Assign Admin permissions for multiple OU to multiple users.

[WillW]

Is there a command I can use to load a list of staff usernames and give them each Device Manger permissions to a list of ORG units?

[Jay Lee]

You can assign roles to a user with this command:

https://github.com/jay0lee/GAM/wiki/Managing-Admins#grant-a-user-an-admin-role

not clear what you mean by "device manager" Is that for mobile devices, Chrome OS, desktop browser?

Jay Lee

On Thu, Jul 29, 2021 at 3:07 PM Ross Scroggs <ross.s...@gmail.com> wrote:

Will,

No. There is no API support for this, thus GAM can' help.

Ross

On Thu, Jul 29, 2021 at 12:01 PM WillW <fcps...@gmail.com> wrote:

Is there a command I can use to load a list of staff usernames and give them each Device Manger permissions to a list of ORG units?

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/9ac7296f-a3c9-466c-99e2-466308fd733an%40googlegroups.com.

--

Ross Scroggs

ross.s...@gmail.com

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAJkvRS-HLLHwhAHhXezTPCPqUD1rDqsqNHqtzoD%2BAFXmE_5oiQ%40mail.gmail.com.

[WillW]

Device manager is the role I'm trying to assign.

 I can run

gam create admin ny-hel...@acme.com role "Device Manager" org_unit "Albany"

I want to be able to add the additional org_units "Buffalo", "Brooklyn", etc.

And then do the same for ny-helpdesk2,ny-helpdesk3,ny-helpdesk4,ny-helpdesk5

Looking for a way to automate it as I have a bunch of user and they all manager about 10 OUs. 

[Jay Lee]

Just run a command per admin > OU assignment. You can automate it with a batch script or a CSV that looks like:

admin,orgunit

joes...@example.com,Buffalo

joes...@example.com,Brooklyn

...

Jay Lee

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/1c9a9b55-ddc0-4984-b672-fc461ce13506n%40googlegroups.com.

[Ross Scroggs]

Will,

Thanks to Jay for understanding better than I what you're trying to do.

Make a CSV file (UserRoleOU.csv) for instance.

user,role,org_unit

ny-hel...@acme.com,Device Manager,Albany

...

gam csv UserRoleOU.csv gam create admin "~user" role "~role" org_unit "~org_unit"

If every user is getting the same role you can omit the role common and do:

gam csv UserRoleOU.csv gam create admin "~user" role "Device Manager" org_unit "~org_unit"

Ross

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/1c9a9b55-ddc0-4984-b672-fc461ce13506n%40googlegroups.com.

--

Ross Scroggs

ross.s...@gmail.com

[WillW]

Thank you for this.

I was also looking at the delete admin example where you have   "gam print admins user olda...@acme.com | gam csv - gam delete admin ~roleAssignmentId"   is there a way to filter this by both the user and role so if they had a role other than "Device Manger" it wouldn't affect it?

[Ross Scroggs]

Will,

gam print admins user olda...@acme.com role "Device Manager" | gam csv - gam delete admin ~roleAssignmentId" 

Test the print by itself to verify selection of role.

Ross

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/8db2e717-a3e8-4dd8-b9d0-d0f23313cd64n%40googlegroups.com.

--

Ross Scroggs

ross.s...@gmail.com

[WillW]

I tried running " gam print admins user olda...@acme.com role "Device Manager" " and it didn't return anything. When I run " gam print admins user olda...@acme.com " I can see 4 roles with the "Device Manager" role listed along with two other roles. 

[Ross Scroggs]

Will,

Do: gam print roles

Get the role ID for Device Manager

the do: gam print admin role id:12345678

Ross

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/b5c4fe3b-bf0f-42db-8fe3-8aca6ee26b7an%40googlegroups.com.

--

Ross Scroggs

ross.s...@gmail.com

[WillW]

It works for me with the role name, ID, or the user, but not with the user and (role name or role ID).

[Ross Scroggs]

Will,

Contact me directly via Meet/Zoom.

Ross

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/642039b6-20fa-4207-a128-e2044112361bn%40googlegroups.com.

--

Ross Scroggs

ross.s...@gmail.com

[Ross Scroggs]

Will,

What doesn't work?

Ross

On Mon, Aug 2, 2021 at 11:50 AM WillW <fcps...@gmail.com> wrote:

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/642039b6-20fa-4207-a128-e2044112361bn%40googlegroups.com.

--

Ross Scroggs

ross.s...@gmail.com

[Ross Scroggs]

Will,

I did some investigation. These commands:

# gam print admins [todrive <ToDriveAttribute>*] [user <UserItem>] [role <RoleItem>]

# gam show admins [user <UserItem>] [role <RoleItem>]

use this API call: https://developers.google.com/admin-sdk/directory/reference/rest/v1/roleAssignments/list

Although undocumented, userKey and roleId are mutually exclusive.

You can use output row filtering to achieve what you want:

gam config csv_output_row_filter "roleId:regex:597407939166209" print admin user ad...@domain.com

gam config csv_output_row_filter "assignedToUser:regex:^ad...@domain.com$" print admin role id:597407939166209

Ross

--

Ross Scroggs

ross.s...@gmail.com