, neil.a...@tulsatech.edu, d.h...@cheerfultwentyfirst.com
I appreciate the quick responses and look forward to hearing from you! :)

David Heath

unread,
Jan 10, 2024, 5:24:01 AMJan 10
to Jason Huang, Foresight Community
Hello,

I confirmed that the account running the rule has the necessary permissions. I also added another account, used the free trial, and tried again, and the same thing happened, despite the fact that they, too, had the required permissions set.

What do you suggest, please?

Cheers,

David Heath
IT Manager
he/him
Cheerful Twentyfirst Website
​Direct: 
​‪+44 207 074 9929‬
Mobile: 
+44 7919 333 644
Company: 
+44 207 291 0444
​87 New Cavendish Street, London, W1W 6XD
cheerfultwentyfirst.com
Cheerful Twentyfirst Website
Cheerful Twentyfirst is the trading name of Aeorema Ltd (company number 3071929 registered in England and Wales). Registered address: 101 New Cavendish Street, London W1W 6XH. VAT No. 792289777.
 
The content of this e-mail may contain confidential information. If you are not the addressee or authorised to receive this, you must not use, store, copy, disclose or take any action based on this message. If you have received this message in error, please advise the sender immediately by reply and delete this message.
3246394629934298362432

Jason Huang

unread,
Jan 10, 2024, 2:46:07 PMJan 10
to Foresight Community, d.h...@cheerfultwentyfirst.com, Foresight Community, Jason Huang
Hello David, 

If none of new users trigger the rule and the rule is disabled, then this may be a different case from the intermittently rule disabled issue. While you grant the permissions to Foresight, the Google accounts still need admin privileges to access user information.
To have a permission test, please follow these steps.
  1. Open https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/get from the same Google user connected with Foresight.
  2. On the right panel of Try this method, in the userKey field, enter a user in your Google Workspace domain.
  3. Click Execute. A dialog will pop up to ask permissions, grant the permissions.
  4. Check the box below. Is it a green header with 200, or a red header with 403? 
  5. Let me know the result in the box.
I attached 2 screenshots for your references.

Please make sure to wipe out confidential information if you need to paste the result, since this discussion thread is public. 
Thank you.
error result.jpg
Admin API test.jpg

N A

unread,
Jan 10, 2024, 3:05:16 PMJan 10
to Foresight Community, Jason Huang, neil.a...@tulsatech.edu, d.h...@cheerfultwentyfirst.com
Update on rules disabling.  I created a copy of the "Student account move to Single Sign-On" rule last night to see if it would get disabled like Staff and Student do.  I created it from scratch but the rule is identical other than it's name.  Notice that Delete Suspended Users is enabled but we just discovered that it isn't actually working despite being enabled. So for some reason none of our rules are working but only Staff and Student rules are reporting permissions errors and disabling themselves as shown in the screen shot in the messages above and below.  Thanks again!



rules.JPG

Jason Huang

unread,
Jan 10, 2024, 3:26:15 PMJan 10
to Foresight Community, neil.a...@tulsatech.edu, Jason Huang, d.h...@cheerfultwentyfirst.com
Hello N A, 

Thank you for testing. 

For the Delete Suspended Users rule, kindly reach to us sup...@xfanatical.com separately. We think the User suspended trigger is operating correctly, which triggers when a user is suspended in Google Admin.

We will continue investigating the User created trigger being disabled issue. We received Google's developer response. They recommend 2 options, first try the API explorer; Second submit a Google Workspace support case from your domain with us (sup...@xfanatical.com) CC'd. 
Let's try the first option. Please follow the same steps to have a API test as my last email.
    1. Open https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/get from the same Google user connected with Foresight.
    1. On the right panel of Try this method, in the userKey field, enter a newly created user in your Google Workspace domain. 
    1. Click Execute. A dialog will pop up to ask permissions, grant the permissions.
    2. Check the box below. Is it a green header with 200, or a red header with 403? 
    3. Let me know the result in the box.
    1. If possible, test for multiple users in the userKey field.
    Please make sure to wipe out confidential information if you need to paste the result, since this discussion thread is public. 
    Thank you.

