Merge branch 'main' of https://github.com/gam-team/gam

thanks to Ross for suggesting.

.github/actions/entitlements.plist

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+        <!-- These are required for binaries built by PyInstaller -->
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+        <true/>
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+</dict>
+</plist>

.github/actions/package_exclusions.txt

@@ -2,6 +2,5 @@ oauth2.txt
 nobrowser.txt
 enabledasa.txt
 lastupdatecheck.txt
-*.json
 *.lck
 *.csv

.github/workflows/codeql-analysis.yml

@@ -38,11 +38,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/get-cacerts.yml

@@ -27,7 +27,7 @@ jobs:
         run: |
           git config --local user.email "action@github.com"
           git config --local user.name "GitHub Action"
-          git add roots.pem
+          git add cacerts.pem
           git diff --quiet && git diff --staged --quiet || git commit -am '[ci skip] Updated cacerts.pem'
 
       - name: Push changes

README.md

@@ -1,6 +1,6 @@
 GAM is a command line tool for Google Workspace admins to manage domain and user settings quickly and easily.
 
-![Build Status](https://github.com/GAM-team/GAM/workflows/Build%20and%20test%20GAM/badge.svg)
+[![Build StatusM](https://github.com/GAM-team/GAM/actions/workflows/build.yml/badge.svg)](https://github.com/GAM-team/GAM/actions/workflows/build.yml)
 
 # Quick Start
 
@@ -32,7 +32,7 @@ There is a public chat room hosted in Google Chat. [Instructions to join](https:
 
 # Author
 
-GAM is maintained by [Jay Lee](mailto:jay0lee@gmail.com). Please direct "how do I?" questions to [Google Groups].
+GAM is maintained by [Jay (James) Lee](mailto:jay0lee@gmail.com) and [Ross Scroggs](mailto:ross.scroggs@gmail.com). Please direct "how do I?" questions to [Google Groups].
 
 [GAM release]: https://github.com/GAM-team/GAM/releases
 [GitHub Releases]: https://github.com/GAM-team/GAM/releases

docs/Addresses.md

@@ -1,4 +1,4 @@
-# Addresses
+!# Addresses
 - [API documentation](#api-documentation)
 - [Display addresses](#display-addresses)
 

docs/Administrators.md

@@ -1,4 +1,4 @@
-# Administrators
+!# Administrators
 - [Administrator roles documentation](#administrator-roles-documentation)
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
@@ -8,6 +8,7 @@
 - [Create an administrator](#create-an-administrator)
 - [Delete an administrator](#delete-an-administrator)
 - [Display administrators](#display-administrators)
+- [Copy roles from one administrator to another](#copy-roles-from-one-administrator-to-another)
 
 ## Administrator roles documentation
 * https://support.google.com/a/answer/33325?ref_topic=4514341
@@ -850,12 +851,17 @@ gam delete adminrole <RoleItem>
 ## Display administrative roles
 ```
 gam info adminrole <RoleItem> [privileges]
-gam print adminroles|roles [todrive <ToDriveAttribute>*] [privileges]
+gam print adminroles|roles [todrive <ToDriveAttribute>*]
+        [privileges] [oneitemperrow]
 gam show adminroles|roles [todrive <ToDriveAttribute>*] [privileges]
 ```
 * `privileges` - Display privileges associated with each role
 
+By default, all privileges for a role are shown on one row as a repeating item.
+When `oneitemperrow` is specified, each privilege is output on a separate row/line with the other role fields.
+
 ## Create an administrator
+Add an administrator role to an administrator.
 ```
 gam create admin <EmailAddress>|<UniqueID> <RoleItem> customer|(org_unit <OrgUnitItem>)
         [condition securitygroup|nonsecuritygroup]
@@ -868,13 +874,15 @@ The option `condition` limits the conditions for delegate admin access. This cur
 * `condition nonsecuritygroup` - limit the delegated admin to managing non-security groups
 
 ## Delete an administrator
+Remove an administrator role from an administrator.
 ```
 gam delete admin <RoleAssignmentId>
 ```
 ## Display administrators
 ```
 gam print admins [todrive <ToDriveAttribute>*]
-        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition] [privileges]
+        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition]
+        [privileges] [oneitemperrow]
 gam show admins
         [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition] [privileges]
 ```
@@ -886,5 +894,20 @@ options to limit the display:
 * `condition` - Display any conditions associated with a role assignment
 * `privileges` - Display privileges associated with each role assignment
 
+By default, all role privileges for an admin are shown on one row as a repeating item.
+When `oneitemperrow` is specified, each role privilege is output on a separate row/line with the other admin fields.
+
 In versions prior to 6.07.01, specification of both `user <UserItem>`
 and `role <RoleItem>` generated no output due to an undocumented API rule that disallows both.
+
+## Copy roles from one administrator to another
+Get roles for current admin.
+```
+gam redirect csv ./CurrentAdminRoles.csv print admins user currentadmin@domain.com
+```
+Add roles to new admin.
+```
+gam config csv_input_row_filter "scopeType:regex:CUSTOMER" redirect stdout ./UpdateNewAdminCustomerRoles.txt multiprocess redirect stderr stdout csv CurrentAdminRoles.csv gam create admin newadmin@domain.com "id:~~roleId~~" customer
+gam config csv_input_row_filter "scopeType:regex:ORG_UNIT" redirect stdout ./UpdateNewAdminOrgUnitRoles.txt multiprocess redirect stderr stdout csv CurrentAdminRoles.csv gam create admin newadmin@domain.com "id:~~roleId~~" org_unit "id:~~orgUnitId~~"
+```
+

docs/Alert-Center.md

@@ -1,4 +1,4 @@
-# Alert Center
+!# Alert Center
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
 - [Introduction](#introduction)

docs/Aliases.md

@@ -21,11 +21,16 @@
 * https://developers.google.com/admin-sdk/directory/v1/guides/search-users
 
 ## Definitions
+See [Collections of Items](Collections-of-Items)
 ```
 <DomainName> ::= <String>(.<String>)+
+<DomainNameList> ::= "<DomainName>(,<DomainName>)*"
+<DomainNameEntity> ::=
+        <DomainNameList> | <FileSelector> | <CSVFileSelector>
 <EmailAddress> ::= <String>@<DomainName>
 <EmailAddressList> ::= "<EmailAddress>(,<EmailAddress>)*"
 <EmailAddressEntity> ::= <EmailAddressList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <UniqueID> ::= id:<String>
 ```
 ## Create an alias for a target
@@ -50,13 +55,18 @@ gam create alias bob[@yourdomain.com] user robert[@yourdomain.com]
 The existing alias is deleted and a new alias is created.
 ```
 gam update alias|aliases <EmailAddressEntity> user|group|target <UniqueID>|<EmailAddress>
-        [notargetverify]
+        [notargetverify] [waitafterdelete <Integer>]
 ```
 `<EmailAddressEntity>` are the aliases, `<EmailAddress>` is the target.
 
 By default, GAM makes additional API calls to verify that the target email address exists before updating the alias;
 if you know that the target exists, you can suppress the verification with `notargetverify.
 
+GAM updates an alias to point to a new target by deleting the alias and then recreates the alias pointing to the new target.
+Unfortunately, if these commands are executed back-to-back; Google generates the `Update Failed: Duplicate` error.
+Now, GAM waits 2 seconds between the delete and the insert which seems to eliminate the problem. If the problem persists,
+use the option `waitafterdelete <Integer>` to increase the wait time to a maximum of 10 seconds.
+
 ## Delete an alias regardless of the target
 ```
 gam delete alias|aliases [user|group|target] <EmailAddressEntity>
@@ -75,7 +85,7 @@ gam <UserTypeEntity> delete aliases
 ```
 
 ## Display aliases
-Display a specific alise.
+Display a specific alias.
 ```
 gam info alias|aliases <EmailAddressEntity>
 ```
@@ -83,7 +93,8 @@ gam info alias|aliases <EmailAddressEntity>
 Display selected aliases.
 ```
 gam print aliases [todrive <ToDriveAttribute>*]
-        [domain <DomainName>] [(query <QueryUser>)|(queries <QueryUserList>)]
+        ([domain|domains <DomainNameEntity>] [(query <QueryUser>)|(queries <QueryUserList>)]
+         [limittoou <OrgUnitItem>])
         [user|users <EmailAddressList>] [group|groups <EmailAddressList>]
         [select <UserTypeEntity>]
         [aliasmatchpattern <RegularExpression>]
@@ -93,8 +104,10 @@ gam print aliases [todrive <ToDriveAttribute>*]
         (addcsvdata <FieldName> <String>)*
 ```
 By default, group and user aliases in all domains in the account are selected; these options allow selection of subsets of aliases:
-* `domain <DomainName>` - Limit aliases to those in `<DomainName>`
-* `(query <QueryUser>)|(queries <QueryUserList>)` - Print aliases for selected users
+* `domain|domains <DomainNameEntity>` - Limit aliases to those in the domains specified by `<DomainNameEntity>`
+  * You can predefine this list with the `print_agu_domains` variable in `gam.cfg`.
+* `(query <QueryUser>)|(queries <QueryUserList>)` - Print aliases for users/groups that match a query; each query is run against each domain
+* `limittoou <OrgUnitItem>` - Print aliases for users in the specified `<OrgUnitItem>`
 * `user|users <EmailAddressList>` - Print aliases for users in `<EmailAddressList`
 * `select <UserTypeEntity>` - Print aliases for users in `<UserTypeEntity>`
 * `group|groups <EmailAddressList>` - Print aliases for groups in `<EmailAddressList`
@@ -116,6 +129,24 @@ By default, the aliases in a list are separated by the `csv_output_field_delimit
 
 Specifying both `onerowpertarget` and `suppressnoaliasrows` causes GAM to not display any targets that have no aliases.
 
+Add additional columns of data from the command line to the output
+* `addcsvdata <FieldName> <String>`
+
+When multiple domains are specified and a query/queries are specified, an API call is made for each domain/query combination.
+```
+$ gam print aliases domains school.org,students.school.org queries "'email:admin*','email:test*'"
+Getting all Users that match query (domain=school.org, query="email:admin*"), may take some time on a large Google Workspace Account...
+Got 3 Users: admin@school.org - admindirector@school.org
+Getting all Users that match query (domain=school.org, query="email:test*"), may take some time on a large Google Workspace Account...
+Got 20 Users: testusera@school.org - testuserx@school.org
+Getting all Users that match query (domain=students.school.org, query="email:admin*"), may take some time on a large Google Workspace Account...
+Got 1 User: admin@students.school.org - admin@students.school.org
+Getting all Users that match query (domain=students.school.org, query="email:test*"), may take some time on a large Google Workspace Account...
+Got 1 User: testuser1@students.school.org - testuser1@students.school.org
+Alias,Target,TargetType
+...
+```
+
 ## Bulk delete aliases
 You can bulk delete aliases as follows; use `(query <QueryUser>)|(queries <QueryUserList>)` and
 `aliasmatchpattern <RegularExpression>` as desired.

docs/Authorization.md

@@ -1,12 +1,13 @@
 # Authorization
 - [Introduction](#introduction)
 - [Headless computers and Cloud Shells](#headless-computers-and-cloud-shells)
-- [Version 5 Update](#version-5-update)
 - [API documentation](#api-documentation)
 - [Python Regular Expressions](Python-Regular-Expressions)
 - [Definitions](#definitions)
 - [Manage Projects](#manage-projects)
   - [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
+  - [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
+  - [Authorize GAM to create projects](#authorize-gam-to-create-projects)
   - [Create a new GCP project folder](#create-a-new-gcp-project-folder)
   - [Create a new project for GAM authorization](#create-a-new-project-for-gam-authorization)
   - [Use an existing project for GAM authorization](#use-an-existing-project-for-gam-authorization)
@@ -29,6 +30,7 @@
   - [Update an existing Service Account key](#update-an-existing-service-account-key)
   - [Replace all existing Service Account keys](#replace-all-existing-service-account-keys)
   - [Delete Service Account keys](#delete-service-account-keys)
+  - [Upload a Service Account key to a service account with no keys](#upload-a-service-account-key-to-a-service-account-with-no-keys)
   - [Display Service Account keys](#display-service-account-keys)
 - [Manage Service Account access](#manage-service-account-access)
   - [Full Service Account access](#full-service-account-access)
@@ -88,15 +90,6 @@ If you run a Google Workspace Education SKU, verify that the super admin you'll
 * Choose "All users are 18 or older"
 * Click "SAVE"
 
-Verify whether the super admin you'll be using is in an OU where reauthentication is required.
-* Access the admin console and go to Security -> Overview
-* Scroll down and open Google Cloud session control section
-* Select the OU containing the super admin
-* If Require reauthentication is selected and Exempt Trusted apps is not checked, you'll have to do `gam oauth create` at whatever frequency is specified
-* If that sounds unappealing, check Exempt Trusted apps
-* Click "OVERRIDE"
-* Follow the steps below to mark GAM as a trusted app
-
 Based on your domain policies, you may have to mark GAM as a trusted app. These steps are performed after a project is created.
 * Access the admin console and go to Security -> Access and data control -> API controls
 * Check Trust internal, domain-owned apps
@@ -113,31 +106,26 @@ Based on your domain policies, you may have to mark GAM as a trusted app. These
 * Click Next/Continue
 * Click Finish
 
+Verify whether the super admin you'll be using is in an OU where reauthentication is required.
+* Access the admin console and go to Security -> Overview
+* Scroll down and open Google Cloud session control section
+* Select the OU containing the super admin
+* If Require reauthentication is selected and Exempt Trusted apps is not checked, you'll have to do `gam oauth create` at whatever frequency is specified
+* If that sounds unappealing, check Exempt Trusted apps
+* Click "OVERRIDE"
+* Follow the steps below to mark GAM as a trusted app
+
+Additional steps may be required if errors are encountered.
+* [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
+* [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
+* [Authorize GAM to create projects](#authorize-gam-to-create-projects)
+
 ## Headless computers and Cloud Shells
 With many thanks to Jay, `gam oauth create` now uses a new client access authentication flow
 as required by Google for headless computers/cloud shells; this is required as of February 28, 2022.
 * See: https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html
   * OAuth out-of-band (oob) flow will be deprecated
 
-## Version 5 Update
-GAM version `5.00.00` replaced the deprecated `oauth2client` library with the `google-auth` library.
-This change requires a one-time update of the client access file `oauth2.txt`; GAM will continue
-to use the old version of `oauth2.txt` until you perform the update. There is a small performance
-impact until the update is performed. However, you can't use the updated version of `oauth2.txt`
-in prior versions of GAM; if you want to run GAM `5.00.00` and prior versions of GAM,
-do not perform the update until you no longer need to run the prior versions of GAM.
-
-If you are running any GAM version `4.85.00` or later, perform the following command
-after installing `5.00.00` to perform the update.
-```
-gam oauth refresh
-```
-If you are running any GAM version before `4.85.00`, perform the following command
-after installing `5.00.00` to perform the update.
-```
-gam oauth update
-```
-
 ## API documentation
 * https://cloud.google.com/resource-manager/docs/creating-managing-organization#adding_an_organization_administrator
 * https://cloud.google.com/service-usage/docs/reference/rest
@@ -160,6 +148,7 @@ gam oauth update
 <ProjectIDEntity> ::=
         current | gam | <ProjectID> | (filter <String>) |
         (select <ProjectIDList> | <FileSelector> | <CSVFileSelector>)
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <ProjectName> ::= <String>
         Must match this Python Regular Expression: [a-zA-Z0-9 '"!-]{4,30}
 <ServiceAccountName> ::= <String>
@@ -174,19 +163,18 @@ gam oauth update
 ```
 ## Manage Projects
 In all of the project commands, the Google Workspace admin/GCP project manager `<EmailAddress>` can be omitted; you will be prompted for a value.
-You must enter a full address, i.e., user@domain.com; you will be required to enter the password.
+You must enter a full address, i.e., user@domain.com; you will be required to authenticate.
 
