Setting Scopes to Restrict User Permissions for Google Web Services

Liz Sanderson

FME Version

  • FME 2022.1

Introduction

FME allows users to set up web connections for a variety of commonly used web services. Web connections store users’ web service credentials for repeated use in FME, such that a user does not have to manually enter access credentials each time a web service is needed. The Google family of web services is frequently accessed in FME workflows, and setting up the web connection for a Google web service is fairly straightforward. Restricting user permissions to Google web services, however, can be a bit difficult to figure out without some guidance. It is important to consider these user permissions when setting up a new Google web service; users who only require read access to a service should not be granted read/write access, in the interest of preventing inadvertent overwriting of critical resources.

User permissions for Google web services are referred to as scopes. Thus, user permissions for a Google web service are established by first setting the scope of the web service. This article explains how to set the scope of your Google web service so that users can still access the Google web service functionality they require while your resources remain safeguarded against inadvertent alterations. For demonstration purposes, this article will make use of a Google Drive web service definition, though other Google web service definitions are available for use within FME Desktop.


Step-by-Step Instructions

1.  Access FME Options

Open FME Workbench, and access FME Options from the Tools tab.

Accessing FME Options menu


2.  Access the Manage Web Services Dialog

Select Web Connections from the menu on the left, and then select the Manage Services button in the lower-right corner of the Web Connections display.



3.  Select the Google Web Service to Restrict

Find the + button at the bottom left of the Manage Web Services dialog, and select the drop-down arrow next to it. Hover over the Create From option, and then select the Google Service whose scope you wish to restrict. For the purposes of this article, the Google Drive web service option will be selected.



4.  Name Your Google Web Service

Give this new Google Drive web service definition a meaningful name in the New Web Service (Created from Google Drive) template. This demonstration will be adding the .metadata.readonly scope to the Google Drive web service definition, so you could name this new web service Google Drive Metadata ReadOnly.


5.  Apply a Scope to the Google Web Service

Here is where you will specify the scope of this Google Drive web service. Click the ellipsis button next to the URL field under Authorization Parameters to open a text editor containing a long URL.



The URL contained within the text editor is the default URL for a Google Drive web service with the default scope applied, copied below:

https://accounts.google.com/o/oauth2/auth?response_type=code&access_type=offline&approval_prompt=force&scope=https://www.googleapis.com/auth/drive


In this case, the scope parameter ends with /drive, the unrestricted default scope, indicating that no restriction has been applied to this authorization URL. Each Google web service has its own text in place of /drive, but the general format of the default URL is consistent across all Google web services.

You will set the scope parameter for your Google Drive web service at the end of this default URL. If, for example, you would like users to have read-only access to the metadata of files stored on a Google Drive, append .metadata.readonly to the end of the URL as follows:

https://accounts.google.com/o/oauth2/auth?response_type=code&access_type=offline&approval_prompt=force&scope=https://www.googleapis.com/auth/drive.metadata.readonly


From the text editor accessed at the beginning of this step, simply add the .metadata.readonly scope to the end of the default URL text. Select OK once the scope is added. 


Note: Google Drive, and all other Google web services, have several other scopes available for use as described in the Scopes for Google APIs documentation. A simple search of this document by the Google web service you would like to restrict (Ctrl + F, then enter "Drive" for this example) will direct you to the different scope parameters applicable to your Google web service of interest, and how to correctly append them to the end of the default URL. However, these scopes must be enabled when you initially register a third-party application with the Google Drive web service. Safe Software only enabled the .metadata.readonly scope during registration with Google Drive, so this scope is the only scope available for restricting the Google Drive web service definition linked with the Safe Software client ID and client secret. If you would like to take advantage of the other scopes available, you must obtain your own client ID and client secret values from Google by registering FME Desktop (or FME Server, if applicable) as a third-party app of Google Drive, under your own Google login credentials. This is done by first logging into your Google user account, and then starting a new project with the Google Developer's Console Library.  

6.  Create the New Web Service Connection for Your Restricted Google Web Service

Once the URL is formatted correctly for the scope you require, select Apply and then Close to return to the main Web Connections view in FME Options. Now you are able to create a web connection using your newly established and restricted Google Drive web service. To create this new web connection, click on the + button beneath the Connections table.


In the Web Service field of the dialog that opens, select your new web service (in this example, Google Drive Metadata ReadOnly). Name your new connection and select Authenticate.  



7.  Verify Restrictions Have Been Applied

Verify in the resulting authentication window that the scope is restricted as expected.



8.  Apply the New Web Connection

Use your new Google web connection in FME just as you would any other web connection.

Note: FME does not restrict access to web connections based on their scope or permissions, so it is possible for your connection to be chosen even though the resulting call within a workspace will fail. For example, if you create a read-only Google Drive web connection, your connection will be available within the GoogleDriveConnector transformer even if the ‘upload’ option is selected. In this case, the translation will fail at runtime due to insufficient permissions.
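As an added example (not part of this article or of FME), the following Python script rebuilds the restricted authorization URL from step 5 by appending a scope suffix to the scope parameter, and performs the kind of pre-check that FME itself does not: flagging a write operation such as upload against a read-only scope before the translation runs. The operation labels are assumed for illustration; the URL and scopes are the ones shown in the article.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Default Google Drive authorization URL as shown in step 5 (unrestricted scope).
DEFAULT_DRIVE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/auth?response_type=code"
    "&access_type=offline&approval_prompt=force"
    "&scope=https://www.googleapis.com/auth/drive"
)
GOOGLE_SCOPE_PREFIX = "https://www.googleapis.com/auth/"

# Assumed labels for workspace operations that modify Drive content.
# Hypothetical; FME's own transformer option names are not mirrored here.
WRITE_OPERATIONS = {"upload", "delete", "update"}


def scopes_from_auth_url(url: str) -> list[str]:
    """Return the scopes carried by the scope= query parameter (space separated)."""
    query = parse_qs(urlsplit(url).query)
    return [s for s in query.get("scope", [""])[0].split(" ") if s]


def restrict_auth_url(url: str, scope_suffix: str) -> str:
    """Append a scope suffix such as '.metadata.readonly' to the scope parameter,
    exactly as the article does by hand, leaving the other parameters untouched."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    scope = query.get("scope", [""])[0]
    if not scope.startswith(GOOGLE_SCOPE_PREFIX):
        raise ValueError("scope is not a Google API scope: %r" % scope)
    query["scope"] = [scope + scope_suffix]
    # safe=":/" keeps the scope URL readable instead of percent-encoding it.
    new_query = urlencode({k: v[0] for k, v in query.items()}, safe=":/")
    return urlunsplit(parts._replace(query=new_query))


def scope_permits(scope: str, operation: str) -> bool:
    """Defender-side pre-check for the note in step 8: a read-only scope
    (Google read-only scopes end in '.readonly') cannot satisfy a write operation."""
    return not (operation in WRITE_OPERATIONS and scope.endswith(".readonly"))


def check_connection(auth_url: str, operation: str) -> list[str]:
    """Return human-readable problems for using this connection for `operation`."""
    problems = []
    for scope in scopes_from_auth_url(auth_url):
        if not scope_permits(scope, operation):
            problems.append("scope %s does not permit '%s'" % (scope, operation))
    return problems


if __name__ == "__main__":
    restricted = restrict_auth_url(DEFAULT_DRIVE_AUTH_URL, ".metadata.readonly")
    print(restricted)
    print(check_connection(restricted, "upload"))
```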
