The Google Admin control panel provides the "Suspend Users" API privilege. What's the API call to suspend a user? https://developers.google.com/admin-sdk/directory/v1/reference/users/patch requires the https://www.googleapis.com/auth/admin.directory.user scope, which in turn requires the (Users->Update) privilege that allows not just suspending but other operations (i.e. "Reset password", etc.).
My goal is to grant my app the privilege to suspend users and disallow any other operations (i.e. "Reset password", etc.) – freedomLover Oct 19 '15 at 12:20
2 Answers
patch API didn't work for me. update API worked.
Python code:
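# `service` is an authorized Admin SDK Directory API client; `email` is the user's primary address.
user = service.users().get(userKey=email).execute()
user['suspended'] = True
# update() sends the whole user resource back with the changed field.
service.users().update(userKey=email, body=user).execute()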

The API call you mentioned is correct (patch or update); you just have to set the parameter 'suspended' to true, and that would be enough to suspend a user.
When doing the call (for example, in the website you provided), you will add the user's email, and in the parameter section you can just add:
{
"suspended": true
}
Keep in mind that you have to be an administrator in order to be able to call this API.
The scope mentioned will allow you to perform all those kinds of operations, and because resetting a password as well as suspending a user (and other operations) are achieved using the same API call (patch/update), the only way you can restrict the use of this is by doing it programmatically.
You will have to select what kind of operations you will let the users of your app do, but you won't be able to restrict it on the side of the scope.

The Google Apps admin UI suggests it might be possible to restrict it on the side of the scope. Is the UI misleading? Please see http://i.imgur.com/FwTSbGR.png – freedomLover Oct 21 '15 at 15:00
There you are assigning the privileges to a certain user in the admin console. In this case the scope grants permission to perform all those operations, but the user will be restricted to use the application only to perform the actions allowed. This means that the restriction on privileges comes from the admin console rather than the scope. – Gerardo Oct 21 '15 at 18:30
If "suspend Users" is assigned and the "Update" privilege is not, then any patch API call will fail (including the ones only updating the "suspended" field). – freedomLover Oct 22 '15 at 09:02
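
The second answer's advice to restrict the operations programmatically, sketched as an added example (not code from either answer or from Google): a hypothetical `SuspendOnlyDirectory` wrapper forwards only a boolean `suspended` field to `users().patch` and rejects every other field the scope would allow. `FakeDirectory` is a constructed stand-in for the real client so the block runs offline.

```python
# Added example: a suspend-only gate in front of the Directory API client.
# Assumption: `service` is an authorized client, as in the answers above.
ALLOWED_BODY_KEYS = frozenset({"suspended"})

class SuspendOnlyDirectory:
    """Hypothetical wrapper: the rest of the app gets this, never `service`."""

    def __init__(self, service):
        self._service = service
        self.audit = []  # (userKey, body) for every call that was forwarded

    def set_suspended(self, user_key, body):
        # Refuse any field except "suspended" (e.g. "password", "name")
        # before the request is built, because the OAuth scope would allow it.
        extra = set(body) - ALLOWED_BODY_KEYS
        if extra:
            raise PermissionError("fields not permitted: %s" % sorted(extra))
        if type(body.get("suspended")) is not bool:
            raise ValueError('body must be {"suspended": true} or {"suspended": false}')
        clean = {"suspended": body["suspended"]}
        self.audit.append((user_key, clean))
        return self._service.users().patch(userKey=user_key, body=clean).execute()

class FakeDirectory:
    """Constructed stand-in for the real client so the example runs offline."""

    def __init__(self):
        self.calls = []

    def users(self):
        return self

    def patch(self, userKey, body):
        self.calls.append((userKey, body))
        return self

    def execute(self):
        return {"primaryEmail": self.calls[-1][0], **self.calls[-1][1]}

def demo():
    fake = FakeDirectory()
    gate = SuspendOnlyDirectory(fake)
    ok = gate.set_suspended("user@example.com", {"suspended": True})
    try:
        gate.set_suspended("user@example.com", {"suspended": True, "password": "x"})
        blocked = False
    except PermissionError:
        blocked = True
    return ok, blocked, fake.calls
```

The rejected request never reaches the client, and `audit` records every request that did.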