taers232c / GAMADV-XTD3

Command line tool to manage Google Workspace

Group sync ignores "additionalmembers" argument when specifying "manager" or "owner" role #408

Closed anafontoura closed 3 weeks ago

anafontoura commented 2 months ago

I'm following this documentation to sync an OU with a group. I'm also trying to include additional members with 'manager' and 'owner' roles, but the command seems to ignore these parameters when not using a 'member' role. Here are some examples:

```
## show current R&D users
$ gam print users query "OrgUnitPath=/Domain/RandD"
Getting all Users that match query (query="OrgUnitPath=/Domain/RandD"), may take some time on a large Google Workspace Account...
Got 2 Users: user1@example.com - user2@example.com
primaryEmail
user1@example.com
user2@example.com
## show current group members with their respective roles
$ gam print group-members group mygroup fields email
Getting all Members, Managers, Owners for mygroup@example.com
Got 3 Members, Managers, Owners for mygroup@example.com
group,email
mygroup@example.com,MEMBER,user1@example.com
mygroup@example.com,MANAGER,boss@example.com
mygroup@example.com,MEMBER,user2@example.com
## update group to include new bosses
$ gam update group mygroup sync additionalmembers owner "bigboss@example.com" additionalmembers manager "coboss@example.com" query "OrgUnitPath=/Domain/RandD"
Getting all Users that match query (OrgUnitPath=/Domain/RandD), may take some time on a large Google Workspace Account...
Got 2 Users...
Got 2 Users that matched query (OrgUnitPath=/Domain/RandD)
Getting all Members for mygroup@example.com, may take some time on a large Group...
Got 3 Members for mygroup@example.com...
Group: mygroup@example.com, Remove 0 Members
Group: mygroup@example.com, Add 0 Members
## show that group has not changed
$ gam print group-members group mygroup fields email
Getting all Members, Managers, Owners for mygroup@example.com
Got 3 Members, Managers, Owners for mygroup@example.com
group,email
mygroup@example.com,MEMBER,user1@example.com
mygroup@example.com,MANAGER,boss@example.com
mygroup@example.com,MEMBER,user2@example.com
```

I have also tried adding "additionalmembers" without a role, and that worked alright. I'm using the latest version of gam running on WSL:

```
GAMADV-XTD3 6.73.00 - https://github.com/taers232c/GAMADV-XTD3 - pyinstaller
Ross Scroggs <ross.scroggs@gmail.com>
Python 3.12.3 64-bit final
Linux Ubuntu 22.04 Jammy Jellyfish x86_64
```

taers232c commented 2 months ago

Send me a Meet/Zoom invitation to discuss.

Ross


taers232c commented 2 months ago

On any group member operation, only one role is processed. You specified sync without a role, so it defaulted to member and specified the role for the command. In that case additionalmembers owner @." and additionalmembers manager @." were ignored because they didn't match member.

When you dropped manager from additionalmembers, it defaulted to member and coboss was added.

If you want to sync with the OU and then add additional managers/owners, you need multiple commands:

```
gam update group mygroup sync member query "OrgUnitPath=/Domain/RandD"
gam update group mygroup add @."
gam update group mygroup add manager @."
```

Ross


anafontoura commented 2 months ago

Ok, thank you for the quick response!

In this case, I believe the wiki should be updated to explain this behavior. The command syntax shows (additionalmembers [<GroupRole>] <EmailAddressEntity>)* which leads one to believe it accepts a different role for additional members than the one used for the sync.

Since there doesn't seem to be a way to reflect that behavior in the syntax description, perhaps a clearer description should be given. Here is a suggestion:

Where it reads:

The option additionalmembers [<GroupRole>] <EmailAddressEntity> can be used to specify members in addition to those specified with <UserTypeEntity>.

Can be added:

The option additionalmembers [<GroupRole>] <EmailAddressEntity> can be used to specify members in addition to those specified with <UserTypeEntity>. If a <GroupRole> is specified, it must match the same role as the one used for the group sync.
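
The single-role behaviour discussed in this thread can be modelled to show why the sync reported `Add 0` / `Remove 0` and which owner and manager grants never took effect. This is an added example, not GAM's own code: the function names and data shapes are hypothetical, and the sample state is constructed from the addresses used in the issue.

```python
# Added illustration: models the behaviour described in this thread.
# It is not GAM's source code and does not call any Google API.
from collections import defaultdict

def plan_sync(current, synced_users, additional, sync_role="member"):
    """Return (add, remove, ignored) for a single-role group sync.

    current      -- {email: role} as the group stands now
    synced_users -- emails matched by the sync query
    additional   -- [(role_or_None, email)] from additionalmembers options
    """
    sync_role = sync_role.lower()
    wanted = {e.lower() for e in synced_users}
    ignored = []
    for role, email in additional:
        # A missing role defaults to member, as stated in the thread.
        role = (role or "member").lower()
        if role == sync_role:
            wanted.add(email.lower())
        else:
            ignored.append((role, email.lower()))  # silently dropped by sync
    # Only entries holding the synced role take part in the comparison.
    have = {e.lower() for e, r in current.items() if r.lower() == sync_role}
    return wanted - have, have - wanted, ignored

def follow_up_by_role(ignored):
    """Group dropped entries by role: each role needs its own add command."""
    grouped = defaultdict(list)
    for role, email in ignored:
        grouped[role].append(email)
    return dict(grouped)

# Constructed sample state, taken from the addresses used in the issue.
CURRENT = {"user1@example.com": "MEMBER", "boss@example.com": "MANAGER",
           "user2@example.com": "MEMBER"}
OU_USERS = ["user1@example.com", "user2@example.com"]
REQUESTED = [("owner", "bigboss@example.com"), ("manager", "coboss@example.com")]

if __name__ == "__main__":
    add, remove, ignored = plan_sync(CURRENT, OU_USERS, REQUESTED)
    print(f"Add {len(add)} Members, Remove {len(remove)} Members")
    for role, emails in follow_up_by_role(ignored).items():
        print(f"not applied, needs a separate add for role {role}: {emails}")
```

Running the same comparison before a scripted sync surfaces privileged-role entries that would otherwise be dropped without any error.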