How do I add management privilege to ALL calendars across domain in bulk for service account?

Hi Forum,

I have a service account I have built for a third-party workspace management service that requires read and write privilege to every room and desk resource I have in my domain. As root admin, I know I can go calendar by calendar and manually add this service account to each respective calendar resource. How would I do this in bulk for 200+ resources and hopefully in perpetuity?

Cheers,

Ham

2 ACCEPTED SOLUTIONS

You can do this with the free, open source, command-line, indispensable GAM tool. Check out:

for more details.

Hope that helps,

Ian


@ham_the_admin Please find the below solution from a gam expert:

Advanced GAM solution:


# Get a list of resources, use a filter if desired: https://developers.google.com/admin-sdk/directory/reference/rest/v1/resources.calendars/list

gam redirect csv ./Resources.csv  print resources

# Inspect Resources.csv, delete any rows that shouldn't be included

# Replace us...@domain.com with actual value

gam redirect stdout ./AddResourceACLs.txt multiprocess redirect stderr stdout csv ./Resources.csv gam resource "~resourceId" create calendaracls editor user:us...@domain.com

# Inspect AddResourceACLs.txt

Add this to the end of the create calendaracls line: sendnotifications false
This eliminates 200+ emails.
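
For the "in perpetuity" part of the question, an added example (not from the thread or from GAM) that plans a repeatable run: it compares the resource export with each calendar's current ACL rules and returns only the grants still missing, plus any calendar where the account holds more than the intended role. It assumes the export has a resourceEmail column and that ACL rules are shaped like the Calendar API's ACL resource; the account name and sample rows are constructed.

```python
import csv
import io

# Calendar API ACL roles, weakest to strongest. GAM's "editor" is the API role "writer".
ROLE_RANK = {"none": 0, "freeBusyReader": 1, "reader": 2, "writer": 3, "owner": 4}


def plan_acl_changes(resources_csv, existing_acls, account, wanted="writer"):
    """Return (to_insert, over_privileged) for one account across all resources.

    resources_csv: text of the resource export; needs a resourceEmail column
                   (assumed to be the resource's calendar ID).
    existing_acls: {calendar_id: [ACL rule dicts shaped like the Calendar API's]}
    """
    to_insert, over_privileged = [], []
    for row in csv.DictReader(io.StringIO(resources_csv)):
        cal_id = row["resourceEmail"].strip()
        current = "none"
        for rule in existing_acls.get(cal_id, []):
            scope = rule.get("scope", {})
            if scope.get("type") == "user" and scope.get("value", "").lower() == account.lower():
                current = rule.get("role", "none")
        if ROLE_RANK.get(current, 0) > ROLE_RANK[wanted]:
            over_privileged.append(cal_id)  # more access than the integration needs
        elif ROLE_RANK.get(current, 0) < ROLE_RANK[wanted]:
            # Parameters for a Calendar API acl.insert call; no e-mail per grant.
            to_insert.append({
                "calendarId": cal_id,
                "sendNotifications": False,
                "body": {"role": wanted, "scope": {"type": "user", "value": account}},
            })
    return to_insert, over_privileged


# Constructed sample data: three resources, one already granted, one over-granted.
SAMPLE_CSV = """resourceId,resourceName,resourceEmail
1001,Room A,c_room_a@resource.calendar.google.com
1002,Room B,c_room_b@resource.calendar.google.com
1003,Desk 7,c_desk_7@resource.calendar.google.com
"""
ACCOUNT = "svc-rooms@example.com"  # hypothetical service account
SAMPLE_ACLS = {
    "c_room_a@resource.calendar.google.com": [
        {"role": "writer", "scope": {"type": "user", "value": ACCOUNT}}],
    "c_room_b@resource.calendar.google.com": [
        {"role": "owner", "scope": {"type": "user", "value": "SVC-Rooms@example.com"}}],
}

if __name__ == "__main__":
    inserts, too_much = plan_acl_changes(SAMPLE_CSV, SAMPLE_ACLS, ACCOUNT)
    print("grant:", [p["calendarId"] for p in inserts], "review:", too_much)
```

Because the plan is empty once every resource carries the grant, the same check can run on a schedule and only newly created rooms or desks produce work.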


10 REPLIES

@ham_the_admin Have you tried the domain-wide delegation option already?

https://support.google.com/a/answer/162106?hl=en

Unsure how to implement within Google Cals itself and don't see a ton of documentation. Was hoping for a more simplistic ability to do it through the admin UI.

Essentially trying to avoid having to do this x200+ resources:

[Screenshot attached to the original post]

Hi @ham_the_admin, I understand. The domain-wide delegation is designed for this purpose:

"App developers and administrators can create service accounts with OAuth 2.0. Then, you authorize the service accounts to access your users' data without requiring each user to give consent. Typical apps granted domain-wide delegation"

It's available in 

  1. In the Admin console, go to Menu > Security > Access and data control > API controls.
  2. Click Manage Domain Wide Delegation.

@ham_the_admin I suppose when you say service account, you mean a Workspace user account that you have delegated admin privileges to. Sadly, it seems there is a bug at the moment, as the delegated admin privileges do not allow managing calendar permissions. This has been reported and ticketed up to Google support for a while now.

You can use a script, and give the script the capability to do this in bulk, but you will need to use domain-wide privileges (as mentioned by @ajojose33333344) and create a GCP project to manage the authentication. This requires some knowledge of OAuth2 procedures in Apps Script.

If you execute the script as super admin, this is not necessary.

@AlanM Won't these scopes help?

Scopes

https://www.googleapis.com/auth/calendar - See, edit, share, and permanently delete all the calendars you can access using Google Calendar
https://www.googleapis.com/auth/calendar.events - View and edit events on all your calendars
https://www.googleapis.com/auth/calendar.events.readonly - View events on all your calendars
https://www.googleapis.com/auth/calendar.readonly - See and download any calendar you can access using your Google Calendar
https://www.googleapis.com/auth/calendar.settings.readonly - View your Calendar settings

This is spot on. "Service Account" meaning a user (sa_google@domain.xxx) that has domain-wide visibility and read/write edit rights to cals as an intermediary for 3rd party apps, i.e. Zoom Room/Workspace, Space IQ, Robin or Teems etc.

Example:
https://support.zoom.us/hc/en-us/articles/206905656-Setting-up-Zoom-Rooms-with-Google-Calendar

The "How to share a Zoom Room calendar resource" portion of the equation is what I am doing, but hating life as I have 200+ resources and likely more to come.

As root/super will try the appscript route, new to GCP. Thank you!

Is it only resources you need to manage? If so, resources can be managed centrally from the admin console. I would explore the Admin SDK and APIs to see if resources can be controlled through that. 


It is resources I'm hoping to manage, and was hoping for a way to do it in Admin Console, however not seeing any easy way to manage bulk user, Group or OU privilege in Admin Console. Can update all things about resource and hierarchy within workspace for resources with the exception of user privilege (to my understanding at this point).
