API access justifications

Three separate API scope authorizations are used during the Getting Started process for Little SIS for Classroom and are authorized under the super administrator user. Each has a separate purpose, indicated below:

  1. Authorization of the users.read scope on the currently logged in user is required to confirm that the user is a super-administrator and therefore has the authority to proceed with installing Little SIS for Classroom on the G Suite domain.
  2. Authorization of the users.read as well as read and write access to all available Google Classroom API scopes on a super-administrator account is needed to allow the Users and Classes tables to be built and maintained. Only a super-administrator has the efficient ability to read all Users and Classes on a domain. Little SIS also allows users with delegated authority to make changes to rosters, co-teachers.
  3. Installation of a Client Name and scopes list allowing read and write access to all available Google Classroom API scopes in the Security section of the G Suite admin console.  This step permits Little SIS for Classroom to make API requests under the administrator-delegated authority of any domain user (e.g. teacher or student). This domain user API authority is required for the massive scale read operations that must be performed to build and maintain the Class Info tables (Assignments, Announcements, Rosters, etc.). While these tables technically could be maintained using only the super administrator's access, Google's API quotas and rate limits make this prohibitively difficult to perform under the authority of a single user.

For the setup of the data tables and ongoing data refresh functionality in Little SIS, the following Client Name and Scopes list must also be authorized within the admin console.

Client Name: 117311213619142178125

Scope Justification
admin.directory.group.readonly Used in some circumstances to identify all teachers at a given school.
admin.directory.orgunit.readonly Used to identify all possible org unit values within reporting, as well as in UIs that allow the user to reference OU in a rule, such as when tagging classes to a particular school.
admin.directory.user.readonly Used to identify users across many different contexts in the app.
classroom.courses Used to access information about classes on behalf of teachers and make changes to class state. e.g. to archive a class.
classroom.rosters Used to access rosters on behalf of teachers and to add/remove students.
classroom.announcements.readonly Used to access announcements on behalf of teachers.
classroom.coursework.students.readonly Used to access basic student info (name, etc) on behalf of teachers.
classroom.guardianlinks.students Used to access basic guardian info (email) on behalf of teachers.
classroom.push-notifications  Used to subscribe to certain changes in classes on behalf of teachers, allowing us to keep our data fresh.