Can't Repro
Status Update
No update yet.
Comments
ry...@google.com
Thank you for the report. We have been unable to reproduce the effect as you describe. Using GroupApp.getUsers() in a script requires that the user of that script have "View Member Email Addresses" access, not just "View Member" access. Typically, this is restricted to owners and/or managers of a group. You should verify that the account trying to call your script has the appropriate access.
st...@gmail.com
Hi
Thank you for answer.
It is that just check the parameter.
But I think it is not logic as when a group is setup :Member can see user
With apps script when I use getUsers() as I'm able to see user on web interface I expect to have the list of users with apps script.
The question about getEmail() which must or must not work is a second point but this is not consistent to get an error message "you do not have permission to view the member list" as I can clearly see the list of members of the group on the web interface.
Thank you,
Stéphane
Thank you for answer.
It is that just check the parameter.
But I think it is not logic as when a group is setup :Member can see user
With apps script when I use getUsers() as I'm able to see user on web interface I expect to have the list of users with apps script.
The question about getEmail() which must or must not work is a second point but this is not consistent to get an error message "you do not have permission to view the member list" as I can clearly see the list of members of the group on the web interface.
Thank you,
Stéphane
[Deleted User] <[Deleted User]>
Thanks Ryan. So, based on your comment, SuperAdmins don't inherently have "view member email addresses" access on any/all groups when running scripts?
Like Stéphane, my confusion stemmed from my ability to see email addresses in the web interface, as well as my assumption that SuperAdmins had sufficient permissions to "do and see everything".
Like Stéphane, my confusion stemmed from my ability to see email addresses in the web interface, as well as my assumption that SuperAdmins had sufficient permissions to "do and see everything".
st...@gmail.com
For super admin I use the admin directiory service to get all users and emails of a groups.
Groups service is usefull for all users of the domain, admin or not.
Stéphane
Groups service is usefull for all users of the domain, admin or not.
Stéphane
ry...@google.com
The issue you may have run into here is that domain admin permissions are not the same as group permissions. When you create a group, the group has it's own set of rules saying what members, owners, and managers can do within the group (including seeing member lists and their emails). The Apps Script GroupApp service follows those rules, not the general domain rules.
It is possible to create a group both in the the Groups service (that is,groups.google.com ) and from the admin control panel. If you create a group in the Groups service, the account you use will automatically be made an owner of that group. However, if you create one via the admin control panel, the admin account will not automatically be added as a member or owner of the group. This is intentional, as it allows admins to quickly construct groups and assign users to them, and not unnecessarily add themselves to each one. Once the group is created, you can add the admin account to it via the control panel, but the default is to add accounts as Members (even if the account in question is the admin who created the group via the control panel). So, even if you added the admin account to a group, you may not have given the account the permission it needs to see member email addresses.
It is possible to create a group both in the the Groups service (that is,
[Deleted User] <[Deleted User]>
So there's no programmatic way to query a group even running as a superadmin user and get the details of the group unless the group owner lets us, or we force an admin account into every single group? I'm having the same trouble. This worked last year, and suddenly my group tool for my help desk will show them who is in a group, but will no longer show them members names or roles, and throws this error.
st...@gmail.com
For google apps domain super admin you have to use the directory api
https://developers.google.com/admin-sdk/directory/v1/guides/manage-group-members
This dies not solve the issue that you have to check a second parameters to see group members even if you have access on the interface but this is second point.
Stéphane
This dies not solve the issue that you have to check a second parameters to see group members even if you have access on the interface but this is second point.
Stéphane
[Deleted User] <[Deleted User]>
So you have to use the raw API, not the app script interface?
[Deleted User] <[Deleted User]>
<purged>
[Deleted User] <[Deleted User]>
I agree-- I would expect Super Admins to have permissions to do anything (i.e., sudo or su).
Description
not already been reported.
Please provide a short description of the issue:
-When running getusers() in a google script, on a group set to only allow group members to view the group's members, while logged in as a superadmin google apps account, an error is returned stating "you do not have permission to view the member list". The member list can be viewed without issue in the groups app.
Please provide a small sample script that reliably reproduces the issue.
The sample should run as-is or with minimal setup, without external
dependencies.
function listGroupMembers() {
var GROUP_EMAIL = "onlymemberscanviewmymembers@mydomain.com";
var group = GroupsApp.getGroupByEmail(GROUP_EMAIL);
var users = group.getUsers();
var s = "Group " + GROUP_EMAIL + " has " + users.length +
" members: \n";
for (var i = 0; i < users.length; i++) {
var user = users[i];
s = s + user.getEmail() + ",\n ";
}
var doc = DocumentApp.create('GroupUsers');
doc.getBody().appendParagraph(s);
var url = doc.getUrl();
var email = Session.getActiveUser().getEmail();
var subject = doc.getName();
var body = 'Link to your doc: ' + url;
GmailApp.sendEmail(email, subject, body);
Logger.log(s);
}
What steps will reproduce the problem?
1. create a group
2. set access level to custom and "view members list" to "members"
3. run a getusers() query on the created group
4. access error is reproduced
What is the expected output? What do you see instead?
-The expected output is a list of members, an error stating an issue with permission to view the group members is produced.
What is the project key (found under "File > Project properties")? The
project key does not give the Apps Script team access to your source
code or data. We use it to look up debug information about your script.
MTMoyAQWc_1ugaAvddU5XKeFv7QlOchAA
Please provide any additional information below.
To subsequent readers: If you are also experiencing this issue, please
click the star next to the issue number. We prioritize issues with the
most stars.