-For `print|show projects`, you can eliminate the password requirement by enabling the following scope in `gam update serviceaccount`;
-GAM will then use Service Account access to display projects.
+For `print|show projects`, you can eliminate the password prompt and authentication requirement by specifying the super admin emailaddress used in `gam oauth create`.
 ```
-[*]  9)  Cloud Resource Manager API v3
+gam print projects admin admin@domain.com
 ```
 
 ## Authorize a super admin to create projects
 If you try to create a project and get an error saying that the admin you specified is not authorized to create projects,
 perform these steps and then retry the create project command.
 
-* Login as an existing super admin at cloud.console.google.com
+* Login as an existing super admin at console.cloud.google.com
 * In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
 * Under IAM & Admin select IAM
 * Click the down arrow in the box to the right of Google Cloud
@@ -197,8 +185,70 @@ perform these steps and then retry the create project command.
 * Click in the Select a role box
 * Type project creator in the Filter box
 * Click Project Creator
+* Click + Add Another Role
+* Type organization policy administrator in the Filter box
+* Click Orgainzation Policy Administrator
 * Click Save
 
+## Authorize Service Account Key Uploads
+
+If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload violated for service account projects/gam-project-xxxxx`,
+perform these steps and then you should be able to authorize and use your project.
+
+* Login as an existing super admin at console.cloud.google.com
+* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
+* Under IAM & Admin select IAM
+* Click the down arrow in the box to the right of Google Cloud
+* Click the three dots at the right and select IAM/Permissions
+* Now you should be at "Permissions for organization ..."
+* Click on Grant Access
+* Enter the new admin address in Principals
+* Click in the Select a role box
+* Type organization policy administrator in the Filter box
+* Click Organization Policy Administrator
+* Click Save
+* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
+* Under IAM & Admin select IAM
+* Click the down arrow in the box to the right of Google Cloud
+* Click the three dots at the right and select Manage Resources
+* Click the three dots at the end of the line for the GAM project just created
+* Click Settings
+* Click Organization Policies in the left column
+* Now you should be at "Policies for Gam Project"
+* Click in the Filter box
+* Enter iam.disableServiceAccountKeyUpload
+* Click the three dots at the end of the Disable Service Account Key Upload
+* Choose Edit policy
+* Click Override parent's policy
+* Click Add A Rule
+* Select Enforcement/Off
+* Click Done
+* Click Set Policy
+
+Wait a couple of minutes for the policy updates to complete and then do the following to upload the service account key:
+```
+gam upload sakey [admin <EmailAddress>]
+```
+
+## Authorize GAM to create projects
+If you try to create a project and get an error saying "This app has been blocked on your domain for either being
+insecure or non-edutational"; you'll have to mark the GAM Project Creation app as trusted.
+Perform these steps and then retry the create project command.
+
+* Access the admin console and go to Security -> Access and data control -> API controls
+* Click **Manage third-party app access**
+* Click Add app and select **OAuth App Name Or Client ID**
+* Paste 297408095146-fug707qsjv4ikron0hugpevbrjhkmsk7.apps.googleusercontent.com
+* Click Search
+* Click Select at right end of line referencing GAM Project Creation
+* Check box to the left of the line with GAM Project Creation client ID
+* Click Select
+* Keep the default scope domain.com (all users) or select an org unit that includes your GAM admin
+* Click Next/Continue
+* Click Trusted: App can request access to all Google data
+* Click Next/Continue
+* Click Finish/Confirm
+
 ## Create a new GCP project folder
 This folder can be used in a subsequent `gam create project parent <String>` command.
 ```
@@ -210,9 +260,19 @@ gam create gcpfolder [admin <EmailAddress] folder <String>
 Create a new project to create and download two files: `client_secrets.json` for the Client and `oauth2service.json` for the Service Account.
 On-screen instructions lead you through the process.
 
+An existing project, `GAM Project Creation`, is used to create your GAM project. The initial instructions tell you how to
+enable this project as a trusted app as your workspace may not allow untrusted third-party apps.
+This is recommended but not mandatory unless your workspace has "Google Cloud" service restricted:
+* https://support.google.com/a/answer/7281227?hl=en#zippy=%2Crestrict-or-unrestrict-google-services
+
+If it is restricted and you complete this step it may take an hour or so to take full affect and allow you to approve GAM project creation.
+
+The final instructions tell you how to enable your new GAM project as a trusted app as your workspace may not allow untrusted third-party apps.
+You can skip these steps if you know that untrusted third-party apps are allowed.
+
 ### Default values
 * `<AppName>` - "GAM"
-* `<ProjectID>` - "gam-project-abc-def-jki" where "abc-def-ghi" are randomly generated
+* `<ProjectID>` - "gam-project-a1b2c" where "a1b2c" are randomly generated
 * `<ProjectName>` - "GAM Project"
 * `<ServiceAccountName>` - `<ProjectID>`
 * `<ServiceAccountDisplayName>` - `<ProjectName>`
@@ -234,6 +294,10 @@ gam create project [admin <EmailAddress>] [project <ProjectID>]
         [projectname <ProjectName>] [parent <String>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
+        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+         (localkeysize 1024|2048|4096 [validityhours <Number>])|
+         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)|
+         nokey}
 ```
 * `admin <EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 * `appname <String>` - Application name, defaults to `GAM`
@@ -245,6 +309,10 @@ gam create project [admin <EmailAddress>] [project <ProjectID>]
 * `sadisplayname <ServiceAccountDisplayName>` - Service account display name
 * `sadescription <ServiceAccountDescription>` - Service account description
 
+You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`: [Manage Service Account keys](#manage-service-account-keys)
+
+Use `nokey` if you do not want a service account key created for the project.
+
 ## Use an existing project for GAM authorization
 Use an existing project to create and download two files: `client_secrets.json` for the Client and `oauth2service.json` for the Service Account.
 
@@ -254,8 +322,11 @@ Use an existing project to create and download two files: `client_secrets.json`
 * `<ServiceAccountDescription>` - `<ServiceAccountDisplayName>`
 
 ### Basic
-Use an existing project with default values for the service account. This is typically used when
-the system administrators have created a basic project and you now want to configure it as a GAM project.
+Use an existing uninitialized/uncredentialed project and configure it to be a GAM project; this typically used when
+the GCP  administrators have created a basic project because project creation is not available for most users.
+
+See Jay's notes about how to do this: https://github.com/GAM-team/GAM/wiki/GAM-with--minimal-GCP-rights
+
 ```
 gam use project [<EmailAddress>] [project <ProjectID>]
 ```
@@ -270,6 +341,9 @@ can not be re-downloaded.
 gam use project [admin <EmailAddress>] [project <ProjectID>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
+        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+         (localkeysize 1024|2048|4096 [validityhours <Number>])|
+         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]
 ```
 * `admin <EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 * `project <ProjectID>` - An existing Google project ID; if omitted, you will be prompted for the ID
@@ -277,6 +351,8 @@ gam use project [admin <EmailAddress>] [project <ProjectID>]
 * `sadisplayname <ServiceAccountDisplayName>` - Service account display name
 * `sadescription <ServiceAccountDescription>` - Service account description
 
+You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`: [Manage Service Account keys](#manage-service-account-keys)
+
 ## Update an existing project for GAM authorization
 This command is used when GAM has added new capabilities that require additional APIs to be added to your project.
 ```
@@ -285,7 +361,7 @@ gam update project [[admin] <EmailAddress>] [<ProjectIDEntity>]
 * `<EmailAddress>` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 
 Use these options to select projects.
-* `current` - The project referenced in `client_secret.json`; this is the default
+* `current` - The project referenced in `client_secrets.json`; this is the default
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -297,7 +373,7 @@ gam delete project [[admin] <EmailAddress>] [<ProjectIDEntity>]
 * `<EmailAddress>` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 
 Use these options to select projects.
-* `current` - The project referenced in `client_secret.json`; this is the default
+* `current` - The project referenced in `client_secrets.json`; this is the default
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -317,7 +393,7 @@ gam show projects [[admin] <EmailAddress>] [all|<ProjectIDEntity>]
 
 Use these options to select projects.
 * `all` - All projects accessible by the administrator; this is the default
-* `current` - The project referenced in `client_secret.json`
+* `current` - The project referenced in `client_secrets.json`
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -335,7 +411,7 @@ gam print projects [[admin] <EmailAddress>] [all|<ProjectIDEntity>] [todrive <To
 
 Use these options to select projects.
 * `all` - All projects accessible by the administrator; this is the default
-* `current` - The project referenced in `client_secret.json`
+* `current` - The project referenced in `client_secrets.json`
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -373,60 +449,70 @@ writes the credentials into the file oauth2.txt.
 ```
 gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - Telemetry read only
-[*]  3)  Chrome Management API - read only
-[*]  4)  Chrome Policy API (supports readonly)
-[*]  5)  Chrome Printer Management API (supports readonly)
-[*]  6)  Chrome Version History API
-[*]  7)  Classroom API - Course Announcements (supports readonly)
-[*]  8)  Classroom API - Course Topics (supports readonly)
-[*]  9)  Classroom API - Course Work/Materials (supports readonly)
-[*] 10)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 11)  Classroom API - Courses (supports readonly)
-[*] 12)  Classroom API - Profile Emails
-[*] 13)  Classroom API - Profile Photos
-[*] 14)  Classroom API - Rosters (supports readonly)
-[*] 15)  Classroom API - Student Guardians (supports readonly)
-[*] 16)  Cloud Identity Groups API (supports readonly)
-[*] 17)  Cloud Storage (Vault Export - read only)
-[*] 18)  Contact Delegation API (supports readonly)
-[*] 19)  Contacts API - Domain Shared and Users and GAL
-[*] 20)  Data Transfer API (supports readonly)
-[*] 21)  Directory API - Chrome OS Devices (supports readonly)
-[*] 22)  Directory API - Customers (supports readonly)
-[*] 23)  Directory API - Domains (supports readonly)
-[*] 24)  Directory API - Groups (supports readonly)
-[*] 25)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 26)  Directory API - Organizational Units (supports readonly)
-[*] 27)  Directory API - Resource Calendars (supports readonly)
-[*] 28)  Directory API - Roles (supports readonly)
-[*] 29)  Directory API - User Schemas (supports readonly)
-[*] 30)  Directory API - User Security
-[*] 31)  Directory API - Users (supports readonly)
-[*] 32)  Email Audit API
-[*] 33)  Groups Migration API
-[*] 34)  Groups Settings API
-[*] 35)  License Manager API
-[*] 36)  People API (supports readonly)
-[*] 37)  People Directory API - read only
-[ ] 38)  Pub / Sub API
-[*] 39)  Reports API - Audit Reports
-[*] 40)  Reports API - Usage Reports
-[ ] 41)  Reseller API
-[*] 42)  Site Verification API
-[*] 43)  Sites API
-[*] 44)  Vault API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
-Please enter 0-42[a|r] or s|u|e|c: 
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
 
@@ -456,60 +542,70 @@ writes the credentials into the file `oauth2.txt`.
 ```
 gam oauth update
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - Telemetry read only
-[*]  3)  Chrome Management API - read only
-[*]  4)  Chrome Policy API (supports readonly)
-[*]  5)  Chrome Printer Management API (supports readonly)
-[*]  6)  Chrome Version History API
-[*]  7)  Classroom API - Course Announcements (supports readonly)
-[*]  8)  Classroom API - Course Topics (supports readonly)
-[*]  9)  Classroom API - Course Work/Materials (supports readonly)
-[*] 10)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 11)  Classroom API - Courses (supports readonly)
-[*] 12)  Classroom API - Profile Emails
-[*] 13)  Classroom API - Profile Photos
-[*] 14)  Classroom API - Rosters (supports readonly)
-[*] 15)  Classroom API - Student Guardians (supports readonly)
-[*] 16)  Cloud Identity Groups API (supports readonly)
-[*] 17)  Cloud Storage (Vault Export - read only)
-[*] 18)  Contact Delegation API (supports readonly)
-[*] 19)  Contacts API - Domain Shared and Users and GAL
-[*] 20)  Data Transfer API (supports readonly)
-[*] 21)  Directory API - Chrome OS Devices (supports readonly)
-[*] 22)  Directory API - Customers (supports readonly)
-[*] 23)  Directory API - Domains (supports readonly)
-[*] 24)  Directory API - Groups (supports readonly)
-[*] 25)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 26)  Directory API - Organizational Units (supports readonly)
-[*] 27)  Directory API - Resource Calendars (supports readonly)
-[*] 28)  Directory API - Roles (supports readonly)
-[*] 29)  Directory API - User Schemas (supports readonly)
-[*] 30)  Directory API - User Security
-[*] 31)  Directory API - Users (supports readonly)
-[*] 32)  Email Audit API
-[*] 33)  Groups Migration API
-[*] 34)  Groups Settings API
-[*] 35)  License Manager API
-[*] 36)  People API (supports readonly)
-[*] 37)  People Directory API - read only
-[ ] 38)  Pub / Sub API
-[*] 39)  Reports API - Audit Reports
-[*] 40)  Reports API - Usage Reports
-[ ] 41)  Reseller API
-[*] 42)  Site Verification API
-[*] 43)  Sites API
-[*] 44)  Vault API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
-Please enter 0-42[a|r] or s|u|e|c: 
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
 
