Why do I keep getting 403 User does not have sufficient permission for this profile error from Analytics API

c# api google-app-engine oauth google-analytics

10,347

Solution 1

I was providing the wrong id number to access my Analytics data. I was using the id contained in the table id (I am pretty sure this is what it is called) that looks like UA-XXXXXX-1 when this is the account id number. Eventually after going back and rereading all of the documentation I saw where it said to use the profile (view) Id.

Actually this post: Google Analytics throws 403 error

mentioned that you need to make sure you are using the correct id, but the reason I did not think this referred to me was because it called the number the profile id, but when I was looking in Google Analytics, I could not find a profile id. In the analytics web interface, it is called the view id. I must have gotten lost in the sea of documentation and forgot about this part:

https://developers.google.com/analytics/devguides/reporting/core/v3/reference#ids

where it specifically says to use the "view (profile) id".

Solution 2

This is a simple error. You are trying to access a profile for which your Google Account has no authorisation. Kindly log in to the GA account, and navigate to the View/Profile you're trying to access, and go to Admin -> View -> User Management -> Add Permissions For:. This is the error which occurs only when you try to access a profile for which you don't have authorisation.

Also remember, sometimes you might have a few Google Accounts, only one of which has access to the Analytics profile in question (for example, home and work accounts). Sometimes when you're already logged in to a Google Account which does not have access to the Analytics profile in question, but you have logged in for the OAuth process using that account (which has no access) and given the C# application the authority to use those credentials, it will not ask you to log in. Say you're logged in to your home account which doesn't have access, and you use your C# application. During the OAuth authentication process, all it asks for now is whether you authorise this application to use your Google Account credentials. If you don't sign out of your home account and re-sign-in with your work account before this OAuth Authentication, then this error will occur infinitely, since your Account really does not have access to the profile in question at all.

10,347

Author by

Adam

Updated on June 05, 2022

Comments

Adam almost 2 years

EDIT: Also I have read the following posts on Stack Overflow, but I don't think they have the solution I am looking for:

Google Analytics throws 403 error Google Analytics API: "User does not have sufficient permissions for this account."

I am creating an installed application in C# to access and display my Google Analytics Data.

I have read Google's documentation for OAuth v2.0 and the Analytics v3 API, and I cannot retrieve my analytics data. Here is what I have done so far.

Navigate to the following URL in a Web Browser where I am prompted to log in to my Google Account (the account that owns the Analytics Account and has full ownership and permission) or if my browser has saved my login, an accept screen comes up asking me to confirm that I want to allow the app to access my analytics data. Here is the URL: https://accounts.google.com/o/oauth2/auth?redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&client_id=XXXXXX.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fanalytics.readonly&approval_prompt=force&access_type=offline");

After the code is successfully returned and retrieved from the browser title window as the OAuth 2.0 documentation specifies for installed applications, I take this code and Create the following request which successfully returns an access token:

    WebRequest request = WebRequest.Create("https://accounts.google.com/o/oauth2/token");
    string body = String.Format("code={0}&client_id=XXXXXXXXXXX.apps.googleusercontent.com&client_secret=XXXXXXXXXXX&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code"
        ,browser.OAuthCode);
    request.Method = "POST";
    byte[] reqBytes = Encoding.UTF8.GetBytes(body);
    request.ContentType = "application/x-www-form-urlencoded";
    request.ContentLength = reqBytes.Length;
    request.GetRequestStream();
    Stream stream = request.GetRequestStream();
    stream.Write(reqBytes, 0, (int)request.ContentLength);

    WebResponse response = request.GetResponse();
    Stream s = response.GetResponseStream();
    StreamReader sr = new StreamReader(s);

    string json = sr.ReadToEnd();

    OAuthResponse tokenHolder = new OAuthResponse();
    tokenHolder = Newtonsoft.Json.JsonConvert.DeserializeObject<OAuthResponse>(json);

    return tokenHolder.AccessToken;

Finally, after successfully retrieving an access token, I create another Request to retrieve my analytics data like so:

public WebRequest ApiRequest()
{
    string oAuthToken = OAuthToken();


