0

I have an application which wants to provide customization for users once they log in. Simple things like displaying a profile image and job title. This information is available in the Google Apps Profiles API, but the domain-admins are concerned about overreach with the scope. In particular, they don't want to approve the application if it has write access when it isn't needed.

The regular scope (with read/write) for the API, according to the API Documentation, is https://www.google.com/m8/feeds/profiles, and I have tried all of the following with no luck:

  • https://www.google.com/m8/feeds/profiles.readonly
  • https://www.google.com/m8/feeds/profiles.read
  • https://www.google.com/m8/feeds/profiles/#readonly
  • https://www.google.com/m8/feeds.readonly
  • https://www.google.com/m8/feeds.read
  • https://www.google.com/m8/feeds/#readonly

What scope can I specify in order to get read-only access to the Profile data? If I'm barking up the wrong tree entirely, where should I be looking?

Shawn D

3 Answers

3

Any non-admin user can access the GAL programmatically, see:

https://github.com/google/gfw-deployments/blob/master/apps/shell/gal/gal_feed.sh

I don't believe this API call is documented or supported officially. Note that the Global Address List is a compilation of user profiles, groups and shared contacts. If you don't want to see groups and shared contacts you'll need to figure out how to parse them out.

Jay Lee
0

I wrestled with this myself. I was not able to get this to work either.

Richie Foreman
0

You need the user account under whose credentials the code is running to be either:

  • super admin or

  • to be listed under CPanel > Domain Settings > Admin Roles > [...put it in a created/user role...] > "Provisioning APIs" > Users - create/update/read/delete (as required, ticked ON). For example, for read only access to the Profiles API, set it there to 'read'.

Peter
  • So, to summarize, it's impossible at the moment to provide read-only access? This is the conclusion I came to as well. Still, it's beneficial to know exactly which permission of the Provisioning API needs to be enabled to read the Profile API. Thanks for your answer. – Shawn D May 07 '13 at 16:14
  • Apologies, I misread - I thought you wanted to update the jobtitle etc. To just read the jobtitle, you would need the 'read' permission for users. I have updated my answer to more directly answer that. – Peter May 07 '13 at 20:57