Tags: google-oauth, google-apps, google-apps-marketplace, google-directory-api

How to determine user permissions with Google Directory API


Google Apps has several built-in "roles" that have privileges to perform tasks for your domain/organization, for example a Help Desk Admin, Groups Admin or Super User Admin. Find them all here.

We have a console that allows a Google admin to manage which users from that organization/domain should be able to access our App, and we want to limit access to this console only to those admins that have the necessary privileges for the tasks on the console.

However, I simply cannot find a way to determine whether a logged-in user has those necessary privileges, short of just trying a couple of calls and seeing if they work. Although it's a different Google API, that's exactly what they tell Google Analytics developers to do here.

Retrieving Permissions for the Authorized User

You can retrieve permissions information for the currently authorized user by performing a list or get operation on an Accounts, Web Properties, or Views (Profiles) resource.

To perform these operations the user must authorize either of the following scopes: ....

When you get a list of users from Google Directory API (/admin-sdk/directory/v1/reference/users), it has only two properties regarding administrator privileges, isAdmin and isDelegatedAdmin. isAdmin is true for super users and false for everyone else. isDelegatedAdmin is true for these other types of Admin roles mentioned on the link above. But there does not seem to be any way to retrieve the more specific admin roles, and even if you could, an organization could create a custom admin role that means you really need to check granular permissions instead of just role.

Has anyone solved this in a more efficient way than trying to call all the necessary APIs to see if they succeed or fail? I have searched extensively for the better part of a day and cannot find a better solution.


Solution

  • Edited 2018-09-19

    You can retrieve this information using the following endpoints:

    • Roles - Returns the roles defined in the organization, including the IDs of the privileges granted to the role.
    • RoleAssignments - Returns the roles that have been assigned to specific users.
    • Privileges - Returns information about the available privileges.

    See the Managing Roles guide for more information.
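Putting the three endpoints from the answer together, as an added example (not code from the question, the answer, or Google): resolve a user's role assignments, expand each assigned role into its privileges, and check a specific privilege rather than a role name, which is what the question asks for given that customers can define custom roles. The paths and response field names follow the Admin SDK Directory API v1 reference (roleAssignments.list with userKey, roles.get, privileges.list under roles/ALL); the sample responses, role IDs and org unit IDs below are constructed, and the assumption that a granted parent privilege (USERS_ALL) implies its childPrivileges is mine.

```python
"""Resolve a Google Workspace user's effective admin privileges via the
Directory API roleAssignments / roles / privileges endpoints.

Added example for this page, not from the question or the answer. Endpoint
paths follow the Admin SDK Directory API v1 reference; the SAMPLE responses
are constructed for offline use, not real API output."""
import json
import urllib.request
from typing import Callable, Dict, Optional, Set

BASE = "https://admin.googleapis.com/admin/directory/v1"
# Read-only scope that covers roles, roleAssignments and privileges.
SCOPE = "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly"

Fetch = Callable[[str], dict]  # path relative to BASE -> parsed JSON body


def make_http_fetch(access_token: str) -> Fetch:
    """Real transport: GET BASE+path with a bearer token (needs network)."""
    def fetch(path: str) -> dict:
        req = urllib.request.Request(
            BASE + path, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def privilege_closure(catalog: dict) -> Dict[str, Set[str]]:
    """Map each privilege name to itself plus every descendant in the
    privileges list (childPrivileges nesting). Assumption: a granted parent
    such as USERS_ALL also satisfies a check for USERS_RETRIEVE. Production
    code should key on (serviceId, privilegeName), not the name alone."""
    closure: Dict[str, Set[str]] = {}

    def walk(node: dict) -> Set[str]:
        names = {node["privilegeName"]}
        for child in node.get("childPrivileges", []):
            names |= walk(child)
        closure[node["privilegeName"]] = names
        return names

    for item in catalog.get("items", []):
        walk(item)
    return closure


def effective_privileges(fetch: Fetch, user_key: str,
                         customer: str = "my_customer") -> dict:
    """Return {'super_admin': bool, 'customer_wide': set, 'org_unit': {ouId: set}}."""
    closure = privilege_closure(fetch(f"/customer/{customer}/roles/ALL/privileges"))
    assignments = fetch(f"/customer/{customer}/roleassignments?userKey={user_key}")
    result = {"super_admin": False, "customer_wide": set(), "org_unit": {}}
    for a in assignments.get("items", []):
        role = fetch(f"/customer/{customer}/roles/{a['roleId']}")
        if role.get("isSuperAdminRole"):
            result["super_admin"] = True
        granted: Set[str] = set()
        for p in role.get("rolePrivileges", []):
            granted |= closure.get(p["privilegeName"], {p["privilegeName"]})
        # An assignment scoped to an org unit only applies inside that OU;
        # never promote it to a domain-wide grant.
        if a.get("scopeType") == "ORG_UNIT":
            result["org_unit"].setdefault(a["orgUnitId"], set()).update(granted)
        else:
            result["customer_wide"] |= granted
    return result


def can(result: dict, privilege: str, org_unit_id: Optional[str] = None) -> bool:
    """True if the user holds `privilege` domain-wide, or within the given OU."""
    if result["super_admin"] or privilege in result["customer_wide"]:
        return True
    return org_unit_id is not None and privilege in result["org_unit"].get(org_unit_id, set())


# Constructed sample responses (shape only; ids, names and OUs are made up).
SAMPLE = {
    "/customer/my_customer/roles/ALL/privileges": {"items": [
        {"privilegeName": "USERS_ALL", "serviceId": "svc-users", "childPrivileges": [
            {"privilegeName": "USERS_RETRIEVE", "serviceId": "svc-users"},
            {"privilegeName": "USERS_UPDATE", "serviceId": "svc-users"}]},
        {"privilegeName": "GROUPS_ALL", "serviceId": "svc-groups", "childPrivileges": [
            {"privilegeName": "GROUPS_RETRIEVE", "serviceId": "svc-groups"}]}]},
    "/customer/my_customer/roleassignments?userKey=helpdesk@example.com": {"items": [
        {"roleId": "101", "assignedTo": "u1", "scopeType": "CUSTOMER"},
        {"roleId": "202", "assignedTo": "u1", "scopeType": "ORG_UNIT", "orgUnitId": "ou-sales"}]},
    "/customer/my_customer/roles/101": {"roleId": "101", "roleName": "Help Desk",
        "isSuperAdminRole": False,
        "rolePrivileges": [{"privilegeName": "USERS_RETRIEVE", "serviceId": "svc-users"}]},
    "/customer/my_customer/roles/202": {"roleId": "202", "roleName": "Sales OU Groups",
        "isSuperAdminRole": False,
        "rolePrivileges": [{"privilegeName": "GROUPS_ALL", "serviceId": "svc-groups"}]},
}


def sample_fetch(path: str) -> dict:
    return SAMPLE[path]


if __name__ == "__main__":
    r = effective_privileges(sample_fetch, "helpdesk@example.com")
    print(can(r, "USERS_RETRIEVE"), can(r, "USERS_UPDATE"))
    print(can(r, "GROUPS_RETRIEVE"), can(r, "GROUPS_RETRIEVE", "ou-sales"))
```

Gate the console on `can(result, "<privilege the console actually needs>")` rather than on a role name or on isDelegatedAdmin, and pass the org unit when the console action is scoped to one; the two scope types are the caveat that a bare "is this user an admin" check misses.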