
Sorry if my English is weird.

I would like to know how a non-admin account can use the Admin SDK. If you have any suggestions, please let me know.

I'm developing an add-on for an elementary school using Google Apps Script. I want to limit the API by student, teacher, grade, etc., so I need to get the organization information.

There were a few other similar questions, and apparently it is impossible to do this the normal way.

When using the Admin SDK, Google will display an acceptance confirmation screen to the user. Once the user agrees, Google gives the app an access token that is valid for a short period of time. I'm thinking that I can do this by using that access token. Is this approach dangerous from a security point of view?


I'm sorry for the lack of explanation.

I'm currently developing a Google Slides add-on for an elementary school. It's supposed to display a SPA made with Vue.js in the sidebar and let you manipulate it.

For example, we can manage a whitelist of organizations that can use this application in advance, and not allow organizations that do not match the whitelist to use it.

If the organization is managed by school unit, access control can be done by domain, but in some areas, the organization is managed by city, so access control by school unit cannot be realized...

Also, we want to do the following if the organization matches the whitelist:

  • The functions that can be used by teachers and students are different.

  • The buttons can be changed depending on the grade level of the students.

  • Automatically enter student names and class names on slides.

We use the organizational structure to manage the school and students. (https://support.google.com/a/answer/4352075?ref_topic=4390186&hl=en)

We think we can achieve this by using the Admin SDK to get the organization information.

  • First of all, I would need that you explain more detailed what you want to do and the context. Which is your main goal? What limitations do you want to apply to certain users? How do you differentiate users, by the Organizational Units they belong to? With this information I could understand and help you in a proper way. – fullfine Jan 04 '21 at 16:33
  • I'm sorry for the lack of explanation. Added information. – shunsuke.nakamura Jan 05 '21 at 05:14

1 Answer


Answer

It is not possible to use the Admin SDK with a non-admin account, as Google says in the documentation: "This API gives administrators of Google Workspace domains (including resellers) the ability to manage devices, groups, users, and other entities in their domains."

However, there are two workarounds for your problem, but you would need to use an admin account to configure the scenario.

Initial approach

  • Get the user that is running the application with the class Session and the method getActiveUser and getEmail: var email = Session.getActiveUser().getEmail();
  • Get the organizational unit that each user belongs to. With this information you will be able to filter users and display different options in the add-on. The main problem is that you need to use AdminDirectory.Users.get(userEmail) to get the organizational unit, and it needs the following authorization scope: https://www.googleapis.com/auth/admin.directory.user.readonly.

Solution 1

  • Create a Spreadsheet with all the users that are going to use the add-on and their organizational unit.
  • Use "List all users" to get all the users in the domain and write each email in the first column.
  • Use AdminDirectory.Users.get(email).orgUnitPath to get the organizational unit and write it in the next column.
  • Finally, when users use the add-on, search the email of the active user (Session.getActiveUser().getEmail()) in the Spreadsheet, take the row number and get the value of the organizational unit that is in the second column.

Solution 2

  • Create a custom admin role and assign it to every user that is going to use the add-on. You must be signed in as a super administrator for this task. You can do it in the Admin console and select Users -> Read.
  • Assign the new role to each user by creating a role assignment.
  • Finally, users will be able to use var organization = AdminDirectory.Users.get(email).orgUnitPath.
fullfine
  • Thank you for giving me a concrete way to do this. It is very helpful. I think I'm going to try using the Solution 2 custom role. But there is one problem. It seems that I can only add up to 20 users to one custom role. Is there a workaround for this as well? – shunsuke.nakamura Jan 08 '21 at 06:51
  • You can only do 20 assignments at a time, but you can repeat the operation as many times as you want. You can also automate the process by listing all the users of the domain and creating the role assignment. – fullfine Jan 08 '21 at 09:34
  • For documentation purposes if you can, please accept the answer (✓) if that's been helpful to you - it helps other people that have the same issue in the future find the solution too :) – fullfine Jan 15 '21 at 09:25
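The following is an added example, not code from the answer above or from the asker's add-on. It shows the server-side (Apps Script) half of both workarounds: turning an orgUnitPath into an allow/deny decision plus a role and grade (the part the sidebar SPA should never be trusted to do itself), the sheet lookup of Solution 1, the AdminDirectory lookup of Solution 2, and the automated role-assignment loop mentioned in the last comment. The org-unit layout (/Schools/<school>/Teachers and /Schools/<school>/Students/Grade<n>), the whitelisted school names, SHEET_ID, ROLE_ID and all function names are assumptions for illustration; the AdminDirectory, Session and SpreadsheetApp calls are the standard Apps Script services and only execute inside Apps Script.

```javascript
// Added example (not from the original answer). Server-side authorization
// for a Slides add-on, derived from the user's orgUnitPath.
//
// Assumed org-unit layout (hypothetical):
//   /Schools/<school>/Teachers
//   /Schools/<school>/Students/Grade<n>
const ALLOWED_SCHOOLS = new Set([
  '/Schools/Sakura Elementary',   // constructed sample names
  '/Schools/Momiji Elementary',
]);
const USE_DIRECTORY_LOOKUP = true; // true: Solution 2, false: Solution 1
const SHEET_ID = 'PUT-SHEET-ID-HERE'; // placeholder, Solution 1 only
const ROLE_ID = 'PUT-ROLE-ID-HERE';   // placeholder, custom role with Users > Read
const CUSTOMER = 'my_customer';       // alias for the caller's own Workspace account

// Parse an orgUnitPath into {school, role, grade}; null if it does not follow
// the assumed layout (unknown layout is treated as "not ours", i.e. denied).
function parseOrgUnitPath(orgUnitPath) {
  const m = /^\/Schools\/([^/]+)\/(Teachers|Students)(?:\/Grade(\d+))?$/
    .exec(orgUnitPath || '');
  if (!m) return null;
  const school = '/Schools/' + m[1];
  const role = m[2] === 'Teachers' ? 'teacher' : 'student';
  const grade = m[3] ? Number(m[3]) : null;
  if (role === 'student' && grade === null) return null; // students need a grade OU
  return { school, role, grade };
}

// Deny by default: only whitelisted schools get features, and the feature set
// depends on the role. This is the only thing the sidebar SPA should receive.
function authorize(orgUnitPath) {
  const info = parseOrgUnitPath(orgUnitPath);
  if (!info || !ALLOWED_SCHOOLS.has(info.school)) {
    return { allowed: false, reason: 'organization not on whitelist' };
  }
  const features = info.role === 'teacher'
    ? ['manage_class', 'insert_names', 'grade_buttons']
    : ['grade_buttons'];
  return { allowed: true, role: info.role, grade: info.grade, features };
}

// Solution 1: find the orgUnitPath in a two-column sheet (email, orgUnitPath)
// maintained by an admin. `rows` is what getDataRange().getValues() returns.
function lookupOrgUnitInRows(rows, email) {
  const wanted = String(email).trim().toLowerCase();
  for (const row of rows) {
    if (String(row[0]).trim().toLowerCase() === wanted) return String(row[1]);
  }
  return null; // unknown user -> authorize() denies
}

// Apps Script entry point, called from the sidebar via google.script.run.
// The client never sees the sheet, the directory record or any token.
function getPermissionsForActiveUser() {
  const email = Session.getActiveUser().getEmail();
  let orgUnitPath;
  if (USE_DIRECTORY_LOOKUP) {
    // Solution 2: the active user holds the custom role with Users > Read.
    orgUnitPath = AdminDirectory.Users.get(email).orgUnitPath;
  } else {
    // Solution 1: admin-maintained sheet.
    const rows = SpreadsheetApp.openById(SHEET_ID)
      .getSheets()[0].getDataRange().getValues();
    orgUnitPath = lookupOrgUnitInRows(rows, email);
  }
  return authorize(orgUnitPath);
}

// Admin-side, run once by a super admin: give every user in the domain the
// custom role, paging through users.list (the console's 20-at-a-time limit
// does not apply to the API). Returns the number of assignments created.
function assignRoleToAllUsers() {
  let pageToken;
  let count = 0;
  do {
    const page = AdminDirectory.Users.list({
      customer: CUSTOMER, maxResults: 500, pageToken: pageToken,
    });
    for (const user of page.users || []) {
      AdminDirectory.RoleAssignments.insert(
        { roleId: ROLE_ID, assignedTo: user.id, scopeType: 'CUSTOMER' },
        CUSTOMER);
      count++;
    }
    pageToken = page.nextPageToken;
  } while (pageToken);
  return count;
}
```

Two design points worth keeping in mind with either workaround. First, the decision is made in the Apps Script server function and only the result object is returned to the Vue.js sidebar; if the SPA read the org unit itself and chose which buttons to show, a student could simply call the hidden functions. Second, a custom role with Users > Read lets every assignee read the directory profile of any user in the domain, not just their own, so with Solution 2 the server function should return only what the sidebar needs (here: role, grade and feature list) and nothing else from the directory record.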