Assign service account to Group Admin role in Workspaces (GSuite) - google-workspace

I'm attempting to assign a service account created in a project to the Group Admin role in Workspaces (GSuite) as part of an experiment to set up IAM automation in Terraform.
I'm essentially following this support guide here: https://support.google.com/a/answer/9807615#zippy=%2Cassign-a-role-to-a-service-account
Once I add the service account to be granted Group Admin, pressing "Assign Role" appears to do nothing. The button visually hovers but no action takes place after clicking it. My only option is to back out and discard the request.
I am signed in as a Super Admin. I've also tried Firefox, Safari, and Chrome hoping it was just a UI bug. I contacted Workspace support and while they were extremely helpful they were not able to find any issue on their end or point me in any direction.
I have also tried assigning a dummy user via the 'Assign User' page and I get the same issue. The button/form just doesn't seem to react or produce any error messages.
Is there something I could be missing in my Org setup?

So considering the UI is broken for me, I ended up using the API Explorer to assign the service account to the Group Admin role in Workspaces (GSuite)
Requirements:
Service Account unique ID, found by navigating to your service account from IAM in the console.
Customer ID, this is the customer ID of your Organisation and can be found in Account Settings in Workspaces or running the command:
$ gcloud organizations list
The customer ID is listed under DIRECTORY_CUSTOMER_ID.
You also need to find the roleId of your Group Admin role. I did this via the API Explorer again; it requires your Customer ID:
https://developers.google.com/admin-sdk/directory/reference/rest/v1/roles/list
Send a request to that and then check the response for:
"roleId": "XXXXXXXXXXXXXXX",
"roleName": "_GROUPS_ADMIN_ROLE",
You then need to use API Explorer to insert your service account using the above details
https://developers.google.com/admin-sdk/directory/reference/rest/v1/roleAssignments/insert
Request body:
{
"assignedTo": "XXXXXXXXXXX",
"roleId": "XXXXXXXXXXX",
"scopeType": "CUSTOMER"
}
Your service account should now be a Group Admin in Workspaces (GSuite)
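The same two API calls the answer makes by hand (roles.list to look up the roleId, then roleAssignments.insert), as an added Python example that is not from the original answer. It assumes the google-auth and google-api-python-client libraries, that Application Default Credentials belong to a super admin who can use the rolemanagement scope, and that the customer ID and the service account's numeric unique ID are passed on the command line; the built-in role's roleId is customer-specific, so it is looked up rather than hard-coded, and the assignment is skipped if it already exists.

```python
"""Assign a service account to the Workspace Group Admin role via the
Admin SDK Directory API (added example; not code from the original post)."""

ROLE_MGMT_SCOPE = "https://www.googleapis.com/auth/admin.directory.rolemanagement"
GROUPS_ADMIN_ROLE = "_GROUPS_ADMIN_ROLE"


def find_role_id(service, customer_id, role_name=GROUPS_ADMIN_ROLE):
    """Page through roles.list and return the roleId whose roleName matches.

    Built-in roles such as _GROUPS_ADMIN_ROLE carry a customer-specific
    roleId, which is why the answer looks it up instead of hard-coding it.
    """
    page_token = None
    while True:
        kwargs = {"customer": customer_id}
        if page_token:
            kwargs["pageToken"] = page_token
        resp = service.roles().list(**kwargs).execute()
        for role in resp.get("items", []):
            if role.get("roleName") == role_name:
                return role["roleId"]
        page_token = resp.get("nextPageToken")
        if not page_token:
            raise LookupError(f"role {role_name!r} not found for customer {customer_id}")


def existing_assignment(service, customer_id, assigned_to, role_id):
    """Return the roleAssignment if assigned_to already holds role_id, else None.

    userKey accepts the principal's unique ID; for a service account that is
    the numeric ID shown on its IAM page, not its email address.
    """
    resp = service.roleAssignments().list(customer=customer_id, userKey=assigned_to).execute()
    for assignment in resp.get("items", []):
        if assignment.get("roleId") == role_id:
            return assignment
    return None


def assign_role(service, customer_id, assigned_to, role_id):
    """Insert a CUSTOMER-scoped role assignment; idempotent on re-runs."""
    current = existing_assignment(service, customer_id, assigned_to, role_id)
    if current is not None:
        return current
    # Same request body as the API Explorer call in the answer.
    body = {"assignedTo": assigned_to, "roleId": role_id, "scopeType": "CUSTOMER"}
    return service.roleAssignments().insert(customer=customer_id, body=body).execute()


def build_directory_service():
    """Directory API client from Application Default Credentials (assumed to be
    a super admin's); imports are local so the pure functions above run offline."""
    import google.auth
    from googleapiclient.discovery import build

    creds, _ = google.auth.default(scopes=[ROLE_MGMT_SCOPE])
    return build("admin", "directory_v1", credentials=creds)


if __name__ == "__main__":
    import sys

    # Placeholders: C0xxxxxxx (DIRECTORY_CUSTOMER_ID) and the SA's numeric unique ID.
    customer_id, sa_unique_id = sys.argv[1], sys.argv[2]
    service = build_directory_service()
    role_id = find_role_id(service, customer_id)
    print(assign_role(service, customer_id, sa_unique_id, role_id))
```

Running `python assign_group_admin.py C0xxxxxxx 1234567890123456789` performs the lookup and the insert; a second run returns the existing assignment without creating a duplicate, and a roleName that does not exist raises LookupError instead of silently inserting with an empty roleId.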

Related

Azure DevOps REST API Error: You are not authorized to create a subscription

Following this documentation I try to make a user following a work item but I receive the following error:
{
"$id": "1",
"innerException": null,
"message": "You are not authorized to create a subscription.",
"typeName": "System.UnauthorizedAccessException, mscorlib",
"typeKey": "UnauthorizedAccessException",
"errorCode": 0,
"eventId": 0
}
The user which tries to create the subscription is an Admin of the project. Both users have access level Basic on organization level. The request uses Basic Auth with a PAT with Full Access privileges. The same request succeeds in a different (test) organization, but I don't see what the difference is between them.
If your users want to set up Global notification, you need to make sure they are members of the Project Collection Administrators group of the organization.
I tested it in the UI, if the user is a project admin but not a member of the PCA group, then he has no permission to perform the operation.
Thanks for providing detail on your user role & licensing, those are usually the first two things to check in cases like these.
Since you're a Project Administrator and have at least a Basic license, I'd recommend checking two things:
If you're using the same PAT when issuing both calls between organizations, make sure that you've chosen "All accessible organizations" when configuring your PAT:
Within your project, head to Project Settings > Service Connections > Security, verify that the user you're attempting to create a service connection with has access. If they don't, add them to the Endpoint Administrators group.

Azure DevOps Server 2019: How to correctly manage user roles

I recently installed Azure DevOps Server 2019 on an on-premises server.
However, I am so confused: how can I set the security and the user permissions in the server, such as denying a user from viewing another project in the same collection, or creating a custom group that is not one of the Azure DevOps default groups?
I'm asking for ideas on how to implement that.
Thank you
According to the Azure DevOps permission settings, for most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
Deny user to view another project in the same collection.
I assume you were talking about team projects. In your scenario, the simplest way is not to add that user to your team project. People without project collection admin permission will not be able to see projects they have not been added to.
If you have already added users to the team project and want them not to be able to see some info such as repos/builds/work items in the project, you need to explicitly deny those users permission to view those project repositories/builds/work items.
As for how to create a group, you can directly click New Group in the top right corner of the page under Project Settings -- Permissions.
For more details about how permissions and groups are defined, I suggest you go through the official doc here -- About permissions and groups.
Besides, you could also manage user permissions with the help of the command line. The tfssecurity command line tool allows us to manage permissions for Azure DevOps groups and users. We could use it in a PowerShell script to grant access to projects that already exist.

Invited user Azure Devops project but they are unable to access it

I added a user to my Azure Devops project but when they click on the link in the invitation email they get the "401 - Uh-oh, you do not have access." error. What am I doing wrong?
What I did that seems to have worked, was I made the project public, and the other user was able to access it. After they had accessed one time successfully I made it private again. They are still able to get to it.
First, check whether your Azure DevOps organization is AAD-based or not. Then the invited user should use the corresponding account: a work/school account for an AAD-based organization, or a personal account otherwise. For example:
A highly specific 401 error case. In this case, both a personal Microsoft account and a work or school account (Azure AD) that have the same sign-in address exist. You've signed in with your work or school account, but your personal account is the identity with access to the organization.
For a more detailed explanation, you could take a look at the official documentation here:
Why can't I sign in after I select "personal Microsoft account" or
"work or school account"?
Although both identities use the same sign-in address, they're separate: they have different profiles, security settings, and permissions. Sign out completely from Azure DevOps by completing the following steps. Closing your browser might not sign you out completely. Sign in again and select your other identity:
Close all browsers, including browsers that aren't running Azure DevOps.
Open a private or incognito browsing session.
Go to this URL: https://aka.ms/vssignout.
You see a message that says, "Sign out in progress." After you sign out, you're redirected to the Azure DevOps #dev.azure.microsoft.com webpage.
If the sign-out page takes more than a minute to sign you out, close the browser and continue.
Sign in to Azure DevOps again. Select your other identity.
I suggest you use an InPrivate-mode browser to log in, then use your Microsoft Account to authenticate, and also select the personal account if you need to choose between a "work or school account" and a "personal account".

GSuite marketplace Listing with Admin SDK + SERVICE ACCOUNT

I brought up a GSuite Marketplace Listing with Service account created and Domain Wide Delegation enabled. I want to retrieve the users and orgunits of the customer.
Created a new Google Cloud Project
Enabled 'Admin SDK' in the project
Enabled 'GSuite Marketplace SDK', filled in the scopes 'https://www.googleapis.com/auth/admin.directory.orgunit.readonly' and 'https://www.googleapis.com/auth/admin.directory.user.readonly', and published the listing.
Enabled the 'Enable API Access' in the Admin Console of the customer.
The customer installed the app but I saw that the client_id of the SA was not added under the "Authorized API clients" section. When I try to retrieve the list of users in GSuite, I get the below error.
"unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested"
Am I missing something in the marketplace listing?
Why do you expect the SA's OAuth client to automatically appear under 'Authorized API Clients'? The instructions for setting up whitelisted OAuth clients for the domain mention you have to do it manually.
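The delegated read of users and org units that the question is attempting, as an added Python example that is not from the question or the answer. It assumes the google-auth and google-api-python-client libraries, the service account's key JSON, and an admin user in the customer's domain to impersonate; the client_id it extracts from the key is the value the customer's super admin must add manually under Authorized API clients, and the scope list in SCOPES must be exactly the list authorized there, since a mismatch produces the unauthorized_client error quoted in the question.

```python
"""Read a Workspace customer's users and org units through a service account
with domain-wide delegation (added example; not code from the question)."""
import json

# The scopes requested here must match exactly what the customer's admin
# authorized for this client ID; a different or extra scope string fails with
# unauthorized_client when the delegated token is requested.
USER_RO = "https://www.googleapis.com/auth/admin.directory.user.readonly"
ORGUNIT_RO = "https://www.googleapis.com/auth/admin.directory.orgunit.readonly"
SCOPES = [USER_RO, ORGUNIT_RO]


def client_id_to_authorize(key_json):
    """Return the OAuth client ID from a service-account key file's JSON text.

    This numeric client_id (not the client_email) is what the customer's super
    admin must whitelist, together with the SCOPES list.
    """
    key = json.loads(key_json)
    if key.get("type") != "service_account" or "client_id" not in key:
        raise ValueError("not a service-account key")
    return key["client_id"]


def delegated_directory_service(key_json, subject_email):
    """Build a Directory API client acting as subject_email, an admin in the
    customer's domain; imports are local so the pure functions run offline."""
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    info = json.loads(key_json)
    creds = service_account.Credentials.from_service_account_info(info, scopes=SCOPES)
    return build("admin", "directory_v1", credentials=creds.with_subject(subject_email))


def list_users(service, customer="my_customer"):
    """Page through users.list; my_customer resolves to the impersonated
    admin's own customer, so the customer ID need not be known up front."""
    users, token = [], None
    while True:
        kwargs = {"customer": customer, "maxResults": 500}
        if token:
            kwargs["pageToken"] = token
        resp = service.users().list(**kwargs).execute()
        users.extend(resp.get("users", []))
        token = resp.get("nextPageToken")
        if not token:
            return users


def list_orgunits(service, customer="my_customer"):
    """orgunits.list is not paginated; type="all" returns the whole tree."""
    resp = service.orgunits().list(customerId=customer, type="all").execute()
    return resp.get("organizationUnits", [])


def explain_delegation_error(message, client_id, scopes=SCOPES):
    """Turn the token-refresh error text into the concrete fix: which client ID
    and which comma-separated scope list the customer has to authorize."""
    if "unauthorized_client" in message:
        return (f"client ID {client_id} is not authorized for these scopes in the "
                f"customer's Admin console; add it with: {','.join(scopes)}")
    return None  # some other failure, not a delegation problem


def fetch_customer_directory(key_json, subject_email):
    """Impersonate the customer admin, then read users and org units.
    Returns (users, orgunits, diagnosis); diagnosis is None on success."""
    from google.auth.exceptions import RefreshError

    service = delegated_directory_service(key_json, subject_email)
    try:
        return list_users(service), list_orgunits(service), None
    except RefreshError as exc:
        diagnosis = explain_delegation_error(str(exc), client_id_to_authorize(key_json))
        return [], [], diagnosis
```

Calling `fetch_customer_directory(open("sa-key.json").read(), "admin@customer-domain.example")` (placeholder values) returns the directory data when the client ID and scopes have been authorized, and otherwise a diagnosis string naming the client ID and the exact scope list to register rather than the bare unauthorized_client text.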

Rename alias in jazzhub

I want to change https://hub.jazz.net/project/user1 to https://hub.jazz.net/project/user2 ... i.e. just change the name from user1 to user2.
I have checked update profile section and it allows update to a lot of fields but not profile id (i.e. user1).
I am not looking at changing ownership since Bluemix id is same ... just renaming user1 to user2.
Aliases are permanent and cannot be changed. However, you can create another alias and link to it from your DevOps Services account.
Create a new alias:
Log in to DevOps Services, click the Profile Settings icon, and click Profile.
On your profile page, click EDIT PROFILE.
Click PERSONAL INFORMATION and change your email address to another email address that is not associated with your IBM id. Note: To verify which email address is associated with your IBM id, click here.
Unlink your email address:
Log in to DevOps Services by using your IBM id.
Go to the Unlink your Jazz ID and IBM id page and click Unlink Accounts.
After your accounts are unlinked, log out of DevOps Services.
Associate your new alias with your IBM id:
Log in to DevOps Services by using your IBM id.
Enter your new alias, accept the DevOps Services terms of use, and click Finish.
On the Success page, click Continue. Then, click the Profile Settings icon and click Profile.
Verify that your new alias is listed with your name.
More details here: https://hub.jazz.net/docs/faq/#alias_change