@@ -594,11 +690,14 @@ file or define a new section in `gam.cfg` that references a different `oauth2ser
 gam create|add svcacct [[admin] <EmailAddress>] [<ProjectIDEntity>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
+        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+         (localkeysize 1024|2048|4096 [validityhours <Number>])|
+         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]
 ```
 * `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 
 Use these options to select projects.
-* `current` - The project referenced in `client_secret.json`; this is the default
+* `current` - The project referenced in `client_secrets.json`; this is the default
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -608,6 +707,8 @@ Use these options to select user-specified values..
 * `sadisplayname <ServiceAccountDisplayName>` - Service account display name
 * `sadescription <ServiceAccountDescription>` - Service account description
 
+You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`: [Manage Service Account keys](#manage-service-account-keys)
+
 After adding an additional service account, you can select specific access APIs for it.
 [Selective Service Account access](#selective-service-account-access)
 
@@ -619,7 +720,7 @@ gam delete svcacct [[admin] <EmailAddress>] [<ProjectIDEntity>]
 * `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 
 Use these options to select projects.
-* `current` - The project referenced in `client_secret.json`; this is the default
+* `current` - The project referenced in `client_secrets.json`; this is the default
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -640,7 +741,7 @@ gam print svcaccts [[admin] <EmailAddress>] [all|<ProjectIDEntity>]
 
 Use these options to select projects.
 * `all` - All projects accessible by the administrator; this is the default
-* `current` - The project referenced in `client_secret.json`
+* `current` - The project referenced in `client_secrets.json`
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -664,6 +765,7 @@ There are several methods for generating private keys:
 * `localkeysize 1024` - Gam generates a 1024 bit key; this is not recommended
 * `localkeysize 2048` - Gam generates a 2048 bit key; this is the default
 * `localkeysize 4096` - Gam generates a 4096 bit key
+* `yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]` - [Using GAM7 with a YubiKey](Using-GAM7-with-a-YubiKey)
 
 When `localkeysize` is specified, the optional argument `validityhours <Number>` sets the length of time during which the key will be valid and should be used when the [GCP constraints/iam.serviceAccountKeyExpiryHours organization policy](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#limit_key_expiry) is in use. Note that in order to account for system clock skew, GAM sets the key to be valid two minutes earlier than the current system time and thus it will also expire two minutes earlier.
 
@@ -685,20 +787,16 @@ The `oauth2service.json` file is updated with the new private key.
 
 Keep a good record of where each Service Account key is used as the keys themselves do not record this information.
 
-The two forms of the command are equivalent; the second form is used by Basic Gam.
+The two forms of the command are equivalent; the second form is used by Legacy GAM.
 ```
 gam create sakey
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 gam rotate sakey retain_existing
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 ```
 To distribute `oauth2service.json` files with unique private keys perform the following steps:
 ```
@@ -715,20 +813,16 @@ The `oauth2service.json` file is updated with the new private key. If you had pr
 this `oauth2service.json` file to other users, you must redistribute the updated file as the private key
 in the distributed copies has been revoked.
 
-The two forms of the command are equivalent; the second form is used by Basic Gam.
+The two forms of the command are equivalent; the second form is used by Legacy GAM.
 ```
 gam update sakey
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
-gam rotate sakey replace_existing
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
+gam rotate sakey replace_current
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 ```
 ## Replace all existing Service Account keys
 Create a new Service Account private key; all existing private keys are revoked.
@@ -738,20 +832,16 @@ in the distributed copies has been revoked.
 
 This command can be used if your Service Account keys have been compromised; all existing private keys are revoked.
 
-The two forms of the command are equivalent; the second form is used by Basic Gam.
+The two forms of the command are equivalent; the second form is used by Legacy GAM.
 ```
 gam replace sakeys
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 gam rotate sakeys retain_none
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 ```
 ## Delete Service Account keys
 You can delete Service Accounts keys thus revoking access for that key. Generally, you will
@@ -759,10 +849,24 @@ delete a service account key for a distributed copy of an `oauth2service.json` f
 that user's service account access.
 
 You can disable your current Service Account key if you specify the `doit` argument. This is your
-acknowledgement that you will have to manually create a new Service Account key in the Developer's Console.
+acknowledgement that you will have to manually create a new Service Account key in the Developer's Console
+or upload a new key with the `gam upload sakey` command.
 ```
 gam delete sakeys <ServiceAccountKeyList>+ [doit]
 ```
+## Upload a Service Account key to a service account with no keys
+There are two cases where you will use this command:
+* Your workspace is configured to disable service account private key uploads and you are creating a project.
+* All of your service account keys have been deleted, either manually or with the `gam delete sakeys` command.
+
+The `oauth2service.json` file is updated with the new private key. If you had previously distributed
+any `oauth2service.json` file to other users, you must redistribute the updated file with the new key.
+```
+gam upload sakey [admin <EmailAddress>]
+        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
+```
 ## Display Service Account keys
 There are system keys and user keys; user keys are what Gam uses; GCP uses system keys.
 
@@ -786,24 +890,38 @@ By default, the following scopes are verified:
 ```
 https://mail.google.com/
 https://sites.google.com/feeds
-https://www.google.com/m8/feeds
+https://www.googleapis.com/auth/analytics.readonly
 https://www.googleapis.com/auth/apps.alerts
 https://www.googleapis.com/auth/calendar
+https://www.googleapis.com/auth/chat.delete
+https://www.googleapis.com/auth/chat.memberships
+https://www.googleapis.com/auth/chat.messages
+https://www.googleapis.com/auth/chat.spaces
 https://www.googleapis.com/auth/classroom.announcements
 https://www.googleapis.com/auth/classroom.coursework.students
+https://www.googleapis.com/auth/classroom.courseworkmaterials
 https://www.googleapis.com/auth/classroom.profile.emails
+https://www.googleapis.com/auth/classroom.profile.photos
 https://www.googleapis.com/auth/classroom.rosters
 https://www.googleapis.com/auth/classroom.topics
 https://www.googleapis.com/auth/cloud-identity
 https://www.googleapis.com/auth/cloud-platform
-https://www.googleapis.com/auth/cloudprint
 https://www.googleapis.com/auth/contacts
+https://www.googleapis.com/auth/contacts.other.readonly
+https://www.googleapis.com/auth/datastudio
+https://www.googleapis.com/auth/directory.readonly
+https://www.googleapis.com/auth/documents
 https://www.googleapis.com/auth/drive
 https://www.googleapis.com/auth/drive.activity
+https://www.googleapis.com/auth/drive.admin.labels
+https://www.googleapis.com/auth/drive.labels
 https://www.googleapis.com/auth/gmail.modify
 https://www.googleapis.com/auth/gmail.settings.basic
 https://www.googleapis.com/auth/gmail.settings.sharing
+https://www.googleapis.com/auth/keep
 https://www.googleapis.com/auth/spreadsheets
+https://www.googleapis.com/auth/tasks
+https://www.googleapis.com/auth/userinfo.profile
 ```
 This scope is verified when `user_service_account_access_only = true` in `gam.cfg`.
 ```
@@ -831,12 +949,127 @@ gam <UserTypeEntity> update serviceaccount (scope|scopes <APIScopeURLList>)*
 * `<UserTypeEntity>` - Typically `user <EmailAddress>`, a non-Google Workspace administrator.
 * `scopes <APIScopeURLList>` - Verify/enable service account access for a set of specific scopes rather than selecting the scopes.
 
+```
+gam user user@domain.com update serviceaccount
+
+[*]  0)  AlertCenter API
+[*]  1)  Analytics API - read only
+[*]  2)  Analytics Admin API - read only
+[*]  3)  Calendar API (supports readonly)
+[*]  4)  Chat API - Memberships (supports readonly)
+[*]  5)  Chat API - Messages (supports readonly)
+[*]  6)  Chat API - Spaces (supports readonly)
+[*]  7)  Chat API - Spaces Delete
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Profile Emails
+[*] 13)  Classroom API - Profile Photos
+[*] 14)  Classroom API - Rosters (supports readonly)
+[*] 15)  Cloud Identity Devices API (supports readonly)
+[*] 16)  Cloud Resource Manager API v3
+[*] 17)  Docs API (supports readonly)
+[*] 18)  Drive API (supports readonly)
+[*] 19)  Drive API - todrive
+[*] 20)  Drive Activity API v2 - must pair with Drive API
+[*] 21)  Drive Labels API v2beta - Admin (supports readonly)
+[*] 22)  Drive Labels API v2beta - User (supports readonly)
+[*] 23)  Forms API
+[*] 24)  Gmail API - Basic Settings (Filters,IMAP, Language, POP, Vacation) - read/write, Sharing Settings (Delegates, Forwarding, SendAs) - read
+[*] 25)  Gmail API - Full Access (Labels, Messages)
+[*] 26)  Gmail API - Full Access (Labels, Messages) except delete message
+[ ] 27)  Gmail API - Full Access - read only
+[ ] 28)  Gmail API - Send Messages - including todrive
+[*] 29)  Gmail API - Sharing Settings (Delegates, Forwarding, SendAs) - write
+[*] 30)  Identity and Access Management API
+[*] 31)  Keep API (supports readonly)
+[*] 32)  Looker Studio API (supports readonly)
+[*] 33)  OAuth2 API
+[*] 34)  People API (supports readonly)
+[*] 35)  People API - Other Contacts - read only
+[*] 36)  People Directory API - read only
+[*] 37)  Sheets API (supports readonly)
+[*] 38)  Sheets API - todrive
+[*] 39)  Sites API
+[*] 40)  Tasks API (supports readonly)
+[ ] 41)  Youtube API - read only
+
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+
+Please enter 0-41[a|r] or s|u|e|c: c
+
+System time status
+  Your system time differs from admin.googleapis.com by less than 1 second  PASS
+Service Account Private Key Authentication
+  Authentication                                                            PASS
+Service Account Private Key age; Google recommends rotating keys on a routine basis
+  Service Account Private Key age: 364 days                                 WARN
+Domain-wide Delegation authentication:, User: user@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.profile.photos                  PASS (14/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (15/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (16/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (17/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (18/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (19/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (20/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (21/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (22/34)
+  https://www.googleapis.com/auth/documents                                 PASS (23/34)
+  https://www.googleapis.com/auth/drive                                     PASS (24/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (25/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (26/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (27/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (29/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (30/34)
+  https://www.googleapis.com/auth/keep                                      PASS (31/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (32/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (33/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (34/34)
+Some scopes Failed!
+To authorize them, please go to the following link in your browser:
+
+    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.google.com/,...
+
+You will be directed to the Google Workspace admin console Security > API Controls > Domain-wide Delegation page
+The "Add a new Client ID" box will open
+Make sure that "Overwrite existing client ID" is checked
+Click AUTHORIZE
+When the box closes you're done
+After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
+```
+
 ## Configure Limited access
 You can configure GAM to allow users limited access to your domain via GAM.
 You can limit both client and service account access.
 You can repeat these steps if you want to configure multiple limited users;
 substitute a unique value for `limited` in each of the steps.
 
