GAM for delegate
874 views
Skip to first unread message
Mike McLoughlin
Oct 28, 2019, 4:45:24 AM10/28/19
to GAM for G Suite
Hi,
I would like to set up a separate GAM instance for a Classroom Administrator such that GAM is configured to just the Classroom scope and that it then can be safely passed onto a delegate without them then being able to reinstall GAM or alter to scope etc.
I am unsure whether it is even possible but, if so, what is the preferred approach to achieve something like this?
Thanks in advance.
- Mike
Steve - DynTech
Oct 28, 2019, 9:05:55 AM10/28/19
to GAM for G Suite
Create an admin account for this user, bob...@domain.com for example. You can use a free cloud identity license instead of full g suite
Configure gam as that person, do not enable domain wide delegation
When authorising the scopes only allow the ones required for classroom use
provide this user with their 3 files, json and txt files.
Do not give this user their credentials to the admin account
Hopefully I didn't miss anything there.
Jay Lee
Oct 28, 2019, 9:15:11 AM10/28/19
to google-ap...@googlegroups.com
Steve pretty much has it covered. Since you're not using service account domain wide delegation or allowing the users to reauth you only need to give them the oauth2.txt file.
Consider giving them read-only access to users, orgunits and groups to make some tasks easier for them.
Jay
--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/094ecf63-5d1b-4d85-9d8d-b7edc8de0fce%40googlegroups.com.
Mike McLoughlin
Oct 28, 2019, 10:49:48 AM10/28/19
to GAM for G Suite
Thanks Steve & Jay,
It is great that it is possible and that all sounds very straightforward too.
Thanks again.
- Mike
Peter Nakashima
Oct 28, 2019, 4:15:16 PM10/28/19
to google-ap...@googlegroups.com
Very interesting possibilities.
-- Thanks 
Peter Nakashima --
Peter Nakashima ---- Liholiho Elementary School --
On Mon, Oct 28, 2019 at 3:15 AM Jay Lee <jay...@gmail.com> wrote:
Since you're not using service account domain wide delegation or allowing the users to reauth you only need to give them the oauth2.txt file.Consider giving them read-only access to users, orgunits and groups to make some tasks easier for them.Jay
On Mon, Oct 28, 2019, 9:06 AM Steve - DynTech <st...@dyntech.co.uk> wrote:
Create an admin account for this user, bob...@domain.com for example. You can use a free cloud identity license instead of full g suiteConfigure gam as that person, do not enable domain wide delegationWhen authorising the scopes only allow the ones required for classroom use
provide this user with their oauth2.txt file.
Do not give this user their credentials to the admin account
Mike McLoughlin
Oct 29, 2019, 10:33:49 AM10/29/19
to GAM for G Suite
Hi again Steve & Jay,
I have a couple of follow up questions about this, if I may:
- The todrive feature is very useful and currently will not work without (apparently) some domain-wide service account. Is that true? Can it be locked down to the delegate's account in any way?
- Any attempt to carry out simple commands - eg gam print courses result in 0 courses found. I have tried installing the new GAM instance on Windows & Linux platforms, sharing the oauth.txt as described with the same results. What could be causing that?
TIA,
- Mike
+KimNilsson
Nov 2, 2019, 4:10:49 PM11/2/19
to GAM for G Suite
@Mike
I have used that for a CloudPrint user without any admin access, where we wanted to easily print lists of printers to Sheets.
Mike McLoughlin
Nov 4, 2019, 5:08:36 AM11/4/19
to GAM for G Suite
@Kim - Thanks for that, but what version? I see it on neither GAM now GAMADV-XTD3...
Also, how would it work in practice? If GAM is set up with admin user X and no domain wide service account used and the target delegate user Y tries to use todrive then user Y would need to be able to sign into the browser/account with user X's credentials, right? User Y is only given the oath2.txt file and no password.
- Mike
Mike McLoughlin
Nov 4, 2019, 6:07:13 AM11/4/19
to GAM for G Suite
Hi again @Kim,
As you can see, the latest gamadv-xtd3 only goes up to 35.
Are you seeing this option at your end?
Are you seeing this option at your end?
- Mike
Ross Scroggs
Nov 4, 2019, 8:44:07 AM11/4/19
to google-ap...@googlegroups.com
Mike,
Do: gam config todrive_clientaccess true oauth create
You'll see 3 additional scopes:
[ ] 36) Drive API - todrive_clientaccess
[ ] 37) Gmail API - todrive_clientaccess
[ ] 38) Sheets API - todrive_clientaccess
Ross
On Nov 4, 2019, at 3:07 AM, Mike McLoughlin <tic...@gmail.com> wrote:
Hi again @Kim,
As you can see, the latest gamadv-xtd3 only goes up to 35.
