How to track down permission problems - 403: Forbidden

[James MacLean]

Sample request:

gam calendar somedomain.com_9p25t...@group.calendar.google.com add editor mr...@somedomain.com 

ERROR: 403: Forbidden - forbidden

I believe I have followed the GAM setup from beginning to end but other than making the user a superadmin, I keep getting forbidden.

Is there a process I can use to track down what permissions, settings I am missing?

Thanks,

JES

[Ross Scroggs]

James,

What does this show: gam calendar somedomain.com_9p25t90rbjg8vc5l72tb1bmsk4@group.calendar.google.com showacl

Ross

On Mon, Oct 2, 2017 at 10:42 AM, James MacLean <macl...@gmail.com> wrote:

Sample request:

gam calendar somedomain.com_9p25t90rbjg8vc5l72tb1bmsk4@group.calendar.google.com add editor mr...@somedomain.com 

ERROR: 403: Forbidden - forbidden

I believe I have followed the GAM setup from beginning to end but other than making the user a superadmin, I keep getting forbidden.

Is there a process I can use to track down what permissions, settings I am missing?

Thanks,

JES

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/b1946fe8-845c-44d5-85e6-99b14613e82c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Ross Scroggs

ross.s...@gmail.com

[James MacLean]

Same:

ERROR: 403: Forbidden - forbidden

JES

On Monday, October 2, 2017 at 4:07:18 PM UTC-3, Ross Scroggs wrote:

James,

What does this show: gam calendar somedomain.com_9p25t90rbjg8vc5l72tb1bmsk4@group.calendar.google.com showacl

Ross

On Mon, Oct 2, 2017 at 10:42 AM, James MacLean <macl...@gmail.com> wrote:

Sample request:

gam calendar somedomain.com_9p25t90rbjg8vc5l72tb1bmsk4@group.calendar.google.com add editor mr...@somedomain.com 

ERROR: 403: Forbidden - forbidden

I believe I have followed the GAM setup from beginning to end but other than making the user a superadmin, I keep getting forbidden.

Is there a process I can use to track down what permissions, settings I am missing?

Thanks,

JES

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.

To post to this group, send email to google-ap...@googlegroups.com.

Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/b1946fe8-845c-44d5-85e6-99b14613e82c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Ross Scroggs

ross.s...@gmail.com

[+KimNilsson]

Many people forget this step, or forget using another user than themselves.

gam user a_u...@example.com check serviceaccount

[James MacLean]

Hi +KimNilsson 

Already added those and the ones that show up in 'gam oauth info' :

gam user some...@somedomain.com check serviceaccount  
User: some...@somedomain.com 
Scope: https://mail.google.com/                                     PASS
Scope: https://www.googleapis.com/auth/activity                     PASS
Scope: https://www.googleapis.com/auth/calendar                     PASS
Scope: https://www.googleapis.com/auth/drive                        PASS
Scope: https://www.googleapis.com/auth/gmail.settings.basic         PASS
Scope: https://www.googleapis.com/auth/gmail.settings.sharing       PASS
Scope: https://www.googleapis.com/auth/plus.me                      PASS

All scopes passed!
Service account <x> is fully authorized.

Thanks for the help,

JES

[+KimNilsson]

Are you allowed to share the calendar to the user at all?

I mean, if you do it manually in the Calendar interface.

Just trying to find if there's something off with that calendar.

I tried your command and it worked just fine, even with a user outside the domain. (We allow external sharing.)

[James MacLean]

If I use a superadmin GAM instance, it works:

# gam calendar somdomain.com_gfdd...@group.calendar.google.com showacl   
Calendar: somedomain.com_t90rfgf...@group.calendar.google.com, ACL: (Scope: user:somedomain.com_t90sdsdfg...@group.calendar.google.com, Role: owner) (1/2)
Calendar: gnspes.ca_t9sdfsdf0...@group.calendar.google.com, ACL: (Scope: user:o...@somdomaon.com, Role: writer) (2/2)

But as we have various admins, we do not give out superadmin to everyone ;(.

Thanks again,

JES

[Kim Nilsson]

Ahhh, you are trying to let a delegated admin run GAM and manage calendars?

And a superadmin account acknowledged the request from GAM when setting the access?

Did you untick all the APIs the delegated person isn't supposed to be allowed to manage?

[James MacLean]

Hi KimNilsson

On Tuesday, October 3, 2017 at 9:19:18 AM UTC-3, +KimNilsson wrote:

Ahhh, you are trying to let a delegated admin run GAM and manage calendars?

Yes

 

And a superadmin account acknowledged the request from GAM when setting the access?

Yes. Seems to be a requirement to get any access to GAM controls ;).

 

Did you untick all the APIs the delegated person isn't supposed to be allowed to manage?

No. Did not want to limit anything until we have a working solution ;).

Thanks,

JES 

[Kim Nilsson]

Did you try adding relevant admin role access to the user?

[James MacLean]

At this point I've added them all ;(.