We have a national client, with more than 3,000 agents with their own landing pages within their website: example.com/john-doe-agent/state-USA
They want these agents to have access to the Google Analytics data, but only for their specific landing page. They do NOT want the agents to have have access to the whole company's analytics.
What is the best way for these agents to access to their data without having access to the entire site's data?
Any help is appreciated.
Thanks.
Options not applicable in your case:
Filtered views: you could create views filtered at landing page level, however you're limited to 25 views by default so this won't scale.
GA Permissions: permissions aren't granular enough to restrict access to certain content type
Applicable options:
Email dashboards: setup your dashboards to send periodic emails: https://support.google.com/analytics/answer/1038573?hl=en
External Reporting tool: use a tool like Google Data Studio to create/share those dashboards with specific people (not sure you can create 3000 dashboards though).
Related
All of the following options leak all your accounts CloudWatch data.
1. Sharing dashboards via AWS console
Warning
All people who you share the dashboard with are granted the permissions listed in Permissions that are granted to people who you share the dashboard with for the account. If you share the dashboard publicly, then everyone who has the link to the dashboard has these permissions.
The cloudwatch:GetMetricData and ec2:DescribeTags permissions cannot be scoped down to specific metrics or EC2 instances, so the people with access to the dashboard can query all CloudWatch metrics and the names and tags of all EC2 instances in the account.
Reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-dashboard-sharing.html
2. Adding CloudWatch datasource to Grafana and permit user access to the dashboards in scope only
For example: In a Grafana instance with one data source, one dashboard, and one panel that has one query defined, you might assume that a Viewer can only see the result of the query defined in that panel. Actually, the Viewer has access to send any query to the data source. With a command-line tool like curl (there are lots of tools for this), the Viewer can make their own query to the data source and potentially access sensitive data.
Reference: https://grafana.com/docs/grafana/latest/administration/security/
3. Cross account sharing
Same problem arises that all accounts CloudWatch data is being shared.
Reference: https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html
Cumbersome approach:
Build a backend service that fetches the dashboard relevant data and exposes it in a format that can be read by Grafana. Afterwards one still has to build a dashboard based on that data. Is there an easier way?
I am storing images of one user(owner) in google cloud storage bucket. I wanted to grant read permission for this image to a group of users(contacts of owner).I am planning to use Access Control List for this purpose; e.g., Owner will have full permission to his bucket and the contacts will have read permission on the images. There are chances that owner will have a very huge number of contacts, say 1 million.
So,
will there be any performance issue, if ACL contains a huge number of users?
Will this be the right approach for access control? Or should I consider signed URL?
Regards,Remya
This approach is not going to work for you. There are some significant limitations and downsides to trying to serve content like this. First and foremost, there is a limit of 100 ACL entries on a given object. You could get around this by granting permission to a group for which every user was a member, but even so, it still means that viewing the images will require that every user be logged in to their Google account in addition to however they authenticate for your site.
The canonical way to accomplish this would be to keep all images private and owned by your site's own account. When a user loads a page, verify however you like that they have appropriate authorization to view the images, and if so, generate signed URLs for the images. This allows you to use any authorization scheme without limitation while serving images directly from GCS.
Reading Google Analytics API docs is like diving into Mariana Trench... so hoping to get some help here.
I have a website that users will visit one page per visit (most of the time). I've placed google analytics script on each page (can view reports in my GA account) and now want to write a "reporting page" on which to display information about "per page usage":
page1: 100 visitors, countries, OSes, ...
page2: 125 visitors, countries, OSes, ...
I want to get this info from API.
Could some one please point me to the right pages of the docs, from the very beginning?
For I can't understand even why I should use 2-step OAuth authorization there (or shouldn't I?) - since I'm writing this report for my own site on which I have already placed google scripts thus authorizing everything.
Thank you.
What i am thinking is that I could have a Webapplication with your pages listed. Web application itself is authenticating and querying the result on when user try to find statistics of particular page.
You should follow
1. Register Service account and get authentication key file
2. Register email account viewed in along clientid email a screen in google analytic users as admin level user
3. Use ga-dev-tools.appspot.com/explorer for query building
4.Implemenation needs
a) First Authenticate with the key
b) Get profile id and pass it to the fetching method
c) Fetch data of the query
Let me preface this question with a little background information:
I have a web based system that takes in data from the Google Analytics API and displays that information based upon each clients needs via a web interface.
I use unique URLs for each source/campaign ( Google AdWords, LinkedIn, Facebook, Display Ad Networks, etc. ) containing 'utm' variables and the system generated values. Example: url.com/?utm_source=Google&utm_medium=PPC&utm_content=1234&utm_campaign=This-is-the-campaign-name
Google Analytics is the repository, since a large majority of clients use it on their websites, it's a natural fit to use them as the workhorse for data capturing.