--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/f89112ea-3d1a-4e8b-aa47-618af375ee84%40googlegroups.com.
<Screenshot 2019-11-04 at 11.04.31.png>
Mike McLoughlin
Nov 4, 2019, 8:52:52 AM11/4/19
to GAM for G Suite
Hi Ross,
Thanks for that - the extra options then appeared.
However, this scenario involves setting up GAM for a delegate without giving the delegate the password to the account (so they cannot re-install and change scopes etc). So, will the todrive_clientaccess work in this situation?
- Mike
On Monday, 4 November 2019 13:44:07 UTC, Ross Scroggs wrote:
Mike,Do: gam config todrive_clientaccess true oauth createYou'll see 3 additional scopes:
[ ] 36) Drive API - todrive_clientaccess[ ] 37) Gmail API - todrive_clientaccess[ ] 38) Sheets API - todrive_clientaccessRoss
On Nov 4, 2019, at 3:07 AM, Mike McLoughlin <tic...@gmail.com> wrote:
Hi again @Kim,As you can see, the latest gamadv-xtd3 only goes up to 35.<Screenshot 2019-11-04 at 11.04.31.png>
Are you seeing this option at your end?- Mike
On Monday, 4 November 2019 10:08:36 UTC, Mike McLoughlin wrote:@Kim - Thanks for that, but what version? I see it on neither GAM now GAMADV-XTD3...Also, how would it work in practice? If GAM is set up with admin user X and no domain wide service account used and the target delegate user Y tries to use todrive then user Y would need to be able to sign into the browser/account with user X's credentials, right? User Y is only given the oath2.txt file and no password.- Mike
On Saturday, 2 November 2019 20:10:49 UTC, +KimNilsson wrote:@Mike1. I don't know if Jay has this, or if only Ross does.I have used that for a CloudPrint user without any admin access, where we wanted to easily print lists of printers to Sheets.--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
Kim Nilsson
Nov 4, 2019, 12:27:49 PM11/4/19
to Google Apps Manager
Mike, you set everything up before giving info to the user.
Mike McLoughlin
Nov 5, 2019, 3:42:36 AM11/5/19
to GAM for G Suite
Hi Kim,
Thanks for the advice.
I had a video chat with Ross yesterday and we went through the settings and all appeared to work. However, I double-checked this morning and the created file is was not owned by the user specified in todrive_user (in the Config file) but instead was owned by the user in the oauth2.txt file. (This is what the guide you originally linked to suggests should be the case.)
I had a video chat with Ross yesterday and we went through the settings and all appeared to work. However, I double-checked this morning and the created file is was not owned by the user specified in todrive_user (in the Config file) but instead was owned by the user in the oauth2.txt file. (This is what the guide you originally linked to suggests should be the case.)
Is this your experience too? Or is the created file owned by the todrive_user?
- Mike
Kim Nilsson
Nov 5, 2019, 3:55:29 AM11/5/19
to Google Apps Manager
In my case I set everything up with the delegated account, so there's no reference to the admin account anywhere.
Mike McLoughlin
Nov 5, 2019, 3:59:21 AM11/5/19
to GAM for G Suite
Ah, I see. So therefore the delegated account must have Admin privileges though - as this is what is required by the GAM to work..?
Apologies if I am missing something obvious here.
- Mike
Kim Nilsson
Nov 5, 2019, 4:00:26 AM11/5/19
to Google Apps Manager
That all depends on what it's supposed to be able to do.
Mike McLoughlin
Nov 5, 2019, 5:00:51 AM11/5/19
to GAM for G Suite
Well, like you I just need someone to manage Classroom with GAM and be able to use todrive to make their life easier.
I (initially) also did not want to share Admin credentials with them but it seems you are suggesting that the way you have done it, you give them a limited Admin account and use the technique you originally mentioned so they can see their Drive files. That sounds cool.
Would it be possible to share how you have done that, perhaps? I have tried similar without success with (for example) printing of a teachers courses showing zero for that reduce Admin account.
Anything you can share would be gratefully received :-)
- Mike
Mike McLoughlin
Nov 6, 2019, 5:24:08 AM11/6/19
to GAM for G Suite
Hi Ross & Kim,
(I experienced this yesterday and could only get around this with the delegate account by making it superadmin).
