Provisioning API Group Access - always requires Administrator?

[Charles Cooke]

Hi,

We are developing an application which is using OpenID+OAuth (successfully) to authenticate & retrieve Groups for a user via the Provisioning API.

However, if I authenticate & try to access with a non-administrator I get "You are not authorized to access this API.".  The user has access to "Groups".  If I use an Administrator, it works fine.

It appears that ANY access to the Provisioning API requires an Administrative user.  Is this true?

If so, is there any other way to retrieve Groups for a user?  It seems like this should be available somewhere but I can't find it.

Thanks
Charles

[Mally Mclane]

Charles

Yes, it is. Devolved users in the control panel don't have access to the API - you need to be a superuser.

Hopefully Google do see this a big security hole and fix it soon...

Mally

> --
> You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.
> To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/JZfGu0YZRWMJ.
> To post to this group, send email to google-app...@googlegroups.com.
> To unsubscribe from this group, send email to google-apps-mgmt...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/google-apps-mgmt-apis?hl=en.
>

[Charles Cooke]

Hi Mally,

Thanks for the reply.  That's too bad, we don't want to give full admin access to the user just to see the Groups.

It looks like there is indeed an enhancement request open for this:
http://code.google.com/a/google.com/p/apps-api-issues/issues/detail?id=2454

[Claudio Cherubino]

Hi Mally and Charles,

The Google Apps Domain Management APIs were designed as tools for administrators to configure and manage their domains.

These APIs are meant to emulate the features available to administrators only in the control panel and your security concerns should be addressed by the authentication and authorization mechanism (OpenId+OAuth).

With that being said, we are open to discussion about how to improve our APIs and the developer experience and we are already considering the feature request that you linked.

By starring the issue you'll automatically get all the relevant updates and please add detailed information about your use cases to it so that we can prioritize the feature.

Thanks

Claudio

--
You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.

To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/zLDBei1rn7IJ.

[Rufus]

Hello,

There is one additional special case: if your application is installed
as a Marketplace App then your application can get read-only access to
the Provisioning API. The user in this case does not need to log in
as an administrator, and your app does not need to store administrator
credentials.

So your application can read the list of Groups for everyone or for a
particular user.

Please see http://code.google.com/googleapps/marketplace/manifest.html#supported_scopes
for the specific scope to request in your Application Manifest.

When you've configured your app manifest for Provisioning API access,
then as the administrator installs your app, the installation process
requests the admin to grant read-only access. If they accept, then
your app can read all of the domain's provisioning information through
user, group, and/or nickname feeds. You can't write back or make
provisioning changes with this kind of access, but you could make
decisions based on the user's groups. The customer never gets
prompted for access because that was granted by their system
administrator during installation.

This may be the kind of carefully-scoped access you were looking for.

/Rufus