GAM Permission and Scopes

8,837 views
Skip to first unread message

PK

unread,
Jul 5, 2017, 12:26:30 AM7/5/17
to GAM for G Suite
Hi

Couple of queries on setting up latest GAM..

1) How do you run the wizard to choose scopes again (which comes during initial setup?)

2) If you don't want to create a new project during setup but use existing ones, how can we do that?

3) Is it easy to find out if a command uses which scope? I have setup a user and all commands fail for him

./gam info domain

ERROR: 403: Not Authorized to access this resource/api - forbidden

./gam info user <mailaddress>

ERROR: 403: Not Authorized to access this resource/api - forbidden

But the check service account WORKS

 Scope: https://mail.google.com/                                     PASS
 Scope: https://www.googleapis.com/auth/activity                     PASS
 Scope: https://www.googleapis.com/auth/calendar                     PASS
 Scope: https://www.googleapis.com/auth/drive                        PASS
 Scope: https://www.googleapis.com/auth/gmail.settings.basic         PASS
 Scope: https://www.googleapis.com/auth/gmail.settings.sharing       PASS
 Scope: https://www.googleapis.com/auth/plus.me                      PASS

All scopes passed!


I have given this account ALL scopes I can think of (similar to another account we have which WORKS in GAM - the only thing is that the other account is global admin)

http://www.google.com/m8/feeds/contacts/,
https://apps-apis.google.com/a/feeds/calendar/resource/,
https://apps-apis.google.com/a/feeds/emailsettings/2.0/,
https://mail.google.com/,
https://sites.google.com/feeds/,
https://www.google.com/m8/feeds,
https://www.googleapis.com/auth/activity,
https://www.googleapis.com/auth/admin.directory.domain,
https://www.googleapis.com/auth/admin.directory.domain.readonly,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.group.member,
https://www.googleapis.com/auth/admin.directory.group.member.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.orgunit,
https://www.googleapis.com/auth/admin.directory.orgunit.readonly,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.user.alias,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.userschema,
https://www.googleapis.com/auth/apps.groups.settings,
https://www.googleapis.com/auth/calendar,
https://www.googleapis.com/auth/calendar.readonly,
https://www.googleapis.com/auth/contacts.readonly,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/gmail.settings.basic,
https://www.googleapis.com/auth/gmail.settings.sharing,
https://www.googleapis.com/auth/plus.me

What are we missing here?

Ross Scroggs

unread,
Jul 5, 2017, 10:57:18 AM7/5/17
to google-ap...@googlegroups.com
PK,

1) gam oauth delete followed by gam oauth create

2) Answer no to this question: GAM is now installed. Are you ready to set up a Google API project for GAM? (yes or no) 

What privileges does your user have?

Ross
--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/0941c296-1387-43e8-9d1c-50d24a3490b8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

PK

unread,
Jul 5, 2017, 5:19:43 PM7/5/17
to GAM for G Suite
Thanks Ross

1) Thanks

2) What I meant was after doing no, it still says to run gam create project.. is there a command to input existing project / service account / clientid etc.. whatever is required if it already exists

3) So the user is suppose to be a super admin for it to work? Currently has no admin roles assigned. User needs to do some mail settings / calendar create delete and info command on users..
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.

Ross Scroggs

unread,
Jul 5, 2017, 6:08:01 PM7/5/17
to google-ap...@googlegroups.com
PK,

What you need from a project are a client_secrets.json file and an oauth2service.json file.
Is this an upgrade to an existing version of GAM? Do you already have these files?
Using a super admin is simple, otherwise you have to define an admin role and set the desired Admin API Privileges.

Ross

To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsubscribe...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.

Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/71cc6120-ff0b-4475-8759-65e804ed6bbd%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--

PK

unread,
Jul 5, 2017, 6:56:05 PM7/5/17
to GAM for G Suite
Thanks Ross

I was just curious on how to use existing projects.. I have copied those two files across machines and OS and it works.. Was just a generic question

Giving Super User was a security issue I was thinking for doing specific GAM tool stuff.. but yeah it will be done.. I was just trying to asertain the minimum level of admin rights required to do those jobs..
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.



--

Ross Scroggs

unread,
Jul 5, 2017, 7:00:29 PM7/5/17
to google-ap...@googlegroups.com
PK,

These are the do it by hand instructions for making a project and downloading client_secrets.json and oauth2service.json.

Ross

To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsubscribe...@googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsubscribe...@googlegroups.com.

To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.



--

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.

Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/e7fcd210-fdf3-4512-9661-a9c1e3631c7e%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--
Reply all
Reply to author
Forward
0 new messages