
The forbidden error occurs when I try to link an account to another user with an email


I have a user's refresh token with these scopes:

'https://www.googleapis.com/auth/analytics https://www.googleapis.com/auth/analytics.edit https://www.googleapis.com/auth/analytics.readonly https://www.googleapis.com/auth/analytics.manage.users'

The user has a few accounts, and a forbidden error occurs for the XXXX2 account when I try to give another user access to an account (you can see the code and the account list JSON below). I checked this account's effective permissions field, and I see that it is an empty array, as you can see below as well.

In my opinion, the reason for this error is that this user does not have 'manage_users' permissions for this account (XXXX2), so this is an expected error, isn't it?

PS: I can link XXXX1 properly with the below code.

My code :

# Grant EDIT and MANAGE_USERS on the account to the user identified by email.
linkAccount = self.service.management().accountUserLinks().insert(
    accountId=accountId,
    body={
        'permissions': {
            'local': [
                'EDIT',
                'MANAGE_USERS'
            ]
        },
        'userRef': {
            'email': email
        }
    }
).execute()

User Account list :

{
        "id": "XXXX1",
        "kind": "analytics#account",
        "selfLink": "https://www.googleapis.com/analytics/v3/management/accounts/XXXX1",
        "name": "XXXX1",
        "permissions": {
            "effective": [
                "COLLABORATE",
                "EDIT",
                "MANAGE_USERS",
                "READ_AND_ANALYZE"
            ]
        },
        "created": "2014-02-17T17:52:10.911Z",
        "updated": "2019-06-04T16:06:12.717Z",
        "childLink": {
            "type": "analytics#webproperties",
            "href": "https://www.googleapis.com/analytics/v3/management/accounts/XXXX1/webproperties"
        }
    },
    {
        "id": "XXXX2",
        "kind": "analytics#account",
        "selfLink": "https://www.googleapis.com/analytics/v3/management/accounts/XXXX2",
        "name": "XXXX2",
        "permissions": {
            "effective": []
        },
        "created": "2015-07-02T19:11:16.307Z",
        "updated": "2019-03-05T21:16:19.552Z",
        "childLink": {
            "type": "analytics#webproperties",
            "href": "https://www.googleapis.com/analytics/v3/management/accounts/XXXX2/webproperties"
        }
    }

Error Code :

<HttpError 403 when requesting https://analytics.googleapis.com/analytics/v3/management/accounts/XXXXX/entityUserLinks?alt=json returned "User does not have permission to perform this operation.". Details: "User does not have permission to perform this operation."

Solution

  • I would check what access the currently authenticated user has to the account in question.

    If the user you are authenticated with only has read access to the Analytics account, they're not going to be able to give your application the ability to add another user.
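
The check suggested in the answer can be done before the insert call by reading `permissions.effective` from the account list. The following is an added example, not code from the question or the answer. It assumes, as the question and answer suggest, that the caller needs MANAGE_USERS on an account to create user links there; `SAMPLE_ACCOUNTS`, `can_manage_users` and `link_user` are hypothetical names, and the sample data is constructed from the account list shown in the question.

```python
REQUIRED_PERMISSION = "MANAGE_USERS"

# Constructed sample: the two accounts from the question, reduced to the
# fields the check reads.
SAMPLE_ACCOUNTS = [
    {"id": "XXXX1", "permissions": {"effective": [
        "COLLABORATE", "EDIT", "MANAGE_USERS", "READ_AND_ANALYZE"]}},
    {"id": "XXXX2", "permissions": {"effective": []}},
]


def can_manage_users(account):
    """True if the authenticated user holds MANAGE_USERS on this account.

    A missing or null 'effective' list is treated as no permissions.
    """
    effective = (account.get("permissions") or {}).get("effective") or []
    return REQUIRED_PERMISSION in effective


def link_user(service, accounts, email, local_permissions):
    """Call accountUserLinks().insert only where the caller may manage users.

    `service` is an Analytics v3 client as used in the question and
    `accounts` is the 'items' list of an account list response. Returns a
    dict mapping account id to 'linked' or the reason the call was skipped,
    so accounts that would return 403 are reported instead of raising.
    """
    results = {}
    for account in accounts:
        account_id = account["id"]
        if not can_manage_users(account):
            results[account_id] = "skipped: caller lacks MANAGE_USERS"
            continue
        service.management().accountUserLinks().insert(
            accountId=account_id,
            body={
                "permissions": {"local": list(local_permissions)},
                "userRef": {"email": email},
            },
        ).execute()
        results[account_id] = "linked"
    return results
```

With the sample data, XXXX1 is linked and XXXX2 is skipped without sending a request, which matches the behaviour described in the question.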