Defined Custom Role for Grab N Go Admin

Eric Landrum

Jun 20, 2019, 8:48:23 AM
to loa...@googlegroups.com
Hi Group,

Do we have a list of the exact G Suite admin permissions required for the GnG loaner-role account?  At the moment the roles that are recommended are:

Services Admin
User Management Admin
Groups Admin

Even though this account is never supposed to be accessible by a human being, Enterprise/SMB security teams will deny (or have denied) this level of access because it's more than the account actually needs and creates additional risk.  A custom "GnG Admin" role is required.

Before I jump into testing permissions, just wanted to ask the group.  I have also opened an issue ticket with the GnG GitHub project.

Thank you Group

Maven Wave
Eric Landrum
Manager, Deployment Leadership
Mobile  +1.859.462.6127
Email  eric.l...@mavenwave.com
Website  www.mavenwave.com
- Sent from my Google Chromebook.
- Chrome OS, a better way to work.

Steve Larsen

Aug 12, 2019, 1:27:09 PM
to Grab n Go Loaners
Although it's not a perfect answer, to further minimise exposure on this account I am creating these with just Cloud Identity Free licenses so that the account does not have access to core G Suite services. Combined with placing this user in an OU with all additional Google services and others disabled, it can help minimise that overall risk.


DJNinNZ

Nov 24, 2019, 3:26:10 AM
to Grab n Go Loaners
Hi there,
I'm in the process of testing this, but looking at the API scopes that need to be allowed when you authorise the web app client ID in the admin console (GnG setup part 1) and thinking about what the app must do, the custom admin role must:
  • read the OU structure
  • read the user information
  • read group membership
  • Manage/move Chrome devices between OUs
  • Manage Chrome settings by enabling/disabling guest mode
I'm currently testing the following custom admin role privileges:
  • OUs - Read
  • Users - Read
  • Chrome Management - Manage Devices + Manage Device Settings
  • API Permissions: Groups - Read
Regards


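Added example, not part of the thread or of the GnG project's code: one way to turn the privilege list DJNinNZ is testing into an Admin SDK Directory API `roles.insert` request body, refusing to build the role if any privilege cannot be resolved. The privilege names are an assumed mapping of the admin-console labels in the post and the service IDs are placeholders; read the real values from your own tenant's `privileges.list` response.

```python
# Added example (not GnG project code): resolve privilege names against a
# privileges.list-style tree and build a roles.insert body, failing closed.

# Constructed sample. Service IDs are placeholders, and the privilege names are
# an assumed mapping of the privileges listed in the post; take real values
# from your own tenant's privileges.list response.
SAMPLE_LISTING = {"items": [
    {"privilegeName": "ORGANIZATION_UNITS_ALL", "serviceId": "SVC_ADMIN_API",
     "childPrivileges": [
         {"privilegeName": "ORGANIZATION_UNITS_RETRIEVE", "serviceId": "SVC_ADMIN_API"}]},
    {"privilegeName": "USERS_ALL", "serviceId": "SVC_ADMIN_API",
     "childPrivileges": [
         {"privilegeName": "USERS_RETRIEVE", "serviceId": "SVC_ADMIN_API"}]},
    {"privilegeName": "GROUPS_ALL", "serviceId": "SVC_ADMIN_API",
     "childPrivileges": [
         {"privilegeName": "GROUPS_RETRIEVE", "serviceId": "SVC_ADMIN_API"}]},
    {"privilegeName": "MANAGE_DEVICES", "serviceId": "SVC_CHROME"},
    {"privilegeName": "MANAGE_DEVICE_SETTINGS", "serviceId": "SVC_CHROME"},
]}

WANTED = ["ORGANIZATION_UNITS_RETRIEVE", "USERS_RETRIEVE", "GROUPS_RETRIEVE",
          "MANAGE_DEVICES", "MANAGE_DEVICE_SETTINGS"]


def index_privileges(nodes, found=None):
    """Flatten the nested privilege tree into {privilegeName: serviceId}."""
    found = {} if found is None else found
    for node in nodes:
        found[node["privilegeName"]] = node["serviceId"]
        index_privileges(node.get("childPrivileges", []), found)
    return found


def build_role_body(role_name, wanted, listing):
    """Return a roles.insert request body; raise if any privilege is unknown."""
    known = index_privileges(listing.get("items", []))
    missing = sorted(set(wanted) - set(known))
    if missing:
        # Fail closed: never fall back to a broader parent privilege.
        raise ValueError("unknown privileges: " + ", ".join(missing))
    return {
        "roleName": role_name,
        "roleDescription": "Least-privilege role for the GnG role account",
        "rolePrivileges": [{"privilegeName": n, "serviceId": known[n]}
                           for n in sorted(set(wanted))],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_role_body("GnG Admin", WANTED, SAMPLE_LISTING), indent=2))
```
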
Steve Larsen

Mar 19, 2020, 3:55:12 PM
to Grab n Go Loaners
Is there a list of new scopes or admin privileges needed to make the master branch of loaner work? Some errors we're seeing are the following:

Screenshot 2020-03-19 at 14.50.10.png


Screenshot 2020-03-19 at 14.54.44.png

Mike Helfrich

Mar 23, 2020, 11:15:22 AM
to Steve Larsen, Grab n Go Loaners
Can you provide the error it throws in Stackdriver (Google Cloud Logging)? This error is too broad currently for us to know which scope is missing.

--

Google NYC
Mike Helfrich
Corporate Operations Engineer
mikehe...@google.com
