非管理员对Google Admin SDK的只读访问权限 [英] Non-admin read-only access to Google Admin SDK

问题描述

在关于Google Developers Blog (从2014年9月23日开始)，内容为:

In a post on the Google Developers blog from September 23, 2014, it says:

对所有域用户的读取权限

从历史上看，只有管理员才能访问Admin SDK中的数据. 从今天开始，任何用户(不仅是管理员)现在都可以致电 目录API可以读取域中任何用户的个人资料(当然， 将遵守ACLing设置和配置文件共享设置.

Historically, only admins have been able to access the data in the Admin SDK. Beginning today, any user (not just admins) will now be able to call the Directory API to read the profile of any user on the domain (of course, we will respect ACLing settings and profile sharing settings).

但是，尽管检查了我可以找到的每个Google Apps Admin设置，但非管理员用户对Directory API的调用仍然失败.简码:

However, despite checking every Google Apps Admin setting I can find, my calls calls to the Directory API fail for non-admin users. Condensed code:

params = {
  client_id: XXXXXX, 
  scope: 'https://www.googleapis.com/auth/admin.directory.user.readonly', 
  response_type: 'token id_token', 
  immediate: true
};
gapi.auth.authorize(params, gHandleAuthResult);
var request = gapi.client.request({
  'path': '/admin/directory/v1/users',
  'params': {
     'customer': 'my_customer',
  }
});
request.then(function (response) {
  var users = response.result.users;
  if (!!users && users.length > 0) {
    users.forEach(function (user) {
      newMember.id = user.id || '';
    }
  }
}

这使用了JavaScript的Google API客户端库.我已经在多个Google Apps帐户上尝试过此方法，但它始终适用于管理员帐户，而不适用于非管理员帐户，我得到的响应是未授权访问此资源/api".

This is using the Google API Client Library for JavaScript. I've tried this on multiple Google Apps accounts, it always works for admin accounts, never for non-admins, for whom I get the response "Not Authorized to access this resource/api".

上一篇帖子对此进行了询问，并收到了回复您必须使用服务帐户，但这是从2014年6月开始撰写博客文章的时间.我已经成功地使用服务帐户拨打了电话，但宁愿不必这样做，因为它需要服务器充当网桥.

A previous post asked about this and received a response that you have to use a service account, but that was from June 2014, before the blog post. I have succeeded in making the call using a service account, but would rather not have to do so as it requires a server to act as a bridge.

Google开发人员文档说"Google工程师会监视并回答google-admin-sdk标签"，因此希望在此处寻求Google的回答.

The Google developer docs say that "Google engineers monitor and answer against the tag google-admin-sdk", so hoping for an answer from Google here.

推荐答案

尝试:

var request = gapi.client.request({
  'path': '/admin/directory/v1/users',
  'viewType': 'domain_public'
  'params': {
  'customer': 'my_customer',
  }
});

需要

viewType = domain_public以非管理员身份执行用户帐户文档.

这篇关于非管理员对Google Admin SDK的只读访问权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！