+In the Admin console, define a new Admin role with the desired privileges,
+assign it to the limited user and indicate whether it is for all Org Units or a specific Org Unit.
+
 On your computer, perform these initial steps:
 
 Make a subdirectory `limited` under the directory specified in `gam.cfg config_dir`
@@ -900,7 +1133,7 @@ This will prevent the limited user from having any client access.
 Perform these steps:
 
 Create a a new service account in your project that will be used for the limited user;
-this will create `outh2service.json`.
+this will create `oauth2service.json`.
 ```
 gam add svcacct saname "gam-limited" sadisplayname "GAM Limited"
 ```

docs/BNF-Syntax.md

@@ -1,7 +1,7 @@
-# Syntax
+!# Syntax
 
 ## BNF Syntax
-This Wiki describes the GAM command line syntax in modified BNF.
+This Wiki describes the GAM7 command line syntax in modified BNF.
 * https://en.wikipedia.org/wiki/Backus-Naur_Form
 
 Skip the History section and start reading at Introduction.

docs/Basic-Items.md

@@ -1,4 +1,4 @@
-# Basic Items
+!# Basic Items
 - [Primitives](#primitives)
 - [Items built from primitives](#items-built-from-primitives)
 - [Named items](#named-items)
@@ -16,44 +16,7 @@
 <FalseValues>= false|off|no|disabled|0
 <TrueValues> ::= true|on|yes|enabled|1
 
-<Charset> ::= ascii|latin1|mbcs|utf-8|utf-8-sig|utf-16|<String>
-<CalendarColorIndex> ::= <Number in range 1-24>
-<CalendarColorName> ::=
-        amethyst|avocado|banana|basil|birch|blueberry|
-        cherryblossom|citron|cobalt|cocoa|eucalyptus|flamingo|
-        grape|graphite|lavender|mango|peacock|pistachio|
-        pumpkin|radicchio|sage|tangerine|tomato|wisteria|
-<ColorHex> ::= "#<Hex><Hex><Hex><Hex><Hex><Hex>"
-<ColorNameGoogle> ::=
-        asparagus|bluevelvet|bubblegum|cardinal|chocolateicecream|denim|desertsand|
-        earthworm|macaroni|marsorange|mountaingray|mountaingrey|mouse|oldbrickred|
-        pool|purpledino|purplerain|rainysky|seafoam|slimegreen|spearmint|
-        toyeggplant|vernfern|wildstrawberries|yellowcab
-<ColorNameWeb> ::=
-        aliceblue|antiquewhite|aqua|aquamarine|azure|beige|bisque|black|blanchedalmond|
-        blue|blueviolet|brown|burlywood|cadetblue|chartreuse|chocolate|coral|
-        cornflowerblue|cornsilk|crimson|cyan|darkblue|darkcyan|darkgoldenrod|darkgray|
-        darkgrey|darkgreen|darkkhaki|darkmagenta|darkolivegreen|darkorange|darkorchid|
-        darkred|darksalmon|darkseagreen|darkslateblue|darkslategray|darkslategrey|
-        darkturquoise|darkviolet|deeppink|deepskyblue|dimgray|dimgrey|dodgerblue|
-        firebrick|floralwhite|forestgreen|fuchsia|gainsboro|ghostwhite|gold|goldenrod|
-        gray|grey|green|greenyellow|honeydew|hotpink|indianred|indigo|ivory|khaki|
-        lavender|lavenderblush|lawngreen|lemonchiffon|lightblue|lightcoral|lightcyan|
-        lightgoldenrodyellow|lightgray|lightgrey|lightgreen|lightpink|lightsalmon|
-        lightseagreen|lightskyblue|lightslategray|lightslategrey|lightsteelblue|
-        lightyellow|lime|limegreen|linen|magenta|maroon|mediumaquamarine|mediumblue|
-        mediumorchid|mediumpurple|mediumseagreen|mediumslateblue|mediumspringgreen|
-        mediumturquoise|mediumvioletred|midnightblue|mintcream|mistyrose|moccasin|
-        navajowhite|navy|oldlace|olive|olivedrab|orange|orangered|orchid|
-        palegoldenrod|palegreen|paleturquoise|palevioletred|papayawhip|peachpuff|
-        peru|pink|plum|powderblue|purple|red|rosybrown|royalblue|saddlebrown|salmon|
-        sandybrown|seagreen|seashell|sienna|silver|skyblue|slateblue|slategray|
-        slategrey|snow|springgreen|steelblue|tan|teal|thistle|tomato|turquoise|violet|
-        wheat|white|whitesmoke|yellow|yellowgreen
-<ColorName> ::= <ColorNameGoogle>|<ColorNameWeb>
-<ColorValue> ::= <ColorName>|<ColorHex>
-<DayOfWeek> ::= mon|tue|wed|thu|fri|sat|sun
-<DriveLabelLanguageCode> ::=
+<BCP47LanguageCode> ::=
         ar-sa| # Arabic Saudi Arabia
         cs-cz| # Czech Czech Republic
         da-dk| # Danish Denmark
@@ -91,6 +54,43 @@
         zh-cn| # Chinese China
         zh-hk| # Chinese Hong Kong
         zh-tw  # Chinese Taiwan
+<Charset> ::= ascii|latin1|mbcs|utf-8|utf-8-sig|utf-16|<String>
+<CalendarColorIndex> ::= <Number in range 1-24>
+<CalendarColorName> ::=
+        amethyst|avocado|banana|basil|birch|blueberry|
+        cherryblossom|citron|cobalt|cocoa|eucalyptus|flamingo|
+        grape|graphite|lavender|mango|peacock|pistachio|
+        pumpkin|radicchio|sage|tangerine|tomato|wisteria|
+<ColorHex> ::= "#<Hex><Hex><Hex><Hex><Hex><Hex>"
+<ColorNameGoogle> ::=
+        asparagus|bluevelvet|bubblegum|cardinal|chocolateicecream|denim|desertsand|
+        earthworm|macaroni|marsorange|mountaingray|mountaingrey|mouse|oldbrickred|
+        pool|purpledino|purplerain|rainysky|seafoam|slimegreen|spearmint|
+        toyeggplant|vernfern|wildstrawberries|yellowcab
+<ColorNameWeb> ::=
+        aliceblue|antiquewhite|aqua|aquamarine|azure|beige|bisque|black|blanchedalmond|
+        blue|blueviolet|brown|burlywood|cadetblue|chartreuse|chocolate|coral|
+        cornflowerblue|cornsilk|crimson|cyan|darkblue|darkcyan|darkgoldenrod|darkgray|
+        darkgrey|darkgreen|darkkhaki|darkmagenta|darkolivegreen|darkorange|darkorchid|
+        darkred|darksalmon|darkseagreen|darkslateblue|darkslategray|darkslategrey|
+        darkturquoise|darkviolet|deeppink|deepskyblue|dimgray|dimgrey|dodgerblue|
+        firebrick|floralwhite|forestgreen|fuchsia|gainsboro|ghostwhite|gold|goldenrod|
+        gray|grey|green|greenyellow|honeydew|hotpink|indianred|indigo|ivory|khaki|
+        lavender|lavenderblush|lawngreen|lemonchiffon|lightblue|lightcoral|lightcyan|
+        lightgoldenrodyellow|lightgray|lightgrey|lightgreen|lightpink|lightsalmon|
+        lightseagreen|lightskyblue|lightslategray|lightslategrey|lightsteelblue|
+        lightyellow|lime|limegreen|linen|magenta|maroon|mediumaquamarine|mediumblue|
+        mediumorchid|mediumpurple|mediumseagreen|mediumslateblue|mediumspringgreen|
+        mediumturquoise|mediumvioletred|midnightblue|mintcream|mistyrose|moccasin|
+        navajowhite|navy|oldlace|olive|olivedrab|orange|orangered|orchid|
+        palegoldenrod|palegreen|paleturquoise|palevioletred|papayawhip|peachpuff|
+        peru|pink|plum|powderblue|purple|red|rosybrown|royalblue|saddlebrown|salmon|
+        sandybrown|seagreen|seashell|sienna|silver|skyblue|slateblue|slategray|
+        slategrey|snow|springgreen|steelblue|tan|teal|thistle|tomato|turquoise|violet|
+        wheat|white|whitesmoke|yellow|yellowgreen
+<ColorName> ::= <ColorNameGoogle>|<ColorNameWeb>
+<ColorValue> ::= <ColorName>|<ColorHex>
+<DayOfWeek> ::= mon|tue|wed|thu|fri|sat|sun
 <EventColorIndex> ::= <Number in range 1-11>
 <EventColorName> ::=
         banana|basil|blueberry|flamingo|graphite|grape|
@@ -119,7 +119,7 @@
         #7a4706|#8a1c0a|#994a64|#ffffff
 <LanguageCode> ::=
         ach|af|ag|ak|am|ar|az|be|bem|bg|bn|br|bs|ca|chr|ckb|co|crs|cs|cy|da|de|
-        ee|el|en|en-gb|en-us|eo|es|es-419|et|eu|fa|fi|fil|fo|fr|fr-ca|fy|
+        ee|el|en|en-ca|en-gb|en-us|eo|es|es-419|et|eu|fa|fi|fil|fo|fr|fr-ca|fy|
         ga|gaa|gd|gl|gn|gu|ha|haw|he|hi|hr|ht|hu|hy|ia|id|ig|in|is|it|iw|ja|jw|
         ka|kg|kk|km|kn|ko|kri|ku|ky|la|lg|ln|lo|loz|lt|lua|lv|
         mfe|mg|mi|mk|ml|mn|mo|mr|ms|mt|my|ne|nl|nn|no|nso|ny|nyn|oc|om|or|
@@ -211,6 +211,7 @@
         gfolder|gdirectory|
         gform|
         gfusion|
+        gjam|
         gmap|
         gpresentation|
         gscript|
@@ -221,72 +222,6 @@
         shortcut
 <MimeTypeName> ::= application|audio|font|image|message|model|multipart|text|video
 <MimeType> ::= <MimeTypeShortcut>|(<MimeTypeName>/<String>)
-<ProductID> ::=
-        nv:<String> |
-        101001 |
-        101005 |
-        101031 |
-        101033 |
-        101034 |
-        101035 |
-        101036 |
-        101037 |
-        101039 |
-        101040 |
-        Google-Apps |
-        Google-Chrome-Device-Management |
-        Google-Drive-storage |
-        Google-Vault
-<SKUID> ::=
-        nv:<String>:<String> |
-        20gb | drive20gb | googledrivestorage20gb | Google-Drive-storage-20GB |
-        50gb | drive50gb | googledrivestorage50gb | Google-Drive-storage-50GB |
-        200gb | drive200gb | googledrivestorage200gb | Google-Drive-storage-200GB |
-        400gb | drive400gb | googledrivestorage400gb | Google-Drive-storage-400GB |
-        1tb | drive1tb | googledrivestorage1tb | Google-Drive-storage-1TB |
-        2tb | drive2tb | googledrivestorage2tb | Google-Drive-storage-2TB |
-        4tb | drive4tb | googledrivestorage4tb | Google-Drive-storage-4TB |
-        8tb | drive8tb | googledrivestorage8tb | Google-Drive-storage-8TB |
-        16tb | drive16tb | googledrivestorage16tb | Google-Drive-storage-16TB |
-        assuredcontrols | 1010390001 |
-        bce | beyondcorp | beyondcorpenterprise | 1010400001 |
-        cdm | chrome | googlechromedevicemanagement | Google-Chrome-Device-Management |
-        cloudidentity | identity | 1010010001 |
-        cloudidentitypremium | identitypremium | 1010050001 |
-        cloudsearch | 1010350001 |
-        gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
-        gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
-        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 |
-        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 |
-        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 |
-        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 |
-        gsuitegov | gafg | gsuitegovernment | Google-Apps-For-Government |
-        gsuitelite | gal | gsl | lite | Google-Apps-Lite |
-        gwep | workspaceeducationplus | 1010310008 |
-        gwepstaff | workspaceeducationplusstaff | 1010310009 |
-        gwepstudent | workspaceeducationplusstudent | 1010310010 |
-        gwes | workspaceeducationstandard | 1010310005 |
-        gwesstaff | workspaceeducationstandardstaff | 1010310006 |
-        gwesstudent | workspaceeducationstandardstudent | 1010310007 |
-        gwetlu | workspaceeducationupgrade | 1010370001 |
-        meetdialing | googlemeetglobaldialing | 1010360001 |
-        postini | gams | gsuitegams | gsuitepostini | gsuitemessagesecurity | Google-Apps-For-Postini |
-        standard | free | Google-Apps |
-        vault | googlevault | Google-Vault |
-        vfe | googlevaultformeremployee | Google-Vault-Former-Employee |
-        voicepremier | gvpremier | googlevoicepremier | 1010330002 |
-        voicestandard | gvstandard | googlevoicestandard | 1010330004 |
-        voicestarter | gvstarter | googlevoicestarter | 1010330003 |
-        wsbizplus | workspacebusinessplus | 1010020025 |
-        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 |
-        wsbizstan | workspacebusinessstandard | 1010020028 |
-        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 |
-        wsentess | workspaceenterpriseessentials | 1010060003 |
-        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 |
-        wsentstan | workspaceenterprisestandard | 1010020026 |
-        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 |
-        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 |
-        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030
 ```
 ## Items built from primitives
 ```
@@ -345,7 +280,7 @@
 <ChannelCustomerID> ::= <String>
 <ChatMember> ::= spaces/<String>/members/<String>
 <ChatMessage> ::= spaces/<String>/messages/<String>
-<ChatSpace> ::= spaces/<String> | <String>
+<ChatSpace> ::= spaces/<String> | space <String> | space spaces/<String>
 <ChatThread> ::= spaces/<String>/threads/<String>
 <ClassroomInvitationID> ::= <String>
 <ClientID> ::= <String>
@@ -371,12 +306,6 @@
 <CourseWorkState> ::= draft|published|deleted
 <CrOSID> ::= <String>
 <CustomerID> ::= <String>
-<DataStudioAssetID> ::= <String>
-<DataStudioPermission> ::=
-        user:<EmailAddress>|
-        group:<EmailAddress>|
-        domain:<DomainName>|
-        serviceAccount:<EmailAddress>
 <DeliverySetting> ::=
         allmail|
         abridged|daily|
@@ -426,6 +355,7 @@
 <DriveLabelFieldID> ::= <String>
 <DriveLabelSelectionID> ::= <String>
 <DriveLabelName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]
+<DriveLabelPermissionName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]/permissions/(audiences|groups|people)/<String>
 <EmailAddress> ::= <String>@<DomainName>
 <EmailItem> ::= <EmailAddress>|<UniqueID>|<String>
 <EmailReplacement> ::= <String>
@@ -452,15 +382,22 @@
 <LabelID> ::= Label_<String>
 <LabelName> ::= <String>
 <LabelReplacement> ::= <String>
+<LookerStudioAssetID> ::= <String>
+<LookerStudioPermission> ::=
+        user:<EmailAddress>|
+        group:<EmailAddress>|
+        domain:<DomainName>|
+        serviceAccount:<EmailAddress>
 <Marker> ::= <String>
 <MatterItem> ::= <UniqueID>|<String>
 <MatterState> ::= open|closed|deleted
+<MeetConferenceName> ::= conferenceRecords/<String>
+<MeetSpaceName> ::= spaces/<String> | <String>
 <MessageContent> ::=
         (message|textmessage|htmlmessage <String>)|
         (file|textfile|htmlfile <FileName> [charset <Charset>])|
         (gdoc|ghtml <UserGoogleDoc>)|
-        (gcsdoc|gcshtml <StorageBucketObjectName>)|
-        (emlfile <FileName>)
+        (gcsdoc|gcshtml <StorageBucketObjectName>)
 <MessageID> ::= <String>
 <Namespace> ::= <String>
 <NotesName> ::= notes/<String>
@@ -522,6 +459,7 @@
 <ResellerID> ::= <String>
 <ResourceID> ::= <String>
 <SchemaName> ::= <String>
+<SchemaNameField> ::= <SchemaName>.<FieldName>
 <Section> ::= <String>
 <SendAsContent> ::=
         (sig|signature|htmlsig <String>)|
@@ -534,7 +472,7 @@
 <ServiceAccountDisplayName> ::= <String>
         Maximum of 100 characters
 <ServiceAccountDescrition> ::= <String>
-       Maximumof 256 chcracters
+       Maximum of 256 chcracters
 <ServiceAccountEmail> ::= <ServiceAccountName>@<ProjectID>.iam.gserviceaccount.com
 <ServiceAccountUniqueID> ::= <Number>
 <ServiceAccountKey> ::= <String>
@@ -570,6 +508,7 @@
 <TakeoutBucketName> ::= takeout-export-[a-f,0-9,-]*
 <TaskID> ::= <String>
 <TaskListID> ::= <String>
+<TaskListTitle> ::= tltitle:<String>
 <TasklistIDTaskID> ::= <TasklistID>/<TaskID>
 <ThreadID> ::= <String>
 <TimeZone> ::= <String>
@@ -577,6 +516,7 @@
 <Title> ::= <String>
 <ToDriveAttribute> ::=
         (tdaddsheet [<Boolean>])|
+        (tdalert <EmailAddress>)*|
         (tdbackupsheet (id:<Number>)|<String>)|
         (tdcellnumberformat text|number)|
         (tdcellwrap clip|overflow|wrap)|
@@ -584,15 +524,20 @@
         (tdcopysheet (id:<Number>)|<String>)|
         (tddescription <String>)|
         (tdfileid <DriveFileID>)|
+        (tdfrom <EmailAddress>)|
         (tdlocalcopy [<Boolean>])|
         (tdlocale <Locale>)|
         (tdnobrowser [<Boolean>])|
         (tdnoemail [<Boolean>])|
+        (tdnoescapechar [<Boolean>])|
+        (tdnotify [<Boolean>])|
         (tdparent (id:<DriveFolderID>)|<DriveFolderName>)|
-        (tdshare <EmailAddress> commenter|reader|writer)|
+        (tdretaintitle [<Boolean>])|
+        (tdshare <EmailAddress> commenter|reader|writer)*|
         (tdsheet (id:<Number>)|<String>)|
         (tdsheettimestamp [<Boolean>] [tdsheettimeformat <String>])
         (tdsheettitle <String>)|
+        (tdsubject <String>)|
         ([tdsheetdaysoffset <Number>] [tdsheethoursoffset <Number>])|
         (tdtimestamp [<Boolean>] [tdtimeformat <String>]
             [tddaysoffset <Number>] [tdhoursoffset <Number>])|
@@ -611,4 +556,5 @@
         (file|textfile|htmlfile <FileName> [charset <Charset>])|
         (gdoc|ghtml <UserGoogleDoc>)|
         (gcsdoc|gcshtml <StorageBucketObjectName>)
+<YouTubeChannelID> ::= <String>
 ```

docs/Bulk-Processing.md

@@ -1,4 +1,4 @@
-# Bulk Processing
+!# Bulk Processing
 - [Introduction](#introduction)
 - [Python Regular Expressions](Python-Regular-Expressions)
 - [GAM Configuration](gam.cfg)
@@ -8,6 +8,7 @@
 - [CSV files](#csv-files)
 - [CSV files with redirection and select](#csv-files-with-redirection-and-select)
 - [Automatic batch processing](#automatic-batch-processing)
+- [Process Google Sheet commands and save results](#process-google-sheet-commands-and-save-results)
 
 ## Introduction
 Batch and CSV file processing can improve performance by executing Gam commands in parallel.
@@ -41,6 +42,8 @@ Batch files can contain the following types of lines:
   * GAM waits for all running GAM commands to complete
   * GAM prints \<String\> and waits for the user to press any key
   * GAM continues
+* sleep \<Integer\> - Batch processing will suspend for \<Integer\> seconds before the next command line is processed
+  * To be effective, this should immediately follow commit-batch
 * print \<String\> - Print \<String\> on stderr
 * set \<KeywordString\> \<ValueString\>
   * Subsequent lines will have %\<KeywordString\>% replaced with \<ValueString\>
@@ -55,7 +58,7 @@ Tbatch files can also contain the following line:
 * You have a CSV file NewStudents.csv with columns: Email,First,Last,GradYear,Password
 * You have a batch file NewStudents.bat containing these commands:
 ```
-gam csv NewStudents.csv gam create user ~Email firstname ~First lastname ~Last org "/Students/~~GradYear~~" password ~Password
+gam csv NewStudents.csv gam create user "~Email" firstname "~First" lastname "~Last" org "/Students/~~GradYear~~" password "~Password"
 commit-batch
 gam update group seniors sync members ou /Students/2020
 gam update group juniors sync members ou /Students/2021
@@ -69,15 +72,15 @@ gam redirect stdout ./NewStudents.out redirect stderr ./NewStudents.err tbatch N
 ## CSV files
 ```
 gam csv <FileName>|-|(gsheet <UserGoogleSheet>)|(gdoc <UserGoogleDoc>) [charset <Charset>] [warnifnodata]
-        [columndelimiter <Character>] [quotechar <Character>] [fields <FieldNameList>]
+        [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>] [fields <FieldNameList>]
         (matchfield|skipfield <FieldName> <RegularExpression>)* [showcmds [<Boolean>]]
-        [maxrows <Integer>]
+        [skiprows <Integer>] [maxrows <Integer>]
         gam <GAMArgumentList>
 
 gam loop <FileName>|-|(gsheet <UserGoogleSheet>)|(gdoc <UserGoogleDoc>) [charset <Charset>] [warnifnodata]
-        [columndelimiter <Character>] [quotechar <Character>] [fields <FieldNameList>]
+        [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>] [fields <FieldNameList>]
         (matchfield|skipfield <FieldName> <RegularExpression>)* [showcmds [<Boolean>]]
-        [maxrows <Integer>]
+        [skiprows <Integer>] [maxrows <Integer>]
         gam <GAMArgumentList>
 ```
 * `gam csv` - Use parallel processing
@@ -87,11 +90,15 @@ gam loop <FileName>|-|(gsheet <UserGoogleSheet>)|(gdoc <UserGoogleDoc>) [charset
 * `gsheet <UserGoogleSheet>` - A Google Sheet and the one or more columns that contain data
 * `gdoc <UserGoogleDoc>` - A Google Doc and the one or more columns that contain data
 * `columndelimiter <Character>` - Columns are separated by `<Character>`; if not specified, the value of `csv_input_column_delimiter` from `gam.cfg` will be used
+* `noescapechar <Boolean>` - Should `\` be ignored as an escape character; if not specified, the value of `csv_input_no_escape_char` from `gam.cfg` will be used
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings.
 * `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `showcmds` - Write `timestamp,command number/number of commands,command` to stderr when each command starts; write `timestamp, command number/numberof commands,complete` to stderr when command completes
-* `maxrows <Integer>` - Limit the number of filtered rows processed from the CSV file/Google Sheet.
+* `skiprows <Integer>` - Skip filtered rows from the CSV file/Google Sheet.
+  * `skiprows 0` - All rows are processed, this is the default
+  * `skiprows N` - The first N filtered rows are skipped
+* `maxrows <Integer>` - Limit the number of filtered rows processed from the CSV file/Google Sheet after any skipped rows.
   * `maxrows 0` - All rows are processed, this is the default
   * `maxrows N` - N filtered rows are processed
 
