The Directory API lets you use role-based access control to manage user access to features in your domain. You do this by managing privileges and roles and their assignment to users.
Overview
A privilege is necessary to perform certain tasks and operations in a domain. A role is a collection of privileges (of possibly different services like the Users service, Chrome, and so on) that grants users with that role the ability to perform certain tasks or operations. A role assignment is a record of a particular role given to a user.
The methods in this guide can be used to create roles and manage role assignments for users in a domain. The general process involves using the following three resources:
- The privileges resource is used to get a list of supported privileges in the domain.
- The roles resource is used to create new roles or get existing roles.
- The roleAssignments resource is used to assign a role to a user in the domain.
Get supported privileges
To get a list of supported privileges, use the following GET request and include the authorization described in Authorize requests.
If you are an administrator getting privileges in your own domain, use
my_customeras the customer ID.If you are reseller getting privileges for one of your customers, use the customer ID returned by the Retrieve a user operation.
Request
GET https://admin.googleapis.com/admin/directory/v1/customer/customer_id/roles/ALL/privileges
Response
A successful response returns an HTTP 200 status code. Along with the status code, the response returns the privileges supported in the domain:
{
"kind": "admin\#directory\#privileges",
"etag": ...,
"items": [
{
"kind": "admin\#directory\#privilege",
"etag": ...,
"serviceId": "02afmg282jiquyg",
"privilegeName": "APP_ADMIN",
"isOuScopable": false
},
{
"kind": "admin\#directory\#privilege",
"etag": ...,
"serviceId": "04f1mdlm0ki64aw",
"privilegeName": "MANAGE_USER_SETTINGS",
"isOuScopable": true,
"childPrivileges": [
{
"kind": "admin\#directory\#privilege",
"etag": ...,
"serviceId": "04f1mdlm0ki64aw",
"privilegeName": "MANAGE_APPLICATION_SETTINGS",
"isOuScopable": true
}
]
},
...
]
}
Get existing roles
To get a list of existing roles, use the following GET request and include the authorization described in Authorize requests.
- If you are an administrator getting roles in your own domain, use
my_customeras the customer ID.
If you are reseller getting roles for a customer, use the customer ID that you got using the Retrieve a user operation.
Request
GET https://admin.googleapis.com/admin/directory/v1/customer/customer_id/roles
Response
A successful response returns an HTTP 200 status code. Along with the status code, the response returns the roles that exist in the domain:
{
"kind": "admin\#directory\#roles",
"etag": "\"sxH3n22L0-77khHtQ7tiK6I21Yo/DywA6_jaJCYw-f0lFs2-g17UWe8\"",
"items": [
{
"kind": "admin\#directory\#role",
"etag": ... ,
"roleId": "3894208461012993",
"roleName": "_SEED_ADMIN_ROLE",
"roleDescription": "Google Workspace Administrator Seed Role",
"rolePrivileges": [
{
"privilegeName": "SUPER_ADMIN",
"serviceId": "01ci93xb3tmzyin"
},
{
"privilegeName": "ROOT_APP_ADMIN",
"serviceId": "00haapch16h1ysv"
},
{
"privilegeName": "ADMIN_APIS_ALL",
"serviceId": "00haapch16h1ysv"
},
...
],
"isSystemRole": true,
"isSuperAdminRole": true
},
{
"kind": "admin\#directory\#role",
"etag": "\"sxH3n22L0-77khHtQ7tiK6I21Yo/bTXiZXfuK1NGr_f4paosCWXuHmw\"",
"roleId": "3894208461012994",
"roleName": "_GROUPS_ADMIN_ROLE",
"roleDescription": "Groups Administrator",
"rolePrivileges": [
{
"privilegeName": "CHANGE_USER_GROUP_MEMBERSHIP",
"serviceId": "01ci93xb3tmzyin"
},
{
"privilegeName": "USERS_RETRIEVE",
"serviceId": "00haapch16h1ysv"
},
{
"privilegeName": "GROUPS_ALL",
"serviceId": "00haapch16h1ysv"
},
{
"privilegeName": "ADMIN_DASHBOARD",
"serviceId": "01ci93xb3tmzyin"
},
{
"privilegeName": "ORGANIZATION_UNITS_RETRIEVE",
"serviceId": "00haapch16h1ysv"
}
],
"isSystemRole": true
},
...
]
}
Create a role
To create a new role, use the following POST request and include the
authorization described in Authorize
requests.
Add a privilegeName and serviceId for each privilege that should be
granted with this role. For the request and response properties, see the API
Reference:
Request
POST https://admin.googleapis.com/admin/directory/v1/customer/customer_id/roles
{
"roleName": "My New Role",
"rolePrivileges": [
{
"privilegeName": "USERS_ALL",
"serviceId": "00haapch16h1ysv"
},
{
"privilegeName": "GROUPS_ALL",
"serviceId": "00haapch16h1ysv"
}
]
}
Response
A successful response returns an HTTP 200 status code. Along with the status code, the response returns the properties for the new role:
{
"kind": "admin\#directory\#role",
"etag": "\"sxH3n22L0-77khHtQ7tiK6I21Yo/uX9tXw0qyijC9nUKgCs08wo8aEM\"",
"roleId": "3894208461013031",
"roleName": "My New Role",
"rolePrivileges": [
{
"privilegeName": "GROUPS_ALL",
"serviceId": "00haapch16h1ysv"
},
{
"privilegeName": "USERS_ALL",
"serviceId": "00haapch16h1ysv"
}
]
}
Create a role assignment
To assign a role to a user, use the following POST method and include the authorization described in Authorize requests. Add a JSON body with the user_id of the user, which you can get from users.get(), and the roleId as described in Get existing roles.
