I'm working on a Google App Script that needs to create new Google TeamDrives. I'm a superadmin at my domain and when I try to execute the code (written as suggested by App Script code completion), I get an error:

API call to drive.teamdrives.insert failed with error: Insufficient permissions for this file (line 288, file "Code")

I've been having difficulties finding documentation that deals strictly with App Script, so I'm trying to adapt the API method found here: https://developers.google.com/drive/api/v3/reference/drives/create

Obviously, instead of a direct http call, I use the App Script API as shown in the code below. Also, I've noticed that the API v3 uses the create method, rather than insert used in v2. The App Scripts still appear to be using the insert method. Replacing the insert with create results in an error message indicating the underlying API version is 2:

TypeError: Cannot find function create in object AdvancedServiceIdentifier{name=drive, version=v2}.

The insert method in v2 is very similar to create in v3: https://developers.google.com/drive/api/v2/reference/drives/insert

I had a similar error trying to retrieve permissions on existing drives and the solution was to pass "supportsAllDrives=true" argument with the request (using optional arguments parameter of the API call). Unfortunately, the "insert" method does not have a parameter I could use to pass optional arguments - the resource representation and the request ID are the only parameters of the "insert" method.

My code:

function createSharedDrive() {
  var resource = {
    name: "TestDriveChrisD6"
  };
  var drive = Drive.Teamdrives.insert(resource, "testRequestId_TestDriveChrisD6");
  Logger.log(JSON.stringify(drive)); // to see the result if it works eventually
}

I was hoping this API call would result in a response containing the drive representation, instead I get the error message:

API call to drive.teamdrives.insert failed with error: Insufficient permissions for this file (line 288, file "Code")

The line number in the error message is just my source code line number that contains the code:

var drive = Drive.Teamdrives.insert(resource, "testRequestId_TestDriveChrisD6");

What am I doing wrong? Should I call the http method by a direct request?

ChrisD
  • I tried the code and it worked perfectly (I'm not the admin for one of the domains where I tested this) and it still created the team drive. I'm assuming you enabled the Drive API from the Advanced Google Services. – Sourabh Choraria Nov 02 '19 at 15:11
  • @SourabhChoraria Yes, the Advanced Google Services I have enabled are Admin Directory API, Drive API and Groups Settings API. Do you have any other APIs enabled that I should possibly try? I'm still getting the error message. – ChrisD Nov 02 '19 at 18:17
  • Sorry, there is nothing else that I've enabled :( In fact, I've also **not** enabled Admin Directory or Groups Settings APIs either. Just the Drive API and it worked perfectly well. – Sourabh Choraria Nov 02 '19 at 18:19
  • @SourabhChoraria Yes, I need the other two APIs for other parts of my app, I didn't think they would be related to the problem. Thanks for testing out the code for me - at least I know I'm using the right syntax. – ChrisD Nov 02 '19 at 18:57
  • It occurred to me, that maybe this error is caused by some domain settings. I don't have much experience with Google domains - I've been entrusted with SuperAdmin access for this project and I don't want to abuse it by randomly changing domain settings. I'd appreciate it if someone knowledgeable about Google domains could suggest a setting I could recommend other admins of my domain to try out for me if they think it's safe to do so (I'm not going to change it on my own - that would be a security risk). – ChrisD Nov 02 '19 at 19:03
  • After Googling this a little further, turns out my Drive API was also enabled from the Google Cloud Console. Perhaps try that out too, at once - https://developers.google.com/drive/api/v3/enable-drive-api#enable_the_drive_api – Sourabh Choraria Nov 02 '19 at 19:03
  • @SourabhChoraria For now my application isn't even listed there. All other Drive API methods seem to work fine, though. I also had no problem creating Google groups. I think I'll have to enable this if I want to use the http API directly, which I'm probably going to end up doing. Thanks for this suggestion. – ChrisD Nov 02 '19 at 21:51
  • @ChrisD were you able to solve it? Your code worked for me too. – Jescanellas Nov 04 '19 at 10:16
  • @Jescanellas Thanks for verifying. I wasn't able to test various domain settings due to the weekend, so it's still not working for me. I'll get someone to take a look at it with me today. – ChrisD Nov 04 '19 at 15:39
  • For anyone else experiencing this problem, I've received a solution from Google support: In the Google Admin console -> Apps -> G Suite -> Settings for Drive and Docs -> Sharing settings, the Shared drive creation section has an option "Prevent users in from creating new drives". It needs to be set to OFF. This allows any users within the same Organizational Unit to create drives. If you want only specific users to be able to create drives, move them to a separate OU and disable this option in that OU. Running out of comment space - read my next comment. – ChrisD Nov 04 '19 at 18:44
  • The setting from my previous comment may take up to 24 hours to take effect. I'm going to test it out and if my problem is fixed by this setting, I'll post it as my answer. – ChrisD Nov 04 '19 at 18:46

1 Answer

My problem has been solved as follows:

  1. Going to Admin Console -> Apps -> G Suite -> Drive and Docs -> Sharing settings
  2. In my domain at the "Shared drive creation" section the setting "Prevent users in <domain name> from creating new shared drives" is ON in the global domain settings and OFF (overridden) for Administrators Organizational Unit. It turns out my user was in the Administrators group, but not in the Administrators Organizational Unit. Moving my user to the admin OU fixed the problem.
ChrisD
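
The root cause in the answer above is that the shared drive creation setting is applied per Organizational Unit, and group membership does not place a user in an OU. A script can check the caller's OU before calling insert and report that instead of the generic permissions error. This is an added example, not code from the original post: it assumes the Admin Directory advanced service is enabled, the OU path `/Administrators` is a guess at the path of the OU named in the answer, and `isInOrgUnit` and `createSharedDriveChecked` are hypothetical names.

```javascript
// Added example (not from the original post).
// True when the user's OU is the allowed OU or one of its descendants;
// child OUs inherit the parent's setting unless an admin overrides it there.
function isInOrgUnit(userOuPath, allowedOuPath) {
  var norm = function (p) {
    return '/' + String(p || '').split('/').filter(Boolean).join('/');
  };
  var user = norm(userOuPath);
  var allowed = norm(allowedOuPath);
  if (allowed === '/') return true; // the root OU contains every user
  // Compare whole path segments so "/AdministratorsOld" does not match.
  return user === allowed || user.indexOf(allowed + '/') === 0;
}

// directory and drive are passed in so the logic can be run against stubs;
// in Apps Script pass the AdminDirectory and Drive advanced services.
function createSharedDriveChecked(directory, drive, email, allowedOuPath, name, requestId) {
  var ou = directory.Users.get(email).orgUnitPath;
  if (!isInOrgUnit(ou, allowedOuPath)) {
    // Fail early with the actual cause instead of "Insufficient permissions".
    return {
      created: false,
      orgUnitPath: ou,
      reason: 'User is in OU "' + ou + '", outside "' + allowedOuPath +
              '"; group membership does not change the OU.'
    };
  }
  try {
    var result = drive.Teamdrives.insert({ name: name }, requestId);
    return { created: true, orgUnitPath: ou, id: result.id };
  } catch (e) {
    // The OU matches but creation is still refused: the OU override may be
    // missing, or a recent change may not have taken effect yet.
    return { created: false, orgUnitPath: ou, reason: 'insert failed: ' + e.message };
  }
}

// Apps Script entry point. '/Administrators' is an assumed OU path.
function createSharedDriveForCurrentUser() {
  var email = Session.getActiveUser().getEmail();
  var outcome = createSharedDriveChecked(
    AdminDirectory, Drive, email, '/Administrators',
    'TestDriveChrisD6', Utilities.getUuid());
  Logger.log(JSON.stringify(outcome));
}
```

Keeping the domain-wide setting ON and allowing creation only in one OU, as in the answer, limits who can create shared drives; the check above makes a misplaced account visible without loosening that setting.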