@@ -114,7 +121,7 @@ Put a space in front of the `~`: `targetfolder " ~/Documents/GamWork"` to avoid
 * You want a note field that shows their email address as name AT domain.com
 * You have a CSV file Users.csv with columns: primaryEmail,Street,City,State,ZIP
 ```
-gam csv Users.csv gam update user ~primaryEmail address type work unstructured "~~Street~~, ~~City~~, ~~State~~ ~~ZIP~~" primary note text_plain "~~primaryEmail~!~^(.+)@(.+)$~!~\1 AT \2~~"
+gam csv Users.csv gam update user "~primaryEmail" address type work unstructured "~~Street~~, ~~City~~, ~~State~~ ~~ZIP~~" primary note text_plain "~~primaryEmail~!~^(.+)@(.+)$~!~\1 AT \2~~"
 ```
 * You want to do the above using a Google Sheet
 ```
@@ -124,25 +131,44 @@ gam csv gsheet <user> <fileID> "<sheetName>" gam update user "~primaryEmail" add
 ## CSV files with redirection and select
 You should use the `multiprocess` option on any redirected files: `csv`, `stdout`, `stderr`.
 ```
-gam redirect csv ./filelistperms.csv multiprocess csv Users.csv gam user ~primaryEmail print filelist fields id,title,permissions,owners.emailaddress
+gam redirect csv ./filelistperms.csv multiprocess csv Users.csv gam user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
+gam redirect csv - multiprocess todrive csv Users.csv gam user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
 ```
 
 If you want to select a `gam.cfg` section for the command, you can select the section at the outer `gam` and save it
 or select the section at the inner `gam`.
 ```
-gam select <Section> save redirect csv ./filelistperms.csv multiprocess csv Users.csv gam user ~primaryEmail print filelist fields id,title,permissions,owners.emailaddress
-gam redirect csv ./filelistperms.csv multiprocess csv Users.csv gam select <Section> user ~primaryEmail print filelist fields id,title,permissions,owners.emailaddress
+gam select <Section> save redirect csv ./filelistperms.csv multiprocess csv Users.csv gam user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
+gam redirect csv ./filelistperms.csv multiprocess csv Users.csv gam select <Section> user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
+gam select <Section> save redirect csv - multiprocess todrive csv Users.csv gam user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
+gam redirect csv - multiprocess todrive csv Users.csv gam select <Section> user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
 ```
 
 ## Automatic batch processing
 You can enable automatic batch (parallel) processing when issuing commands of the form `gam <UserTypeEntity> ...`.
 In the following example, if the number of users in group sales@domain.com exceeds 1, then the `print filelist` command will be processed in parallel.
 ```
-gam config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess group sales@domain.com print filelist fields id,title,permissions,owners.emailaddress
+gam config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess group sales@domain.com print filelist fields id,name,mimetype,basicpermissions
+gam config auto_batch_min 1 redirect csv - multiprocess todrive group sales@domain.com print filelist fields id,name,mimetype,basicpermissions
 ```
 With automatic batch processing, you should use the `multiprocess` option on any redirected files: `csv`, `stdout`, `stderr`.
 
 If you want to select a `gam.cfg` section for the command, you must select and save it for it to be processed correctly.
 ```
-gam select <Section> save config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess group sales@domain.com print filelist fields id,title,permissions,owners.emailaddress
+gam select <Section> save config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess group sales@domain.com print filelist fields id,name,mimetype,basicpermissions
+```
+
+## Process Google Sheet commands and save results
+You want to process data from a Google Sheet tab and save the results to another tab in the same sheet.
+Make a Google sheet with two tabs: Commands, Results; get the File ID and the two tab IDs.
+Put your command data in the Commands tab.
+
+Run your command, write the results to Results.txt
+```
+gam redirect stdout ./Results.txt multiprocess redirect stderr stdout csv gsheet user@domain.com <FileID> id:<CommandsTabID> gam ... Command
+```
+
+Upload Results.txt to the Results tab of the sheet.
+```
+gam user user@domain.com update drivefile <FileID> localfile Results.txt retainname gsheet id:<ResultsTabID>
 ```

docs/CSV-Input-Filtering.md

@@ -3,6 +3,10 @@
 - [Definitions](#definitions)
 - [Quoting rules](#quoting-rules)
 - [Column row filtering](#column-row-filtering)
+  - [Field names](#field-names)
+  - [Inclusive filters](#inclusive-filters)
+  - [Exclusive filters](#exclusive-filters)
+  - [Matches](#matches)
 - [Column row limiting](#column-row-limiting)
 - [Saving filters in gam.cfg](#saving-filters-in-gamcfg)
 - [Validate filters](#validate-filters)
@@ -12,7 +16,7 @@ There are two values in `gam.cfg` that can be used to filter the input from `gam
 * `csv_input_row_drop_filter` - A list or JSON dictionary used to exclude specific rows based on column values
 
 These filters can be used alone or in conjunction with the `matchfield|skipfield <FieldName> <RegularExpression>` options.
-* https://github.com/taers232c/GAMADV-XTD3/wiki/Bulk-Processing#csv-files
+* https://github.com/GAM-team/GAM/wiki/Bulk-Processing#csv-files
 
 ## Definitions
 [Data Selectors](Collections-of-items)
@@ -39,28 +43,30 @@ These filters can be used alone or in conjunction with the `matchfield|skipfield
 
 <FieldNameFilter> :: = <RegularExpression>
 <RowValueFilter> ::=
-        [(any|all):]count<Operator><Number>|
-        [(any|all):]countrange=<Number>/<Number>|
-        [(any|all):]countrange!=<Number>/<Number>|
-        [(any|all):]date<Operator><Date>|
-        [(any|all):]daterange=<Date>/<Date>|
-        [(any|all):]daterange!=<Date>/<Date>|
-        [(any|all):]length<Operator><Number>|
-        [(any|all):]lengthrange=<Number>/<Number>|
-        [(any|all):]lengthrange!=<Number>/<Number>|
-        [(any|all):]text<Operator><String>|
-        [(any|all):]textrange=<String>/<String>|
-        [(any|all):]textrange!=<String>/<String>|
-        [(any|all):]time<Operator><Time>|
-        [(any|all):]timerange=<Time>/<Time>|
-        [(any|all):]timerange!=<Time>/<Time>|
         [(any|all):]boolean:<Boolean>|
-        [(any|all):]regex:<RegularExpression>|
-        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]count<Operator><Number>|
+        [(any|all):]countrange!=<Number>/<Number>|
+        [(any|all):]countrange=<Number>/<Number>|
+        [(any|all):]data:<DataSelector>|
+        [(any|all):]date<Operator><Date>|
+        [(any|all):]daterange!=<Date>/<Date>|
+        [(any|all):]daterange=<Date>/<Date>|
+        [(any|all):]length<Operator><Number>|
+        [(any|all):]lengthrange!=<Number>/<Number>|
+        [(any|all):]lengthrange=<Number>/<Number>|
+        [(any|all):]notdata:<DataSelector>|
         [(any|all):]notregex:<RegularExpression>|
         [(any|all):]notregexcs:<RegularExpression>|
-        [(any|all):]data:<DataSelector>|
-        [(any|all):]notdata:<DataSelector>|
+        [(any|all):]regex:<RegularExpression>|
+        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]text<Operator><String>|
+        [(any|all):]textrange!=<String>/<String>|
+        [(any|all):]textrange=<String>/<String>|
+        [(any|all):]time<Operator><Time>|
+        [(any|all):]timeofdayrange!=<Hour>:<Minute>/<Hour>:<Minute>|
+        [(any|all):]timeofdayrange=<Hour>:<Minute>/<Hour>:<Minute>|
+        [(any|all):]timerange!=<Time>/<Time>|
+        [(any|all):]timerange=<Time>/<Time>|
 <RowValueFilterList> ::=
         "'<FieldNameFilter>:<RowValueFilter>'(,'<FieldNameFilter>:<RowValueFilter>')*"
 <RowValueFilterJSONList> ::=
@@ -77,11 +83,17 @@ Name:value form.
 * Each `<FieldNameFilter>:<RowValueFilter>` pair should be enclosed in `'`.
 * If `<FieldNameFilter>` contains a `:` or a space, it should be enclosed in `\"`.
 * If `<RegularExpression>` or `<DataSelector>` in `<RowValueFilter>` contain a space, it should be enclosed in `\"`.
+* If `<FieldNameFilter>` or `<RegularExpression>` in `<RowValueFilter>` contain a `\` to escape a special character
+or enter a special sequence, enter `\\\` on Linux and Mac OS, `\\` on Windows,
 
-Example:
+Examples:
 ```
 csv_input_row_filter "'\"accounts:used_quota_in_mb\":count>15000'"
 csv_input_row_filter "'email:data:\"csvfile gsheet:email user@domain.com FileID Sheet1\"'"
+Linux and Mac OS
+csv_input_row_filter "'phones.\\\d+.value:regex:(?:^\\\(510\\\) )|(?:^510[- ])\\\d{3}-\\\d{4}'"
+Windows
+csv_input_row_filter "'phones.\\d+.value:regex:(?:^\\(510\\) )|(?:^510[- ])\\d{3}-\\d{4}'"
 ```
 JSON form.
 ```
@@ -156,11 +168,13 @@ In the case of `notregex|notregexcs|notdata`, the filter matches if some (not al
 If neither `any` or `all` is explicitly specified, `any` is the default.
 