    //need to change this so people can select different ones
    string idParam = "ids=ga:XXXXXX";

    startDate = "start-date=" + startDate;
    endDate = "end-date=" + endDate;

    string totalEventsMetric = "ga:totalEvents";
    string uniqueEventsMetric = "ga:uniqueEvents";

    string categoryDimension = "ga:eventCategory";
    string actionDimension = "ga:eventAction";
    string labelDimension = "ga:eventLabel";

    string parameters = "";

    if ((bool)this._showTotalEvents.IsChecked)
        parameters += "metrics=" + totalEventsMetric;
    if ((bool)this._shwoUniqueEvents.IsChecked)
        if (parameters != "")
            parameters += "," + uniqueEventsMetric;
        else
            parameters += "metrics=" + uniqueEventsMetric;
    if ((bool)this._showCategory.IsChecked)
        if (parameters != "")
            parameters += "&dimensions=" + categoryDimension;
        else
            parameters += "dimensions=" + categoryDimension;
    if ((bool)this._showAction.IsChecked)
        if (parameters != "" & parameters.Contains("dimensions"))
            parameters += "," + actionDimension;
        else if (parameters != "" & !parameters.Contains("dimensions"))
            parameters += "&dimensions=" + actionDimension;
        else
            parameters += "dimensions=" + actionDimension;
    if ((bool)this._showLabel.IsChecked)
        if (parameters != "" & parameters.Contains("dimensions"))
            parameters += "," + labelDimension;
        else if (parameters != "" & !parameters.Contains("dimensions"))
            parameters += "&dimensions=" + labelDimension;
        else
            parameters += "dimensions=" + labelDimension;

    if (parameters != "")
    {
        parameters += "&" + idParam;
        parameters += "&" + startDate;
        parameters += "&" + endDate;
    }
    else
    {
        parameters += idParam;
        parameters += "&" + startDate;
        parameters += "&" + endDate;
        parameters += "&metrics=" + totalEventsMetric;
        parameters += "," + uniqueEventsMetric;
    }

    string url = string.Format("https://www.googleapis.com/analytics/v3/data/ga?{0}", parameters);
    WebRequest request = WebRequest.Create(url);
    request.Method = "GET";
    request.Headers.Add("Authorization: Bearer " + oAuthToken);
    return request;
}

My url ends up looking something like this:

https://www.googleapis.com/analytics/v3/data/ga?metrics=ga:totalEvents,ga:uniqueEvents&dimensions=ga:eventCategory,ga:eventAction,ga:eventLabel&ids=ga:XXXXX&start-date=2013-12-01&end-date=2014-01-01

And my Header:

{Authorization: Bearer oAuthTokenGoesHere}

And the error I get every time:

{"error":{"errors":[{"domain":"global","reason":"insufficientPermissions","message":"User does not have sufficient permissions for this profile."}],"code":403,"message":"User does not have sufficient permissions for this profile."}}

I cannot figure out why I am getting this error when this is an installed program. I log into the actual account in the web browser that opens up before I click accept and retrieve the OAuth code to exchange for a token. I have tried adding the App Engine and Compute Engine email address form the developer's console to my analytics account using the web interface, but this does not help. There is no email address associated with client ids for installed applications either, presumably because you have to log in in a browser before you can get a code.

I also tried passing the token in as a parameter instead of a header, but that did not work either.

I am not sure what to do from here.

Adam about 10 years

Sorry for the late reply. The Google Account I am logging into has full permission to do anything to the view. I also cleared my browser's cache and cookies and logged in with this account and I still get the same error. Everyone keeps telling me to add the account under Admin-> View-> User Management -> Add Permissions. Have you ever made a client id in the developer's console for an installed application? There is no email address you can add. The account I am logging into during the OAuth process is listed and has permission to do anything to my analytics view
artfuldev about 10 years

You do the Admin -> View thing in the Google Analytics website (google.com/analytics), not in the Developer Console.
garyrgilbert over 6 years

DOH! Thanks I have been looking for the problem for over an hour and couldn't figure out why I kept getting 403 and there it was the stupid view number I overlooked it!