GAM Installation & Configuration video

1,433 views
Skip to first unread message

Brian Gray

unread,
Oct 3, 2015, 6:59:35 PM10/3/15
to Google Apps Manager

I created a video that shows the steps for installing and configuring GAM - https://youtu.be/zfQXj2zawJ8

Graham Ingleby

unread,
Oct 5, 2015, 4:57:48 AM10/5/15
to GAM group
Excellent Brian, thanks very much for that, it will be really useful for getting new GAM users setup

One question though, when authorising the domain access you say to make sure the user signed in is the same as you used to create the OAuth file, I dont think this is correct as I have a single Service Account that I use on multiple domains - possibly you did it this way to get first time users up and running quicker? Or have I been doing it wrong all this time? :o)

Graham

 

 Graham Ingleby | Cloud Computing Consultant | +44 1344 203395 | ging...@ancoris.com
Google+  

On 3 October 2015 at 23:59, Brian Gray <bg...@sstx.org> wrote:

I created a video that shows the steps for installing and configuring GAM - https://youtu.be/zfQXj2zawJ8

--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/a913cc66-aa81-4ada-a403-b995e9fee6ee%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


This message is for the named person's use only.  If you receive this message in error, please delete it and notify the sender.  Ancoris reserves the right to monitor all e-mail communications through its networks. Ancoris Limited, Registered in England Number: 04830784, Registered address: 5a Frascati Way, Maidenhead, Berkshire SL6 4UY. Trading Address: Lily Hill House, Lily Hill Road, Bracknell, Berkshire RG12 2SJ


Jay Lee

unread,
Oct 5, 2015, 6:19:54 AM10/5/15
to GAM group
First of all, Brian, this is excellent. Project setup has been a major stumbling block to getting started with GAM and the video should go a long way to helping. I'd love to see this added to the Getting Started Wiki page.

Graham's right, the console.developers.google.com owner doesn't necessarily have to be the same Google user you authorize GAM against. A few things to be aware of:
  • Most GAM commands use 3-legged OAuth, authenticating as the admin user. For these, the oauth2.txt authorization (or whatever OAUTHFILE env. variable is set to) is used by GAM. client_secrets.json is the console project that quota will count against. If admin A and admin B both use the same client_secrets.json on different machines, there should be no security issue though they will share quota for the APIs.

  • Some GAM commands, like those for Gmail, Drive and Calendar use the Service Account authorization (oauth2service.json). Sharing this file is very dangerous. The oauth2service.json file alone is enough to authenticate as ANY USER in the domains which have granted scope access to the service account's client id in the admin console.
Hope this helps understanding.

@Brian, can that small segment be edited? Whether it can or not, I'd like to see the video embedded or linked in the getting started guide (anyone logged into Github.com can modify the Wiki).

Thanks!

Jay

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAAcgOW7A%2Bdn3z4az465e6kDEpVunKEbo10N5bOP0Z18ZezEhOg%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.
--

Jay Lee

Brian Gray

unread,
Oct 5, 2015, 2:42:02 PM10/5/15
to Google Apps Manager


On Monday, October 5, 2015 at 5:19:54 AM UTC-5, Jay Lee wrote:

Graham's right, the console.developers.google.com owner doesn't necessarily have to be the same Google user you authorize GAM against. 

Jay - 

I went for simplicity in my warning in the video.  The video is targeted at the new GAM user, and I think that your explanations are likely to be more confusing than helpful to that audience.  (I'm not certain that I understand all of it.)

The case that I was trying to warn against is this:
  • user is a domain admin configuring GAM, and so is signed into a domain account to create 
  • user also has a Chrome profile signed into a personal (gmail.com) account (or a spouse's account, etc.)
  • GAM Oauth validation runs, opens a browser window, and connects to the gmail.com account instead of the domain account
(Of course, this is just hypothetical - that would NEVER happen to ME.)

I would prefer to leave the video as it is to maintain the simplicity.  If what you said above is on the wiki somewhere, I can include a link to it as an overlay card in the video.  It would read something like: "Read more about using service accounts here..."

I'll add the video links to the wiki.




Brian Gray

unread,
Oct 5, 2015, 3:01:45 PM10/5/15
to Google Apps Manager


On Monday, October 5, 2015 at 1:42:02 PM UTC-5, Brian Gray wrote:


The case that I was trying to warn against is this:
  • user is a domain admin configuring GAM, and so is signed into a domain account to create 
  • user also has a Chrome profile signed into a personal (gmail.com) account (or a spouse's account, etc.)
  • GAM Oauth validation runs, opens a browser window, and connects to the gmail.com account instead of the domain account


Jay - Perhaps I missed entirely what you were saying.  Did you mean that in the scenario above, it doesn't matter that the authorization was done by a gmail.com account (not associated with the domain I intend to manage with GAM)?

bkg
Reply all
Reply to author
Forward
0 new messages