Error 403: Insufficient Permission

[Marcos Ferreira da Silva]

I'm using the gam-3:03 and I enabled the following options in the google API panel.

• Admin SDK
  
• Audit API
  
• Groups Settins API
  

I start early gam choose the options:

8  : Admin Settings API

9  : Groups Settings API

11 : Audit Reports API 

When I finish shows the error:

Error 403: Insufficient Permission - insufficientPermissions

If I run from the command line I get the same error

gam.py info domain

Google Apps Domain: uniube.br

Error 403: Insufficient Permission - insufficientPermissions

I access the url  https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=<TOKEN> and it return:

{
 "issued_to": "111111-111111.apps.googleusercontent.com",
 "audience": "111111-111111.apps.googleusercontent.com",
 "scope": "https://www.googleapis.com/auth/userinfo.email https://apps-apis.google.com/a/feeds/domain/ https://www.googleapis.com/auth/apps.groups.settings https://www.googleapis.com/auth/admin.reports.audit.readonly",
 "expires_in": 3123,
 "email": "xx...@xxxxx.xxx",
 "verified_email": true,
 "access_type": "offline"
}

Can someone help me?

[Jay Lee]

Is the user you authenticated as a Super Admin?

Regards,

Jay Lee
Director of Google Apps Deployments   |  Dito

☎ (267) 712-9533  |  ✉ j...@ditoweb.com

--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/36ed7d65-0335-4de8-99f9-8bac152c1f5a%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

[Marcos Ferreira da Silva]

I am using superadmin user.

______________________________

Marcos Ferreira da Silva

Analista de Suporte em TI  -  LPIC-2 

TI Suporte - gerência e suporte em TI
Uberlândia - MG    (34) 9154-0150

 

2013/12/20 Jay Lee <j...@ditoweb.com>

--
You received this message because you are subscribed to a topic in the Google Groups "Google Apps Manager" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-manager/rtRUZ-lb0L4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-man...@googlegroups.com.

To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAJHSAXatZDw12kHgSDDY3QXC%2B1CK1AFmjitzeADNaQFw9vmEAA%40mail.gmail.com.

[Karl]

Got the same error, this solved it for me:

In the Google Admin panel do the following:

Security->Advanced 

settings->Authentication->Manage third party OAuth Client access

And delete if theres anything like this "380063494358.apps.googleusercontent.com" 

Try to connect gam again, and it worked for me

2013/12/20 Jay Lee <j...@ditoweb.com>

To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.

To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/36ed7d65-0335-4de8-99f9-8bac152c1f5a%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

--
You received this message because you are subscribed to a topic in the Google Groups "Google Apps Manager" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-manager/rtRUZ-lb0L4/unsubscribe.

To unsubscribe from this group and all its topics, send an email to google-apps-manager+unsub...@googlegroups.com.

To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.

[Marcos Ferreira da Silva]

Now I am trying with version 3.04.

I am trying to activate the delegation of email to another user. 

In version 2 works but this version 3 could never make it work.

Always appears the message "Error 403: Insufficient Permission - insufficientPermissions"

______________________________

Marcos Ferreira da Silva

Analista de Suporte em TI  -  LPIC-2 

TI Suporte - gerência e suporte em TI
Uberlândia - MG    (34) 9154-0150

 

To unsubscribe from this group and all its topics, send an email to google-apps-man...@googlegroups.com.

To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/ecca68bd-4aa7-4024-8279-22956fb2ff01%40googlegroups.com.

[Jay Lee]

Try running:

gam oauth revoke

and then rerunning a command like "gam info domain". This time leave all APIs selected, just choose the last option to continue.

Regards,

Jay Lee
Director, Apps Deployments   |  Dito

☎ (267) 712-9533  |  ✉ j...@ditoweb.com

  

To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.

To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAPhn4oMX_jeKFgXdm-Q9Fse%3DUF_M28g%2B4Vu3E2NsNZ5CPnH3OA%40mail.gmail.com.

