Find the minimum privileges that need to be assigned to a custom admin role to run the tool

[amart241]

The permissions needed to access the API with the scopes that we need are a bit vague. The reports API Google Documentation guide says that a super admin or a custom admin is needed to access the API.

Lessons learned from M365, members of the public aren't comfortable with running some random tool off the internet as the highest privileged role in their Cloud environment. For GWS, this is the super admin role.

There is no specific Google Documentation for assigning the custom admin the minimum permissions we need to access the reports and directory apis:

This issue is to find out and document the minimum privileges that need to be assigned to a custom admin to run this tool. Then test if there are any issues running the tool as an account assigned just that custom admin role. How to create a custom admin role.

See the README for the OAuth scopes we're currently using for Goggles

[jacdavi]

Testing with the branch for #152 I was able to get the same output as a super admin using a custom role with the following privileges:

• Console
  • Reports
  • Directory Settings > Settings
• API
  • Organization Units > Read
  • Users > Read
  • Groups > Read
  • Domain Management

Note that selecting some privileges enables others, so in total this role has 11 console privileges and 5 API privileges ("Billing Read" seems to always get enabled after saving without it).

[buidav]

~Closing this as we found a while ago that the~ ~super admin role is required to access the admin audit log.~ ~Even a cloned super admin role didn't not have the sufficient privileges.~ Domain wide delegation of authority caused the above issue.