Can a Google Apps domain admin list the messages of a user?

1
votes

We created an application for Google Apps Marketplace. We want our application to check how many emails each user sent and received per day. I tried to test the form on https://developers.google.com/gmail/api/v1/reference/users/messages/list, and it worked when a user or admin types "me" as userId, but when the domain admin types the email address of a user, he receives an error message:

{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "forbidden",
    "message": "Delegation denied for admin@<domain>"
   }
  ],
  "code": 403,
  "message": "Delegation denied for admin@<domain>"
 }
}

(<domain> is the domain I tested).

Is it possible for a domain admin to list the messages of users except himself? I didn't find it listed in the documentation.

Update: I tried to authenticate with the user's email address from our application and then it worked. But I would prefer to authenticate with the domain admin's email address.

1
pythongoogle-appsgoogle-apps-marketplace

1 Answers

1
votes

It is possible. For this, you would need to impersonate the user and then make the same call to the API that you mentioned.

In order to impersonate a user an act on hi's behalf, you have to implement domain wide delegation of authority.

For this you have to create a service account in your project. Then the administrator of the domain has to grant delegation of authority to your application. After that you can use the service account to impersonate any user in the domain, including the admin.