Request
POST https://admin.googleapis.com/admin/directory/v1/customer/customer_id/roleassignments
{
"roleId": "3894208461012995",
"assignedTo": "100662996240850794412",
"scopeType": "CUSTOMER"
}
Response
A successful response returns an HTTP 200 status code. Along with the status code, the response returns the properties for the new role assignment:
{
"kind": "admin\#directory\#roleAssignment",
"etag": "\"sxH3n22L0-77khHtQ7tiK6I21Yo/VdrrUEz7GyXqlr9I9JL0wGZn8yE\"",
"roleAssignmentId": "3894208461013211",
"roleId": "3894208461012995",
"assignedTo": "100662996240850794412",
"scopeType": "CUSTOMER"
}
Create a role assignment with conditions
You can grant roles to perform actions that meet specific conditions. Currently, only two conditions are supported:
- Only applicable to security groups
- Not applicable to security groups
When condition is set, it will only take effect when the resource being
accessed meets the condition. If condition is empty, the role (roleId) is
applied to the actor (assignedTo) at the scope (scopeType) unconditionally.
To assign a role to a user, use the following POST method and include the authorization described in Authorize requests.
Add a JSON body with the user_id of the user, which you can get from
users.get(), the roleId as
described in Get existing roles, and the condition. The
two condition strings have to be used verbatim as shown below and they
only work with the Groups Editor and Groups Reader
pre-built administrator roles.
These conditions follow
Cloud IAM condition syntax.
Request
Only applicable to security groups
POST https://admin.googleapis.com/admin/directory/v1.1beta1/customer/customer_id/roleassignments
{
"roleId": "3894208461012995",
"assignedTo": "100662996240850794412",
"scopeType": "CUSTOMER",
"condition": "api.getAttribute('cloudidentity.googleapis.com/groups.labels',
[]).hasAny(['groups.security']) && resource.type ==
'cloudidentity.googleapis.com/Group'"
}
Not applicable to security groups
POST https://admin.googleapis.com/admin/directory/v1.1beta1/customer/customer_id/roleassignments
{
"roleId": "3894208461012995",
"assignedTo": "100662996240850794412",
"scopeType": "CUSTOMER",
"condition": "!api.getAttribute('cloudidentity.googleapis.com/groups.labels',
[]).hasAny(['groups.security']) && resource.type ==
'cloudidentity.googleapis.com/Group'"
}
Response
A successful response returns an HTTP 200 status code. Along with the status code, the response returns the properties for the new role assignment:
{
"kind": "admin\#directory\#roleAssignment",
"etag": "\"sxH3n22L0-77khHtQ7tiK6I21Yo/VdrrUEz7GyXqlr9I9JL0wGZn8yE\"",
"roleAssignmentId": "3894208461013211",
"roleId": "3894208461012995",
"assignedTo": "100662996240850794412",
"scopeType": "CUSTOMER",
"condition": "!api.getAttribute('cloudidentity.googleapis.com/groups.labels',
[]).hasAny(['groups.security']) && resource.type ==
'cloudidentity.googleapis.com/Group'"
}
Assign Admin Console UI roles
To assign roles for users that will access their privileges through the Admin
Console UI, certain extra privileges may need to be granted. For example, to
grant a user the ability to create other users through the Admin Console UI, not
only is the USERS_CREATE privilege required but also the USERS_UPDATE and
ORGANIZATION_UNITS_RETRIEVE privileges. The following table maps Admin
Console UI functionality to the required privilege grants for managing users
and organizational units.
| Admin Console UI Functionality | Privileges Needed |
|---|---|
| Organizational Units - Read | ORGANIZATION_UNITS_RETRIEVE |
| Organizational Units - Create | ORGANIZATION_UNITS_RETRIEVE + ORGANIZATION_UNITS_CREATE |
| Organizational Units - Update | ORGANIZATION_UNITS_RETRIEVE + ORGANIZATION_UNITS_UPDATE |
| Organizational Units - Delete | ORGANIZATION_UNITS_RETRIEVE + ORGANIZATION_UNITS_DELETE |
| Organizational Units | ORGANIZATION_UNITS_ALL |
| Users - Read | USERS_RETRIEVE + ORGANIZATION_UNITS_RETRIEVE |
| Users - Create | USERS_CREATE + USERS_UPDATE + ORGANIZATION_UNITS_RETRIEVE |
| Users - Update | USERS_UPDATE + ORGANIZATION_UNITS_RETRIEVE |
| Users - Move Users | USERS_MOVE + USERS_RETRIEVE + ORGANIZATION_UNITS_RETRIEVE |
| Users - Rename Users | USERS_ALIAS + USERS_RETRIEVE + ORGANIZATION_UNITS_RETRIEVE |
| Users - Reset Password | USERS_RESET_PASSWORD + USERS_RETRIEVE + ORGANIZATION_UNITS_RETRIEVE |
| Users - Force Password Change | USERS_FORCE_PASSWORD_CHANGE + USERS_RETRIEVE + ORGANIZATION_UNITS_RETRIEVE |
| Users - Add/Remove Aliases | USERS_ADD_NICKNAME + USERS_RETRIEVE + ORGANIZATION_UNITS_RETRIEVE |
| Users - Suspend Users | USERS_SUSPEND + USERS_RETRIEVE + ORGANIZATION_UNITS_RETRIEVE |
| GROUPS | GROUPS_ALL |
| Security - User Security Management | USER_SECURITY_ALL + USERS_RETRIEVE + ORGANIZATION_UNITS_RETRIEVE |