0

Can a normal user account in my domain access the functions of the Google OAuth2 Directory service API to retrieve the user list or data?

I have a web application which allows users to log in with OAuth 2.0. After that, the users should be able to see their profile data.

If I am using a super admin login, everything works just fine and the data is displayed. When I am using a normal user login or a group admin login, I cannot see any data and receive the following error message:

    Fatal error: Uncaught exception 'Google_ServiceException' with message 'Error calling GET https://www.googleapis.com/admin/directory/v1/users/yifei.liu@example.com?key=(MY_API_Key): (403) Not Authorized to access this resource/api' in /home2/iaapro/public_html/php/google-api-php-client/src/io/Google_REST.php:66
    Stack trace:
    #0 /home2/iaapro/public_html/php/google-api-php-client/src/io/Google_REST.php(36): Google_REST::decodeHttpResponse(Object(Google_HttpRequest))
    #1 /home2/iaapro/public_html/php/google-api-php-client/src/service/Google_ServiceResource.php(186): Google_REST::execute(Object(Google_HttpRequest))
    #2 /home2/iaapro/public_html/php/google-api-php-client/src/contrib/Google_DirectoryService.php(653): Google_ServiceResource->__call('get', Array)
    #3 /home2/iaapro/public_html/php/google-plus-access.php(47): Google_UsersServiceResource->get('yifei.liu@iaapr...')
    #4 /home2/iaapro/public_html/php/index.php(2): include_once('/home2/iaapro/p...')
    #5 {main} thrown in /home2/iaapro/public_html/php/google-api-php-client/src/io/Google_REST.php on line 66

Does it mean that only accounts with domain super admin rights can access the Google Admin SDK Directory API? Is it possible for me to allow normal users to use this API too?

Thanks.

CK Tan

2 Answers

1

Yes. A normal user can retrieve Directory contacts for your domain in read-only mode. They can't make changes to anything in the Directory.

To list Directory contacts, you'll need to

    $client->addScope("https://www.googleapis.com/auth/admin.directory.user.readonly");

in your OAuth flow.

Then to retrieve, do something like this:

    $service = new Google_Service_Directory($client);
    $optParams = array(
        'domain' => 'google.domain.com',
        'orderBy' => 'email',
        'viewType' => 'domain_public',
        'query' => "givenName:'Joe' familyName:'Schmoe Jr'"
    );
    $results = $service->users->listUsers($optParams);
    $users = $results->getUsers();

You can also do this entirely via a service account, in which case your user never needs to go through the OAuth step. See here for a working example: Google php client library loadServiceAccountJson broken - fix enclosed

Community
Tim Curtin
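The single-user lookup from the question, made as a non-admin with the read-only scope and the `domain_public` view used in the answer above. This is an added example, not code from either poster; it assumes google-api-php-client v2 installed through Composer, and the client-secret path and both function names are hypothetical.

```php
<?php
// Added example (not from the original posts). Assumes google-api-php-client v2
// installed via Composer; the secret path and function names are hypothetical.
require_once __DIR__ . '/vendor/autoload.php';

function buildDirectoryService($accessToken)
{
    $client = new Google_Client();
    $client->setAuthConfig('/path/to/client_secret.json'); // hypothetical path
    // Read-only scope: a token issued for it cannot modify directory data.
    $client->addScope('https://www.googleapis.com/auth/admin.directory.user.readonly');
    $client->setAccessToken($accessToken); // token obtained in the OAuth flow
    return new Google_Service_Directory($client);
}

/**
 * Fetch one user's domain-public profile on behalf of a non-admin caller.
 * Returns null when the API refuses (403) or the user does not exist (404).
 */
function fetchPublicProfile(Google_Service_Directory $service, $userKey)
{
    try {
        // Without viewType the API defaults to admin_view, the view that
        // returned the 403 shown in the question for a normal user.
        $user = $service->users->get($userKey, array('viewType' => 'domain_public'));
    } catch (Google_Service_Exception $e) {
        $status = (int) $e->getCode();
        if ($status === 403 || $status === 404) {
            // Log and degrade gracefully instead of leaking a stack trace.
            error_log(sprintf('Directory lookup failed for %s: HTTP %d', $userKey, $status));
            return null;
        }
        throw $e; // anything else is unexpected; let it surface
    }
    $name = $user->getName();
    return array(
        'email'    => $user->getPrimaryEmail(),
        'fullName' => $name ? $name->getFullName() : null,
    );
}
```

Catching the exception also keeps the API key and server paths seen in the question's fatal error out of the page shown to the user.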
0

No. A "normal" user cannot manage the users of your domain. For example, only Admin accounts can create, delete or update info about the users.

Please take a look at the Admin SDK page If you want to manage contacts

A "normal" user can manage his/her contacts. They can see the email, telephone number, labels, etc., etc.

You can visit Google Contacts API V3 for more information about it.

Orlando Herrera