
We are trying to create a separate Admin role to assign to users so that they are able to call the Google Classroom API (domain). If we set them to 'super admin' it works, but we do not want to give these users super admin permissions. Does anyone know of any guide or the settings to set for this?

1 Answer

There is no role apart from Super Admin that will let a user perform all these actions. You can check that by assigning custom admin roles to the user. Even if all possible privileges are checked, if the user is not a Super Admin, the user cannot act as a domain administrator in the Classroom API.

What non-Super Admins can do:

Non-super admin users can only access courses they are part of (as teachers, or students), not all courses in the domain.

They can remove students and other teachers from courses they own directly via courses.teachers.delete and courses.students.delete, but they cannot directly add new students and teachers to their courses via courses.teachers.create and courses.students.create. Only domain administrators (Super Admins) can do that. Non-admins must first send an invitation via invitations.create(), and obtain the user's consent.

Update: Service Accounts:

You can also make your application use a Service Account in order to impersonate a Super Admin, so that this account can act on behalf of this admin, and do what the admin can do. To do this, you would have to create the Service Account and delegate domain-wide authority to it, by visiting the Admin console and following the steps specified here.

Beware, granting domain-wide delegation is a very powerful tool, since it gives the Service Account the ability to act on behalf of any user in the domain, so it could be easily abused if not managed carefully (without domain-wide delegation, a Service Account is similar to a regular account, and it can only access resources that have been created by it, shared with it, etc., like a regular account).

Anyway, once the domain-wide delegation is created, using the Service Account in your application is very similar to using a regular account. In the application, you have to build the credentials and then specify which user should be impersonated by the account by writing the user's email address. I don't know which language you are using, but you can find code snippets to do this in Java and Python here, or with Node here.

Iamblichus
  • If we create an API key and make our application use it instead of OAuth, will it work? – facultyclassroom test Mar 25 '20 at 13:39
  • @facultyclassroomtest No, that won't work. [As specified here](https://developers.google.com/classroom/guides/auth#AboutAuthorization), you "**have to use OAuth 2.0 to authorize requests. No other authorization protocols are supported**". – Iamblichus Mar 25 '20 at 15:16
  • I see we can create a Service Account and link it to OAuth to authorize requests? Will it work? If yes, how can I include the service account in the OAuth request? – facultyclassroom test Mar 25 '20 at 16:52
  • @facultyclassroomtest I updated my answer based on your comment. – Iamblichus Mar 26 '20 at 10:36
  • Thanks for the reply... I am using C#. Getting the following error: ERROR: Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"unauthorized_client", Description:"Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.", Uri:"" I have already given the API access on the Admin Console -> Security section to the scope as well... – facultyclassroom test Mar 26 '20 at 15:40
  • I think it is working now. It probably takes some time to sync the service clientID / scope permissions – facultyclassroom test Mar 26 '20 at 16:13
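As an added example (not code from the answer or from Google's own samples), here is the Python flow the "Service Accounts" update describes: a service account with domain-wide delegation impersonating a Super Admin, kept to a single read-only scope, plus a preflight check for the scope mismatch behind the `unauthorized_client` error discussed in the comments. The key file path, `admin@example.com` and the `AUTHORIZED_SCOPES` list are placeholders you must replace with your own values.

```python
import time

# Scopes this app needs. They must be a subset of what was delegated to the
# service account's client ID (Admin console > Security > API controls >
# Domain-wide delegation), else the token request fails with "unauthorized_client".
REQUESTED_SCOPES = ["https://www.googleapis.com/auth/classroom.courses.readonly"]

# Placeholder: the scopes registered for the client ID in the Admin console.
AUTHORIZED_SCOPES = [
    "https://www.googleapis.com/auth/classroom.courses.readonly",
    "https://www.googleapis.com/auth/classroom.rosters",
]


def missing_scopes(requested, authorized):
    """Requested scopes not delegated to the client ID; non-empty means
    the token request is refused with unauthorized_client."""
    return sorted(set(requested) - set(authorized))


def delegation_claims(client_email, subject, scopes, token_uri, now=None):
    """Claim set of the JWT a delegated service account signs for a token:
    'iss' is the service account, 'sub' the domain user it acts as."""
    now = int(time.time()) if now is None else now
    return {"iss": client_email, "sub": subject, "scope": " ".join(scopes),
            "aud": token_uri, "iat": now, "exp": now + 3600}  # 1 h max


def list_courses_as_admin(key_file, admin_email, scopes=REQUESTED_SCOPES):
    """Build delegated credentials and list every course in the domain.
    Imports are local so the helpers above work without google-auth installed."""
    from google.oauth2 import service_account
    from googleapiclient.discovery import build
    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=scopes, subject=admin_email)  # subject = impersonated user
    service = build("classroom", "v1", credentials=creds)
    courses, page_token = [], None
    while True:
        resp = service.courses().list(pageToken=page_token).execute()
        courses.extend(resp.get("courses", []))
        page_token = resp.get("nextPageToken")
        if not page_token:
            return courses


if __name__ == "__main__":
    if gap := missing_scopes(REQUESTED_SCOPES, AUTHORIZED_SCOPES):
        raise SystemExit(f"Delegate these scopes in the Admin console first: {gap}")
    for c in list_courses_as_admin("service-account.json", "admin@example.com"):
        print(c["id"], c["name"])
```

Because the token is issued for the `sub` user, the call sees every course in the domain, which is exactly why the delegated scope list should stay as small as the application needs.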