 These are the row value filter types:
+* `boolean:<Boolean>` - Used on fields with Boolean values; a blank field is considered False
 * `count<Operator><Number>` - Used on fields with numbers; a blank field will not match
 * `countrange=<Number>/<Number>` - Used on fields with numbers; a blank field will not match
   * The field value must be `>=` the left `<Number>` and `<=` the right `<Number>`
 * `countrange!=<Number>/<Number>` - Used on fields with numbers; a blank field will not match
   * The field value must be `<` the left `<Number>` or `>` the right `<Number>`
+* `data:<DataSelector>` - Used on fields with text; field value must match some value in `<DataSelector>`; case sensitive
 * `date<Operator><Date>` - Used on fields with dates or times; only the date portion of a time field is compared; a blank field will not match
 * `daterange=<Date>/<Date>` - Used on fields with dates or times; only the date portion of a time field is compared; a blank field will not match
   * The field value must be `>=` the left `<Date>` and `<=` the right `<Date>`
@@ -171,23 +185,25 @@ These are the row value filter types:
   * The field length must be `>=` the left `<Number>` and `<=` the right `<Number>`
 * `lengthrange!=<Number>/<Number>` - Used on fields with strings; non string fields will not match
   * The field length must be `<` the left `<Number>` or `>` the right `<Number>`
+* `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
+* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
+* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
+* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
+* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
 * `text<Operator><String>` - Used on fields with text
 * `textrange=<String>/<String>` - Used on fields with strings
   * The field value must be `>=` the left `<String>` and `<=` the right `<String>`
 * `textrange!=<String>/<String>` - Used on fields with strings
   * The field value must be `<` the left `<String>` or `>` the right `<String>`
 * `time<Operator><Time>` - Used on fields with times; a blank field will not match
+* `timeofdayrange=<Hour>:<Minute>/<Hour>:<Minute>` - Used on fields with times; a blank field will not match
+  * The field value must be `>=` the left `<Hour>:<Minute>` and `<=` the right `<Hour>:<Minute>`
+* `timeofdayrange!=<Hour>:<Minute>/<Hour>:<Minute>` - Used on fields with times; a blank field will not match
+  * The field value must be `<` the left `<Hour>:<Minute>` or `>` the right `<Hour>:<Minute>`
 * `timerange=<Time>/<Time>` - Used on fields with times; a blank field will not match
   * The field value must be `>=` the left `<Time>` and `<=` the right `<Time>`
 * `timerange!=<Time>/<Time>` - Used on fields with times; a blank field will not match
   * The field value must be `<` the left `<Time>` or `>` the right `<Time>`
-* `boolean:<Boolean>` - Used on fields with Boolean values; a blank field is considered False
-* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
-* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
-* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
-* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
-* `data:<DataSelector>` - Used on fields with text; field value must match some value in `<DataSelector>`; case sensitive
-* `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
 
 ### **Change in behavior.**
 In versions prior to `5.12.00`, `regex:<RegularExpression>` and `notregex:<RegularExpression>` were processed in a case sensitive manner;

docs/CSV-Output-Filtering.md

@@ -4,12 +4,18 @@
 - [Quoting rules](#quoting-rules)
 - [Column header filtering](#column-header-filtering)
 - [Column row filtering](#column-row-filtering)
+  - [Field names](#field-names)
+  - [Inclusive filters](#inclusive-filters)
+  - [Exclusive filters](#exclusive-filters)
+  - [Matches](#matches)
 - [Column row limiting](#column-row-limiting)
 - [Saving filters in gam.cfg](#saving-filters-in-gamcfg)
 
-There are five values in `gam.cfg` that can be used to filter the output from `gam print` commands.
+There are seven values in `gam.cfg` that can be used to filter the output from `gam print` commands.
 * `csv_output_header_filter` - A list of `<RegularExpressions>` used to select specific column headers to include
 * `csv_output_header_drop_filter` - A list of `<RegularExpressions>` used to select specific column headers to exclude
+* `csv_output_header_force` - A list of <Strings> used to specify the exact column headers to include
+* `csv_output_header_order` - A list of <Strings> used to specify the column header order; any headers in the file but not in the list will appear after the headers in the list.
 * `csv_output_row_filter` - A list or JSON dictionary used to include specific rows based on column values
 * `csv_output_row_drop_filter` - A list or JSON dictionary used to exclude specific rows based on column values
 * `csv_output_row_limit` - A limit on the number of rows written
@@ -44,28 +50,30 @@ on all platforms.
 <FieldNameFilter> :: = <RegularExpression>
 <ColumnFieldNameFilterList> ::= "<FieldNameFilter>(,<FieldNameFilter>)*"
 <RowValueFilter> ::=
-        [(any|all):]count<Operator><Number>|
-        [(any|all):]countrange=<Number>/<Number>|
-        [(any|all):]countrange!=<Number>/<Number>|
-        [(any|all):]date<Operator><Date>|
-        [(any|all):]textrange=<String>/<String>|
-        [(any|all):]textrange!=<String>/<String>|
-        [(any|all):]daterange=<Date>/<Date>|
-        [(any|all):]daterange!=<Date>/<Date>|
-        [(any|all):]length<Operator><Number>|
-        [(any|all):]lengthrange=<Number>/<Number>|
-        [(any|all):]lengthrange!=<Number>/<Number>|
-        [(any|all):]text<Operator><String>|
-        [(any|all):]time<Operator><Time>|
-        [(any|all):]timerange=<Time>/<Time>|
-        [(any|all):]timerange!=<Time>/<Time>|
         [(any|all):]boolean:<Boolean>|
-        [(any|all):]regex:<RegularExpression>|
-        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]count<Operator><Number>|
+        [(any|all):]countrange!=<Number>/<Number>|
+        [(any|all):]countrange=<Number>/<Number>|
+        [(any|all):]data:<DataSelector>|
+        [(any|all):]date<Operator><Date>|
+        [(any|all):]daterange!=<Date>/<Date>|
+        [(any|all):]daterange=<Date>/<Date>|
+        [(any|all):]length<Operator><Number>|
+        [(any|all):]lengthrange!=<Number>/<Number>|
+        [(any|all):]lengthrange=<Number>/<Number>|
+        [(any|all):]notdata:<DataSelector>
         [(any|all):]notregex:<RegularExpression>|
         [(any|all):]notregexcs:<RegularExpression>|
-        [(any|all):]data:<DataSelector>|
-        [(any|all):]notdata:<DataSelector>
+        [(any|all):]regex:<RegularExpression>|
+        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]text<Operator><String>|
+        [(any|all):]textrange!=<String>/<String>|
+        [(any|all):]textrange=<String>/<String>|
+        [(any|all):]time<Operator><Time>|
+        [(any|all):]timeofdayrange!=<Hour>:<Minute>/<Hour>:<Minute>|
+        [(any|all):]timeofdayrange=<Hour>:<Minute>/<Hour>:<Minute>|
+        [(any|all):]timerange!=<Time>/<Time>|
+        [(any|all):]timerange=<Time>/<Time>|
 <RowValueFilterList> ::=
         "'<FieldNameFilter>:<RowValueFilter>'(,'<FieldNameFilter>:<RowValueFilter>')*"
 <RowValueFilterJSONList> ::=
@@ -83,13 +91,16 @@ Name:value form.
 * If `<FieldNameFilter>` contains a `:` or a space, it should be enclosed in `\"`.
 * If `<RegularExpression>` or `<DataSelector>` in `<RowValueFilter>` contain a space, it should be enclosed in `\"`.
 * If `<FieldNameFilter>` or `<RegularExpression>` in `<RowValueFilter>` contain a `\` to escape a special character
-or enter a special sequence, enter `\\\`.
+or enter a special sequence, enter `\\\` on Linux and Mac OS, `\\` on Windows,
 
