https://developers.google.com/admin-sdk/directory/v1/quickstart/python
Is the "Google account for that domain with administrator privileges" mentioned in this prerequisite a super administrator?
https://support.google.com/a/answer/2405986
Or are other admins included?
Thanks for your help.
Others included, depends on the level of access you want to have. For example, you can have a Custom Admin role with Users and Groups Read permission, that will allow you to read all information about users and groups (but you will not be able to modify/add users).
Related
I have a tenant admin account for a SharePoint online tenant. I am tasked with looking at all the sites on the tenant and all the SharePoint groups on each site. Getting a list of sites is easy using PNP libraries (Get-PnPTenantSite). My next step is to loop through each site and get all the security groups associated with each site - also easy using Get-PnPGroup commandlet.
The problem I'm running into is that my tenant admin is not added to some sites - not Site Admin, Not Site Owner, not even Site Reader - and so when my script executes against one of these sites, I'm getting a 403 Forbidden when asking for the groups on the site. Yes, I could avoid this by just adding my tenant admin as an owner on every single site in the tenant, and could probably even do this using a fairly simple powershell script.
However, my question is, why is this necessary? Shouldn't I be able to just run a script with some kind of "tenant admin super-read-permissions" or something that will just temporarily give me all access to everything without having to go through the middle step of adding myself everywhere?
Depending on the needs of your business with SharePoint, it may seem like an unnecessary or extra layer of security. After all, why not allow an administrator to access all the things?
The answer lies in the fact that SharePoint security is designed to allow separation of roles. These roles may not necessarily match exactly how responsibilities are defined in your company.
From Microsoft:
Global Administrators and SharePoint Administrators don't have
automatic access to all sites and each user's OneDrive, but they can
give themselves access to any site or OneDrive.
See https://learn.microsoft.com/en-us/sharepoint/sharepoint-admin-role
Tenant admins have several responsibilities:
Create sites
Delete sites
Manage sharing settings at the organization level
Add and remove site admins
Manage site storage limits
To perform these responsibilities, very little access to the actual sites and their content is required.
Management of access to a site collection and its content is the responsibility of the site collection administrator and site owners.
It sounds like in your company, you wear both hats. You might be creating and deleting sites, and also getting involved in access control or auditing at the site collection level. In these cases, you must use the privilege of the tenant admin (e.g., add and remove site admins) to grant yourself the site collection privileges required to access the information you need.
I recommend not granting yourself these privileges forever. It is helpful to consider that having constant administrative access to all sites is undesirable for a few reasons. For instance:
Search is supposed to be filtered to content that is relevant to the user. If the user is an admin with access to all content, search will not be filtered in a useful way.
While an administrator may certainly grant themselves access to a site, some collaborators would prefer that their content remain private to their team until or unless they require technical support.
All of this addresses the "why" part of your question. As for the technical question, there is currently no "tenant admin super-read-permissions" role that you can use for the data you want to collect.
You all are familiar with the ability to share a Google Doc with certain people, and provide those people with the ability to view, or edit.
I'm trying to understand how such an architecture would be organized in a REST Api.
For instance, for my document I want to grant read access to:
myself
some#email.com
users who belong to domain.com (everybody who belong to my network)
I'd like to give write access to:
myself
another#email.com
In addition, users with the role of admin also have write access regardless of the permission I define, and users with the role moderator have read access regardless of the permission I define.
What would be the ideal (or best practice) architecture for such a thing? Where would I deligate permissions? On the document itself? Would I have another model handling permissions? How would I create the complex rule-based system where access is granted based on a specific email, a broader domain affiliation, and an even broader site-wide roles.
I can imagine a situation where each document has field for different permissions. For instance:
owner: my id
admin: all the site's admins
moderator: all the site's moderators
viewers: a list of emails / domains
editors: a list of emails / domains
But, is this scalable?
I'd love to get some advice.
Thanks!
I am using https://graph.microsoft.com/v1.0/groups but it needs admin privilege. Does anyone know how to get the groups assigned to sign-in user?
For an app to read or manage an Office 365 group, it does require an administrator to grant those permissions to the application. Once granted, the app can query for the O365 groups that the signed in user is a member of. For more information please see the scenarios section in the permissions topic here: https://graph.microsoft.io/en-us/docs/authorization/permission_scopes#permission-scope-scenarios.
Also the front page overview of the Microsoft Graph documentation has a table with common queries: https://graph.microsoft.io/en-us/docs/overview/overview. The one you want (to get the groups for the signed in user) is:
GET https://graph.microsoft.com/v1.0/me/memberOf/$/microsoft.graph.group?$filter=groupTypes/any(a:a%20eq%20'unified')
Hope this helps,
I have a small question related to granting access to multiple sites in Sitecore 7.5.
Let's say I have a website named as website_1 and another website named as website_2 in my Sitecore environment. Now I have created two roles. One role named as r_website_1 gives access to website_1 and another role r_website_2 gives access to website_2.
In r_website_1, only access to website_1 is granted and access to website_2 is denied. The same goes for r_website_2 but for
website_2.
Now I want to give read and write access to user_1 for both websites. What I did was went to User Manager>user_1>Edit>Member Of and then assigned both roles.
What I noticed that the user_1 only gets access to one website. it seems that both roles are countering each another. For example, the denied permission for website_2 in r_website_1 is conflicting with allowed permission for website_2 in r_website_2.
May I know what's the fix for this problem?
Thanks in advance,
Vaibhav
Deny permission always has priority. You cannot remove by simply adding another role with allow access rights.
Instead of using deny you should break the inheritance of chosen access right for the role1 for site2 and similarly for the role2 for site1.
Here is a quote from Sitecore Administrator Security Cookbook:
We recommend that you use inheritance whenever possible to limit the access that roles have to the items in Sitecore. Using inheritance instead of directly denying access rights to items makes it easier to manage the security system.
And you can read about breaking inheritance of access rights in Assign access rights to a security account document.
I want to create a new user group.
The members in this user group can create new users and new groups.
I think creating users or groups require admin permission. This user group does not have other admin permission except creating, editing and deleting user,group. Does alfresco provide this kind of group in alfresco community 4.0c? How can I implement it? How to add a new group with specified permission? I really appreciate for help.
You could add a custom role in permissionDefinitions.xml but I don't think that would help in this instance, since the ability to create users and groups plus the other administrative actions are hard-wired to the built-in administrators role.
Instead, you could create a custom web script which performs a check to see if the current user is a member of your custom security group. Since the authenticated user may not be a repository admin (and probably isn't) then you would need to use something like this Sudo tool for Alfresco webscripts to temporarily give them permission to create the objects.
You would need to be competent in Java webscript development in order to implement this. There are some good resources on the Alfresco wiki, documentation and training materials available online.
You cane manage that through Alfresco Share. In your Alfresco installation directory:
/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/model/permissionDefinitions.xml you'll find the permissionDefinitions.xml file. Through that file you can manage your custom roles for Alfresco users and groups.
Here, in this WIKI you can find some hints about what you need to change to accomplish that.
Hope it helps. The wiki helps here, if you need some better explanation please let me know.