GAMADV-XTD3 running locally with Read and SuperAdmin Roles, switch between (2) completely independent GCP Projects


Jonathan Ascencio

Nov 2, 2022, 4:22:11 PM
to GAM for Google Workspace
Hey everyone,
Here is my goal, and I want to ensure this would be the most NEAT and SIMPLE way of going about this...
I need to separate (2) roles basically, "ReadOnly" and "SuperAdmin". Same domain.
I want to be able to either use the same project and have two different permission sets, OR what I'm currently trying is two different projects with two different permission sets from IAM.
Problem is that the "ReadOnly" is STILL able to conduct write commands; is there something that needs to be adjusted in the project to lower permissions?

Has anyone done something like this?

Ross Scroggs

Nov 2, 2022, 4:25:41 PM
to google-ap...@googlegroups.com

Jonathan Ascencio

Dec 13, 2022, 9:44:54 PM
to GAM for Google Workspace
Thanks Ross,
I made a successful attempt to separate Read Only and Super Admin priv selection, but it utilizes (2) independent GCP Projects.
+ I want to utilize the service account to perform any actions. This is what I have listed within my gam.cfg file.

user_service_account_access_only = true

[SuperAdmin]
domain = domain.com
customer_id = XXXXXX
config_dir = SuperAdmin

[ReadOnly]
domain = domain.com
customer_id = XXXXXX
config_dir = ReadOnly


Is there a neater way to configure this? I overlooked https://github.com/taers232c/GAMADV-XTD3/wiki/Authorization#configure-limited-access, but I am still a bit confused on how this actually works and whether it is a better solution, more so an (all in one) project that can be used to switch between ReadOnly and SuperAdmin roles. Would it have to be configured via OAuth.txt or a Service Account's GCP Role? A bit confused regarding this, apologies.

Ross Scroggs

Dec 13, 2022, 11:36:47 PM
to google-ap...@googlegroups.com
Jonathan,

I'm in California (PST) and am generally available starting at 7:45.
Send me a Meet/Zoom invitation and I'll review your setup with you.

Ross
----
Ross Scroggs



Brian Kim

Dec 14, 2022, 8:29:06 PM
to GAM for Google Workspace
Depends on what you are trying to read; you can change the scopes for each section by doing

gam oauth create OR update.
gam user $username update serviceaccount

Both will ask you to select the scopes, either through client access (what you can do with your admin account that authorizes GAM) or through the service account (authorized through the scopes you specify at https://admin.google.com/ac/owl/domainwidedelegation). Some of the API scopes support read-only, which would require you to type 12R, as an example, if scope 12 supported read-only.
