GAE Python: Control access based on GSuite group

Question

Is it possible to control access to a request handler entirely or some parts therein based on what GSuite for Education/Business group a user belongs to?

Answer 1

It is possible to have code check the GSuite group membership using the Directory API from the Google Apps Admin SDK. You'd probably be interested in one of:

• retrieve all groups for a member
• retrieve a group's member (if just one or a few groups are to be checked).

You'll need to

• Enable the API access in the G Suite Admin console:

G Suite administrators have access to the Admin SDK–a collection of Application Programming Interfaces (APIs). With these APIs, you can build customized administrative tools for your G Suite products. Before you can use the Admin SDK, you need to enable API access in the Google Admin console.

You must be signed in as a super administrator for this task. Enable API access

To verify that API access is enabled:

1. Sign in to your Google Admin console.

   Sign in using an administrator account, not your current account some_user@gmail.com.

2. From the Admin console dashboard, go to Security > API reference.

   To see Security on the dashboard, you might have to click More controls at the bottom.

3. Make sure the Enable API access box is checked.

4. At the bottom, click Save.

• enable the Admin SDK API from the Google Apps APIs group in for your GAE app's API Manager page

• install the Google API Client Library in your GAE app (if not already done)

• address authentication, posibly using your GAE app's service account. See Google API Client Libraries Authentication Overview. And maybe related App Engine OAuth2.0 authorized cron job to analyze Google Sheet.

• (if you want to) restrict app access to only your GSuite domain, see Restrict App Engine access to G Suite accounts on custom domain

• code your access control logic using the directory api to obtain group membership info