API Access Justifications, Little SIS for Classroom

Three separate API scope authorizations are used during the Getting Started process for Little SIS for Classroom and are authorized under the super administrator user. Each has a separate purpose, indicated below:

  1. Authorization of the users.read scope on the currently logged in user is required to confirm that the user is a super-administrator and therefore has the authority to proceed with installing Little SIS for Classroom on the Google Workspace domain.
  2. Authorization of the users.read scope, as well as read and write access to all available Google Classroom API scopes, on a super-administrator account is needed to allow the Users and Classes tables to be built and maintained. Only a super-administrator can efficiently read all Users and Classes on a domain. Little SIS also allows users with delegated authority to make changes to rosters and co-teachers.
  3. Installation of a Client Name and scopes list allowing read and write access to all available Google Classroom API scopes in the Security section of the Google Workspace Admin console. This step permits Little SIS for Classroom to make API requests under the administrator-delegated authority of any domain user (e.g. teacher or student). This domain user API authority is required for the massive-scale read operations that must be performed to build and maintain the Class Info tables (Assignments, Announcements, Rosters, etc.). While these tables technically could be maintained using only the super-administrator's access, Google's API quotas and rate limits make this prohibitively difficult to perform under the authority of a single user.

For the setup of the data tables and ongoing data refresh functionality in Little SIS, the following Client Name and Scopes list must also be authorized within the Admin console.

Client Name: 117311213619142178125

| Scope | Justification |
| --- | --- |
|  | Used in some circumstances to identify all teachers at a given school. |
| admin.directory.orgunit.readonly | Used to identify all possible org unit values within reporting, as well as in UIs that allow the user to reference OU in a rule, such as when tagging classes to a particular school. |
| admin.directory.user.readonly | Used to identify users across many different contexts in the app. |
|  | Used to access information about classes on behalf of teachers and make changes to class state, e.g. to archive a class. |
| classroom.rosters | Used to access rosters on behalf of teachers and to add/remove students. |
| classroom.announcements.readonly | Used to access announcements on behalf of teachers. |
| classroom.coursework.students.readonly | Used to access basic student info (name, etc.) on behalf of teachers. |
| classroom.guardianlinks.students | Used to access basic guardian info (email) on behalf of teachers. |
| classroom.push-notifications | Used to subscribe to certain changes in classes on behalf of teachers, allowing us to keep our data fresh. |
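
When reviewing the delegation entry in the Admin console, an administrator can compare what was actually authorized with the scopes justified above. The following is an added example, not part of Little SIS or its documentation; it covers only the seven scopes the table names, and the function names and sample scope string are assumptions constructed for illustration.

```python
# Added example: audit a domain-wide delegation entry against the scopes
# named in the table above. Rows without a scope name are not covered.
SCOPE_PREFIX = "https://www.googleapis.com/auth/"
CLIENT_NAME = "117311213619142178125"  # Client Name given on this page

DOCUMENTED_SCOPES = {
    "admin.directory.orgunit.readonly",
    "admin.directory.user.readonly",
    "classroom.rosters",
    "classroom.announcements.readonly",
    "classroom.coursework.students.readonly",
    "classroom.guardianlinks.students",
    "classroom.push-notifications",
}


def normalize(scope: str) -> str:
    """Reduce a full scope URL or a short name to its short form."""
    s = scope.strip()
    return s[len(SCOPE_PREFIX):] if s.startswith(SCOPE_PREFIX) else s


def audit(client_id: str, scope_list: str) -> dict:
    """Compare a comma-separated scope list with the documented set."""
    granted = {normalize(s) for s in scope_list.split(",") if s.strip()}
    return {
        "client_matches": client_id.strip() == CLIENT_NAME,
        # Granted but not justified on this page: review before keeping.
        "undocumented": sorted(granted - DOCUMENTED_SCOPES),
        # Justified on this page but absent from the entry.
        "not_granted": sorted(DOCUMENTED_SCOPES - granted),
        # Scopes without a .readonly suffix are not limited to read access.
        "write_capable": sorted(s for s in granted if not s.endswith(".readonly")),
    }


# Constructed sample of a scope list as it might appear in a delegation entry.
SAMPLE = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly,"
    " https://www.googleapis.com/auth/classroom.rosters,"
    "https://www.googleapis.com/auth/drive"
)

if __name__ == "__main__":
    for key, value in audit(CLIENT_NAME, SAMPLE).items():
        print(f"{key}: {value}")
```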


3rd Party App Access Blocked or Have Certain Scopes Blocked

If you have restricted all 3rd party services, or restricted access to either the Google Sign-in service or the Google Workspace Admin service, you will need to add this Client ID to the trusted list:

Client ID: 538690509659-t0a47quji8m6bovkiq6dg3auoinr0q9m.apps.googleusercontent.com

The ID for the "Sign in with Google" portion is separate from the App ID that performs the function.


Document Version Date Description of Change

