I am the owner of the Laptop and I have created a guest account. My Admin account has security permission for my OneDrive folder. I want the OneDrive app to be able to run/sync on the guest account but prevent the guest account from accessing it, if possible.
Related
I'm planning on building a G suite integration with my existing SaaS site.
I want Gsuite admins to allow access for their organisation. So I only want "domain install" possible.
After this has been done users can be imported from Google into our application. Users should be able to use SSO to login but I don't want each user having to pass the consent screen.
I also want the app to have readonly access to the calendar of the user.
What is confusing for me: do I need to create a regular web app integration or a Service account integration? I don't really need offline access but I want to avoid all users having to grant access individually.
Here it says: The user sees the OAuth Consent screen only once; if you’re using a service account to allow a domain admin accept terms on behalf of the domain users, then the end users must never see the OAuth consent screen.
So does that mean only service accounts allow this?
Yes, using a service account you can install and authorize one app for all your domain user impersonating the admin account. In such a way, your users won't have to authorize the app individually.
You will have to enable domain wide delegation in order to impersonate the admin account when using a service account.
Reference
Service Account
According to the docs, Google Apps domain administrators can grant service accounts domain-wide authority to access user data on behalf of users in the domain. My understating is this gives service account authority to access data for all users inside the domain. Is there a way to restrict which users service account has access to?
For example, an application that uses Google Calendar API to view events from the calendars of specific list of users in a Google Apps domain.
Can google apps administrator authorize application for access to some but not all users?
Thanks
The answer was to publish an app in Google Apps Marketplace. An app can be turned ON for everyone or some specific organization unit. See Turn a Marketplace app on or off for users. Organization Unit is how you can control who in organization has access to your app.
If you're an administrator, yes. You can control who uses any particular Google service from their account. Just turn the service on or off for those people in your Google Admin Console. When users sign in to their account, they see only those services that are turned on for them.
To delegate domain-wide authority to a service account, first enable domain-wide delegation for an existing service account in the Service accounts section of the Developers Console Permissions page or create a new service account with domain-wide delegation enabled. Your application has the authority to make API calls as users in your domain(to impersonate users).
Here's a useful material for Delegating domain-wide authority to the service account:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount
I am a newbie for Web Host Manager(WHM). My client has 2 websites hosted on same server. He has given me the credentials for cPanels and WHM. Now when I want to change some setting or access any configuration file from SSH using the user created for a specific account, it blocks me to do so saying this user account does not have privilege to do so. Is there a way I can get a root user privilege?
It's not possible to assign all root privileges to any normal cPanel account. If you have WHM access then login your WHM and enable shall access for that particular account which you want to access through SSH and after that you can login SSH with that user details.
I have developed and published a simple Marketplace App needing access to all members of a domain. I followed the Google Instructions (see http://goo.gl/XvczDQ) and created a service account (for domain-wide delegation of authority). Everything is working if I access the users from my own company / domain.
But it is not clear to me what happens if an administrator from a different company installs the app from the Google Marketplace. How can I access the users in the client's domain and how works the service account approach there? What are the further steps?
I figured it out myself. Provided that the service account is correctly configured with the required scopes: All you have to know is the client's administrator email and the domain. Usually you can get this with the setup url in your marketplace app.
Then you have to set the service account user to the administrator's email before you request an access token. That worked for me.
When the admin installs the app, he grants you the authorization to use the service account to impersonate his users.
You can also list the users using the Directory API if you need the complete list of users. Note that you will need to have the relevant Directory API scope in your marketplace app configuration and you will need to impersonate an admin user.
Is there a way to grant other FatFractal users Cloud deployment privileges on one of my domains? The domain/application are registered under my FatFractal account, and my partner is receiving 400 Errors (permission denied) from his FF local runtime engine when attempting to deploy an updated version of the app.
Also, is it possible to limit the scope of deployment privileges to a specific domain/application combo as opposed to the entire domain?
If you go to the FatFractal Console and then click on "Invitations" in the menu, you can give other users read-only or read/write privileges to domains and applications.