Within my company's domain, I'm able to successfully search for users via this call: https://developers.google.com/admin-sdk/directory/v1/reference/users/list (domain: mydomain.com, viewType: domain_public, and my own email as the sub= in the service account authorization.)
I've confirmed that with a web browser, anyone in my company can view membership of any group in the company by going to https://groups.google.com/a/mycompany/forum/#!members/mygroup.
It seems to follow (same API, obviously open company-wide) that I should be able to obtain group members via this call: https://developers.google.com/admin-sdk/directory/v1/reference/members/list
However, even using the API Explorer, I'm getting:
403 OK
{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "forbidden",
        "message": "Not Authorized to access this resource/api"
      }
    ],
    "code": 403,
    "message": "Not Authorized to access this resource/api"
  }
}
This doesn't seem to make sense... Is this a permission that needs to be/can be changed at the organization level? (i.e., my admins have allowed user/list but haven't yet allowed members/list?)
If this is somehow intentional behavior within the API... why? And has anyone found a way around? (Screen-scraping https://groups.google.com/a/mycompany/forum/#!members/mygroup would probably work, but just seems so insane when there's theoretically an API...)
FWIW - I'm trying to use PHP to do this in a service running on a Linux machine, but until I can get it working within even the API explorer, I'm not sure that's relevant. My first attempt was to take all the code that works for users/list and make the call to members/list instead. When that failed, I tried API Explorer and failed there as well.
You can get the admins to allow the "Read" Admin API Privilege for users in your domain.
Admin Console > Admin Roles > Create new role (e.g. "All users GroupsAPIRead") > Privileges > Admin API Privileges (not Admin Console API Privileges) > Groups > tick "Read" (don't tick create, update or delete).
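A sketch of the members/list call once the role above is in place, added here as an example and not part of the original answer. It assumes an OAuth access token has already been obtained for the impersonated user with the read-only scope `https://www.googleapis.com/auth/admin.directory.group.member.readonly`; `fake_get`, the token strings and the `mycompany.example` addresses are constructed so the block runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://admin.googleapis.com/admin/directory/v1/groups/{}/members"

class NotAuthorized(Exception):
    """403 'forbidden': the calling user has no Groups 'Read' Admin API privilege."""

def http_get(url, token):
    """Real transport: GET with an OAuth bearer token; returns (status, body_text)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def list_members(group_key, token, get=http_get):
    """Return every member email of group_key, following nextPageToken."""
    emails, page_token = [], None
    while True:
        query = {"maxResults": 200}
        if page_token:
            query["pageToken"] = page_token
        url = BASE.format(urllib.parse.quote(group_key, safe="")) + "?" + urllib.parse.urlencode(query)
        status, body = get(url, token)
        if status == 403:
            errors = json.loads(body)["error"].get("errors", [])
            raise NotAuthorized(f"{group_key}: {[e.get('reason') for e in errors]}")
        if status != 200:
            raise RuntimeError(f"HTTP {status}: {body[:200]}")
        data = json.loads(body)
        emails += [m["email"] for m in data.get("members", []) if "email" in m]
        page_token = data.get("nextPageToken")
        if not page_token:
            return emails

# Constructed 403 body, same shape as the error quoted in the question.
FORBIDDEN = json.dumps({"error": {"errors": [{"domain": "global", "reason": "forbidden", "message": "Not Authorized to access this resource/api"}], "code": 403, "message": "Not Authorized to access this resource/api"}})

def fake_get(url, token):
    """Constructed stand-in for the API: two pages for a privileged token, 403 otherwise."""
    if token != "token-with-groups-read":
        return 403, FORBIDDEN
    if "pageToken=p2" in url:
        return 200, json.dumps({"members": [{"email": "c@mycompany.example"}]})
    return 200, json.dumps({"members": [{"email": "a@mycompany.example"}, {"email": "b@mycompany.example"}], "nextPageToken": "p2"})
```

Requesting only the member read-only scope mirrors the role in the answer, which grants "Read" and nothing else.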