0

I'm trying to access my organisation's directory list via a standard user's account using the following endpoint https://www.googleapis.com/admin/directory/v1/users with the viewType set to domain_public, my organisation set and the https://www.googleapis.com/auth/admin.directory.user.readonly scope.

However every time I try I just get

```
{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "forbidden",
    "message": "Not Authorized to access this resource/api"
   }
  ],
  "code": 403,
  "message": "Not Authorized to access this resource/api"
 }
}
```

I've checked with my GSuite admin and both the directory feature and contact sharing are turned on, and it's been 24 hours since doing so, and I'm doing this via the 'Try this API' feature so I know the token is good.

Are there any other settings my admin has to enable to get this working? I tried with a brand new GSuite account that I set up yesterday for another company and it seemed to just work out the box for them...

1 Answer

1

When receiving a 403 error for the Admin SDK, several possible reasons come into consideration:

  • Is a non-admin user trying to use Admin SDK methods that are meant for admins only?
  • Is a non-admin user trying to use Admin SDK methods without specifying viewType: domain_public?
  • Does the non-admin user use a GCP project where the Admin SDK is not enabled?
  • Are you signed in with multiple accounts in the browser session (the browser silently changing your active session account is a common issue)?
  • Is the request being performed by a service account (common authorization issues)?
  • Does your request include trailing commas?
  • Does an admin user trying to perform a request not have the necessary privilege assigned in the Admin Console?
  • Are the scopes for the requests set correctly?

If none of the reasons above apply and the problem occurs only with a very specific domain, probably there is a problem with the domain itself.

In this case, please contact GSuite Support for troubleshooting.

ziganotschka
  • According to the docs, the `domain_public` flag is there to let non-admin users view the users: https://developers.google.com/admin-sdk/directory/v1/guides/manage-users#retrieve_users_non_admin – Adam Niles-Crane Walker Jun 03 '20 at 10:35
  • Which scopes did you assign to the user? Maybe you can show your relevant code? – ziganotschka Jun 03 '20 at 10:37
  • I'm now just using the 'Try this API' functionality in Google's docs https://developers.google.com/admin-sdk/directory/v1/reference/users/list I added the scope I'm using to my original question which is `https://www.googleapis.com/auth/admin.directory.user.readonly` – Adam Niles-Crane Walker Jun 03 '20 at 10:41
  • I did not realize that you were using the publicly available method. Now I think I can see the real reason for your problem: Did you create a GCP project for the new user in the GCP console and enable the Admin SDK for this project? – ziganotschka Jun 03 '20 at 10:55
  • Yep, I've done that for my project. I didn't think you needed to for the 'Try this API' feature though? This worked fine for the other GSuite organisation that I mentioned – Adam Niles-Crane Walker Jun 03 '20 at 10:58
  • What did you specify for the customer\domain field? – ziganotschka Jun 03 '20 at 11:04
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/215225/discussion-between-adam-niles-crane-walker-and-ziganotschka). – Adam Niles-Crane Walker Jun 03 '20 at 11:17
  • For schemas and roles you must have super admin rights. For members and users admin rights are sufficient. – Michael Uhlenberg Apr 16 '22 at 05:04
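
The request-side items from the answer's checklist (viewType for non-admins, the customer/domain field, scopes, and which account the token really belongs to) can be checked before sending the call. This is an added example, not code from the thread or from Google; the function names, the `example.com` addresses and the tokeninfo-style dictionary are constructed assumptions.

```python
import json

# Scopes that allow users.list (the read-only one is the scope used in the question).
USER_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# The error body from the question.
SAMPLE_ERROR = '''{"error": {"errors": [{"domain": "global", "reason": "forbidden",
 "message": "Not Authorized to access this resource/api"}], "code": 403,
 "message": "Not Authorized to access this resource/api"}}'''

# Constructed token metadata, shaped like an OAuth2 tokeninfo response (assumption).
SAMPLE_TOKENINFO = {
    "email": "alice@example.com",
    "scope": "https://www.googleapis.com/auth/admin.directory.user.readonly",
}

def parse_error(body):
    """Return (HTTP code, first error reason) from an API error body."""
    err = json.loads(body)["error"]
    reasons = [e.get("reason") for e in err.get("errors", [])]
    return err["code"], (reasons[0] if reasons else None)

def preflight(params, tokeninfo, expected_email, caller_is_admin):
    """Return the checklist items this users.list request fails."""
    findings = []
    # Non-admins only get the public directory view.
    if not caller_is_admin and params.get("viewType") != "domain_public":
        findings.append("non-admin caller without viewType=domain_public")
    # users.list needs either customer or domain to select the directory.
    if not (params.get("customer") or params.get("domain")):
        findings.append("neither customer nor domain is set")
    granted = set(tokeninfo.get("scope", "").split())
    if not granted & USER_SCOPES:
        findings.append("token lacks an admin.directory.user scope")
    # Catches a browser that silently switched accounts. The email field is
    # only present when the token also carries an email scope, so skip if absent.
    email = tokeninfo.get("email")
    if email is not None and email != expected_email:
        findings.append("token belongs to %s, not %s" % (email, expected_email))
    return findings
```

An empty result combined with a 403 `forbidden` response leaves the remaining items from the list: the GCP project, admin privileges, or the domain itself.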