[Marcos Ferreira da Silva]

I revoked but showed the same errors. 

I deleted and created the OAuth.

./gam.py info domain

Select the authorized scopes for this token. Include a 'r' to grant read-only access or an 'a' to grant action-only access.

[ ]  0)  Group Directory API (supports read-only)

[ ]  1)  Organizational Unit Directory API (supports read-only)

[ ]  2)  User Directory API (supports read-only)

[ ]  3)  Chrome OS Device Directory API (supports read-only)

[ ]  4)  Mobile Device Directory API (supports read-only and action)

[ ]  5)  User Email Settings API

[ ]  6)  Calendar Resources API

[ ]  7)  Audit Monitors, Activity and Mailbox Exports API

[*]  8)  Admin Settings API

[*]  9)  Groups Settings API

[ ] 10)  Calendar Data API (supports read-only)

[*] 11)  Audit Reports API

[ ] 12)  Usage Reports API

[ ] 13)  Drive API (create report documents for admin user only)

[ ] 14)  License Manager API

[ ] 15)  User Security Directory API

[ ] 16)  Notifications Directory API

[ ] 17)  Site Verification API

     18)  Select all scopes

     19)  Unselect all scopes

     20)  Continue

20

Go to the following link in your browser:

    http://goo.gl/xxxx

Enter verification code: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Authentication successful.

Google Apps Domain: xxxxxx.xxx

Error 403: Insufficient Permission - insufficientPermissions

______________________________

Marcos Ferreira da Silva

Analista de Suporte em TI  -  LPIC-2 

TI Suporte - gerência e suporte em TI
Uberlândia - MG    (34) 9154-0150

 

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAJHSAXZU6KScGJ_OVZXU6HHyUaOjK7T%2BdCGy5S8pa7bnk28hsw%40mail.gmail.com.

[Marcos Ferreira da Silva]

At google apis page:

Dashboard

Project Summary Name API Project

Project Domain xxxxx.xx

Project Number 012345678901

Project ID Register...

Google+ Page Request connection

Owners xxxx@xxxxx.xx - you

Service Status

Admin SDK No known issues

API Access

Product name: GAM

Google account: x...@xxxxx.xx

Home page URL:

Client ID for installed applications

Client ID: 111111111111-22222222222222222222222222222222.apps.googleusercontent.com

Client secret: 000000000000000000000000

Redirect URIs: urn:ietf:wg:oauth:2.0:oob http://localhost

Simple API Access

API key: 2222222222222222222_333333333_444444444

Referers: Any referer allowed

Activated on: Sep 27, 2013 6:44 AM

Activated by: x...@xxxxx.xx – you

Notification Endpoints

Allowed Domains: No domains allowed

I created a new "Client ID for installed applications" and I downloaded the json file.

gam-3.04]# python gam.py info domain

Select the authorized scopes for this token. Include a 'r' to grant read-only access or an 'a' to grant action-only access.

[ ]  0)  Group Directory API (supports read-only)

[ ]  1)  Organizational Unit Directory API (supports read-only)

[ ]  2)  User Directory API (supports read-only)

[ ]  3)  Chrome OS Device Directory API (supports read-only)

[ ]  4)  Mobile Device Directory API (supports read-only and action)

[ ]  5)  User Email Settings API

[ ]  6)  Calendar Resources API

[ ]  7)  Audit Monitors, Activity and Mailbox Exports API

[*]  8)  Admin Settings API

[ ]  9)  Groups Settings API

[ ] 10)  Calendar Data API (supports read-only)

[ ] 11)  Audit Reports API

[ ] 12)  Usage Reports API

[ ] 13)  Drive API (create report documents for admin user only)

[ ] 14)  License Manager API

[ ] 15)  User Security Directory API

[ ] 16)  Notifications Directory API

[ ] 17)  Site Verification API

     18)  Select all scopes

     19)  Unselect all scopes

     20)  Continue

Go to the following link in your browser:

    http://goo.gl/xxxxxx

Enter verification code: 11111111111111111111111111111111111111111111111111111111111111

Authentication successful.

