Required permissions and scopes

In order to operate correctly, the management agent requires an account with permission to manage the objects, which has an associated service account that has access to the appropriate API scopes.

Note that granting the scopes to the service account is not enough. The user object must either have admin rights, or have delegated permissions to the required object.

Scopes

You only require permissions for the object types you want to manage. The minimum scopes required for each object type are shown below.

Note that the required scopes have changed between V1 and V2 depending on what functionality of the Connector you're using. You could need to review the scopes when upgrading the agent to avoid permission errors.

E.g. the following errors indicate that the scopes for the User Schema needs to be reviewed:

"Permission to read the user custom schema was denied" "Permission related TokenResponseException while reading the user custom schema"

user

https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.userschema.readonly

If delegates or send-as addresses are required, then the following scopes are also required (Requires v2 management agent or later)

https://www.googleapis.com/auth/gmail.settings.basic
https://www.googleapis.com/auth/gmail.settings.sharing

advancedUser

https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.userschema.readonly
https://apps-apis.google.com/a/feeds/emailsettings/2.0/

group

https://www.googleapis.com/auth/admin.directory.group
https://www.googleapis.com/auth/admin.directory.group.member
https://www.googleapis.com/auth/apps.groups.settings
https://www.googleapis.com/auth/admin.directory.domain.readonly

contact

http://www.google.com/m8/feeds/contacts/

calendar

https://www.googleapis.com/auth/calendar
https://www.googleapis.com/auth/admin.directory.resource.calendar

building

https://www.googleapis.com/auth/admin.directory.resource.calendar

feature

https://www.googleapis.com/auth/admin.directory.resource.calendar

domain

https://www.googleapis.com/auth/admin.directory.domain.readonly

classroom (Requires v2 management agent or later)

https://www.googleapis.com/auth/classroom.courses
https://www.googleapis.com/auth/classroom.rosters

organizationalUnits

https://www.googleapis.com/auth/admin.directory.orgunit

Older versions of the management agent

Please note, that versions of the MA prior to build 1.1.6663 require all scopes to be granted to the service account