awslabs / ssosync

Populate AWS SSO directly with your G Suite users and groups using either a CLI or AWS Lambda
Apache License 2.0

Question: Super Admin role required for Google Workspace admin user #161

Closed jhecking closed 5 months ago

jhecking commented 7 months ago

According to the docs (https://github.com/awslabs/ssosync#google) a Google Workspace "admin user" is required to sync the directory:

> You will have to specify the email address of an admin via --google-admin to assume this users role in the Directory.

Is it required that this admin user has the Super Admin role? Or can we use a different admin role with fewer privileges? We tried using a user with a custom admin role with just the "Users > Read" and "Groups > Read" privileges for the Admin API, but the sync failed with a 403 error.

ChrisPates commented 7 months ago

Currently it’s super admin, which is clearly less than ideal. There is a feature coming to use a service role. I’ll update this issue with the PR when I get back to my desk.

Chris


jhecking commented 7 months ago

Great! Thank you for the quick response.

jhecking commented 6 months ago

> I’ll update this issue with the PR when I get back to my desk.

Hi @ChrisPates, any update on this? 🙏

ChrisPates commented 5 months ago

This issue #150, I'll be looking to include this in a future release.