Google Apps Domain: xxxxxx.xx

Error 403: Insufficient Permission - insufficientPermissions

______________________________

Marcos Ferreira da Silva

Analista de Suporte em TI  -  LPIC-2 

TI Suporte - gerência e suporte em TI
Uberlândia - MG    (34) 9154-0150

 

[Jay Lee]

The "gam info domain" command needs at least read access to users (option 2r) in order to work properly.

I strongly suggest you start with all scopes selected while getting familiar with GAM. Once you've got the basics down you can play with limiting GAM to the least permissions needed for your scripts.

Regards,

Jay Lee
Director, Apps Deployments   |  Dito

☎ (267) 712-9533  |  ✉ j...@ditoweb.com

  

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAPhn4oOFNaQDe58e%2BvO3Dvr86r-Dux6Ev2_57L4PqxCODNKYOw%40mail.gmail.com.

[Marcos Ferreira da Silva]

Now I got successfull.

Authentication successful.

Google Apps Domain: xxxxxx.xx

Customer ID: 00000000

Default Language: pt_BR

Organization Name: webmail xxxxxx

Maximum Users: 3000

Current Users: 2478

Domain is Verified: true

Domain Edition: education

Customer PIN: 111111111

Domain Creation Time: 2008-12-16 04:05:25 -0800

Domain Country Code: BR

MX Verification Verified: true

MX Verification Method: mx

SSO Signon Page:

SSO Logout Page:

SSO Password Page:

SSO Enabled: false

SSO Whitelist IPs:

SSO Use Domain Specific Issuer: false

User Migration Enabled: true

Outbound Gateway Smart Host: None

Outbound Gateway SMTP Mode: None

But when I try to delegate I receive an error.

 gam-3.04]# python gam.py user  xx...@xxxxx.xx delegate to y...@xxxxx.xx

Giving y...@xxxxx.xx delegate access to x...@xxxxx.xx (1 of 1)

Error: 600: Unknown Error: {'status': 401, 'body': '<HTML>\n<HEAD>\n<TITLE>Token invalid - AuthSub token has wrong scope</TITLE>\n</HEAD>\n<BODY BGCOLOR="#FFFFFF" TEXT="#000000">\n<H1>Token invalid - AuthSub token has wrong scope</H1>\n<H2>Error 401</H2>\n</BODY>\n</HTML>\n', 'reason': 'Token invalid - AuthSub token has wrong scope'}

______________________________

Marcos Ferreira da Silva

Analista de Suporte em TI  -  LPIC-2 

TI Suporte - gerência e suporte em TI
Uberlândia - MG    (34) 9154-0150

 

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAJHSAXZhFKsVNtczyVnQ3%2BfP1Xw7JSdpacNBwJpz46HqACQqZg%40mail.gmail.com.

[Jay Lee]

Are both addresses users within the Google Apps domain and are their acounts not suspended or requiring a password change?

Regards,

Jay Lee
Director, Apps Deployments   |  Dito

☎ (267) 712-9533  |  ✉ j...@ditoweb.com

  

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAPhn4oM847j9NZ50D%2Bn2joveh_1NX0eHVLvg%3DvHrvUCJStTQjg%40mail.gmail.com.

[Marcos Ferreira da Silva]

Enabling all options worked.

But a only need an option to delegate an account to another user.

What the options that I have to ckeck to enable only what I want?

I discovered that the new google panel disabled my delegate option that was checked in old version.

______________________________

Marcos Ferreira da Silva

Analista de Suporte em TI  -  LPIC-2 

TI Suporte - gerência e suporte em TI
Uberlândia - MG    (34) 9154-0150

 

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAJHSAXbChoaVOjiyqgE%2B570_R_JC97d9HM0yhf6zvzO%2BX8NeLQ%40mail.gmail.com.