Can't change ownership of a Classroom course; service account not "powerful" enough?

1,145 views
Skip to first unread message

+KimNilsson

unread,
May 22, 2018, 8:53:45 AM5/22/18
to GAM for G Suite
Ross, is this a limitation of the API, or have I done something wrong when setting up GAMADV-X?
Usually I allow all but Reseller APIs. I can do everything else with this gamx instance. 

Service account passes everything, but Classroom isn't one of those 13 scopes checked.
So, maybe the service account needs to be allowed to do more things?
The "transfer classroom ownership" feature is a user only action, so maybe I need to be able to pretend to be the user when running the update owner call?
Maybe the service account also needs this API?


$ gamx update course ID_of_Course owner email.address

Course: ID_of_Course, Update Failed: @UnauthorizedOwnershipAction The current user is not authorized to change ownership for this course

+KimNilsson

unread,
May 22, 2018, 5:03:31 PM5/22/18
to GAM for G Suite
Turns out there's something wrong with the particular domain.
The code is fine. It must be some setting in the domain that's blocking it.

Ross Scroggs

unread,
May 22, 2018, 5:05:33 PM5/22/18
to google-ap...@googlegroups.com
Kim,

In the admin console, go to Apps/G Suite/Classroom, compare settings for working/non-working domain.

Ross

On Tue, May 22, 2018 at 2:03 PM +KimNilsson <there.is.no...@gmail.com> wrote:
Turns out there's something wrong with the particular domain.
The code is fine. It must be some setting in the domain that's blocking it.

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/087fe2e5-970c-48ab-a851-4e83df636171%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--

Kim Nilsson

unread,
May 22, 2018, 5:17:07 PM5/22/18
to Google Apps Manager
Was already on my way. :-)
There was one difference, but it should be irrelevant.

The working one had this setting set.

Which classes can users in your domain join
Classes in whitelisted domains

And the non-working had 
Classes in your domain only

Both of them have

Who can join classes in your domain
Any user

I changed the non working to Any G Suite class, but as always Google says 24h wait. It definitely didn't work right away, and, as I said, it doesn't feel like a relevant setting.

Can I up the debug level and get more info for you?
/Kim

Ross Scroggs

unread,
May 22, 2018, 5:42:19 PM5/22/18
to google-ap...@googlegroups.com
I doubt it, when an API fails the error message you see is about all that came back.

Ross

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAGPzzFs3fyffGwqYU%2BTVJsjMR2gopAxC2hmfMbW2Gi2j2x7nug%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.


--

Jay Lee

unread,
May 22, 2018, 6:19:24 PM5/22/18
to google-ap...@googlegroups.com
Classroom uses the admin user credentials, not the service account. In my experience, sometimes the owner/teacher can do things in Classroom that the super admin non-owner cannot.

Can you try authorizing GAM as the owner teacher and see if that works?

Jay

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAJkvRS_SjU6Y9W8ZyO6PGxdo5189FSqYgqKB10GEtfVBbDRtRg%40mail.gmail.com.

Kim Nilsson

unread,
May 23, 2018, 1:27:06 AM5/23/18
to Google Apps Manager
Hi, Jay!

Only doing oauth create as the owner of the Classroom gave me a slightly different error message.

~$ gamx select andreas update course 8025352253 owner anette.b...@edu.lomma.se
Course: 8025352253, Update Failed: The caller does not have permission

Compared with doing it as my superadmin.

$ gamx select lomma update course 8025352253 owner anette.b...@edu.lomma.se
Course: 8025352253, Update Failed: @UnauthorizedOwnershipAction The current user is not authorized to change ownership for this course

JSON files in both tests are from my superadmin.

Kim Nilsson

unread,
May 23, 2018, 1:39:39 AM5/23/18
to Google Apps Manager
Jay, if I was unclear earlier...

I tested using a superadmin account on a completely different GSFE domain.
On that domain I could change owner of another user's classroom to a third user.

So far it is only my lomma-domain that is causing this trouble.
I have redone the oauth on it but the error message stays the same.

Ross Scroggs

unread,
May 23, 2018, 8:48:15 AM5/23/18
to google-ap...@googlegroups.com
Kim,

I did a quick test using Service Account access, I get the same error as in the first case below.

Click access errors under PERMISSION_DENIED: https://developers.google.com/classroom/reference/Access.Errors

Different error but it also shows the unusual leading @ on the message as in the second case below.

What if you build a new course from the beginning? Create a course, add a second teacher, try to make the second teacher the owner.
Do you get the same error?

Ross
--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.

Kim Nilsson

unread,
May 23, 2018, 10:41:12 AM5/23/18
to Google Apps Manager
Thank you, Ross.
I thought I had already tested that.

Brand new Classroom. Created by regular user. Added other user as co-teacher.
Could update owner just fine!

So, back to my problem. :-)

The CreatedBy person's account was recently both deleted, restored and renamed.
And as such also all content was deleted and restored.

But, Classrooms are not deleted along with their CreatedBy account. They live on forever (which is another issue we have talked about earlier and can't be deleted or ownership changed).

But, this Classroom I'm trying to deal with has all the correct references to the user's restored account.
(Yes, yes, I know I could login as the user and do the transfer manually, but that'd be cheating. :-) )

Ross Scroggs

unread,
May 23, 2018, 11:38:01 AM5/23/18
to google-ap...@googlegroups.com
See: https://developers.google.com/classroom/reference/Access.Errors

I think that this is the key:
ProjectPermissionDenied

ProjectPermissionDenied indicates that the request attempted to modify a resource associated with a different Developer Console project.

