Super Admin Access Grant Follow
In this article:
- What is the purpose of the Super Admin access grant?
- Why do we need a Super Admin account on the student subdomain?
What is the purpose of the Super Admin access grant?
Google’s Open Authentication Protocol or “OAuth” requires that all third party applications (like Hāpara) are added individually by a Super Administrator in the domain.
OAuth is the industry-standard protocol for authorization. It allows third-party apps to access APIs without users having to give their credentials, including passwords, to those apps. Hāpara needs permission from a domain Super Administrator in order to work with a Google Workspace domain.
To use OAuth, Hāpara calls the Google Directory API under the context of a domain Super Administrator–which is why our system records a domain Super Administrator on the Google Workspace instance.
Our system requires validation that this Super Admin user is in the same domain as the student accounts. In the case where a Google Workspace instance has multiple domains, it is possible to use a single domain Super Admin account as long as this account has email aliases in the student domain.
It is best-practice to use a separate, non-human Super Administrator account, that is not linked to any real person. This prevents the scenario in which the person who has the domain Super Administrator account leaves the school/district, and/or the account is suspended or deleted, leaving Hāpara no longer functional on your domain.
Why do we need a Super Admin account on the student subdomain?
Strictly speaking, we do not require full Super Admin access, but we do require a user with at least Groups Admin and User Management Admin access.
This allows Hāpara to perform the following actions on student domains, which are part of core Hāpara functionality:
- Create and manage Google Groups and their memberships
- Create Hāpara system user accounts on the student domains. These accounts own the Google Drive folder structure that we create for the classes, teachers and students.
- Let teachers reset student passwords via Hāpara (this is an optional function).