Custom Admin Role for GAM APIs involving Email Deletion?


Leonardo Barbosa

Mar 13, 2024, 12:33:32 PM
to GAM for Google Workspace
Hey all,

Quick question which I couldn't find in the official GAM documentation: Is it possible to create a Custom Admin Role in the Google Workspace Admin Console (https://admin.google.com/ac/roles) for GAM API privileges to delete email messages on behalf of the users, without using a Super Administrator account? 

For example, I want to allow one of my admins to use "gam users delete messages" to delete wrong emails that users sent by accident, and the only option that I found to use this is to grant my admin a "Super Administrator" role inside our Google Workspace (which is not what I want). I couldn't find an option using a "Custom Admin Role" for that (in case this is a possibility, or a limitation from Google Workspace at the moment).

Thanks in advance!

Best,
Leonardo

Brian Kim

Mar 14, 2024, 12:41:27 AM
to GAM for Google Workspace
Anything that deals with the Gmail API uses domain-wide delegation, which needs to be set up by a super admin from https://admin.google.com/ac/owl/domainwidedelegation.

Generally, the admin running the commands does not need to be an administrator: any command that starts with gam user us...@domain.com does not need any Admin API privileges.

Leonardo Barbosa

Mar 14, 2024, 5:09:15 AM
to GAM for Google Workspace
Hey Brian,

Thanks for your reply! Interesting... In my situation, I have a custom admin role with the privileges to do any CRUD operations for our users (Read, Update, Delete, etc.), and when our admin tries to run "gam users delete messages", he receives the error message below:

"unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."

It probably has something to do with API scopes. I'll check on my end, do some tests, and if I find any other interesting results I'll post them here for the community.

Best,
Leonardo

Brian Kim

Mar 14, 2024, 8:26:30 AM
to google-ap...@googlegroups.com
The syntax of your command is incorrect.

Try it on a single user first, but check service account access before that:

gam user us...@domain.com check serviceaccount

gam user us...@domain.com delete messages query "your query here" doit


Jay Lee

Mar 14, 2024, 8:35:38 AM
to google-ap...@googlegroups.com

As others mentioned, this is done via domain-wide delegation to the service account. The admin user is not used when accessing Gmail API.

Please make sure you fully understand the ramifications of giving a user this access. The GAM user will have FULL ACCESS TO READ, COPY, MODIFY AND DELETE GMAIL MESSAGES FOR ALL USERS IN YOUR ORGANIZATION.

That's an extremely privileged permission and should be restricted to only trusted, senior persons.

Jay


Leonardo Barbosa

Mar 14, 2024, 8:57:00 AM
to GAM for Google Workspace
Yup, I fully understand that, Jay.

What we also did for some admins: we removed some API scopes from their Domain-Wide Delegation Client IDs, so they can't do some "operations" involving Gmail (I think this is where the error is coming from). This is where the error message was coming from initially :)

Thanks for clarifying, and for all the support guys!

Best,
Leonardo
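To make the mechanism the thread settles on concrete, here is an added example (not code from the thread or from the GAM project) that models a domain-wide delegation (DWD) token request the way Google's service-account OAuth flow documents it, and checks the requested scopes against what the DWD grant for the client ID allows. The service-account e-mail, the impersonated user and the "granted scopes" list are constructed placeholders. The claim-set shape (iss, sub, scope, aud, iat, exp) and the three Gmail scope URIs are from Google's public documentation; the Gmail API's users.messages.delete method requires the https://mail.google.com/ scope. Which scopes GAM itself requests for a given command is not stated on the page, so in practice that comes from gam user <user> check serviceaccount.

```python
"""Model of a domain-wide delegation token request (example, not GAM code).

Two facts from the thread fall out of the claim set: the only identities in
the request are the service account (iss) and the impersonated mailbox owner
(sub), so the admin running gam and their admin role never reach the Gmail
API; and every requested scope must be present in the DWD grant for the
client ID, or the token endpoint answers unauthorized_client.
"""
import base64
import json
import time

# Real Gmail API scope URIs (Google documentation). Permanent deletion via
# users.messages.delete requires the full-access scope, not gmail.modify.
GMAIL_FULL = "https://mail.google.com/"
GMAIL_MODIFY = "https://www.googleapis.com/auth/gmail.modify"
GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def build_dwd_claims(service_account_email, impersonated_user, scopes, now=None):
    """JWT claim set for a delegated access-token request (Google's documented
    shape). Note what is absent: no admin account appears anywhere."""
    now = int(time.time()) if now is None else now
    return {
        "iss": service_account_email,   # the service account, not an admin
        "sub": impersonated_user,       # the mailbox owner being acted on
        "scope": " ".join(scopes),      # space-separated scope URIs
        "aud": TOKEN_ENDPOINT,
        "iat": now,
        "exp": now + 3600,              # Google caps assertions at one hour
    }


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_signing_input(claims):
    """header.payload per RFC 7515: the bytes the RS256 signature covers.
    Signing with the service account's private key is left out here; this
    only shows what is signed."""
    header = {"alg": "RS256", "typ": "JWT"}
    compact = dict(separators=(",", ":"))
    return (_b64url(json.dumps(header, **compact).encode()) + "."
            + _b64url(json.dumps(claims, **compact).encode()))


def decode_signing_input(signing_input):
    """Inverse of encode_signing_input, for inspecting a captured request."""
    header_b64, payload_b64 = signing_input.split(".")
    return json.loads(_unb64url(header_b64)), json.loads(_unb64url(payload_b64))


def identities_in_request(claims):
    """The only principals the token endpoint evaluates."""
    return {"issuer": claims["iss"], "subject": claims["sub"]}


def missing_scopes(dwd_granted, requested):
    """Scopes a request asks for that the DWD grant does not cover. A non-empty
    result is the situation behind the unauthorized_client error quoted above:
    the fix is editing the grant (super admin), not the admin's role."""
    return sorted(set(requested) - set(dwd_granted))


if __name__ == "__main__":
    # Constructed grant: a client ID that was deliberately trimmed to read/modify.
    granted = [GMAIL_READONLY, GMAIL_MODIFY]
    claims = build_dwd_claims("gam-sa@example-project.iam.gserviceaccount.com",
                              "user@example.com", [GMAIL_FULL])
    print("principals seen by Google:", identities_in_request(claims))
    print("signing input:", encode_signing_input(claims)[:60], "...")
    print("scopes missing from DWD grant:", missing_scopes(granted, [GMAIL_FULL]))
```

The takeaway for least privilege is the one Jay makes: whoever can invoke GAM with this service account holds every scope in the DWD grant for every mailbox, so narrowing the grant to what the role actually needs is the only control that bites; the custom admin role is not consulted.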
