Added option types <AdminAssigneeTypeList> to gam print|show admins

Ross Scroggs
2025-10-02 16:47:40 -07:00
parent 3a1437872c
commit b4677585bb
4 changed files with 51 additions and 10 deletions


@@ -368,6 +368,7 @@ If an item contains spaces, it should be surrounded by ".
## Named items ## Named items
<AccessToken> ::= <String> <AccessToken> ::= <String>
<AdminAssigneeType> ::= group|user|serviceaccount|unknown
<AlertID> ::= <String> <AlertID> ::= <String>
<APIScopeURL> ::= <String> <APIScopeURL> ::= <String>
<APPID> ::= <String> <APPID> ::= <String>
@@ -691,6 +692,7 @@ If an item contains spaces, it should be surrounded by ".
## Lists of basic items ## Lists of basic items
<AdminAssigneeTypeList> ::= "<AdminAssigneeType>(,<AdminAssigneeType>)*"
<APIScopeURLList> ::= "<APIScopeURL>(,<APIScopeURL>)*" <APIScopeURLList> ::= "<APIScopeURL>(,<APIScopeURL>)*"
<ASPIDList> ::= "<ASPID>(,<ASPID>)*" <ASPIDList> ::= "<ASPID>(,<ASPID>)*"
<AssetTagList> ::= "<AssetTag>(,<AssetTag>)*" <AssetTagList> ::= "<AssetTag>(,<AssetTag>)*"
@@ -1553,9 +1555,11 @@ gam delete admin <RoleAssignmentId>
gam print admins [todrive <ToDriveAttribute>*] gam print admins [todrive <ToDriveAttribute>*]
[user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>]
[types <AdminAssigneeTypeList>]
[recursive] [condition] [privileges] [oneitemperrow] [recursive] [condition] [privileges] [oneitemperrow]
gam show admins gam show admins
[user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>]
[types <AdminAssigneeTypeList>]
[recursive] [condition] [privileges] [recursive] [condition] [privileges]
# Alert Center # Alert Center


@@ -1,7 +1,16 @@
7.23.06
Added option `types <AdminAssigneeTypeList>` to `gam print|show admins` that allows filtering
of admin assignments by the type of the assignee; by default, all assignee types are displayed.
```
<AdminAssigneeType> ::= group|user|serviceaccount|unknown
<AdminAssigneeTypeList> ::= "<AdminAssigneeType>(,<AdminAssigneeType>)*"
```
7.23.05 7.23.05
Added option `recursive` to `gam print|show admins` that will display assignments to the members Added option `recursive` that will display assignments to the members
of security groups assigned to roles; the security group membershop is recursively expanded. of security groups assigned to roles; the security group membership is recursively expanded.
7.23.04 7.23.04


@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
""" """
__author__ = 'GAM Team <google-apps-manager@googlegroups.com>' __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
__version__ = '7.23.05' __version__ = '7.23.06'
__license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)' __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
#pylint: disable=wrong-import-position #pylint: disable=wrong-import-position
@@ -16990,21 +16990,37 @@ def doDeleteAdmin():
except (GAPI.forbidden, GAPI.permissionDenied) as e: except (GAPI.forbidden, GAPI.permissionDenied) as e:
ClientAPIAccessDeniedExit(str(e)) ClientAPIAccessDeniedExit(str(e))
ASSIGNEE_EMAILTYPE_TOFIELD_MAP = { ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP = {
'user': 'assignedToUser', 'user': 'assignedToUser',
'group': 'assignedToGroup', 'group': 'assignedToGroup',
'serviceaccount': 'assignedToServiceAccount', 'serviceaccount': 'assignedToServiceAccount',
'unknown': 'assignedToUnknown',
} }
ALL_ASSIGNEE_TYPES = ['user', 'group', 'serviceaccount']
PRINT_ADMIN_FIELDS = ['roleAssignmentId', 'roleId', 'assignedTo', 'scopeType', 'orgUnitId', 'assigneeType'] PRINT_ADMIN_FIELDS = ['roleAssignmentId', 'roleId', 'assignedTo', 'scopeType', 'orgUnitId', 'assigneeType']
PRINT_ADMIN_TITLES = ['roleAssignmentId', 'roleId', 'role', PRINT_ADMIN_TITLES = ['roleAssignmentId', 'roleId', 'role',
'assignedTo', 'assignedToUser', 'assignedToGroup', 'assignedToServiceAccount', 'assignedToUnknown', 'assignedTo', 'assignedToUser', 'assignedToGroup', 'assignedToServiceAccount', 'assignedToUnknown',
'scopeType', 'orgUnitId', 'orgUnit'] 'scopeType', 'orgUnitId', 'orgUnit']
def getAssigneeTypes(myarg, typesSet):
if myarg in {'type', 'types'}:
for gtype in getString(Cmd.OB_ADMIN_ASSIGNEE_TYPE_LIST).lower().replace(',', ' ').split():
if gtype in ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP:
typesSet.add(ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP[gtype])
else:
invalidChoiceExit(gtype, ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP, True)
else:
return False
return True
# gam print admins [todrive <ToDriveAttribute>*] # gam print admins [todrive <ToDriveAttribute>*]
# [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] # [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>]
# [types <AdminAssigneeTypeList>]
# [recursive] [condition] [privileges] [oneitemperrow] # [recursive] [condition] [privileges] [oneitemperrow]
# gam show admins # gam show admins
# [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] # [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>]
# [types <AdminAssigneeTypeList>]
# [recursive] [condition] [privileges] # [recursive] [condition] [privileges]
def doPrintShowAdmins(): def doPrintShowAdmins():
def _getPrivileges(admin): def _getPrivileges(admin):
@@ -17034,14 +17050,16 @@ def doPrintShowAdmins():
assignedTo = admin['assignedTo'] assignedTo = admin['assignedTo']
if assignedTo not in assignedToIdEmailMap: if assignedTo not in assignedToIdEmailMap:
assigneeEmail, assigneeType = convertUIDtoEmailAddressWithType(f'uid:{assignedTo}', cd, sal, assigneeEmail, assigneeType = convertUIDtoEmailAddressWithType(f'uid:{assignedTo}', cd, sal,
emailTypes=allAssigneeTypes if admin.get('assigneeType') != 'group' else ['group']) emailTypes=ALL_ASSIGNEE_TYPES if admin.get('assigneeType') != 'group' else ['group'])
if assigneeType in ASSIGNEE_EMAILTYPE_TOFIELD_MAP: if assigneeType in ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP:
assignedToField = ASSIGNEE_EMAILTYPE_TOFIELD_MAP[assigneeType] assignedToField = ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP[assigneeType]
else: else:
assignedToField = 'assignedToUnknown' assignedToField = 'assignedToUnknown'
if assignedToField == 'assignedToUnknown':
assigneeEmail = True assigneeEmail = True
assignedToIdEmailMap[assignedTo] = {'assignedToField': assignedToField, 'assigneeEmail': assigneeEmail} assignedToIdEmailMap[assignedTo] = {'assignedToField': assignedToField, 'assigneeEmail': assigneeEmail}
admin[assignedToIdEmailMap[assignedTo]['assignedToField']] = assignedToIdEmailMap[assignedTo]['assigneeEmail'] admin[assignedToIdEmailMap[assignedTo]['assignedToField']] = assignedToIdEmailMap[assignedTo]['assigneeEmail']
admin['assignedToField'] = assignedToIdEmailMap[assignedTo]['assignedToField']
if privileges is not None: if privileges is not None:
admin.update(privileges) admin.update(privileges)
if 'orgUnitId' in admin: if 'orgUnitId' in admin:
@@ -17058,11 +17076,11 @@ def doPrintShowAdmins():
roleId = None roleId = None
userKey = None userKey = None
oneItemPerRow = recursive = showPrivileges = False oneItemPerRow = recursive = showPrivileges = False
typesSet = set()
kwargs = {} kwargs = {}
rolePrivileges = {} rolePrivileges = {}
fieldsList = PRINT_ADMIN_FIELDS fieldsList = PRINT_ADMIN_FIELDS
assignedToIdEmailMap = {} assignedToIdEmailMap = {}
allAssigneeTypes = list(ASSIGNEE_EMAILTYPE_TOFIELD_MAP.keys())
while Cmd.ArgumentsRemaining(): while Cmd.ArgumentsRemaining():
myarg = getArgument() myarg = getArgument()
if csvPF and myarg == 'todrive': if csvPF and myarg == 'todrive':
@@ -17071,6 +17089,8 @@ def doPrintShowAdmins():
userKey = kwargs['userKey'] = getEmailAddress() userKey = kwargs['userKey'] = getEmailAddress()
elif myarg == 'role': elif myarg == 'role':
_, roleId = getRoleId() _, roleId = getRoleId()
elif getAssigneeTypes(myarg, typesSet):
pass
elif myarg == 'recursive': elif myarg == 'recursive':
recursive = True recursive = True
allGroupRoles = ','.join(sorted(ALL_GROUP_ROLES)) allGroupRoles = ','.join(sorted(ALL_GROUP_ROLES))
@@ -17093,6 +17113,8 @@ def doPrintShowAdmins():
if roleId and not kwargs: if roleId and not kwargs:
kwargs['roleId'] = roleId kwargs['roleId'] = roleId
roleId = None roleId = None
if not typesSet:
typesSet = set(ADMIN_ASSIGNEE_TYPE_TO_ASSIGNEDTO_FIELD_MAP.values())
fields = getItemFieldsFromFieldsList('items', fieldsList) fields = getItemFieldsFromFieldsList('items', fieldsList)
printGettingAllAccountEntities(Ent.ADMIN_ROLE_ASSIGNMENT) printGettingAllAccountEntities(Ent.ADMIN_ROLE_ASSIGNMENT)
try: try:
@@ -17123,11 +17145,12 @@ def doPrintShowAdmins():
i += 1 i += 1
if roleId and roleId != admin['roleId']: if roleId and roleId != admin['roleId']:
continue continue
assignedTo = admin['assignedTo']
if admin['assigneeType'] != 'group' or not recursive: if admin['assigneeType'] != 'group' or not recursive:
_setNamesFromIds(admin, _getPrivileges(admin)) _setNamesFromIds(admin, _getPrivileges(admin))
expandedAdmins.append(admin) if admin['assignedToField'] in typesSet:
expandedAdmins.append(admin)
continue continue
assignedTo = admin['assignedTo']
if assignedTo not in groupMembers: if assignedTo not in groupMembers:
membersList = [] membersList = []
membersSet = set() membersSet = set()
@@ -17136,6 +17159,9 @@ def doPrintShowAdmins():
memberOptions, memberDisplayOptions, level, {Ent.TYPE_USER}) memberOptions, memberDisplayOptions, level, {Ent.TYPE_USER})
groupMembers[assignedTo] = membersList[:] groupMembers[assignedTo] = membersList[:]
_setNamesFromIds(admin, _getPrivileges(admin)) _setNamesFromIds(admin, _getPrivileges(admin))
if admin[assignedToIdEmailMap[assignedTo]['assignedToField']] not in typesSet:
continue
expandedAdmins.append(admin)
if not groupMembers[assignedTo]: if not groupMembers[assignedTo]:
expandedAdmins.append(admin) expandedAdmins.append(admin)
continue continue
@@ -17173,6 +17199,7 @@ def doPrintShowAdmins():
Ind.Decrement() Ind.Decrement()
else: else:
for admin in expandedAdmins: for admin in expandedAdmins:
admin.pop('assignedToField')
if not oneItemPerRow or 'rolePrivileges' not in admin: if not oneItemPerRow or 'rolePrivileges' not in admin:
csvPF.WriteRowTitles(flattenJSON(admin)) csvPF.WriteRowTitles(flattenJSON(admin))
else: else:
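Review bot: In the recursive group branch of doPrintShowAdmins, the added test `if admin[assignedToIdEmailMap[assignedTo]['assignedToField']] not in typesSet:` looks up the assignee's e-mail value (or `True` for unknown) instead of the field name, so it cannot match the `assignedTo*` names held in typesSet. As far as the visible lines show, every group assignment is therefore skipped when `recursive` is given, with or without `types`. For a command used to audit admin role assignments this silently under-reports privileged groups; the test should mirror the non-recursive branch, `if admin['assignedToField'] not in typesSet:`. Once that is fixed, the added `expandedAdmins.append(admin)` followed by the existing append under `if not groupMembers[assignedTo]:` puts the same dict in the list twice for an empty group, and the second `admin.pop('assignedToField')` in the CSV loop would raise KeyError, so drop one append or use `admin.pop('assignedToField', None)`. The member-expansion code and the show branch are outside the visible hunks, so check there whether `types` is applied to expanded members and whether the helper key `assignedToField` leaks into `show` output.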


@@ -1138,6 +1138,7 @@ class GamCLArgs():
OB_ARGUMENT = 'argument' OB_ARGUMENT = 'argument'
OB_ASP_ID_LIST = 'ASPIDList' OB_ASP_ID_LIST = 'ASPIDList'
OB_ASSET_ID = 'AssetID' OB_ASSET_ID = 'AssetID'
OB_ADMIN_ASSIGNEE_TYPE_LIST = 'AdminAssigneeTypeList'
OB_BROWSER_ENROLLEMNT_TOKEN_ID = 'BrowserEnrollmentTokenID' OB_BROWSER_ENROLLEMNT_TOKEN_ID = 'BrowserEnrollmentTokenID'
OB_BROWSER_ENTITY = 'BrowserEntity' OB_BROWSER_ENTITY = 'BrowserEntity'
OB_BUILDING_ID = 'BuildingID' OB_BUILDING_ID = 'BuildingID'