Management API with multiple accounts

[Graeme]

Hello all,

Since we have hundreds of sites to track, we have multiple GA logins (accounts is a confusing term), let's call them tra...@xxx.com, tra...@xxx.com, etc.

Within each of these, we have multiple accounts, representing a client, e.g. Client1, Client2, etc.

Within each of these accounts we have multiple web properties to track.

I'm automating the download of GA data for every one of thousands of web properties, using a script applying OAUTH2 and a service API structure.

Since users seem to be on a web property level, I've been doing the following:

1. For each of our logins (track1...), create a Service Account with a Client ID, gserviceaccount.com email and a Key file.

2. Go into every login/account/web property and add the gserviceaccount.com email as a user with read-only privs.

See the problem? :) Surely I don't have to create hundreds of these users, one for every web property. That's nuts. At the worst I would expect to create one user per login, that can access all accounts and web properties within. There doesn't seem to be a way to do this.

Am I missing something really obvious? Help greatly appreciated. I can't be the only person doing this.

Graeme

[Graeme]

Sorry, I take that back, Users are on the ACCOUNT level, but with up to 50 accounts per login, that's still a lot of work to create users.

I need to be able to create users at the login level, capable of accessing all accounts and web properties.

Graeme

[chris@shufflepoint]

Why not create a single Google credential and grant it access to all those GA accounts?

[Graeme]

Not entirely sure what you mean by that Chris? One login credential can only access 50 accounts, and besides, the service API user has to be created on the account level, not above it. Service accounts are different to human ones. Am I missing something?

[chris@shufflepoint]

Hi Graeme,
I wasn't aware of the 50 accounts limit. Do you have a reference URL for that?

[Graeme]

Hello Chris,

Actually I think I am confusing profiles with accounts. :)

"You may have up to 50 profiles in any given Analytics account."

https://developers.google.com/analytics/resources/concepts/gaConceptsAccounts#organization

Even if I were to put everything into a single login (with unlimited accounts) however, nowhere in the documentation or the web tools does it indicate creating a user at the root level, so I think I am forced to create one for every account, several hundred of them. Ugh.

The quote below might be an elusive indication of the problem (in the section above the one in the url above):

"You can only access Analytics reports using a valid Google Accounts email address. You cannot sign in to Analytics with an email address hosted by Google Apps."

I take this to mean that I cannot log in at the root level with the xxxxx@developer.gserviceaccount.com email address that the API requires, which backs up the empirical evidence I have.

Graeme

[chris@shufflepoint]

Hi Graeme,
I guess I'm still not clear on what problem you are trying to solve.  So I'll propose a solution and you can tell me what's wrong with it.

1. forget about service accounts and creating multiple users
2. create a single login and grant it access to all the GA accounts you need to query
3. get an OAuth token for that account
4. use that token to get an access token and query all the accounts, web props, profiles.

[Graeme]

Hey Chris,

Yeah, that's exactly what I was planning on doing. If you've logged in to the Google Analytics Account Manager (https://www.google.com/analytics/web/#management/Account) then you'll see that you can't create a user at the login level. You have to do it at the level of every account.

If you create a login with an OAuth2 token, it can't gain access to your GA accounts unless you go and add the xx...@developer.gserviceaccount.com email address as a user, thereby granting access.

What you say works as a web user, but not with the service level accounts that I need to use to automate fetching all my GA data without a human authentication step.

You are dead right about how it should work, but I can't find a way to make that happen, as per my explanation above, unless I am missing something extremely obvious.

Graeme

On Thursday, September 20, 2012 10:27:18 PM UTC-7, chris@shufflepoint wrote:

Hi Graeme,

[chris@shufflepoint]

My point is that you don't need to use a service account. With one global account you would do an iteractive grant, but you only have to do that once.

[Graeme]

That is very true. In my experience though, such things get forgotten by the server (or reset on an update) and require refreshing. I didn't want an automated script to have to reply on human intervention.

An option though, I agree. Thanks, I'll have to consider that.

[chris@shufflepoint]

If your computer is forgetting things, then you have larger issues :)
The OAuth 2.0 refresh tokens don't expire so they work fine for server-side automation.