*Update:* Google Support informed me that the issue was that GAM was using standard domain provisioning API calls <https://developers.google.com/google-apps/provisioning/#retrieving_user_accounts> instead of the multidomain calls <https://developers.google.com/google-apps/provisioning/#retrieving_users_experimental>. I modified GAM to perform the multidomain calls and delegated admins can now read/modify secondary domain users.

Jay

On Thursday, April 19, 2012 2:18:19 PM UTC-4, Jay Lee wrote:
>
> I'm excited to see that delegated Admins can now be given access to the
> Provisioning API (did I miss this announcement?). However, I'm finding that
> admins with Read/Update rights to Users can only get info and update
> users in the primary domain, not secondary domains. If I make the delegated
> admin a super admin temporarily, then reads and updates to secondary domain
> users start working.
>
> *Delegated Admin j...@jay.powerposters.org with only Provisioning API
> Read/Update rights: FAILURE*
>
> C:\gam>gam info user p...@poc.pbu.edu
> send: 'GET
> https://apps-apis.google.com/a/feeds/poc.pbu.edu/user/2.0/pbuHTTP/1.
> 1\r\nAccept-Encoding: identity\r\nHost: apps-apis.google.com\r\nContent-Type:
> ap
> plication/atom+xml\r\nAuthorization: OAuth realm="",
> oauth_nonce="56846978", oau
> th_timestamp="1334859105", oauth_consumer_key="XXXXX.apps.googleuserconte
> nt.com", oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
> oauth_token="XXXXX"
> oauth_signature="XXXXX"\r\nUser-Agent: Google Apps Manager 2.3.1 /
> j...@ditoweb.com (Ja
> y Lee) / Python 2.7.2 final / Windows-7-6.1.7601-SP1 AMD64 / GData-Python
> 2.0.14
> +20110902+custom_mods\r\n\r\n'
> reply: 'HTTP/1.1 403 You are not authorized to access this API\r\n'
> header: Content-Type: text/html; charset=UTF-8
> header: Date: Thu, 19 Apr 2012 18:11:55 GMT
> header: Expires: Thu, 19 Apr 2012 18:11:55 GMT
> header: Cache-Control: private, max-age=0
> header: X-Content-Type-Options: nosniff
> header: X-Frame-Options: SAMEORIGIN
> header: X-XSS-Protection: 1; mode=block
> header: Server: GSE
> header: Transfer-Encoding: chunked
> Traceback (most recent call last):
> File "gam.py", line 3491, in <module>
> elif command == 'pagesize':
> File "gam.py", line 2040, in doGetUserInfo
> print 'Parent Org: '+result['parentOrgUnitPath']
> File "gdata\apps\service.pyo", line 428, in RetrieveUser
> gdata.apps.service.AppsForYourDomainException: {'status': 403, 'body':
> '<HTML>\n
> <HEAD>\n<TITLE>You are not authorized to access this
> API</TITLE>\n</HEAD>\n<BODY
> BGCOLOR="#FFFFFF" TEXT="#000000">\n<H1>You are not authorized to access
> this AP
> I</H1>\n<H2>Error 403</H2>\n</BODY>\n</HTML>\n', 'reason': 'You are not
> authoriz
> ed to access this API'}
>
> *j...@jay.powerposters.org promoted to Super Admin (exact same OAuth
> token): SUCCESS*
> C:\gam>gam info user p...@poc.pbu.edu
> send: 'GET
> https://apps-apis.google.com/a/feeds/poc.pbu.edu/user/2.0/pbuHTTP/1.
> 1\r\nAccept-Encoding: identity\r\nHost: apps-apis.google.com\r\nContent-Type:
> ap
> plication/atom+xml\r\nAuthorization: OAuth realm="",
> oauth_nonce="01426240", oau
> th_timestamp="1334859341", oauth_consumer_key="XXXXX.apps.googleuserconte
> nt.com", oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
> oauth_token="XXXX", oauth_signature="XXXX
> "\r\nUser-Agent: Google Apps Manager 2.3.1 / j...@ditoweb.com (
> Jay Lee) / Python 2.7.2 final / Windows-7-6.1.7601-SP1 AMD64 /
> GData-Python 2.0.
> 14+20110902+custom_mods\r\n\r\n'
> reply: 'HTTP/1.1 200 OK\r\n'
> header: Content-Type: application/atom+xml; charset=UTF-8
> header: Expires: Thu, 19 Apr 2012 18:15:51 GMT
> header: Date: Thu, 19 Apr 2012 18:15:51 GMT
> header: Cache-Control: private, max-age=0, must-revalidate, no-transform
> header: Vary: Accept, X-GData-Authorization, GData-Version
> header: GData-Version: 1.0
> header: Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
> header: X-Content-Type-Options: nosniff
> header: X-Frame-Options: SAMEORIGIN
> header: X-XSS-Protection: 1; mode=block
> header: Server: GSE
> header: Transfer-Encoding: chunked
> User: p...@poc.pbu.edu
> First Name: PBU
> Last Name: User
> Is an admin: false
> Has agreed to terms: true
> IP Whitelisted: false
> Account Suspended: false
> Must Change Password: false
> Quota: 25600
>
> Jay