Installation of GAM for a person who is not a Super Admin.

Arnaud Lienard

Aug 5, 2022, 4:36:49 AM
to GAM for Google Workspace
Hi,

I would like a colleague who does not have the super admin role but has some admin roles to install and use GAM.

The purpose is for him to transfer Drive files to a new owner with some options.

I suppose that when he installs GAM and after entering "gam oauth create", he will have to select only some authorized scopes but I don't know which ones.

When he leaves everything checked, he has an error 403 (We're sorry, but you do not have access to this document).

Can you help me? I would like to point out that I am a beginner in the use of GAM.

Thank you

Ross Scroggs

Aug 5, 2022, 6:04:13 PM
to google-ap...@googlegroups.com
Access to documents is done with service account access.
Do: gam user us...@domain.com check serviceaccount

Ross


Jay Lee

Aug 5, 2022, 6:11:34 PM
to google-ap...@googlegroups.com
If they are not a super admin, giving them domain-wide delegation to Drive so that they have completely unlimited access to end user drive data organization-wide seems like a bad idea...

Jay

Arnaud Lienard

Aug 6, 2022, 4:31:49 AM
to GAM for Google Workspace
Hi Ross,

When I execute the command with my GAM session and specify my colleague's email address, I get:

All scopes PASSED!
Service Account Client name: 11111111111111 is fully authorized.


Does this mean that GAM is correctly installed for his account?

Arnaud

@Jay, no worries, he's an experienced administrator who will only use a command line to do Drive ownership transfers, only for shared files (gam create datatransfer old_...@domaine.com gdrive new_...@domaine.com privacy_level shared)

Kim Nilsson

Aug 6, 2022, 8:07:39 AM
to GAM for Google Workspace
Still, when you do the check serviceaccount, and copy the information over to the admin console, you can remove any scopes he doesn't need.
Same with the oauth create. No need to allow unnecessary scopes.

/Kim

Arnaud Lienard

Aug 8, 2022, 3:37:27 AM
to GAM for Google Workspace
Hi all,

I have tested with my colleague and he is able to execute the drive command.

Thank you all for your help and have a nice day 😀

Arnaud

Temple Rodgers

Aug 8, 2022, 3:45:14 AM
to GAM for Google Workspace
@jay - a small difference of opinion on my part if I may? - I run many GAM queries/commands more or less daily - and I'm not a superadmin (and I don't really need to be). We should keep the number of Superadmins to a minimum and not all Superadmins are good at programming (ha ha!) so I'd argue that a GAM user needs to have a similar level of trust within the organisation as a superadmin, but doesn't actually need to be one.
all the best
Temple

Kim Nilsson

Aug 9, 2022, 2:59:58 AM
to google-ap...@googlegroups.com
It is also possible to limit DwD to certain scopes.
No need to allow all scopes, if the user isn't supposed to do all things.

/Kim
--
There is No Substitute!

Yaniv Schiff

Aug 10, 2022, 1:36:44 PM
to GAM for Google Workspace
I'm trying to figure out the same issue here: I want the service account to ONLY be able to utilize the Google Drive API. Does anyone know specifically what scopes are required to do so?

Ross Scroggs

Aug 10, 2022, 1:49:13 PM
to google-ap...@googlegroups.com
Yaniv,

Drive API


Ross


Yaniv Schiff

Aug 10, 2022, 1:56:18 PM
to GAM for Google Workspace
Thanks Ross. 

When adding only the Drive auth scopes in admin console and rerunning the GAM service check routine it shows failed for all scopes, including the Drive scopes.