    N A

    unread,
    Jan 10, 2024, 3:39:56 PMJan 10
    to Foresight Community, Jason Huang, neil.a...@tulsatech.edu, d.h...@cheerfultwentyfirst.com
    I get only this when I try to sign in at the link you provided " We are sorry, but you do not have access to Google Developers. Please log in to your Admin Console to enable it." So I can't sign in with our account that uses foresight to "try this method".

    Jason Huang

    unread,
    Jan 10, 2024, 3:48:40 PMJan 10
    to Foresight Community, neil.a...@tulsatech.edu, Jason Huang, d.h...@cheerfultwentyfirst.com
    Hello N A, 

    No problem. This is likely your domain has disabled the Google Developers service for the admin user's OU. 
    If you can enable the service for that OU, you shall be able to access the Google Developers page.

    We notice this issue has affected many of our customers' rules with the User created trigger. This leads to our assumption of a Google Admin API outage. 
    We'll check with Google to investigate this issue and keep you posted. Sorry for the inconveniences. 
    Thank you.

    N A

    unread,
    Jan 10, 2024, 4:11:09 PMJan 10
    to Foresight Community, Jason Huang, neil.a...@tulsatech.edu
    We currently do not have an OU for our admin accounts.  Could there be issues or vulnerabilities to enabling Google Developers for the Master OU or do we just need our admins to have that enabled?

    Jason Huang

    unread,
    Jan 10, 2024, 4:45:23 PMJan 10
    to Foresight Community, neil.a...@tulsatech.edu, Jason Huang
    You can create a separate sub-OU, move the test admin user into the sub-OU and enable the Google Developers service specifically for the sub-OU. This allows your admin user to access while interrupting other users. Thank you.

    Jason Huang

    unread,
    Jan 11, 2024, 3:12:47 PMJan 11
    to Foresight Community, Jason Huang, neil.a...@tulsatech.edu
    I'd like to share good news regarding this issue. This issue impacted many of our customers' rules with the User created trigger, so it's not from a single Google Workspace domain.
    With communications with Google developers and our engineers' effort, we discovered the Google Admin API behaved unusually recently, that result in your rules with the User created trigger being disabled unexpectedly.
    The error returned from Google Admin API indicated your admin user has lost administrative privileges, but in fact it's not the case. It's caused by technical issues after new Google users are created.
    We've updated the User created trigger with a workaround, and will monitor the fix in the upcoming days. 

    You can re-enable the rules. If you still experience the issue, please follow up this thread. 
    Thank you again for your feedback and support. 

    N A

    unread,
    Sep 4, 2024, 1:18:59 PMSep 4
    to xFanatical Foresight Community, Jason Huang, neil.a...@tulsatech.edu
    This is back to being an issue for us.  I have been having to go and manually move either 50 users at a time once I get notified they can't get to what they need or in the case of today I had to export 1800+ users and do a mass edit on the CSV and upload it to google admin.  This has been such an issue we don't plan on renewing once our subscription is up and have come up with an in house solution.

    Jason Huang

    unread,
    Sep 4, 2024, 5:17:02 PMSep 4
    to xFanatical Foresight Community, neil.a...@tulsatech.edu, Jason Huang
    Hello, 

    I'm sorry to hear the inconvenience. This issue of "rules with the User created trigger is disabled by a critical error" has been addressed back in January 2024. 
    Apart from this issue, xFanatical Foresight will disable automation rules for other reasons, e.g. monthly action quota depleted, lost admin privileges or permission revoked. For example, when your xFanatical Foresight account's monthly action quota is depleted, your automation rules would be disabled and you will be notified by an email. In case of your rules being disabled, please check notification emails in your associated Google account inbox from xFanatical Foresight. The emails will include the causes and possible solutions.

    If you have questions, please contact sup...@xfanatical.com and we'll troubleshoot for you in detail.
    Thank you.
    Reply all
    Reply to author
    Forward
    0 new messages