Set Up Granular Access with User Gopher

To restrict which OUs your users have access to with User Gopher, the Admin Roles for User Gopher need to be split into two categories: Global and Granular.  This is because some of the scopes User Gopher uses cannot be restricted to a per OU delegation within the Admin Console.

Global Scopes

The only Global scopes which User Gopher requires are the Admin API Privileges for Reading/Updating Groups and Schema management.  If you wish to restrict Administrators from updating group memberships, these permissions can be set to Read only.

Granular Scopes

The remainder of the scopes can be configured on a Granular, per OU level.  Of these, the required privileges are Read access to Users and OUs.  All other settings can be configured to the level you wish to allow your users within this role, for the particular OU.  For example, you could set up an Admin Role which only allows access to the "Reset Password" and "Force Password Change" features of User Gopher.

Note: Currently, User Gopher does not detect the level of Admin Access granularly, and shows all columns to the end user.  Any edits in columns an Admin does not have access to will cause the entire update for that user to fail.

  

From there, assign the new Administrator to the OU they are granted access to.

 

When a delegated Admin makes a request through User Gopher to Google, only the users that they have Read access to will populate into the sheet.  Likewise, only the OUs which they have permission to read will display in the autocomplete for the Org Unit Path.
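
An added example, not part of User Gopher or its documentation: a Python check over exported role assignments that flags setups which break the Global/Granular split described above. The privilege labels, role IDs and admin names are constructed stand-ins (not Admin SDK privilege names), and roles are simplified to sets; `scopeType`, `orgUnitId`, `roleId` and `assignedTo` follow the Admin SDK roleAssignments resource.

```python
# Added example. Privilege labels are constructed stand-ins, not Admin SDK names.
GLOBAL_ONLY = {"groups.read", "groups.update", "schema.manage"}
GLOBAL_REQUIRED = {"groups.read", "schema.manage"}
GRANULAR_REQUIRED = {"users.read", "orgunits.read"}


def audit(roles, assignments):
    """Return sorted (admin, finding) tuples for a delegated-admin setup."""
    findings = set()
    by_admin = {}
    for a in assignments:
        by_admin.setdefault(a["assignedTo"], []).append(a)
    for admin, rows in by_admin.items():
        global_privs, ou_rows = set(), []
        for a in rows:
            privs = roles[a["roleId"]]
            if a["scopeType"] == "CUSTOMER":
                global_privs |= privs
                # Granular privileges at customer scope apply to every OU.
                for p in sorted(privs - GLOBAL_ONLY):
                    findings.add((admin, f"{p} granted at CUSTOMER scope, not limited to an OU"))
            else:
                ou_rows.append(a)
                # Group and schema privileges cannot be delegated per OU.
                for p in sorted(privs & GLOBAL_ONLY):
                    findings.add((admin, f"{p} cannot be limited to {a['orgUnitId']}"))
                for p in sorted(GRANULAR_REQUIRED - privs):
                    findings.add((admin, f"{p} missing for {a['orgUnitId']}"))
        for p in sorted(GLOBAL_REQUIRED - global_privs):
            findings.add((admin, f"{p} missing from global role"))
        if not ou_rows:
            findings.add((admin, "no OU-scoped role assigned"))
    return sorted(findings)


# Constructed sample data, shaped like Admin SDK roleAssignments records.
ROLES = {
    "ug-global": {"groups.read", "schema.manage"},
    "ug-helpdesk": {"users.read", "orgunits.read", "users.reset_password"},
    "ug-broken": {"users.read", "groups.update"},
}
ASSIGNMENTS = [
    {"assignedTo": "alice", "roleId": "ug-global", "scopeType": "CUSTOMER"},
    {"assignedTo": "alice", "roleId": "ug-helpdesk", "scopeType": "ORG_UNIT", "orgUnitId": "ou-students"},
    {"assignedTo": "bob", "roleId": "ug-helpdesk", "scopeType": "CUSTOMER"},
    {"assignedTo": "bob", "roleId": "ug-broken", "scopeType": "ORG_UNIT", "orgUnitId": "ou-staff"},
]
```

Here `alice` follows the split (one global role plus one OU-scoped role) and produces no findings, while `bob` holds the helpdesk role at customer scope and an OU-scoped role that carries a group privilege, so every finding is his.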