
feat(admin): add user and group management (Admin Directory API)#403

Open
dl-alexandre wants to merge 1 commit into steipete:main from dl-alexandre:main

Conversation

@dl-alexandre

Summary

Add Google Admin SDK Directory API support for user and group management in Google Workspace.

Resolves #340

Changes

  • New Service: ServiceAdmin with scopes for admin.directory.user, admin.directory.group, and admin.directory.group.member
  • New Commands:
    • gog admin users list --domain example.com - List users in a domain
    • gog admin users get user@example.com - Get user details
    • gog admin users create user@example.com --given "John" --family "Doe" - Create new user
    • gog admin users suspend user@example.com - Suspend user account
    • gog admin groups list --domain example.com - List groups in a domain
    • gog admin groups members list group@example.com - List group members
    • gog admin groups members add group@example.com user@example.com --role MEMBER - Add member
    • gog admin groups members remove group@example.com user@example.com - Remove member

Features

  • Domain-wide delegation support via service accounts
  • JSON and plain TSV output formats
  • Pagination with --all flag
  • Dry-run support for mutating commands
  • Confirmation prompts for destructive actions
  • Comprehensive error handling for common issues (API not enabled, insufficient permissions, domain-wide delegation not configured)

Requirements

  • Google Workspace account (consumer Gmail accounts not supported)
  • Service account with domain-wide delegation enabled
  • Admin SDK API enabled in Google Cloud Console

Note on PR #179

This is a focused implementation addressing the core user/group management requirements from #340. It intentionally does NOT cover the full GAM feature parity scope of PR #179, which includes additional APIs like:

  • Alert Center, Analytics, Calendar (admin)
  • Cloud Identity, CAA (Context-Aware Access)
  • Licenses, Org Units, Printers
  • Reports, Reseller, Resources
  • Roles, Schemas, SSO
  • Transfer, Vault, YouTube

Those additional features would require separate PRs to keep review manageable.

Test Plan

  • go build ./... passes
  • go test ./... passes
  • golangci-lint run passes (1 expected gosec warning for password field)

Usage Example

# Configure service account with domain-wide delegation
gog auth add admin@example.com --services admin

# List users in domain
gog admin users list --domain example.com

# Get specific user details
gog admin users get user@example.com --json

# Create new user
gog admin users create newuser@example.com \
  --given "John" \
  --family "Doe" \
  --password "TempPass123!" \
  --change-password

# Suspend user (with confirmation)
gog admin users suspend user@example.com --force

# List groups
gog admin groups list --domain example.com

# Add member to group
gog admin groups members add engineering@example.com newuser@example.com --role MEMBER

Implements Google Admin SDK Directory API support for Workspace user and
group management with domain-wide delegation.

New commands:

- gog admin users list --domain example.com
- gog admin users get user@example.com
- gog admin users create user@example.com --given John --family Doe
- gog admin users suspend user@example.com
- gog admin groups list --domain example.com
- gog admin groups members list group@example.com
- gog admin groups members add group@example.com user@example.com --role MEMBER
- gog admin groups members remove group@example.com user@example.com

Closes steipete#340

Note: This is a focused implementation of core user/group management.
For full GAM feature parity (PR steipete#179), additional work would be needed
for: alerts, licenses, org units, printers, reports, vault, SSO, etc.

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 64cd89a5f9


Comment on lines +217 to +221
ServiceAdmin: {
scopes: []string{
"https://www.googleapis.com/auth/admin.directory.user",
"https://www.googleapis.com/auth/admin.directory.group",
"https://www.googleapis.com/auth/admin.directory.group.member",
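Review bot: all three scopes registered in this hunk are the full read/write Directory scopes, so every token minted for the admin service can create and suspend users even when the operator only ever runs `gog admin users list` or `gog admin users get`. Consider a read-only option that requests the `.readonly` variants (for example `https://www.googleapis.com/auth/admin.directory.user.readonly`) for list/get-only delegations, and state in the PR's Requirements section that the delegated service account token carries user create/suspend rights. The missing ServiceAdmin branch in scopesForServiceWithOptions is already covered by the Codex comment below.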


P1: Handle admin service in scope option resolution

Adding ServiceAdmin here is incomplete because AuthAddCmd computes scopes via ScopesForManageWithOptions, but scopesForServiceWithOptions has no ServiceAdmin branch and returns errUnknownService. In practice, gog auth add --services admin fails before starting OAuth, so the new admin workflow cannot be authorized through the documented command.


},
Password: c.Password,
ChangePasswordAtNextLogin: c.ChangePwd,
IsAdmin: c.Admin,
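Review bot: `Password: c.Password` takes the initial password straight from the `--password` flag, which the usage example above passes as a literal (`--password "TempPass123!"`); a value given that way is written to shell history and is visible to other local users through the process list, which is also what the expected gosec warning in the test plan is flagging. Consider reading the password from stdin or an environment variable and prompting when neither is set, and make sure the `--dry-run` path added for mutating commands redacts it rather than echoing the request body. The `IsAdmin: c.Admin` line is covered by the Codex comment below.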


P2: Stop setting output-only admin flag on user creation

The create request writes IsAdmin directly from --admin, but admin elevation in Directory API is managed via a separate admin action rather than by setting the user resource field. This makes --admin unreliable (ignored or rejected by the API), so the command can report a successful create while not granting admin privileges as requested.


}
items = append(items, item{
Email: u.PrimaryEmail,
Name: u.Name.FullName,
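Review bot: `Name: u.Name.FullName` dereferences the optional nested name pointer unguarded, so one directory entry without a name object aborts the whole listing. Resolve the name into a local first, e.g. `name := u.PrimaryEmail` followed by `if u.Name != nil && u.Name.FullName != "" { name = u.Name.FullName }`, and pass `Name: name` into the item; the same guard should apply wherever the TSV output reads the name.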


P2: Check for nil name before building JSON user list

The JSON path dereferences u.Name.FullName without verifying u.Name is non-nil. If the API returns a user entry without the nested name object, this command panics during listing instead of returning partial results.

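The nil-name failure mode described in the comment above, shown in a nil-safe row builder. This is an added example, not code from the PR or the gog project; the `User` and `UserName` types are constructed stand-ins with the same pointer shape as the Admin Directory API client types, and `item`, `displayName` and `buildItems` are hypothetical names.

```go
package main

import "fmt"

// Constructed stand-ins for the Admin Directory User type: as in the real
// google.golang.org/api/admin/directory/v1 types, Name is a pointer that
// may be nil when the API omits the nested name object.
type UserName struct{ FullName string }
type User struct {
	PrimaryEmail string
	Name         *UserName
}

// item mirrors the JSON row the PR's "users list" command emits.
type item struct {
	Email string `json:"email"`
	Name  string `json:"name"`
}

// displayName returns the full name when present and falls back to the
// primary email, so a missing nested name never dereferences nil.
func displayName(u *User) string {
	if u.Name == nil || u.Name.FullName == "" {
		return u.PrimaryEmail
	}
	return u.Name.FullName
}

// buildItems converts one API page into rows; nameless entries keep the fallback instead of panicking.
func buildItems(users []*User) []item {
	items := make([]item, 0, len(users))
	for _, u := range users {
		if u == nil { // skip nil entries defensively
			continue
		}
		items = append(items, item{Email: u.PrimaryEmail, Name: displayName(u)})
	}
	return items
}

func main() {
	// Constructed sample: the second entry carries no name object.
	users := []*User{
		{PrimaryEmail: "alice@example.com", Name: &UserName{FullName: "Alice Example"}},
		{PrimaryEmail: "svc-bot@example.com"},
	}
	for _, it := range buildItems(users) {
		fmt.Printf("%s\t%s\n", it.Email, it.Name)
	}
}
```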