All of the clients have active Google AdWords campaigns, connected Google Analytics accounts, and they have enabled Auto-Tagging.
When I test a Google text ad, the link that is populated in the web browser is similar to the following: url.com/?utm_source=Google&utm_medium=PPC&utm_content=1234&utm_campaign=This-is-the-campaign-name&gclid=123xyz
My current dilemma is centered around AdWords campaigns with Auto-Tagging enabled. The data capture process for all sources ( excluding Google AdWords ) works fine. I have unique tracking codes populated in the 'utm_content' variable, therefore when I call the Google Analytics API, this tracking code acts as my unique identifier. For all Google AdWords campaigns, I update all the destination links within the ad creative to include the system generated URLs that also include the prepopulated values. When viewing the reporting in Google Analytics, the variables/values are non-existent, it is as if Google completely disregards these values and uses a back-channel from Google AdWords to Google Analytics to input the campaign properties. For these Google AdWords campaigns, the visits are not lost, but rather they are associated to the standard Google AdWords campaign/ad group in Google Analytics.
Here is a list of things that I do know:
From what I have read, disabling Auto-Tagging would fix this issue and allow the 'utm' variables and their values to be passed from Google AdWords into Google Analytics. The consequence of disabling Auto-Tagging would be the loss of click to conversion and cost data.
KISSmetrics has documented a similar issue when working with clients that also use Google Analytics. Links that contain the 'gclid', Example: url.com/?gclid=123xyz ( Auto-Tagging enabled ), will not have any additional information logged ( campaign source, medium, etc. ). Links that also contain the 'utm' variables, Example: url.com/?utm_source=Google&utm_medium=PPC&utm_content=1234&utm_campaign=This-is-the-campaign-name&gclid=123xyz, this information is passed to KISSmetrics. For this second scenario, I am assuming the KISSmetrics javascript is reading the URL variables and values.
Here is what I am trying to achieve:
I am trying to avoid having to add a proprietary javascript that reads the URL variables and values and then posts that information to an external URL.
I do not want to add line items to the current Google Analytics javascript ( example: custom variables ).
I am looking for an 'out-of-the-box' solution that perhaps takes into consideration AdWords ValueTrack parameters. My familiarity with these variables is limited, therefore I can not determine if one of these values can be used as a unique identifier to later reference when I access the data using the Google Analytics API. Or as an alternative, using a Google AdWords dimension to do the same. See http://developers.google.com/analytics/devguides/reporting/core/dimsmets/adwords.
I would like to determine if it is possible to continue with the methodology of generating unique URLs, assigning them to Google AdWords campaigns, and taking the results of those campaigns from Google Analytics via their API, without compromising the click to conversion and cost data ( disabling Auto-Tagging ).
Thanks in advance for reading through my plight and any feedback you provide will be greatly appreciated.
So you are correct. When Google Analytics sees both UTM params and the auto-tagging GCLID, it discards the UTM params in favor of the GCLID.
However... acknowledging that this is an issue, especially since AdWords advertisers that use their Conversion Import feature often use both UTM and GCLID, they enabled an override switch in Google Analytics accounts that allows the use of both.
You can learn more about it in their FAQ at https://support.google.com/analytics/answer/1033981?hl=en
I think this should solve your problem.
Jon
we are looking into implementing Facebook Connect on our wiki service, http://www.wikidot.com. User-created sites span the *.wikidot.com domain, but also custom domains (like mine http://michalf.me), all handled by our single service.
We have a centralized account system. Users always log in (and create accounts) at www.wikidot.com and they are automatically logged in in all subdomains (cookie domain set to .wikidot.com - easy) and custom domains (automatically, via a series of redirects).
We would like to add FC into our login flow. Now, it would be great to get some clarification about FC Terms, which suggests using one App ID for every domain. In our case however user-created sites are not separate applications.
So, is it OK to use FC on one centralized website where our users log in (on www.wikidot.com) and expand user status on other domains connected to our service? This is how it works right now, without FC.
It would be great if we could get clarification from someone from FB to make sure we will not be violating any terms or policies.
Thanks!
It isn't possible (as far as I know anyway) to use the same app ID on multiple domains. FB allows use across subdomains, but I have found some difficultly with this even at times with the cookies. When you set up an app, you are asked to provide the domain for it. The domain you put here is the only domain that your app will work for. If your users are only ever signing in on wikidot.com, then I suppose you can use what you have already to move those sessions onto the other domains, but once you are on the other domain, you won't be able to use any of the facebook api features; any requests you make will fail.
I think the 'one app id for every domain' condition is more to target people who are trying to use multiple app ids for one domain. I think so long as you aren't transferring any data about the user to different domains/adverts etc, you should be ok. Essentially what you are doing is adding FB connect to your wikidot site, then a separate feature of wikidot is to keep you logged in on other partner sites?