3

Trying to use the new Google Admin SDK for some group creation and adding/removing members to those groups. This is actually just updating some code I had that was previously using the old provisioning API.

I'm trying to add a group as a member of a group, with the role of OWNER. I get an error from Google. If I try to add a group as a member with the role as just MEMBER, it's fine. Only with role OWNER does it return the error. Here's an example:

POST https://www.googleapis.com/admin/directory/v1/groups/mygroup/members

{
 "email": "myGroupToAddAsMember@mydomain.com",
 "role": "OWNER"
}

I get the following response from Google:

{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "invalid",
    "message": "Invalid Input: memberKey"
   }
  ],
  "code": 400,
  "message": "Invalid Input: memberKey"
 }
}

I have also tried adding the group as MEMBER, then updating the membership and changing the role to OWNER. This gets the same error.

I can go into the Admin web interface and change the membership to owner, so the system apparently is ok with it. What am I doing wrong? Thanks for your help.

EDIT: This appears to be a known issue (Issue 3791: Unable to insert group owner using Directory API if the owner is group as well) in Google's bug tracking although there is no resolution yet. I haven't been able to determine any programmable workarounds. Anyone?

2 Answers

0

I logged a case with Google Support a while back regarding this. This behavior actually became an issue we noticed with the latest version of GADS - as it uses the Directory API now.

Essentially, this is expected behavior. Google don't want groups owning groups. Previously, the Provisioning API overruled this and there was another bug which also allowed you to manually add a group as an owner of a group via the UI (not sure if this is fixed yet).

tl;dr This is expected behavior and Google don't plan to change it last I heard.

miketreacy
0

I too logged a ticket with support. It's a major issue for us as we use the Groups as Owners to provision dynamic security to groups (block the members from posting but allowing all staff members to post to a group for example).

However I suspect it's a case of Google's product groups not talking to each other. The Admin console still supports it for example, and the API documentation has an example response of this happening: https://developers.google.com/admin-sdk/directory/v1/guides/manage-group-members#json-response_2

Our workaround at the moment is to:

  1. Add a member to each group with your desired group as owner name (eg all_staff_temp)
  2. Set the member as owner of the group
  3. Create a group with the same name in the console. The group is now the owner of the group

We do this in batch each night, first deleting our temp group which removes all its memberships, then adding it back in, then creating the group again. It's really hacky, but it works - and suggests that the back end does indeed support groups as owners still.

Peter Godwin
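Since the answers above disagree on whether group-owned groups are intended, yet both report they can still be created through the UI or the workaround, an administrator may want to audit where they exist. The following is an added example, not code from either poster or from Google: it scans membership data shaped like Directory API `members.list` items (`email`, `role`, `type`) for groups that hold the OWNER role and expands them to the users behind them. The sample data and function names are constructed, and it assumes every (nested) member of an owning group inherits owner rights.

```python
# Constructed sample shaped like Directory API members.list items; group and
# user names are made up. "contractors" points back at "all_staff" (a cycle).
SAMPLE = {
    "mygroup@mydomain.com": [
        {"email": "alice@mydomain.com", "role": "OWNER", "type": "USER"},
        {"email": "all_staff@mydomain.com", "role": "OWNER", "type": "GROUP"},
        {"email": "bob@mydomain.com", "role": "MEMBER", "type": "USER"},
    ],
    "all_staff@mydomain.com": [
        {"email": "carol@mydomain.com", "role": "MEMBER", "type": "USER"},
        {"email": "contractors@mydomain.com", "role": "MEMBER", "type": "GROUP"},
    ],
    "contractors@mydomain.com": [
        {"email": "dave@mydomain.com", "role": "MEMBER", "type": "USER"},
        {"email": "all_staff@mydomain.com", "role": "MEMBER", "type": "GROUP"},
    ],
}


def group_owned_groups(memberships):
    """Sorted (group, owning_group) pairs where a GROUP member holds OWNER."""
    return sorted((g, m["email"]) for g, ms in memberships.items() for m in ms
                  if m["type"] == "GROUP" and m["role"] == "OWNER")


def expand_users(memberships, group, seen=None):
    """All USER members of a group, following nested groups; cycle-safe."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for m in memberships.get(group, []):
        if m["type"] == "USER":
            users.add(m["email"])
        elif m["type"] == "GROUP":
            users |= expand_users(memberships, m["email"], seen)
    return users


def effective_owners(memberships, group):
    """Users owning `group` directly or via an owning group (assumption)."""
    owners = set()
    for m in memberships.get(group, []):
        if m["role"] == "OWNER" and m["type"] == "USER":
            owners.add(m["email"])
        elif m["role"] == "OWNER" and m["type"] == "GROUP":
            owners |= expand_users(memberships, m["email"])
    return owners
```

In a real audit the dictionary would be filled from `members.list` output for each group in the domain.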