Context aware

[Gabriel Clifton]

I am trying to play with the new Context Aware and when I try gam print caalevels todrive with GAMADV, I get ERROR: Please grant service account <blah>.gserviceaccount.com the Access Context Manager Editor role in your GCP organization.

I have already ran gam oauth update and verified all are selected. Can't figure out what I am missing.

[Jay Lee]

You need to explicitly follow the steps at:

https://github.com/GAM-team/GAM/wiki/Context-Aware-Access-Levels#grant-service-account-rights-to-manage-caa

Jay

On Tue, Apr 12, 2022, 3:40 PM 'Gabriel Clifton' via GAM for Google Workspace <google-ap...@googlegroups.com> wrote:

I am trying to play with the new Context Aware and when I try gam print caalevels todrive with GAMADV, I get ERROR: Please grant service account <blah>.gserviceaccount.com the Access Context Manager Editor role in your GCP organization.

I have already ran gam oauth update and verified all are selected. Can't figure out what I am missing.

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/2e55c62d-8ed2-48a8-b271-5fdc850336bcn%40googlegroups.com.

[Gabriel Clifton]

I have "Access Context Manager Editor, Organization Administrator, Owner" permissions. Been waiting for a bit. Maybe I am being too impatient, maybe I set something wrong, or as my grandfather would say "maybe I'm not holding my b**l* right".

[Gabriel Clifton]

OK, thanks to Ross for helping me figure this out. You can't grant access to your normal GAM account, but rather the service account that is specified in the <blah>.gserviceaccount.com and you have to go one level up from where I was. Bingo!

[Jay Lee]

Any suggestions for improvements to the error message GAM throws when that's not in place? I'm also curious to hear what you plan to do with CAA and GAM.

Jay Lee

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/6b313e51-7fa9-41cf-8fb7-bf836909cffbn%40googlegroups.com.

[Gabriel Clifton]

I can't think of an improvement to the error message, I think it is just an issue for TLDR readers like me that skim through the instructions too quickly and an issue on Google's end for not letting API users run everything under one permission and letting us just update permissions for everything like GAM oauth update. They let you add it in the oauth update but adding the hassle of making the further permissions as a different service than your standard gam user is too much. As far as the use, well I extensively utilize gam to keep logs of everything and then use it to modify my Google environment. Just like AD where you have tools to backup your environment, log it, and modify it.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CA%2BVVBp-CTvCiQgfgfmzejMX6VJVEFD5rEasiERh0xBA_VF2sCQ%40mail.gmail.com.

--

Gabriel Clifton | Network Administrator

Fort Stockton ISD | Technology Center
gabriel...@fsisd.net | http://www.fsisd.net
Office (432) 336-4055 ext 2

Fax (432) 336-4050
1204 W. Second St., Fort Stockton, TX 79735

Please note: Although we may sometimes respond to email, text, and phone calls instantly at all hours of the day, our regular support hours are 8:00 AM - 5:00 PM, Monday through Friday. We may need to wait until the next school day to attend to your issue. All issues are worked on a first-come, first-served basis depending on severity, and issues with proper work orders submitted are handled first.

Confidentiality notice: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.
"You must always be willing to work without applause."
— Ernest Hemingway

"You just have to find that thing that's special about you that distinguishes you from all the others, and through true talent, hard work, and passion, anything can happen."
— Dr. Dre

[Ross Scroggs]

Gabriel,

You can see how you Context-Aware Access Levels a working with: gam report contextawareaccess

See: https://github.com/taers232c/GAMADV-XTD3/wiki/Reports#activity-reports

Ross

--

ross.s...@gmail.com

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAJXDcnuY_8bAC6P1Shd9_4k%3Du8AOnvLDjSWr%2BYYNe7K4VW9LJQ%40mail.gmail.com.

[Kim Nilsson]

Interesting.

I assigned the access right (Access Context Manager Editor) to my service account in the Resource Manager interface.

It appeared to me like I couldn't follow the instructions, as my gam project was not "inside the organisation", and it seemed like the access right had to be set on the organisation level, and not the project level?

[Jay Lee]

Service accounts outside your organization can have rights to your organization.

Jay

--

You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/92cef0ae-991c-4d5e-83af-ee4a112f9364n%40googlegroups.com.

[Kim Nilsson]

Yes, it seemed to have worked fine, as I could print my current caalevels.