GAM Read/Write Files in Specific OU

[Jim Van Fleet]

Hello, GAM!

I'd like to create an instance of GAM where only the necessary scopes are granted to read and write files on Google Drive for a user in a specific OU. I think it's possible?

I want to put this on a computer where the power of the GAM is throttled way down from just granting super admin access!

What is the workflow needed for this sort of thing? I am still wrapping my head around the various aspect of projects, service accounts, and oAuth consent.

Right now I'm not sure how to go about service account access, in particular the Domain-Wide Delegation. In the past using a super admin with full blown credentials gets everything to PASS for sure, but now I'm looking to drastically limit the scope to files for a particular user.

Currently everything is failing and going the following URL brings up a 403 page for the service account user: to https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=....

So I'm sure this is a permissions problem in the Google Admin Admin Role...looking through the privileges, I'm not sure what to grant to limit scope to a particular OU for the service account to manipulate files for only a user in the OU...or something like that?

I hope I've explained everything clearly enough to get some help and guidance...if I can get this working, I have some fun ideas to try out ;)

Thanks,

JVF

[Rance Hall]

When I setup google admin I always do it automagically as I am bound to forget something.

 

There is nothing wrong with creating a servie account with full access and then choosing the api scopes and limiting a specific gam project to only a few.  Then create a full functioning gam project that can do it all.

 

This approach is a little more open that your example (open as in more privileges and possibilities) but much easier to manage and maintain.

 

Just my $0.02

 

-- 

 

Rance Hall

Application Specialist

ESU 10

308-698-1919

 

Some days are better, some days are worse.

Look for the blessing instead of the curse.

 

 

 

 

 

 

From: google-ap...@googlegroups.com <google-ap...@googlegroups.com> on behalf of Jim Van Fleet <jvan...@hallhighschool502.com>
Date: Friday, March 4, 2022 at 10:47 AM
To: GAM for Google Workspace <google-ap...@googlegroups.com>
Subject: [GAM] GAM Read/Write Files in Specific OU

[EXTERNAL EMAIL]

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/df9519e2-ac98-45e8-9447-7c98fcee4638n%40googlegroups.com.

[Jim Van Fleet]

I'm wondering if what I am trying to achieve is not possible...I mean, it is "Domain wide delegation" after all.

So I might even be barking up the wrong tree with GAM...My ultimate goal is to be able to write some scripts that can read and write files from Google Drive, which I've done with GAM in the past. But because of how I want to use this, I'm reluctant to deploy with too much power on our overall domain and want to limit the scope.

[Ross Scroggs]

JIm,

For Advanced GAM see: https://github.com/taers232c/GAMADV-XTD3/wiki/Authorization#configure-limited-access

Ross

--

ross.s...@gmail.com

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/8f1a0c87-88ca-41b1-a0a4-47d6ceb38da1n%40googlegroups.com.

[Jim Van Fleet]

Oh man...documentation! I'll read it right now. Thank you so much....you are quite the resource ;)

-JVF

You received this message because you are subscribed to a topic in the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-manager/tDwYL_oYTOs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/356341F8-C57B-4DF6-BEFD-1B8C57D80A3B%40gmail.com.