I'm excited to see that delegated Admins can now be given access to the Provisoning API (did I miss this announcement?). However, I'm finding that admins with Read/Update rights to Users can only see get info and update users in the primary domain, not secondary domains. If I make the delegated admin a super admin temporarily, then reads and updates to secondary domain users start working.
*Delegated Admin [email protected] with only Provisioning API Read/Update rights: FAILURE* C:\gam>gam info user [email protected] send: 'GET https://apps-apis.google.com/a/feeds/poc.pbu.edu/user/2.0/pbu HTTP/1. 1\r\nAccept-Encoding: identity\r\nHost: apps-apis.google.com\r\nContent-Type: ap plication/atom+xml\r\nAuthorization: OAuth realm="", oauth_nonce="56846978", oau th_timestamp="1334859105", oauth_consumer_key="XXXXX.apps.googleuserconte nt.com", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_token="XXXXX" oauth_signature="XXXXX"\r\nUser-Agent: Google Apps Manager 2.3.1 / [email protected] (Ja y Lee) / Python 2.7.2 final / Windows-7-6.1.7601-SP1 AMD64 / GData-Python 2.0.14 +20110902+custom_mods\r\n\r\n' reply: 'HTTP/1.1 403 You are not authorized to access this API\r\n' header: Content-Type: text/html; charset=UTF-8 header: Date: Thu, 19 Apr 2012 18:11:55 GMT header: Expires: Thu, 19 Apr 2012 18:11:55 GMT header: Cache-Control: private, max-age=0 header: X-Content-Type-Options: nosniff header: X-Frame-Options: SAMEORIGIN header: X-XSS-Protection: 1; mode=block header: Server: GSE header: Transfer-Encoding: chunked Traceback (most recent call last): File "gam.py", line 3491, in <module> elif command == 'pagesize': File "gam.py", line 2040, in doGetUserInfo print 'Parent Org: '+result['parentOrgUnitPath'] File "gdata\apps\service.pyo", line 428, in RetrieveUser gdata.apps.service.AppsForYourDomainException: {'status': 403, 'body': '<HTML>\n <HEAD>\n<TITLE>You are not authorized to access this API</TITLE>\n</HEAD>\n<BODY BGCOLOR="#FFFFFF" TEXT="#000000">\n<H1>You are not authorized to access this AP I</H1>\n<H2>Error 403</H2>\n</BODY>\n</HTML>\n', 'reason': 'You are not authoriz ed to access this API'} *[email protected] promoted to Super Admin (exact same OAuth token): SUCCESS* C:\gam>gam info user [email protected] send: 'GET https://apps-apis.google.com/a/feeds/poc.pbu.edu/user/2.0/pbu HTTP/1. 1\r\nAccept-Encoding: identity\r\nHost: apps-apis.google.com\r\nContent-Type: ap plication/atom+xml\r\nAuthorization: OAuth realm="", oauth_nonce="01426240", oau th_timestamp="1334859341", oauth_consumer_key="XXXXX.apps.googleuserconte nt.com", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_token="XXXX", oauth_signature="XXXX "\r\nUser-Agent: Google Apps Manager 2.3.1 / [email protected] ( Jay Lee) / Python 2.7.2 final / Windows-7-6.1.7601-SP1 AMD64 / GData-Python 2.0. 14+20110902+custom_mods\r\n\r\n' reply: 'HTTP/1.1 200 OK\r\n' header: Content-Type: application/atom+xml; charset=UTF-8 header: Expires: Thu, 19 Apr 2012 18:15:51 GMT header: Date: Thu, 19 Apr 2012 18:15:51 GMT header: Cache-Control: private, max-age=0, must-revalidate, no-transform header: Vary: Accept, X-GData-Authorization, GData-Version header: GData-Version: 1.0 header: Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT header: X-Content-Type-Options: nosniff header: X-Frame-Options: SAMEORIGIN header: X-XSS-Protection: 1; mode=block header: Server: GSE header: Transfer-Encoding: chunked User: [email protected] First Name: PBU Last Name: User Is an admin: false Has agreed to terms: true IP Whitelisted: false Account Suspended: false Must Change Password: false Quota: 25600 * * Jay -- You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group. To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/dcgJzC8XW-MJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-apps-mgmt-apis?hl=en.
