We have a service account that has access to data of our different clients' analytics accounts. Apparently there's an undocumented limit of 200 accounts that a specific user (in our case, the service account) can be linked to. This appears when clients try to add our service account address as a user in their accounts.
As we have some old client accounts linked to our service account, we would like to remove their connections to allow new connections to be added.
Using the analytics management API I was able to get the list of the 200 connected accounts. I figured what needs to be done is to delete the AccounUsertLink between my service account user and their user. Sadly, as my user has no "user management permissions" on the customer's account, I have no way of finding my user's link id, so I cannot delete the connection.
Is there any other way of deleting connected accounts from my service account user? Thanks
Related
I've created 2 calendars using service accounts (tried both with a service account key locally and with the default service account running in Firebase Functions).
When I try to add an event in one calendar and invite the other calendar I get a 403 from the calendar API:
'Service accounts cannot invite attendees without Domain-Wide Delegation of Authority.'
I have calendars created like this aprox. 6 months ago and they can add atendees, what am I doing wrong?
PS: I don't have any "real" user emails involved, I just want to control the calendars created on the service account user. Also, no G Suite domain, it's just a Firebase app.
Thank you in advance!
Service accounts cannot invite attendees without Domain-Wide Delegation of Authority.
Means exactly that in order for a service account to invite attendees to an event the service account must have be authorized to the domain using Domain wide delegation.
Yes this means you need to have a gsuite account. It does not work with standard accounts. You will need to use Oauth2 if you dont have a gsuite account.
I have hundreds of individual analytics accounts right now which I would like to have API access to. Normally, you can just go to the admin page of an account and give access to the service account by entering the service account email. The problem I am having is that I have hundreds of accounts. I'd really not like to add my service email to each account manually. Is there a way I can have access to each analytics account through API without manually entering my email under each account?
This probably isn't helpful...but if you have someone that can work with python/selenium or Winautomation, this would be a straightforward task.
The only way is through a google account that already has access to all the analytics accounts that interest you.
I want to be able to access other users Google Calendars through a service account so I am not prompted for authorization. I am doing this in a simple .net c# console app. When I attempt to create my credentials in the Google API Manager, it gives me the following alert when I specify I am using a non UI app and I want to access User Data. Isn't the purpose of using the service account to access other users data without a UI?
"User data cannot be accessed from a platform without a UI because it requires user interaction for sign-in."
You may have misunderstood the meaning of using a service account to impersonate a user. To help you with Authentication, you might want to check this tutorial : Google Calendar API Authentication with C# by Daimto.
Things to take note of :
To be able to access other calendars by service account, users who own the calendar should share it to the service account.
To impersonate a user, you must know the email address.
From the tutorial:
If you are only accessing data that you own there is no reason to ask a user for permission to access it. You can use a Service account. (Privacy)
If you want to be able to access data owned by someone else you will need to be authenticated.
Hope this helps!
I have built a web application that uses a service account linked to my own Google Account. We use Google Apps, so my Google Account is part of a domain. We have a server with shared contacts, so all of our clients are available as contacts for everyone. In my contacts, this group is called 'directory'.
The application retrieves events from the Google Calendar using the Google Api PHP client. It also retrieves attendees inlcuding all details for those attendees. But if the attendee is not within our domain, it will only retrieve the e-mail address. I also want to get the name for that attendee.
These names are in my contacts in the directory group. When I create an event and invite guests, I can retrieve these contacts and it will show the name and mail adress. But when retrieving the attendees via the API it does not show these names.
Is this a restriction of the API? Is there a solution for this?
I do not want to use the Contacts api with a non-service account, because I don't want to give permission everytime. It is not possible to use the Contacts api with a service account as far as I know.
You are correct that a service account won't work with the Contacts API, however you don't have to authorize it every time you use it. You can provide domain-wide delegation with two-legged OAuth 1.0a instead of 2.0. See https://developers.google.com/google-apps/contacts/v3/index#authorizing_requests_to_the_+wzxhzdk8+_service and https://developers.google.com/accounts/docs/OAuth#GoogleAppsOAuth.
Depending on your setup, you can also use the three-legged OAuth 2.0 flow for a single administrator account and save the refresh token. This would let you re-use that authorization without requiring explicit permission again.
ASP.Net C# and FaceBook Connect.
I'm using Facebook connect on my site. If a new user connects through FB i create an account for them and all is fine. What i would also like to do is check to see if they already have a registered account.
So if someone connects that has not logged in but has an account i would like to be able to locate the account in my application a link it. I hoping this could be done via the email address?
Any ideas
Thanks
Richard
UPDATE: You need Connect.registerUsers:
This method is used to create an
association between an existing user
account on your site and that user's
Facebook account, provided the user
has not connected accounts before.
This method takes an array of account
data, including a required email_hash
and optional account data. For each
connected account, if the user exists,
the information is added to the set of
the user's connected accounts. If the
user has already authorized the site,
the connected account is added in the
confirmed state. If the user has not
yet authorized the site, the connected
account is added in the pending state.
If the user deactivates their external
user account, then call
connect.unregisterUsers. To get the
number of friends a user has in the
pending state, use
connect.getUnconnectedFriendsCount.
If that doesn't resolve your question, this question is not a duplicate of yours, but the answers might give you a way forward:
How do we register users — Facebook Connect users logging in the first time — when we cannot get an email address from facebook?