-Example:
+Examples:
 ```
 csv_output_row_filter "'\"accounts:used_quota_in_mb\":count>15000'"
 csv_output_row_filter "'email:data:\"csvfile gsheet:email user@domain.com FileID Sheet1\"'"
+Linux and Mac OS
 csv_output_row_filter "'phones.\\\d+.value:regex:(?:^\\\(510\\\) )|(?:^510[- ])\\\d{3}-\\\d{4}'"
+Windows
+csv_output_row_filter "'phones.\\d+.value:regex:(?:^\\(510\\) )|(?:^510[- ])\\d{3}-\\d{4}'"
 ```
 JSON form.
 ```
@@ -113,7 +124,7 @@ where you get more columns than is desirable.
 * `csv_output_header_filter` - Used to select the column headers to include in the output
 * `csv_output_header_drop_filter` - Used to select the column headers to exclude from the output
 
-Typically, you would use the option that involes typing the fewest column names but both options can be used.
+Typically, you would use the option that involves typing the fewest column names but both options can be used.
 When both options are used, `csv_output_header_drop_filter` is processed first, then `csv_output_header_filter`.
 
 Field names are specified by regular expressions; at its simplest, you specify a complete field name.
@@ -171,32 +182,39 @@ primaryEmail,externalIds,externalIds.0.type,externalIds.0.value,externalIds.1.ty
 You can include rows generated by gam print commands based on column values. You specify a list
 of fields (headers) and the values they must have. `csv_output_row_filter` is used to specify the 
 fields and values. Each field name/expression can appear only once in the list.
-
-You specify whether all or any value filters must match for the row to be included in the output.
-
-* `csv_output_row_filter_mode allmatch` - All value filters must match for the row to be included in the output; this is the default
-* `csv_output_row_filter_mode anymatch` - Any value filter must match for the row to be included in the output
-
 ```
 gam config csv_output_row_filter <RowValueFilterList> ...
 gam config csv_output_row_filter <RowValueFilterJSONList> ...
 ```
 
+You optionally specify whether all or any value filters must match for the row to be included in the output.
+
+* `csv_output_row_filter_mode allmatch` - All value filters must match for the row to be included in the output; this is the default
+* `csv_output_row_filter_mode anymatch` - Any value filter must match for the row to be included in the output
+```
+gam config csv_output_row_filter_mode anymatch csv_output_row_filter <RowValueFilterList> ...
+gam config csv_output_row_filter_mode anymatch csv_output_row_filter <RowValueFilterJSONList> ...
+```
+
+
 ### Exclusive filters
 You can exclude rows generated by gam print commands based on column values. You specify a list
 of fields (headers) and the values they must not have. `csv_output_row_drop_filter` is used to specify the 
 fields and values. Each field name/expression can appear only once in the list.
-
-You specify whether all or any value filters must match for the row to be excluded from the output.
-
-* `csv_output_row_filter_drop_mode allmatch` - If all value filters match, the row is excluded from the output
-* `csv_output_row_filter_drop_mode anymatch` - If any value filter matches, the row is excluded from the output; this is the default
-
 ```
 gam config csv_output_row_drop_filter <RowValueFilterList> ...
 gam config csv_output_row_drop_filter <RowValueFilterJSONList> ...
 ```
 
+You optionally specify whether all or any value filters must match for the row to be excluded from the output.
+
+* `csv_output_row_drop_filter_mode allmatch` - If all value filters match, the row is excluded from the output
+* `csv_output_row_drop_filter_mode anymatch` - If any value filter matches, the row is excluded from the output; this is the default
+```
+gam config csv_output_row_drop_filter_mode allmatch csv_output_row_drop_filter <RowValueFilterList> ...
+gam config csv_output_row_drop_filter_mode allmatch csv_output_row_drop_filter <RowValueFilterJSONList> ...
+```
+
 ### Matches
 A filter matches if the field has the desired value. lf you specify a regular expression for a field name that matches
 several columns, the filter matches if any of the columns has a match. In the case of `notregex|notregexcs|notdata`,
@@ -207,11 +225,13 @@ In the case of `notregex|notregexcs|notdata`, the filter matches if some (not al
 If neither `any` or `all` is explicitly specified, `any` is the default.
 
 These are the row value filter types:
+* `boolean:<Boolean>` - Used on fields with Boolean values; a blank field is considered False
 * `count<Operator><Number>` - Used on fields with numbers; a blank field will not match
 * `countrange=<Number>/<Number>` - Used on fields with numbers; a blank field will not match
   * The field value must be `>=` the left `<Number>` and `<=` the right `<Number>`
 * `countrange!=<Number>/<Number>` - Used on fields with numbers; a blank field will not match
   * The field value must be `<` the left `<Number>` or `>` the right `<Number>`
+* `data:<DataSelector>` - Used on fields with text; field value must match some value in `<DataSelector>`; case sensitive
 * `date<Operator><Date>` - Used on fields with dates or times; only the date portion of a time field is compared; a blank field will not match
 * `daterange=<Date>/<Date>` - Used on fields with dates or times; only the date portion of a time field is compared; a blank field will not match
   * The field value must be `>=` the left `<Date>` and `<=` the right `<Date>`
@@ -222,23 +242,25 @@ These are the row value filter types:
   * The field length must be `>=` the left `<Number>` and `<=` the right `<Number>`
 * `lengthrange!=<Number>/<Number>` - Used on fields with strings; non string fields will not match
   * The field length must be `<` the left `<Number>` or `>` the right `<Number>`
+* `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
+* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
+* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
+* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
+* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
 * `text<Operator><String>` - Used on fields with text
 * `textrange=<String>/<String>` - Used on fields with strings
   * The field value must be `>=` the left `<String>` and `<=` the right `<String>`
 * `textrange!=<String>/<String>` - Used on fields with strings
   * The field value must be `<` the left `<String>` or `>` the right `<String>`
 * `time<Operator><Time>` - Used on fields with times; a blank field will not match
+* `timeofdayrange=<Hour>:<Minute>/<Hour>:<Minute>` - Used on fields with times; a blank field will not match
+  * The field value must be `>=` the left `<Hour>:<Minute>` and `<=` the right `<Hour>:<Minute>`
+* `timeofdayrange!=<Hour>:<Minute>/<Hour>:<Minute>` - Used on fields with times; a blank field will not match
+  * The field value must be `<` the left `<Hour>:<Minute>` or `>` the right `<Hour>:<Minute>`
 * `timerange=<Time>/<Time>` - Used on fields with times; a blank field will not match
   * The field value must be `>=` the left `<Time>` and `<=` the right `<Time>`
 * `timerange!=<Time>/<Time>` - Used on fields with times; a blank field will not match
   * The field value must be `<` the left `<Time>` or `>` the right `<Time>`
-* `boolean:<Boolean>` - Used on fields with Boolean values; a blank field is considered False
-* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
-* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
-* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
-* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
-* `data:<DataSelector>` - Used on fields with text; field value must match some value in `<DataSelector>`; case sensitive
-* `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
 
 ### **Change in behavior.**
 In versions prior to `5.12.00`, `regex:<RegularExpression>` and `notregex:<RegularExpression>` were processed in a case sensitive manner;
@@ -314,7 +336,7 @@ gam config csv_output_row_limit 10 auto_batch_min 1 redirect csv ./BigQuotaFiles
 ```
 
 ## Saving filters in gam.cfg
-If you define a value for `csv_output_header_filter`, `csv_output_header_drop_filter`, `csv_output_row_filter`, `csv_output_row_drop_filter` or `csv_output_row_limit` in the `[DEFAULT]` section of `gam.cfg`,
+If you define a value for `csv_output_header_filter`, `csv_output_header_drop_filter`, `csv_output_header_force`, `csv_output_header_order`, `csv_output_row_filter`, `csv_output_row_drop_filter` or `csv_output_row_limit` in the `[DEFAULT]` section of `gam.cfg`,
 it will apply to every `gam print` command which is probably not desirable. You can store them in `gam.cfg` in named sections.
 ```
 [Filter510]

docs/CSV-Special-Characters.md

@@ -0,0 +1,94 @@
+!# CSV Special Characters
+- [Python CSV documentation](https://docs.python.org/3/library/csv.html#dialects-and-formatting-parameters)
+
+## Python variables that control CSV file reading/writing:
+```
+Dialect.delimiter
+    A one-character string used to separate fields.
+    It defaults to ','.
+
+Dialect.doublequote
+    Controls how instances of quotechar appearing inside a field should themselves be quoted.
+    When True, the character is doubled. When False, the escapechar is used as a prefix to the quotechar.
+    It defaults to True.
+
+Dialect.escapechar
+    A one-character string used by the writer to escape the delimiter if quoting is set to QUOTE_NONE and the quotechar if doublequote is False.
+    On reading, the escapechar removes any special meaning from the following character.
+    It defaults to None, which disables escaping.
+
+Dialect.lineterminator
+    The string used to terminate lines produced by the writer.
+    It defaults to '\r\n'.
+
+    The reader is hard-coded to recognise either '\r' or '\n' as end-of-line, and ignores lineterminator.
+
+Dialect.quotechar
+    A one-character string used to quote fields containing special characters, such as the delimiter or quotechar, or which contain new-line characters.
+    It defaults to '"'.
+
+Dialect.quoting
+    Controls when quotes should be generated by the writer and recognised by the reader. It can take on any of the QUOTE_* constants (see section Module Contents).
+    It defaults to QUOTE_MINIMAL.
+```
+
+## GAM variables that control CSV file reading/writing:
+```
+csv_input_column_delimiter = , - Dialect.delimiter
+csv_input_no_escape_char = true - Dialect.escapechar is set to None if true, '\' if false
+csv_input_quote_char = " - Dialect.quotechar
+csv_output_column_delimiter = , - Dialect.delimiter
+csv_output_no_escape_char = false - Dialect.escapechar is set to None if true, '\' if false
+csv_output_line_terminator = lf - Dialect.lineterminator
+csv_output_quote_char = " - Dialect.quotechar
+todrive_no_escape_char = true - Dialect.escapechar is set to None if true, '\' if false
+```
+
+GAM sets Dialect.doublequote to true and Dialect.quoting to QUOTE_MINIMAL; there are no variables to change these values.
+
+## Examples
+
+### Local file, default settings
+With these settings, here are examples of how field values are mapped on output to a local file:
+```
+csv_output_column_delimiter = ,
+csv_output_no_escape_char = false
+csv_output_quote_char = "
+```
+
+| Input | Output |
+|-------|--------|
+| abc def | abc def |
+| abc,def | "abc,def" |
+| abc"def | "abc""def" |
+| abc\def | abc\\\\def |
+
+### Local file, modified settings
+With these settings, here are examples of how field values are mapped on output to a local file:
+```
+csv_output_column_delimiter = ,
+csv_output_no_escape_char = true
+csv_output_quote_char = "
+```
+
+| Input | Output |
+|-------|--------|
+| abc def | abc def |
+| abc,def | "abc,def" |
+| abc"def | "abc""def" |
+| abc\def | abc\def |
+
+### todrive, default settings
+With these settings, here are examples of how field values are mapped on output to todrive
+```
+csv_output_column_delimiter = ,
+todrive_no_escape_char = true
+csv_output_quote_char = "
+```
+
+| Input | Output |
+|-------|--------|
+| abc def | abc def |
+| abc,def | "abc,def" |
+| abc"def | "abc""def" |
+| abc\def | abc\def |

docs/CalendarExamples.md

@@ -0,0 +1,260 @@
+- [Modifying and Viewing Calendar Access Control Lists (ACLs)](#modifying-and-viewing-calendar-access-control-lists-acls)
+  - [Viewing a Calender's ACL](#viewing-a-calenders-acl)
+  - [Adding Users to a Calendar's ACL](#adding-users-to-a-calendars-acl)
+  - [Updating a User Entry in a Calendar ACL](#updating-a-user-entry-in-a-calendar-acl)
+  - [Deleting Users from a Calendar's ACL](#deleting-users-from-a-calendars-acl)
+- [Viewing and Modifying a User's List of Calendars](#viewing-and-modifying-a-users-list-of-calendars)
+  - [Retrieving a Calendar a User Has Listed](#retrieving-a-calendar-a-user-has-listed)
+  - [Showing the Calendars a User Has Listed](#showing-the-calendars-a-user-has-listed)
+  - [Printing the Calendars a User Has Listed](#printing-the-calendars-a-user-has-listed)
+  - [Deleting a Calendar from a User(s) List of Calendars](#deleting-a-calendar-from-a-users-list-of-calendars)
+  - [Adding a Calendar to a User(s) List of Calendars](#adding-a-calendar-to-a-users-list-of-calendars)
+  - [Updating a Calendar in a User(s) List of Calendars](#updating-a-calendar-in-a-users-list-of-calendars)
+- [Deleting Events for a Calendar](#deleting-events-for-a-calendar)
+- [Wiping a User's Primary Calendar](#wiping-a-users-primary-calendar)
+
+GAM now supports Google Calendar Management with the ability to modify Access Control Lists (ACLs) for calendars and to add, list and remove calendars from a users Google Calendar display. GAM can work with user primary and secondary calendars as well as resource calendars.
+
+All Google Calendars have an email address associated with them. All users who have the Calendar service enabled have a primary calendar identified by their email address. Secondary calendars created by or for the user have a special calendar email address which can be learned with the ` gam user <username> show calendars ` command. Resource Calendars also have a special email address that can be learned with the ` gam print resources ` command.
+
+# Modifying and Viewing Calendar Access Control Lists (ACLs)
+## Viewing a Calender's ACL
+### Syntax
+```
+gam calendar <calendar email> showacl|printacl
+```
+Shows the ACLs for the given calendar (showacl) or prints CSV output of the ACLs (printacl). The ACL list will show who has access to the calendar and what level of access they have.
+
+### Example
+This example displays the Calendar ACLs for joe@acme.com
+```
+gam calendar joe@acme.com showacl
+```
+
+---
+
+
+## Adding Users to a Calendar's ACL
+### Syntax
+```
+gam calendar <calendar email> add freebusy|read|editor|owner <user email> [sendnotifications true|false]
+```
+Gives user email the desired level of access to the given calendar by adding the user to the ACL. freebusy allows the user to see only times whe n the calendar is busy without showing event details. read gives the user rights to view but not edit the calendar. editor gives read/write access to the calendar but not ACL or settings modification rights. owner gives the user full access to the calendar with the ability to modify the ACL and calendar settings.
+
+Use the optional sendnotifications flag to choose whether to send notifications about the calendar sharing change or not. The default is True.
+
+**Note:** The special users domain and default cannot be added to a calendar, they can only be updated or deleted by GAM (see below)
+
+**Note:** giving a user rights to another calendar adds that calendar to their list of calendars automatically. A separate command to add the calendar should not be necessary. *Update*: this no longer seems to happen as of early 2020. You'll need to add the calendar to the user's list of calendar's separately.
+
+### Example
+This example gives Bob editor access to Joe's primary calendar.
+```
+gam calendar joe@acme.com add editor bob@acme.com
+```
+
+---
+
+
+## Updating a User Entry in a Calendar ACL
+### Syntax
+```
+gam calendar <calendar email> update freebusy|read|editor|owner <user email>
+```
+Update the given user's rights to the given calendar. The user should already have explicit access to the calendar. This command will upgrade (or downgrade) the user's access to the desired level of freebusy, read, editor or owner.
+
+**Note:** the special users domain and default can be used instead of an actual user email address to modify public sharing of the calendar. domain applies to all users in the Google Apps organization. default applies to anyone with a Google account (even @gmail.com) and is limited to read or freebusy. Note that your Calendar control panel settings may prevent read sharing of calendars outside the domain in which case you'll get an error trying to set default to read.
+
+### Example
+This example upgrades Bob to be owner of Joe's Calendar:
+```
+gam calendar joe@acme.com update owner bob@acme.com
+```
+
+This example allows anyone with an account in your domain to edit the given resource calendar (including delete others appointments!).
+
+```
+gam calendar example.com_436d6e646572656e6365526f6f6d732d3239352d3372642d5164616d536d6974682d38@resource.calendar.google.com update editor domain
+```
+
+This example allows anyone with a Google account to view Bob's calendar
+```
+gam calendar bob@example.com update read default
+```
+
+---
+
+
+## Deleting Users from a Calendar's ACL
+### Syntax
+```
+gam calendar <calendar email> delete [user <user email>] [id <ACL id>]
+```
+Removes user email rights to the given calendar. Note that the user may still have some level of rights (freebusy or read) to the calendar based on the default level of access to calendars set within the domain. Specifying the ACL by ID is also supported and takes the id column of the [printacl command](#viewing-a-calenders-acl)
+
+**Note:** deleting the domain and default users disables public sharing of your calendar. domain applies to everyone in your Google Apps domain while default applies to everyone with a Google Account.
+
+### Example
+This example removes Bob's direct rights to Joe's calendar
+```
+gam calendar joe@acme.com delete user bob@acme.com
+```
+
+These two examples remove all public sharing of Bob's calendar. Only those with explicit rights will be able to see anything (including freebusy):
+
+```
+gam calendar bob@example.com delete user domain
+gam calendar bob@example.com delete user default
+```
+
+---
+
+
+# Viewing and Modifying a User's List of Calendars
+## Retrieving a Calendar a User Has Listed
+### Syntax
+```
+gam user <user>|group <group>|ou <ou>|all users info calendar <calendar email>
+```
+Displays the details of the users' specific Calendar.
+
+### Example
+This example displays a specific calendar that Bob has added to his Google Calendar app
+```
+gam user bob@acme.com info calendar acme.com_r7vmefng3okeo4l48n4urkjvcg@group.calendar.google.com
+
+User: bob@acme.com's Calendar:
+  Calendar: test
+    ID: acme.com_r7vmefng3okeo4l48n4urkjvcg@group.calendar.google.com
+    Access Level: root
+    Timezone: America/New_York
+    Hidden: false
+    Selected: true
+    Color: #2952A3
+```
+
+## Showing the Calendars a User Has Listed
+### Syntax
+```
+gam user <user>|group <group>|ou <ou>|all users show calendars
+```
+Displays the details of all of the Calendars the user has listed in their Google Calendar.
+
+### Example
+This example lists the calendars that Bob has added to his Google Calendar app
+```
+gam user bob@acme.com show calendars
+
+User: bob@acme.com's Calendars
+  Calendar: bob@acme.com
+    ID: bob@acme.com
+    Access Level: owner
+    Timezone: America/New_York
+    Hidden: false
+    Selected: false
+    Color: #2F6309
+  Calendar: test
+    ID: acme.com_r7vmefng3okeo4l48n4urkjvcg@group.calendar.google.com
+    Access Level: root
+    Timezone: America/New_York
+    Hidden: false
+    Selected: true
+    Color: #2952A3
+  Calendar: Canadian Holidays
+    ID: en.canadian#holiday@group.v.calendar.google.com
+    Access Level: read
+    Timezone: America/New_York
+    Hidden: false
+    Selected: true
+    Color: #2952A3
+```
+
+## Printing the Calendars a User Has Listed
+### Syntax
+```
+gam user <user>|group <group>|ou <ou>|all users print calendars [todrive]
+```
+Display or upload to Google Drive a CSV report of all of the users' calendars. The optional `todrive` parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file. 
+
+### Example
+This example lists the calendars that all users have specified in the Calendar app.
+```
+gam all users print calendars
+```
+
+---
+
+
+## Deleting a Calendar from a User(s) List of Calendars
+### Syntax
+```
+gam user <user>|group <group>|ou <ou>|all users delete calendar <calendar email>
+```
+Removes the given calendar from each of the users' list of calendars. Deleting a calendar from a user's calendar list does not change ACLs on the calendar, it simply removes it from the display.
+
+### Example
+This example removes Joe's calendar from Bob's display of calendars.
+```
+gam user bob@acme.com delete calendar joe@acme.com
+```
+
+---
+
+
+## Adding a Calendar to a User(s) List of Calendars
+### Syntax
+```
+gam user <user>|group <group>|ou <ou>|all users add calendar <calendar email> [selected true|false] [hidden true|false] [reminder email|sms|popup <minutes>] [notification email|sms eventcreation|eventchange|eventcancellation|eventresponse|agenda] [summary <summary>] [colorindex <1-24>] [backgroundcolor <htmlcolor>] [foregroundcolor <htmlcolor>]
+```
+Adds the given calendar to each of the users' list of calendars. Adding a calendar to a user's calendar list does not give them any rights to the calendar that they didn't have before. If the user does not have rights to the calendar, use the ACL command above to both grant them rights and add the calendar to their list of calendars.
+
+The optional argument `selected` determines if the calendar is selected in the user's list of subscribed calendars by default. The optional argument `hidden` determines if the calendar is hidden from the user's list of subscribed calendars. The optional argument `reminder` sets the default reminder type and time for calendar events and can be repeated. The optional argument `notification` sets the default notification type for calendar events and can be repeated. The optional argument `summary` overrides the calendar's default name. The optional argument `colorindex` sets the calendar entries colors. Index colors can be viewed [here](http://calendar-colors.appspot.com/). The optional arguments `backgroundcolor` and `foregroundcolor` manually set the calendars colors.
+
+### Example
+The following example adds Bob's calendar to Joe's list of calendars without it being selected in Joe's calendar display.
+
+```
+gam user joe@acme.com add calendar bob@acme.com selected false
+```
+
+---
+
+
+## Updating a Calendar in a User(s) List of Calendars
+### Syntax
+```
+gam user <user>|group <group>|ou <ou>|all users update calendar <calendar email> [selected true|false] [hidden true|false] [reminder (email|sms|popup <minutes>)|clear] [notification (email|sms eventcreation|eventchange|eventcancellation|eventresponse|agenda)|clear] [summary <summary>] [colorindex <1-24>] [backgroundcolor <htmlcolor>] [foregroundcolor <htmlcolor>]
+```
+Update how a given calendar is displayed in a user's list of calendars. The optional argument `selected` determines if the calendar is selected in the user's list of subscribed calendars by default. The optional argument `hidden` determines if the calendar is hidden from the user's list of subscribed calendars. The optional argument `reminder` sets the default reminder type and time for calendar events and can be repeated. The argument `reminder clear` clears all reminders from the calendar. The optional argument `notification` sets the default notification type for calendar events and can be repeated. The argument `notification clear` clears all notifications from the calendar. The optional argument `summary` overrides the calendar's default name. The optional argument `colorindex` sets the calendar entries colors. Index colors can be viewed [here](http://calendar-colors.appspot.com/). The optional arguments `backgroundcolor` and `foregroundcolor` manually set the calendars colors.
+
+### Example
+The following example updates Bob's view of Joe's calendars, changing the color to green.
+
+```
+gam user bob@acme.com update calendar joe@acme.com colorindex 9
+```
+
+---
+
+# Deleting Events for a Calendar
+### Syntax
+```
+gam calendar <email> deleteevent [eventid <id>] [query <query>] [notifyattendees] [doit]
+```
+Delete event(s) off the given calendar. You should specify either the single event ID with the eventid argument or a query to perform against the calendar to determine which events should be deleted. Query operates in a similar fashion to Calendar UIs search but you should test results carefully, a bad query can delete more events than you intended. The optional argument notifyattendees will send event attendees an email notification that the event is cancelled, removed. Because this command involves deletion of user data, GAM will not perform the action by default unless the doit argument is supplied.
+
+# Wiping a User's Primary Calendar
+### Syntax
+```
+gam calendar <user email> wipe
+```
+Wipe all data from a user's primary calendar. **WARNING: This will delete all user events and there is no way to recover them!** Email address must be a Google Apps user. It's not possible to wipe resource or secondary calendars.
+
+### Example
+The following example deletes all data for Joe's Calendar.
+
+```
+gam calendar joe@acme.com wipe
+```
+
+---

docs/Calendars-Access.md

@@ -28,6 +28,7 @@ Calendar ACL roles (as seen in Calendar GUI):
 <CalendarItem> ::= <EmailAddress>
 <CalendarList> ::= "<CalendarItem>(,<CalendarItem>)*"
 <CalendarEntity> ::= <CalendarList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 
 <CalendarACLRole> ::= editor|freebusy|freebusyreader|owner|reader|writer
 <CalendarACLScope> ::= <EmailAddress>|user:<EmailAdress>|group:<EmailAddress>|domain:<DomainName>|domain|default
@@ -56,11 +57,14 @@ By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
 gam calendars <CalendarEntity> print acls|calendaracls [todrive <ToDriveAttribute>*]
-        [noselfowner]
+        [noselfowner] (addcsvdata <FieldName> <String>)*
         [formatjson [quotechar <Character>]]
 ```
 Option `noselfowner` suppresses the display of ACLs that reference the calendar itself as its owner.
 
