API Permissions for Delegation, and checking forwarding addresses
222 views
Skip to first unread message
James Dushay
Jul 24, 2023, 1:40:09 PM7/24/23
to GAM for Google Workspace
My company has super admins & a helpdesk role. I've created our helpdesk role but the helpdesk users are unable to check/add/remote delegations and forwarding addresses. I can't figure out what API permissions are required so I wanted to ask the community.
1. Does anyone know the required API Permissions for those two settings to work?
2. Do my users need to re-auth the scopes in gam, if so how? I've already added more scopes in the past weeks but I'm not sure if the users need to do something after I do that.
Thanks all
Jay Lee
Jul 24, 2023, 2:04:57 PM7/24/23
to google-ap...@googlegroups.com
Delegation isn't an admin privilege, it's done via domain-wide delegation (DwD). GAM's service account needs authorization to call Gmail API as the end user.
From the delegations.create() doc, the specific scope needed is https://www.googleapis.com/auth/gmail.settings.sharing.
I'd seriously reconsider if you want to give helpdesk-level users this kind of power. They'll be able to delegate ANYONE's mailbox to themselves. It's not hard to imagine worst case scenarios involving CEO snooping here...
Assuming you really do want to move forward, for each helpdesk user's GAM install run:
gam user som...@yourcompany.com check serviceaccount
and ensure at least the https://www.googleapis.com/auth/gmail.settings.sharing scope is passing.
Jay Lee
--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/a003df81-cb55-401a-8cb9-294218e36c47n%40googlegroups.com.
James Dushay
Jul 24, 2023, 3:15:09 PM7/24/23
to google-ap...@googlegroups.com
Thanks Jay,
I agree that perhaps the point of a helpdesk role is pointless if we are giving access to delegate to ANYONE. I'll check with our team internally. I appreciate your reply. + Ross
You received this message because you are subscribed to a topic in the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-manager/JZWfr-QesjU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CA%2BVVBp8QofC%3DwmO%2BSXgR2de1LhqGxszO_j%3DM9ZfzPrBu4o1E%2BQ%40mail.gmail.com.
Ross Scroggs
Jul 24, 2023, 3:42:06 PM7/24/23
to google-ap...@googlegroups.com
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAC9Qdx3ccF-mpqjzN0bqk30u7JnwDhUvyKKJg_Z%2BybSR%2Bwr55Q%40mail.gmail.com.
Ross Scroggs
Reply all
Reply to author
Forward
0 new messages