Find the minimum privileges that need to be assigned to a custom admin role to run the tool #83

Closed
amart241 opened this issue Dec 7, 2023 · 3 comments · Fixed by #499

@amart241
Collaborator

amart241 commented Dec 7, 2023

The permissions needed to access the API with the scopes that we need are a bit vague.
The reports API Google Documentation guide says that a super admin or a custom admin is needed to access the API.

Lessons learned from M365, members of the public aren't comfortable with running some random tool off the internet as the highest privileged role in their Cloud environment. For GWS, this is the super admin role.

There is no specific Google Documentation for assigning the custom admin the minimum permissions we need to access the reports and directory APIs:

This issue is to find out and document the minimum privileges that need to be assigned to a custom admin to run this tool.
Then test if there are any issues running the tool as an account assigned just that custom admin role.
How to create a custom admin role.

See the README for the OAuth scopes we're currently using for Goggles

@jacdavi
Collaborator

jacdavi commented Jan 19, 2024

Testing with the branch for #152 I was able to get the same output as a super admin using a custom role with the following privileges:

  • Console
    • Reports
    • Directory Settings > Settings
  • API
    • Organization Units > Read
    • Users > Read
    • Groups > Read
    • Domain Management

Note that selecting some privileges enables others, so in total this role has 11 console privileges and 5 API privileges ("Billing Read" seems to always get enabled after saving without it).

@buidav buidav modified the milestones: Barracuda, Coast May 15, 2024
@buidav
Collaborator

buidav commented Aug 24, 2024

Closing this as we found a while ago that the super admin role is required to access the admin audit log.
Even a cloned super admin role didn't have sufficient privileges.
Domain-wide delegation of authority caused the above issue.

@buidav buidav closed this as not planned Aug 24, 2024
@buidav buidav reopened this Aug 26, 2024
@adhilto adhilto modified the milestones: Coast, Driftwood Sep 23, 2024
@adhilto
Collaborator

adhilto commented Dec 4, 2024

Issue OBE; with the inclusion of the policy API, ScubaGoggles no longer supports custom roles, super admin is required.

@adhilto adhilto mentioned this issue Dec 11, 2024
13 tasks