Lovely chatting with you yesterday, by the way :-)
This morning, I have tested out the new theory by creating a low-level Admin user - with just User Management applied:
This was to an attempt to get around the issue where the command gam print courses teacher x...@domain.com (or even gam print courses) results in 0 courses found but it is still the case:
(I experienced this yesterday and could only get around this with the delegate account by making it superadmin).
So, what is the minimum Admin permissions needed to be set in the G Suite Console to make the delegate account be able to see all courses and those owned by students and teachers?
The good news is the todrive aspect is now working without the service account needed, so it is just this issue remaining.
Kind regards,
- Mike
Mike McLoughlin
Nov 7, 2019, 6:09:46 AM11/7/19
to GAM for G Suite
Hi Ross,
Thanks for the chat yesterday, by the way.
I need to confirm I am doing things as you suggested last night, as things are not quite working yet, I'm afraid:
I have:
- used a superadmin account to set up GAMADV-XTD3 with a new project
- set todrive_user as the delegate account
- not yet edited or moved any files (eg oauth2.txt, client_secrets.json & oauth_service.json) as I wanted to set it working first before locking it down.
- tried both:
- including the scopes 36, 36 & 38 but that refers to the superadmin user in oauth.txt, of course
- not including the scopes 36, 36 & 38 but gam print courses results in ERROR: There are no scopes authorized for the Drive API:
How is the todrive_user supposed to work? Have I missed a step you mentioned here?
Kind regards,
- Mike
Mike McLoughlin
Nov 7, 2019, 6:12:50 AM11/7/19
to GAM for G Suite
I forgot to mention, of the service account scopes:
I am using just these as discussed:
- Mike
Jay Lee
Nov 7, 2019, 6:21:53 AM11/7/19
to google-ap...@googlegroups.com
You're giving this delegate full access to all users drive and email. That seems risky and over permissive.
--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/fab104f9-d845-44d2-af01-e00c630ee959%40googlegroups.com.
Mike McLoughlin
Nov 7, 2019, 6:28:31 AM11/7/19
to GAM for G Suite
Hi Jay,
Thanks for chipping in - and I agree entirely.
The idea was to dive the delegate needed access to just maintain Classroom. The sticking point came with wanting to provide todrive without risking anything. Unfortunately, there does not seem to be a way of doing this safely so I will likely abandon this method and the delegate will have to do without todrive, downloading to text files instead.
A shame, but thanks to all for all the help with this though.
- Mike
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
Kevin Melillo ✉
Nov 7, 2019, 8:08:07 AM11/7/19
to google-ap...@googlegroups.com
Just a thought here, as I am working with a similar need, not exactly the same, but similar. In my case I would like the helpdesk staff to be able to do two things... somehow use gam to do a whatis on an email address, so they can see if the email currently exists. If it is a user, who are the delegates, and what is the vacation status... if it is a group, who are the managers and members.
I did not want to give them direct access to GAM, as these are the only two things they really needed. So I developed a local website with PHP. It asks for the email address, then runs the proper GAM commands in the background, and reports back the results I needed them to see. It seems to work well. I now need management approval to roll this out to them.
You might be able to perform something similar in your case. As the classroom admin will only have access to a web browser and URL, this may work for you, although it is a bit tricky to set up.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/fab104f9-d845-44d2-af01-e00c630ee959%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/9b4e4b60-0af1-463e-9ea8-240a8133851d%40googlegroups.com.
|
Mike McLoughlin
Nov 7, 2019, 8:21:56 AM11/7/19
to GAM for G Suite
Hi Kevin,
That is an interesting solution. Thanks for sharing :-)
- Mike
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/fab104f9-d845-44d2-af01-e00c630ee959%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/9b4e4b60-0af1-463e-9ea8-240a8133851d%40googlegroups.com.
+KimNilsson
Nov 15, 2019, 8:59:19 AM11/15/19
to GAM for G Suite
Kevin, any documentation exists how you did that?
Kevin Melillo ✉
Nov 15, 2019, 10:18:14 AM11/15/19
to google-ap...@googlegroups.com
I just took my work and added it up to GitHub. I commented in the readme how it works, and what I did, and if there
are any other questions, reach out. THE LINK.
As stated in the README, it works for me.
I welcome all comments and critiques!
Let me know.
On Fri, Nov 15, 2019 at 8:59 AM +KimNilsson <there.is.no...@gmail.com> wrote:
Kevin, any documentation exists how you did that?
--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/b97be1ba-9ecd-4332-9244-5b79f823595f%40googlegroups.com.
Kim Nilsson
Nov 15, 2019, 5:32:54 PM11/15/19
to Google Apps Manager
Thanks, Kevin!
Reply all
Reply to author
Forward
0 new messages