Since UH is on G Suite, our hawaii.edu domain has unlimited storage for Google Drive.

The test service account email address is tenure-service-account@robotic-vista-178000.iam.gserviceaccount.com

The prod service account email address is tenure-service-account@its-tenure-and-promotion-proj.iam.gserviceaccount.com

...

Service Accounts

Access our service accounts through the Google Developers Console.  Erik, Frank and I are owners of the project "Tenure" that created the 2 service accounts.

There's one for test and one for prod.

There are two users, uhtnptst@hawaii.edu and uhtnp@hawaii.edu, on whose behalf the service accounts act. These users have been granted an admin role created by Help Desk, and that admin role is granted access to Drives and Docs.

Grant domain-wide delegation authority for the following clientIDs under the G Suite project named "Tenure"
* 100382501517502303226
* 102969607084129771179
Grant admin access role to uhtnptst@hawaii.edu, which is the exact same role that you granted to uhtnp@hawaii.edu; this role is restricted to Drives and Docs.

With the service account acting on behalf of the uhtnp user, the service account no longer needs to be a member on the shared drive; only the uhtnp user needs to be on the shared drive.

  • uhtnptst is only added to TEST shared drives, i.e. application IDs starting with 199000xx
  • uhtnp is only added to PROD shared drives, i.e. application IDs starting at 1000

The client secret JSON files are deprecated, and new p12 keys were generated to perform the delegation. Those p12 files are loaded on the respective test/trng/prod servers under the home directory's .tenure-conf folder.

Drive synchronization software

With G Suite, end users have 2 options to sync their Drive files with their desktop, and UH's contract supports both:

Drive File Stream supports both Team Drives and Google Drive

Backup & Sync only supports Google Drive

Here's a good comparison between the two:

[Image: comparison of Drive File Stream and Backup & Sync]

Google Drive

Only the owner of the folder/file can check "Prevent editors from changing access and adding new people"

...

Anyone with Edit access can "Restrict download, print & copy actions on this file for commenters & viewers" and upload files

  • can restrict downloading and printing at the team drive root folder level

Anyone with Full access can manage members in addition to what Edit access can perform

Getting a list of permissions through Google's API DOES NOT return the email address associated with each user, so we'll need to keep a list of the uhNumbers associated with the permission IDs, recorded when the permissions are created.
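One way to keep the permission-ID-to-uhNumber list described above, and to enforce the rule that uhtnptst and uhtnp are only added to their own environment's shared drives, as an added Python example that is not the project's own code. `PermissionRegistry`, the function names, and the sample permission IDs and uhNumber are hypothetical; the ID ranges are an assumed reading of the page (test: 199000 followed by two digits; prod: 1000 and up).

```python
import re
from dataclasses import dataclass, field

# Delegated users named on the page; each belongs on one environment's drives only.
DELEGATED_USER = {"test": "uhtnptst@hawaii.edu", "prod": "uhtnp@hawaii.edu"}
TEST_ID = re.compile(r"199000\d{2}")  # assumption: "199000xx" = 199000 + two digits


def environment_for(application_id: int) -> str:
    """Classify an application ID as test or prod (ranges as read from the page)."""
    if TEST_ID.fullmatch(str(application_id)):
        return "test"
    if application_id >= 1000:  # assumption: prod IDs count up from 1000
        return "prod"
    raise ValueError(f"application ID {application_id} is outside both ranges")


def check_delegated_user(application_id: int, user_email: str) -> None:
    """Raise before a delegated user is added to the other environment's drive."""
    env = environment_for(application_id)
    if DELEGATED_USER[env] != user_email:
        raise PermissionError(f"{user_email} not allowed on {env} drive {application_id}")


@dataclass
class PermissionRegistry:
    """Hypothetical store of permission ID -> uhNumber, written at creation time."""
    by_drive: dict = field(default_factory=dict)

    def record(self, application_id: int, permission_id: str, uh_number: str) -> None:
        self.by_drive.setdefault(application_id, {})[permission_id] = uh_number

    def audit(self, application_id: int, listed: list) -> tuple:
        """Split a permission listing into (id, uhNumber, role) rows and unknown IDs."""
        recorded = self.by_drive.get(application_id, {})
        known = [(p["id"], recorded[p["id"]], p["role"]) for p in listed if p["id"] in recorded]
        unknown = [p["id"] for p in listed if p["id"] not in recorded]
        return known, unknown


if __name__ == "__main__":
    registry = PermissionRegistry()
    registry.record(1042, "perm-aaa", "12345678")  # constructed IDs and uhNumber
    # Constructed listing shaped like the id/role pairs a permission list returns.
    listing = [{"id": "perm-aaa", "role": "writer"}, {"id": "perm-zzz", "role": "writer"}]
    check_delegated_user(1042, "uhtnp@hawaii.edu")  # passes: prod user, prod drive
    print(registry.audit(1042, listing))  # perm-zzz was never recorded by the application
```

Permission IDs that land in the unknown list were not created by the application, which is the case to review when editors are allowed to change access.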

Options going forward

  1. Stay with Google Drive
    1. Access has to be turned over to uhtnp or tenure-service-account by the applicant, which is a lot of work for the applicant
    2. ownership has to be transferred from uhtnp to tenure-service-account, which is a lot of work for ITS
    3. checkbox must be unticked, "Prevent editors from changing access and adding new people"
  2. Go with Team Drive
    1. Must be 1 team drive per application
    2. Applicant will transfer files into team drive
      1. folders cannot be copied from google drive to team drive so applicants would need to create them and then move the files

...

  • TOCs not retained
  • hyperlinks retained
  • bookmarks retained?
  • ask Moriko if she's willing to share her word document

...