Permissions

[Gisselle-Guzman]

Hi all,

General question can a low level user create the project , 0Auth client , enable the APIs, create the 0Auth Consent screen . And then get a Super Admin from Org to trust the application. And then the low level user can run the application and sign in.

These are the steps I took, but having trouble with the sign in , I think its because I am a low level when running the tool I get error messages. Error retrieving. Or is this not the case?

Just to confirm does a super admin need to run this tool from start to finish? Or is a super admin just needed to trust application/past client id ,etc of the steps?

[buidav]

Short version

The tool also needs to be run from start to end with a user with either the super admin role or a custom role with the following privileges listed in this comment.

More detailed technical explanation.

So, a super admin account isn't exactly needed from start to end of a tool run but an account with correct privileges is needed for the most critical part when running the tool.
Even though a super admin has allowlisted the OAuth application, in order to access Google's APIs for ScubaGoggles to conduct its assessment checks, an access token needs to be retrieved. A token.json file is created and put in your current directory when ScubaGoggles is run.
The access token is retrieved during a run of ScubaGoggles when a user gets the pop up to authenticate with their Google Workspace account and authorize access.
After the token is retrieved ScubaGoggles automatically begins conducting the assessment using the token to access relevant APIs.
This takes place all in the background when the tool is run.

In theory, a super admin could create their own OAuth Application then run ScubaGoggles to generate token.json file. Then pass off both the credentials.json file and the token.json to an unprivileged user to run the assessment.
In that case though an admin has already done the bulk of the work already and could just run the assessment themselves.

Relevant link:
https://developers.google.com/identity/protocols/oauth2

[Gisselle-Guzman]

Thank you sir. Yep that was my suspicion. Thank you for providing the thread of the permissions needed to create a low level user to run the tool . I will ask if a custom role can be created. Or else will walk through with the super admin on how to create the OAuth application, there's hesitation with putting his password to authorized. Thus the custom role sounds like the best option. Thank you :)