Possible Action: Indicate that your application cannot make the desired request. It can only be made by the Developer Console project of the OAuth client ID that created the resource.



--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.

Kim Nilsson

unread,
May 23, 2018, 11:54:58 AM5/23/18
to Google Apps Manager
Hmmm, but the Classroom was manually created by the user, not GAM.
Just like the one I manually created with a test-user, which I could transfer.

Kim Nilsson

unread,
May 24, 2018, 3:57:03 PM5/24/18
to Google Apps Manager
This still has me stumped.
Everything you have explained so far, Ross, makes perfect sense, but none of it seem relevant to exactly my situation.

Kim Nilsson

unread,
Jun 5, 2018, 4:37:46 AM6/5/18
to Google Apps Manager
Now I'm getting a new error message!
This one also saying something different from what is actually happening. 
The new.owner is already a teacher in the course, but can't be elevated to owner, since the creator account no longer exists.
Remember that this particular course failed even when the creator did exist.

$ gamx update courses 9798144372 owner new.owner(at)edu.lomma.se
Course: 9798144372, Update Failed: @UserInIllegalDomain Invitation cannot be created for user in this domain

The Classroom exists in the @same.domain as I and the new.owner are in.
But, today the CreatedBy account is among the recently deleted, so it is no longer listed as known.

$ gamx info courses 9798144372 owneremail

Course ID: 9798144372, Owner ID: 111361687401590090164, Does not exist

Course: 9798144372

  alternateLink: http://classroom.google.com/c/OTc5ODE0NDM3Mlpa

  calendarId: edu.lomma.se_cl...@group.calendar.google.com

  courseGroupEmail: Leda_och_l_ra_i_teknik...@edu.lomma.se

  courseMaterialSets:

    materials:

      link:

        thumbnailUrl: https://www.google.com/webpagethumbnail?c=73&s=105:70&f=0&d=http://prezi.com/g1dkjwo2amt7/?utm_campaign%3Dshare%26utm_medium%3Dcopy%26rc%3Dex0share&a=AIYkKU8VlqVADRDQjqrzywanf7x6BsWNwg

        title: Didaktisk Design - Transformation by Johan Westerlund on Prezi

        url: http://prezi.com/g1dkjwo2amt7/?utm_campaign=share&utm_medium=copy&rc=ex0share

      title:

        Didaktisk Design - Transformation

        

        En tolkning av professor Staffan Selanders transformationscykler.

    materials:

      driveFile:

        alternateLink: https://drive.google.com/open?id=1SX4dbXu40bta74pBwxkiDobHJhBX1Owa

        id: 1SX4dbXu40bta74pBwxkiDobHJhBX1Owa

        thumbnailUrl: https://drive.google.com/thumbnail?id=1SX4dbXu40bta74pBwxkiDobHJhBX1Owa&sz=s200

        title: Förslag på digitala verktyg.png

      title: Förslag på digitala verktyg.

    materials:

      driveFile:

        alternateLink: https://drive.google.com/open?id=14RAPjai5KTCrCDjLOmMXHPNvg5HjEpD4

        id: 14RAPjai5KTCrCDjLOmMXHPNvg5HjEpD4

        thumbnailUrl: https://drive.google.com/thumbnail?id=14RAPjai5KTCrCDjLOmMXHPNvg5HjEpD4&sz=s200

        title: Del 4. Digital didaktisk design - moment B, anteckningar.pdf

      title: Anteckningar från del 4 moment B

    materials:

      driveFile:

        alternateLink: https://drive.google.com/open?id=1jAdvfko1eRqZ90cJb3XRVvBJU9F-lKCM

        id: 1jAdvfko1eRqZ90cJb3XRVvBJU9F-lKCM

        thumbnailUrl: https://drive.google.com/thumbnail?id=1jAdvfko1eRqZ90cJb3XRVvBJU9F-lKCM&sz=s200

        title: Leda och lära i tekniktäta klassrum - introduktion.pdf

      title: Introduktion

  courseState: ACTIVE

  creationTime: 2017-12-19T09:54:54+01:00

  descriptionHeading: Leda och lära i tekniktäta klassrum

  enrollmentCode: aemhre

  guardiansEnabled: False

  id: 9798144372

  name: Leda och lära i tekniktäta klassrum

  ownerEmail: Unknown user

  ownerId: 111361687401590090164

  teacherFolder:

    alternateLink: https://drive.google.com/drive/folders/0B3JssyVFEu5XfmZiRVB0TGFLUFJ3TG9JYjQ3a0duSWpZc2R1UUJkc3pMemhfeHI1V3V2VFU

    id: 0B3JssyVFEu5XfmZiRVB0TGFLUFJ3TG9JYjQ3a0duSWpZc2R1UUJkc3pMemhfeHI1V3V2VFU

    title: Leda och lära i tekniktäta klassrum

  teacherGroupEmail: Leda_och_l_ra_i_teknikt_t...@edu.lomma.se

  updateTime: 2018-03-16T14:00:33+01:00



/Kim
--
There is No Substitute!
Reply all
Reply to author
Forward
0 new messages