stackoom
  简体   繁体   中英

Authorizing a non admin user to run Admin SDK in Google Apps Script

 原文  2021-10-27 10:45:40       google-apps-script/ google-admin-sdk

Question

I'd like to allow a non admin user in our domain to be able to use a Google Sheet which is running code to:

  • List some groups in our organisation
  • Delete/Add users

This requires admin rights, so the following code will not run in a non-admin account... How is it possibile to authorise the non admin user to run admin code?

var RatatoskSheet = SpreadsheetApp.getActiveSpreadsheet();

// -- ADD USER TO GROUP -- Set trigger to onedit -- //
function addUsertoGroup(e) {

   var sheet = e.source.getActiveSheet();
   if (sheet.getName() === 'AddUser') { //Hinders edits on other sheets

      var userData = SpreadsheetApp.getActive().getSheetByName('AddUser');
      var userEmail = userData.getRange(2, 1).getValue(); //Gets data from AddUser.A2
      var groupId = userData.getRange(2, 2).getValue(); //Gets data from cell B2

      var newMember = {
         email: userEmail,
         role: "MEMBER"
      };


      AdminDirectory.Members.insert(newMember, groupId); // Adds new member to a Google group
      var groupData = SpreadsheetApp.getActive().getSheetByName('GroupAddress');
      var groupTwo = [userEmail, groupId]
      groupData.appendRow(groupTwo); //Add member and group to GroupAddress
      var header = ['UserEmail', 'GroupID'];
      userData.clear(); //Reset AddUser (Delete all)
      userData.appendRow(header).setFrozenRows(1);



   }
}

// -- REMOVE USER FROM GROUP -- Set trigger of this function to onedit -- //
function deleteGroupMember(e) {

   var sheet = e.source.getActiveSheet();
   if (sheet.getName() === 'RemoveUser') { //Hinders edits on other sheets

      var RemoveUserData = SpreadsheetApp.getActive().getSheetByName('RemoveUser');
      var groupData = SpreadsheetApp.getActive().getSheetByName('GroupAddress');

      var userEmail = RemoveUserData.getRange(2, 1).getValue(); //Gets data from RemoveUser.A2
      var groupId = RemoveUserData.getRange(2, 2).getValue(); //Gets data from  RemoveUser.B2

      AdminDirectory.Members.remove(groupId, userEmail); //Removes member from a Google group

      var removeDataValues = RemoveUserData.getDataRange().getValues();
      var groupDataValues = groupData.getDataRange().getValues();
      var resultArray = [];
      for (var n in groupDataValues) { //
         var keep = true
         for (var p in removeDataValues) {
            if (groupDataValues[n][0] == removeDataValues[p][0] && groupDataValues[n][1] == removeDataValues[p][1]) {
               keep = false;
               break;
            }
         }
         if (keep) {
            resultArray.push(groupDataValues[n])
         };
      }


      var start = 2; //Starts from Row 2          //
      var killTheRows = groupData.getLastRow() - start + 1; //                           // These lines deletes all rows in GroupAddress
      groupData.deleteRows(start, killTheRows); //Delete all rows with values//

      groupData.getRange(2, 1, resultArray.length, resultArray[0].length).setValues(resultArray); //Repopulate the rows in GroupAddress

      var header = ['UserEmail', 'GroupID'];
      RemoveUserData.clear();
      RemoveUserData.appendRow(header).setFrozenRows(1);



   }
}

// -- LISTS ALL GROUPS AND USERS WITHIN THEM -- Set this as a timed trigger to error correct once a day -- //
function listAllGroups() {
   var grouprows = [];
   var pageToken;

   var page;
   do {
      page = AdminDirectory.Groups.list({
         domain: 'THEDOMAIN',
         maxResults: 200,
         pageToken: pageToken
      });
      var groups = page.groups;
      if (groups) {
         for (var i = 0; i < groups.length; i++) {
            var group = groups[i];
            if (group.email.substring(0, 5) === "staff") {
               grouprows.push(group.email);
            }
         }
      }
      pageToken = page.nextPageToken;
   } while (pageToken);

   var rows = [];
   var pageToken, page2;
   for (var j = 0; j < grouprows.length; j++) {
      do {
         page2 = AdminDirectory.Members.list(grouprows[j], {
            domainName: 'YOURDOMAIN',
            maxResults: 500,
            pageToken: pageToken,
         });
         var members = page2.members;
         if (members) {
            for (var i = 0; i < members.length; i++) {
               var member = members[i];
               var row = [member.email, grouprows[j]];
               rows.push(row);
            }
         }
         pageToken = page2.nextPageToken;
      } while (pageToken);
      if (rows.length > 1) {
         var groupData = RatatoskSheet.getSheetByName("GroupAddress");
         var header = ['UserEmail', 'GroupID'];
         groupData.clear();
         groupData.appendRow(header).setFrozenRows(1);
         groupData.getRange(2, 1, rows.length, header.length).setValues(rows);

      }

   }
   groupData.deleteRow(2); //NB! Removes first group(all@yourdomain.com) Make this whole line a comment if unsure. 



}

1 answers

solution1
 1 ACCPTED  2021-10-27 14:51:36

A way to achieve this is by creating a service account and using domain wide delegation of authority.

After that, since you want to continue on using Apps Script, you will have to get the access token for this service account and make the request using UrlFetchApp since you cannot pass an access token while making a request using Admin SDK Directory advanced service.

Therefore, the requests will end up looking something similar to:

var options = {
    method: "GET",
    contentType: "application/json",
    muteHttpExceptions: true,
};

var response = UrlFetchApp.fetch('https://admin.googleapis.com/admin/directory/v1/groups/{groupKey}/members', {
    headers: {
      Authorization: 'Bearer ' + token
    }
  });

However, this approach might depend on the restrictions you have set in place for your account.

Another option is to deploy your script as a web app

For deploying a web app, the script should contain a doGet(e) or a doPost(e) and return a HTML service HtmlOutput object or a Content service TextOutput object.

After doing this, you should deploy the web app with the following settings:

  • Execute as: Me

  • Who has access: Anyone within domain

Reference

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Google Apps Script admin SDK speed Admin SDK Directory API, Google Apps Script Google Apps Admin Script App | Forwarding Non-Admin Emails How to reset user's password in Google Apps Script using admin SDK? Returning a users directory profile with the Admin SDK on Google Apps Script Update user mail address via apps script with admin SDK Automate user creation using google app script in Google Admin SDK Creating a group with Admin SDK Directory API in Google Apps Script - Error 403 Creating a group with Admin SDK Directory API in Google Apps Script doesn't work "On form submit" Authorizing Google Apps Script to access Drive files
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM