-
Notifications
You must be signed in to change notification settings - Fork 88
Cloud Identity Policies
- API documentation
- Notes
- Python Regular Expressions Match function
- Definitions
- Policies
- Display Cloud Identity Policies
- https://cloud.google.com/identity/docs/concepts/overview-policies
- https://cloud.google.com/identity/docs/reference/rest/v1beta1/policies/list
To use these commands you must update your client access authentication. You'll enter 19R to turn on the Cloud Identity Policy scope; then continue with authentication.
gam oauth delete
gam oauth create
...
[R] 19) Cloud Identity - Policy
<CIPolicyName> ::= policies/<String>|settings/<String>|<String>
<CIPolicyNameList> ::= "<CIPolicyName>(,<CIPolicyName>)*"
<CIPolicyNameEntity> ::=
<CIPolicyNameList> | <FileSelector> | <CSVFileSelector>
These are the supported policies GAM can show today.
user_takeout_status (is takeout enabled for service)
blogger.user_takeout
books.user_takeout
location_history.user_takeout
maps.user_takeout
pay.user_takeout
photos.user_takeout
play.user_takeout
play_console.user_takeout
youtube.user_takeout
service_status (is service enabled)
ad_manager
ads
adsense
alerts
analytics
applied_digital_skills
appsheet
arts_and_culture
beyondcorp_enterprise
blogger
bookmarks
books
calendar
campaign_manager
chat
chrome_canvas
chrome_remote_desktop
chrome_sync
chrome_web_store
classroom
cloud
cloud_search
colab
cs_first
data_studio
developers
domains
drive_and_docs
earth
enterprise_service_restrictions
experimental_apps
feedburner
fi
gmail
groups
groups_for_business
jamboard
keep
location_history
managed_play
maps
material_gallery
meet
merchant_center
messages
migrate
my_business
my_maps
news
partner_dash
pay
pay_for_business
photos
pinpoint
play
play_books_partner_center
play_console
public_data
question_hub
scholar_profiles
search_ads_360
search_and_assistant
search_console
sites
socratic
takeout
tasks
third_party_app_backups
translate
trips
vault
voice
work_insights
youtube
calendar.appointment_schedules
enablePayments
chat.chat_apps_access
enableApps
enableWebhooks
chat.chat_file_sharing
externalFileSharing
internalFileSharing
chat.chat_history
enableChatHistory
historyOnByDefault
allowUserModification
chat.external_chat_restriction
allowExternalChat
chat.space_history
historyState
classroom.api_data_access
enableApiAccess
classroom.class_membership
whoCanJoinClasses
whichClassesCanUsersJoin
classroom.guardian_access
allowAccess
whoCanManageGuardianAccess
classroom.originality_reports
enableOriginalityReportsSchoolMatches
classroom.roster_import
rosterImportOption
classroom.student_unenrollment
whoCanUnenrollStudents
classroom.teacher_permissions
whoCanCreateClasses
cloud_sharing_options.cloud_data_sharing
sharingOptions
detector.regular_expression
displayName
regularExpression
createTime
updateTime
detector.word_list
displayName
wordList
createTime
updateTime
description
drive_and_docs.drive_for_desktop
allowDriveForDesktop
restrictToAuthorizedDevices
showDownloadLink
allowRealTimePresence
drive_and_docs.external_sharing
externalSharingMode
allowReceivingExternalFiles
warnForSharingOutsideAllowlistedDomains
allowReceivingFilesOutsideAllowlistedDomains
allowNonGoogleInvitesInAllowlistedDomains
warnForExternalSharing
allowNonGoogleInvites
allowPublishingFiles
accessCheckerSuggestions
allowedPartiesForDistributingContent
drive_and_docs.file_security_update
securityUpdate
allowUsersToManageUpdate
drive_and_docs.shared_drive_creation
allowSharedDriveCreation
orgUnitForNewSharedDrives
customOrgUnit
allowManagersToOverrideSettings
allowExternalUserAccess
allowNonMemberAccess
allowedPartiesForDownloadPrintCopy
allowContentManagersToShareFolders
gmail.auto_forwarding
enableAutoForwarding
gmail.confidential_mode
enableConfidentialMode
gmail.email_attachment_safety
enableEncryptedAttachmentProtection
encryptedAttachmentProtectionConsequence
enableAttachmentWithScriptsProtection
attachmentWithScriptsProtectionConsequence
enableAnomalousAttachmentProtection
anomalousAttachmentProtectionConsequence
allowedAnomalousAttachmentFiletypes
applyFutureRecommendedSettingsAutomatically
encryptedAttachmentProtectionQuarantineId
attachmentWithScriptsProtectionQuarantineId
anomalousAttachmentProtectionQuarantineId
gmail.email_image_proxy_bypass
imageProxyBypassPattern
enableImageProxy
gmail.enhanced_pre_delivery_message_scanning
enableImprovedSuspiciousContentDetection
gmail.enhanced_smime_encryption
enableSmimeEncryption
allowUserToUploadCertificates
gmail.gmail_name_format
allowCustomDisplayNames
defaultDisplayNameFormat
gmail.imap_access
enableImapAccess
gmail.links_and_external_images
enableShortenerScanning
enableExternalImageScanning
enableAggressiveWarningsOnUntrustedLinks
applyFutureSettingsAutomatically
gmail.per_user_outbound_gateway
allowUsersToUseExternalSmtpServers
gmail.pop_access
enablePopAccess
gmail.spoofing_and_authentication
detectDomainNameSpoofing
detectEmployeeNameSpoofing
detectDomainSpoofingFromUnauthenticatedSenders
detectUnauthenticatedEmails
domainNameSpoofingConsequence
employeeNameSpoofingConsequence
domainSpoofingConsequence
unauthenticatedEmailConsequence
detectGroupsSpoofing
groupsSpoofingVisibilityType
groupsSpoofingConsequence
applyFutureSettingsAutomatically
domainNameSpoofingQuarantineId
employeeNameSpoofingQuarantineId
domainSpoofingQuarantineId
unauthenticatedEmailQuarantineId
groupsSpoofingQuarantineId
gmail.user_email_uploads
enableMailAndContactsImport
gmail.workspace_sync_for_outlook
enableGoogleWorkspaceSyncForMicrosoftOutlook
groups_for_business.groups_sharing
ownersCanAllowIncomingMailFromPublic
collaborationCapability
createGroupsAccessLevel
ownersCanAllowExternalMembers
ownersCanHideGroups
newGroupsAreHidden
viewTopicsDefaultAccessLevel
meet.safety_access
meetingsAllowedToJoin
meet.safety_domain
usersAllowedToJoin
meet.safety_external_participants
enableExternalLabel
meet.safety_host_management
enableHostManagement
meet.video_recording
enableRecording
rule.dlp
displayName
description
triggers
condition
action
state
createTime
updateTime
ruleTypeMetadata
rule.system_defined_alerts
displayName
description
action
state
createTime
updateTime
security.advanced_protection_program
enableAdvancedProtectionSelfEnrollment
securityCodeOption
security.less_secure_apps
allowLessSecureApps
security.login_challenges
enableEmployeeIdChallenge
security.password
allowedStrength
minimumLength
maximumLength
enforceRequirementsAtLogin
allowReuse
expirationDuration
security.session_controls
webSessionDuration
security.super_admin_account_recovery
enableAccountRecovery
security.user_account_recovery
enableAccountRecovery
sites.sites_creation_and_modification
allowSitesCreation
allowSitesModification
workspace_marketplace.apps_allowlist
apps
Display selected policies.
gam info policies <CIPolicyEntity>
[nowarnings] [noappnames]
[formatjson]
Select policies::
-
polices/<String>
- A policy name,policies/ahv4hg7qc24kvaghb7zihwf4riid4
-
settings/<String>
- A policy setting type,settings/workspace_marketplace.apps_allowlist
-
<String>
- A policy setting type,workspace_marketplace.apps_allowlist
By default, policy warnings are displayed, use the 'nowarnings` option to suppress their display.
By default, additional API calls are made for settings/workspace_marketplace.apps_allowlist
to get the application name for the application ID. Use option noappnames
to suppress these calls.
By default, Gam displays the information as an indented list of keys and values.
-
formatjson
- Display the fields in JSON format.
Display all or filtered policies.
gam show policies
[filter <String>] [nowarnings] [noappnames]
[group <RegularExpression>] [ou|org|orgunit <RegularExpression>]
[formatjson]
By default, all policies are displayed.
-
filter <String>
- Display filtered policies, See https://cloud.google.com/identity/docs/reference/rest/v1beta1/policies/list -
group <RegularExpression>
- Only display policies whose group email address matches the<RegularExpression>
-
ou|org|orgunit <RegularExpression> - Only display policies whose OU path matches the
`
By default, policy warnings are displayed, use the 'nowarnings` option to suppress their display.
By default, additional API calls are made for settings/workspace_marketplace.apps_allowlist
to get the application name for the application ID. Use option noappnames
to suppress these calls.
By default, Gam displays the information as an indented list of keys and values.
-
formatjson
- Display the fields in JSON format.
gam print policies [todrive <ToDriveAttribute>*]
[filter <String>] [nowarnings] [noappnames]
[group <RegularExpression>] [ou|org|orgunit <RegularExpression>]
[formatjson [quotechar <Character>]]
By default, all policies are displayed:
-
filter <String>
- Display filtered policies, See https://cloud.google.com/identity/docs/reference/rest/v1beta1/policies/list -
group <RegularExpression>
- Only display policies whose group email address matches the<RegularExpression>
-
ou|org|orgunit <RegularExpression> - Only display policies whose OU path matches the
`
By default, policy warnings are displayed, use the 'nowarnings` option to suppress their display.
By default, additional API calls are made for settings/workspace_marketplace.apps_allowlist
to get the application name for the application ID. Use option noappnames
to suppress these calls.
By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
-
formatjson
- Display the fields in JSON format.
By default, when writing CSV files, Gam uses a quote character of double quote "
. The quote character is used to enclose columns that contain
the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
When using the formatjson
option, double quotes are used extensively in the data resulting in hard to read/process output.
The quotechar <Character>
option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
quotechar
defaults to gam.cfg/csv_output_quote_char
. When uploading CSV files to Google, double quote "
should be used.
Print all service status policies.
gam redirect csv ./ServiceStatusPolicies.csv print policies filter "setting.type.matches('.*service_status')"
Print all polices that apply directly to the OU "/Staff".
gam redirect csv ./StaffPolicies.csv print policies ou "^/Staff$"
Print all polices that apply to the OU "/Staff" and its sub-OUs.
gam redirect csv ./StaffPolicies.csv print policies ou "^/Staff"
Need more help? Ask on the GAM Discussion Group
Update History
Installation
- How to Install GAM7
- How to Uograde GAMADV-XTD3 to GAM7
- How to Upgrade Legacy GAM to GAM7
- How to Update GAM7
- Install GAM as Python Library
- GAM7 on Chrome OS Devices
- GAM7 on Android Devices
- Google Network Addresses
- HTTPS Proxy
- SSL Root CA Certificates
- How to Uninstall GAM7
Configuration
- Authorization
- GAM Configuration
- Running GAM7 securely on a Google Compute Engine
- Using GAM7 with a delegated admin service account
- Using GAM7 with a YubiKey
Notes and Information
- Upgrade Benefits
- Questions? Visit the GAM Discussion Forum
- GAM Public Chat Room
- Scripts
- Other Resources
- Drive REST API v3
- BNF Syntax
- GAM Return Codes
- Python Regular Expressions
- Rclone
Definitions
Command Processing
- Bulk Processing
- Command Line Parsing
- Command Logging and Progress
- Command data from Google Docs/Sheets/Storage
- CSV Special Characters
- CSV Input Filtering
- CSV Output Filtering
- Meta Commands and File Redirection
- Permission matches
- Tag Replace
- Todrive
Collections
Client Access
- Addresses
- Administrators
- Alert Center
- Aliases
- Calendars
- Calendars - Access
- Calendars - Events
- Chrome Auto Update Expiration Counts
- Chrome Browser Cloud Management
- Chrome Device Needs Attention Counts
- Chrome Installed Apps
- Chrome Policies
- Chrome Printers
- Chrome Profile Management
- Chrome Version Counts
- Chrome Version History
- ChromeOS Devices
- Classroom - Courses
- Classroom - Guardians
- Classroom - Invitations
- Classroom - Membership
- Cloud Channel
- Cloud Identity Devices
- Cloud Identity Groups
- Cloud Identity Groups - Membership
- Cloud Identity Policies
- Cloud Storage
- Context Aware Access Levels
- Customer
- Domains
- Domains - Verification
- Domain People - Contacts & Profiles
- Domain Shared Contacts - Global Address List
- Email Audit Monitor
- Find File Owner
- Google Data Transfers
- Groups
- Groups - Membership
- Inbound SSO
- Licenses
- Mobile Devices
- Organizational Units
- Reports
- Reseller
- Resources
- Send Email
- Schemas
- Shared Drives
- Sites
- Users
- Unmanaged Accounts
- Users - Signout and Turn off 2-Step Verification
- Vault - Takeout
- Version and Help
Special Service Account Access
Service Account Access
- Users - Analytics Admin
- Users - Application Specific Passwords
- Users - Backup Verification Codes
- Users - Calendars
- Users - Calendars - Access
- Users - Calendars - Events
- Users - Chat
- Users - Classification Labels
- Users - Classroom - Profile
- Users - Deprovision
- Users - Contacts
- Users - Contacts - Delegates
- Users - Drive - File Selection
- Users - Drive - Activity/Settings
- Users - Drive - Cleanup
- Users - Drive - Comments
- Users - Drive - Copy/Move
- Users - Drive - Files-Display
- Users - Drive - Files-Manage
- Users - Drive - Orphans
- Users - Drive - Ownership
- Users - Drive - Permissions
- Users - Drive - Query
- Users - Drive - Revisions
- Users - Drive - Shortcuts
- Users - Drive - Transfer
- Users - Forms
- Users - Gmail - Client Side Encryption
- Users - Gmail - Delegates
- Users - Gmail - Filters
- Users - Gmail - Forwarding
- Users - Gmail - Labels
- Users - Gmail - Messages/Threads
- Users - Gmail - Profile
- Users - Gmail - S/MIME
- Users - Gmail - SendAs/Signature/Vacation
- Users - Gmail - Settings
- Users - Group Membership
- Users - Keep
- Users - Looker Studio
- Users - Meet
- Users - Classroom - Profile
- Users - People - Contacts & Profiles
- Users - Photo
- Users - Profile Sharing
- Users - Shared Drives
- Users - Spreadsheets
- Users - Tasks
- Users - Tokens
- Users - YouTube