Delegated Admin with Provisioning APIs User Read/Update rights can't see/update secondary domain users

Jay Lee

Apr 19, 2012, 2:18:19 PM
to google-app...@googlegroups.com
I'm excited to see that delegated Admins can now be given access to the Provisioning API (did I miss this announcement?). However, I'm finding that admins with Read/Update rights to Users can only get info on and update users in the primary domain, not secondary domains. If I make the delegated admin a super admin temporarily, then reads and updates to secondary domain users start working.

Delegated Admin j...@jay.powerposters.org with only Provisioning API Read/Update rights: FAILURE

C:\gam>gam info user p...@poc.pbu.edu
1\r\nAccept-Encoding: identity\r\nHost: apps-apis.google.com\r\nContent-Type: ap
plication/atom+xml\r\nAuthorization: OAuth realm="", oauth_nonce="56846978", oau
th_timestamp="1334859105", oauth_consumer_key="XXXXX.apps.googleuserconte
nt.com", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_token="XXXXX"
 oauth_signature="XXXXX"\r\nUser-Agent: Google Apps Manager 2.3.1 / j...@ditoweb.com (Ja
y Lee) / Python 2.7.2 final / Windows-7-6.1.7601-SP1 AMD64 / GData-Python 2.0.14
+20110902+custom_mods\r\n\r\n'
reply: 'HTTP/1.1 403 You are not authorized to access this API\r\n'
header: Content-Type: text/html; charset=UTF-8
header: Date: Thu, 19 Apr 2012 18:11:55 GMT
header: Expires: Thu, 19 Apr 2012 18:11:55 GMT
header: Cache-Control: private, max-age=0
header: X-Content-Type-Options: nosniff
header: X-Frame-Options: SAMEORIGIN
header: X-XSS-Protection: 1; mode=block
header: Server: GSE
header: Transfer-Encoding: chunked
Traceback (most recent call last):
  File "gam.py", line 3491, in <module>
    elif command == 'pagesize':
  File "gam.py", line 2040, in doGetUserInfo
    print 'Parent Org: '+result['parentOrgUnitPath']
  File "gdata\apps\service.pyo", line 428, in RetrieveUser
gdata.apps.service.AppsForYourDomainException: {'status': 403, 'body': '<HTML>\n
<HEAD>\n<TITLE>You are not authorized to access this API</TITLE>\n</HEAD>\n<BODY
 BGCOLOR="#FFFFFF" TEXT="#000000">\n<H1>You are not authorized to access this AP
I</H1>\n<H2>Error 403</H2>\n</BODY>\n</HTML>\n', 'reason': 'You are not authoriz
ed to access this API'}

j...@jay.powerposters.org promoted to Super Admin (exact same OAuth token): SUCCESS
C:\gam>gam info user p...@poc.pbu.edu
1\r\nAccept-Encoding: identity\r\nHost: apps-apis.google.com\r\nContent-Type: ap
plication/atom+xml\r\nAuthorization: OAuth realm="", oauth_nonce="01426240", oau
th_timestamp="1334859341", oauth_consumer_key="XXXXX.apps.googleuserconte
nt.com", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_token="XXXX", oauth_signature="XXXX
"\r\nUser-Agent: Google Apps Manager 2.3.1 / j...@ditoweb.com (
Jay Lee) / Python 2.7.2 final / Windows-7-6.1.7601-SP1 AMD64 / GData-Python 2.0.
14+20110902+custom_mods\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/atom+xml; charset=UTF-8
header: Expires: Thu, 19 Apr 2012 18:15:51 GMT
header: Date: Thu, 19 Apr 2012 18:15:51 GMT
header: Cache-Control: private, max-age=0, must-revalidate, no-transform
header: Vary: Accept, X-GData-Authorization, GData-Version
header: GData-Version: 1.0
header: Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
header: X-Content-Type-Options: nosniff
header: X-Frame-Options: SAMEORIGIN
header: X-XSS-Protection: 1; mode=block
header: Server: GSE
header: Transfer-Encoding: chunked
First Name: PBU
Last Name: User
Is an admin: false
Has agreed to terms: true
IP Whitelisted: false
Account Suspended: false
Must Change Password: false
Quota: 25600

Jay


Jay Lee

May 7, 2012, 1:58:18 PM
to google-app...@googlegroups.com
Update: Google Support informed me that the issue was that GAM was using standard domain provisioning API calls instead of the multidomain calls. I modified GAM to perform the multidomain calls and delegated admins can now read/modify secondary domain users.

Jay