Restrict domain-wide delegation to specific mailboxes


Problem description

I have been working on a server-to-server Google Calendar integration, whereby it connects to, reads from and writes to a user's calendar.

This is working perfectly fine; however, I have a question regarding permission scope. Using a service account with domain-wide delegation means that this account has access to the calendars of every single user in the organisation, from the CEO to me...

Is there a way of limiting this scope from Google's side, so that the service account can only access specific accounts, similarly to how EWS allows delegation rules?

One idea I had was to create a separate organisational unit and create the project under that (I have not tested this theory, but it also doesn't feel very scalable).

Any ideas?

Thanks

Answer

First and foremost: a service account is technically a superadministrator once DWD (domain-wide delegation) is enabled and the client ID has been authorized by any admin in the Admin Console.

That translates to: a service account can impersonate any user, including any administrator, and perform any action allowed by the declared scopes.

In this case: a service account with the allowed scope https://www.googleapis.com/auth/calendar.readonly can read any calendar in the domain.

Now there's a somewhat nasty workaround: a service account is basically a Gmail account without access to the web UI. So you can indeed share a calendar with a service account, if and only if external calendar sharing is enabled. Then you do not use DWD. In this case the service account can only act as the sharing permissions dictate. However, this is not how a service account is supposed to be used.
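The answer above makes two points that are easier to see in code: with DWD the only thing that selects which mailbox the key acts as is the `sub` claim of the JWT assertion the service signs, so any restriction to specific mailboxes has to be enforced by your own application before signing; and the non-DWD workaround is simply the same assertion with `sub` omitted, so the key acts as itself and sees only calendars shared with its e-mail address. The following is an added example, not code from the original question or answer: it builds the claim set used by Google's service-account OAuth flow (the `iss`/`sub`/`scope`/`aud`/`iat`/`exp` fields and the one-hour maximum are Google's documented format), wraps it in a hypothetical `DelegationPolicy` allowlist, and uses only the standard library so it runs offline. The `sign_with_google_auth` helper imports the google-auth library lazily and is assumed to be run only where that library and a key file are present; the service account address, mailboxes and scopes are made up.

```python
"""Application-side fence around Google domain-wide delegation (DWD).

Google authorizes a DWD client ID for the whole domain, so a policy such as
"this service may only touch these mailboxes" can live only in the code that
mints the impersonation assertion. This module builds that assertion's claim
set and refuses subjects or scopes outside an explicit allowlist.
"""
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
MAX_LIFETIME = 3600  # Google rejects assertions that claim more than one hour
CAL_RO = "https://www.googleapis.com/auth/calendar.readonly"
CAL_RW = "https://www.googleapis.com/auth/calendar"


class DelegationPolicy:
    """Hypothetical allowlist of mailboxes this service may impersonate and scopes
    it may request. Google itself offers no such per-mailbox control."""

    def __init__(self, allowed_subjects, allowed_scopes):
        self.allowed_subjects = {s.strip().lower() for s in allowed_subjects}
        self.allowed_scopes = set(allowed_scopes)

    def check(self, subject, scopes):
        if subject not in self.allowed_subjects:
            raise PermissionError(f"refusing to impersonate {subject}: not on the allowlist")
        extra = set(scopes) - self.allowed_scopes
        if extra:
            raise PermissionError(f"refusing scopes not granted to this service: {sorted(extra)}")


def _claims(sa_email, scopes, now, lifetime):
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": sa_email,                 # the service account's e-mail
        "scope": " ".join(scopes),       # space-separated OAuth scopes
        "aud": TOKEN_URI,                # Google's token endpoint
        "iat": now,
        "exp": now + min(int(lifetime), MAX_LIFETIME),
    }


def build_dwd_claims(sa_email, subject, scopes, policy, now=None, lifetime=MAX_LIFETIME):
    """Claim set for a DWD assertion: `sub` is the mailbox the key will act as.
    The policy check is the only thing stopping `sub` from being the CEO."""
    subject = subject.strip().lower()
    policy.check(subject, scopes)
    claims = _claims(sa_email, scopes, now, lifetime)
    claims["sub"] = subject
    return claims


def build_self_claims(sa_email, scopes, now=None, lifetime=MAX_LIFETIME):
    """Claim set without `sub`: the key acts as the service account itself and
    only reaches calendars explicitly shared with its address (the non-DWD workaround)."""
    return _claims(sa_email, scopes, now, lifetime)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def signing_input(claims):
    """header.payload, the exact bytes an RS256 signer signs. Logging `sub` from
    here gives an audit trail of which mailboxes the service actually used."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))


def decode_payload(jwt_or_input):
    """Read the claim set back out of header.payload[.signature] without verifying it."""
    seg = jwt_or_input.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def sign_with_google_auth(claims, key_file):
    """Produce the real signed assertion with google-auth (imported lazily so this
    module runs without it); POST it to TOKEN_URI with
    grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer to get an access token."""
    from google.auth import crypt, jwt
    signer = crypt.RSASigner.from_service_account_file(key_file)
    return jwt.encode(signer, claims)
```

Because the fence is purely application-side, it protects only against bugs and over-reach in your own code, not against anyone who obtains the key file: they can sign a claim set with any `sub` they like. Treat the key as the superadministrator credential the answer describes, and keep the authorized scope list in the Admin Console as small as the integration needs.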
