I have an application which wants to provide customization for users once they log in. Simple things like displaying a profile image and job title. This information is available in the Google Apps Profiles API, but the domain-admins are concerned about overreach with the scope. In particular, they don't want to approve the application if it has write access when it isn't needed.
The regular scope (with read/write) for the API according to the API Documentation is https://www.google.com/m8/feeds/profiles and I have tried all of the following with no luck
https://www.google.com/m8/feeds/profiles.readonly
https://www.google.com/m8/feeds/profiles.read
https://www.google.com/m8/feeds/profiles/#readonly
https://www.google.com/m8/feeds.readonly
https://www.google.com/m8/feeds.read
https://www.google.com/m8/feeds/#readonly
What scope can I specify in order to get read-only access to the Profile data? If I'm barking up the wrong tree entirely, where should I be looking?
Any non-admin user can access the GAL programmatically, see:
https://github.com/google/gfw-deployments/blob/master/apps/shell/gal/gal_feed.sh
I don't believe this api call is documented or supported officially. Note that the Global Address List is a compilation of user profiles, groups and shared contacts. If you don't want to see groups and shared contacts you'll need to figure out how to parse them out.
You need the user account under whose credentials the code is running to be either:
super admin or
to be listed under CPanel > Domain Settings > Admin Roles > [...put it in a created/user role...] > "Provisioning APIs" > Users - create/update/read/delete (as required, ticked ON). For example, for read only access to the Profiles API, set it there to 'read'.
I wrestled with this myself. I was not able to get this to work either.
Related
I am trying to read out the list of users, incl the user permissions, using the API call documented at https://developers.google.com/analytics/devguides/config/mgmt/v3/mgmtReference/management/accountUserLinks/list
I get the list of users as expected, but not the permissions. (Actually, for "some" users the permissions is listed, but not for the most)
The GA setup has a number of properties, and the users have permissions set on property level in most cases.
My guess is that the "property level permissions" is not reported properly through the API response for the users which in the UI/console have their permissions listed as "None (user has permissions on a lower level)"
As the next intended step is not only to read out the user list, incl permissions, but also do scripted CRUD operations I'd like to understand what the "intended way" to deal with this via the API is.
Anyone that is working with CRUD operations of users via the Analytics management API?
Ah, finally I found the API call https://developers.google.com/analytics/devguides/config/mgmt/v3/mgmtReference/management/webpropertyUserLinks/list which solves the problem.
(Sorry for not RTFM, but it is actually a bit confusing when this API call is at the end of API list, and the other call is in the beginning...)
I am working on a multi-user Clio app that can automatically OCR every document stored in Clio. I would like to enable my app so that the OCR settings are configured once for the firm and not individually for each user.
How does Clio recommend implementing firm-wide settings?
I had thought about using the #DomainName.com part of the customer's email address but that feels brittle and seems like a good way to create a security issue.
Clio recommends that applications store their application specific settings in their own data store (ie Firebase or similiar would work). If you need to share settings across users in an account you can gain access to the account id via the users end point. The following request (ensure your application has the User Read scope set) should get you started.
GET "https://app.clio.com/api/v4/users/who_am_i?fields=id,account\{id\}"
This will return something like:
{"data":{"id":344855567,"account":{"id":809455327,"redacted":true}}
The account id will be the same for each user in the account, you can use this as your account key in storing account specific application settings in whatever data store you're using for your settings.
The API lacks some clear explanations on retrieving the reachestimate for either an ad account or an ad. I have made sure that:
I am an admin/ or added to a Facebook app
I have a paid advertising campaign
The adaccount ID is added in the Settings Advanced panel of the Developer App page
I've been trying to:
In Graph API Explorer, retrieve the data by query expansion: me?fields=adaccounts{campaigns{adsets{ads{reachestimate}}}}. However, I always get one of the following (randomly):
Still in the explorer, retrieve it by direct access: act_{adaccount_id}/reachestimate I get this, even if I am 100% sure the ad account is added in the Advanced Settings panel:
Both of 1 and 2 in the iOS project. I get this: com.facebook.sdk.core error 8
Test it by curl with the example from here. I get this (the same with the one from point 2): The ad account is not enabled for usage in Ads API.
Just as a further note, for point 1 that's not the whole query, but I didn't write the adjacent fields because they would've been redundant for the purpose of this question.
I simply need to retrieve the ad accounts, the campaigns, the ad sets and the reach estimate simultaneously in the same query. It seems like a dead spot for me. Do you have any suggestions? Can you show me a Graph API explorer working example? Or, if what I'm asking is impossible, can you simply show some code that works?
Are you app and ad account owned by the same person?
Facebook Ads API has tiered access. https://developers.facebook.com/docs/marketing-api/access
A newly registered app is in Development Tier and can only access the user's own ad accounts. You need to make some API calls on your own ad account for testing in order to get promoted to Basic Tier and manage other people's ad account.
Apparently, I got:
Please reduce the amount of data you're asking for, then retry your request.
Because the query was to broad. Those 'adjacent' fields actually triggered a massive query, so the solution was to either:
Put a limit(1) on the campaigns.
Individually retrieve the reachestimate for each adset.
I chose the latter because it suited my needs, but it's up to you which solution works better.
I've just integrated my app with IBM's SSO via Cloud Directory. The idea here is that I want access to be very secure and only authorized users (pre-approved) can access the application (e.g. website in this case).
However, I've just realised now that anyone that goes to the app's webpage can, instead of logging in, just select "Register New User" and fill in some details and he's given access? Is there a way to:
1) EITHER keep that registration form, but require one of the admins to approve it before access is given? (better solution)
2) OR completely remove the self-registration option?
As the current situation is far from secure for what I need.
Thanks a lot!
I talked with the support team and that is the best (only) way to do it, just remove the links from the HTML templates.
I'm making a application for facebook that will be used for academic research. Right now when the user goes to install the application I'll request additional information which is stated in the extended permissions.
I would perfectly understand someone not wanting to give out certain aspects of this information (It's just used to gather statistics about people taking part , education, religion etc.)
Does anyone know the best way to filter the permissions? For instance maybe someone is willing to give their age but not education. Therefore can I remove the education request from my application install request dynamically?
If you want to ask the user for only those permissions that he wants to give, you can take input from him before redirecting to Facebook login. You can generate the url for requesting permissions based on this custom set of permissions using the 'perms' attribute of the <fb:loginbutton /> tag or pass the list of permissions you want to the $facebook->getLoginUrl(array('req_perms' => $perms)) call.
To keep track of permission changes, you can use the realtime updates offered. You can know more about it here.
You certainly could build an up-front permissions matrix that the user could cherry-pick from. And that would probably be the way to do it, since you can't do anything to customize the permission challenge that the Facebook Platform generates.
The trick would be keeping track of which permissions the user granted in the given access token you'll receive from back from the Platform. Especially since users can change the permissions granted to your application w/o visiting the application itself - so you'll want to be hooked in to that info via the Real Time Updates.