+Add additional columns of data from the command line to the output
+* `addcsvdata <FieldName> <String>`
+
 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
 the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
 When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
@@ -68,13 +72,15 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
 ### Old format commands
-These commands are backwards compatible with basic GAM.
+These commands are backwards compatible with Legacy GAM.
 ```
 gam calendar <CalendarEntity> add <CalendarACLRole> ([user] <EmailAddress>)|(group <EmailAddress>)|(domain [<DomainName>])|default [sendnotifications <Boolean>]
 gam calendar <CalendarEntity> update <CalendarACLRole> ([user] <EmailAddress>)|(group <EmailAddress>)|(domain [<DomainName>])|default [sendnotifications <Boolean>]
 gam calendar <CalendarEntity> delete [<CalendarACLRole>] ([user] <EmailAddress>)|(group <EmailAddress>)|(domain [<DomainName>])|default
 gam calendar <CalendarEntity> showacl [formatjson]
-gam calendar <CalendarEntity> printacl [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]
+gam calendar <CalendarEntity> printacl [todrive <ToDriveAttribute>*]
+        (addcsvdata <FieldName> <String>)*
+        [formatjson [quotechar <Character>]]
 ```
 By default, when you add or update a calendar ACL, notification is sent to the members referenced in the `<CalendarACLScopeEntity>`.
 Use `sendnotifications false` to suppress sending the notification.

docs/Calendars-Events.md

@@ -11,7 +11,7 @@
   - [Add calendar attendees](#add-calendar-attendees)
 - [Update calendar events](#update-calendar-events)
   - [Update calendar attendees](#update-calendar-attendees)
-- [Specify calendar attendees with JSON data](#specify-calendar-attendees-with-JSON-data)
+- [Specify calendar attendees with JSON data](#specify-calendar-attendees-with-json-data)
 - [Delete selected calendar events](#delete-selected-calendar-events)
 - [Delete all calendar events](#delete-all-calendar-events)
 - [Move calendar events to another calendar](#move-calendar-events-to-another-calendar)
@@ -63,10 +63,12 @@ Client access works when accessing Resource calendars.
 <CalendarItem> ::= <EmailAddress>
 <CalendarList> ::= "<CalendarItem>(,<CalendarItem>)*"
 <CalendarEntity> ::= <CalendarList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <DomainName> ::= <String>(.<String>)+
 <EmailAddress> ::= <String>@<DomainName>
 <EmailAddressList> ::= "<EmailAddess>(,<EmailAddress>)*"
 <EmailAddressEntity> ::= <EmailAddressList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 
 <EventAttachmentsSubfieldName> ::=
         attachments.fileid|
@@ -101,12 +103,21 @@ Client access works when accessing Resource calendars.
         creator.id|
         creator.self
 
+<EventFocusTimePropertiesSubfieldName> ::=
+        focustimeproperties.chatstatus|
+        focustimeproperties.declinemode|
+        focustimeproperties.declinemessage
+
 <EventOrganizerSubfieldName> ::=
         organizer.displayname|
         organizer.email|
         organizer.id|
         organizer.self
 
+<EventOutOfOfficePropertiesSubfieldName> ::=
+        outofoffice.declinemode|
+        outofoffice.declinemessage
+
 <EventWorkingLocationPropertiesSubfieldName> ::=
         workinglocationproperties.homeoffice|
         workinglocationproperties.customlocation|
@@ -130,6 +141,7 @@ Client access works when accessing Resource calendars.
         endtimeunspecified|
         extendedproperties|
         eventtype|
+        <EventFocusTimePropertiesSubfieldName>
         gadget|
         guestscaninviteothers|
         guestscanmodify|
@@ -143,6 +155,7 @@ Client access works when accessing Resource calendars.
         organizer|
         <EventOrganizerSubfieldName>|
         originalstart|originalstarttime|
+        <EventOutOfOfficePropertiesSubfieldName>
         privatecopy|
         recurrence|
         recurringeventid|
@@ -156,14 +169,25 @@ Client access works when accessing Resource calendars.
         updated|
         visibility|
         workinglocationproperties|
+        <EventWorkingLocationPropertiesSubfieldName>
 <EventFieldNameList> ::= "<EventFieldName>(,<EventFieldName>)*"
 
 <AttendeeAttendance> ::= optional|required
 <AttendeeStatus> ::= accepted|declined|needsaction|tentative
 
+<EventType> ::=
+        birthday|
+        default|
+        focustime|
+        fromgmail|
+        outofoffice|
+        workinglocation
+<EventTypeList> ::= "<EventType>(,<EventType>)*"
+
 <EventSelectProperty> ::=
         (after|starttime|timemin <Time>)|
         (before|endtime|timemax <Time>)|
+        (eventtype|eventtypes <EventTypeList>)|
         (query <QueryCalendar>)|
         (privateextendedproperty <String>)|
         (sharedextendedproperty <String>)|
@@ -174,6 +198,9 @@ Client access works when accessing Resource calendars.
 
 <EventMatchProperty> ::=
         (matchfield attendees <EmailAddressEntity>)|
+        (matchfield attendeesonlydomainlist <DomainNameList>)|
+        (matchfield attendeesdomainlist <DomainNameList>)|
+        (matchfield attendeesnotdomainlist <DomainNameList>)|
         (matchfield attendeespattern <RegularExpression>)|
         (matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>)|
         (matchfield creatoremail <RegularExpression>)|
@@ -183,6 +210,7 @@ Client access works when accessing Resource calendars.
         (matchfield location <RegularExpression>)|
         (matchfield organizeremail <RegularExpression>)|
         (matchfield organizername <RegularExpression>)|
+        (matchfield organizerself <Boolean>)|
         (matchfield status <RegularExpression>)|
         (matchfield summary <RegularExpression>)|
         (matchfield transparency <RegularExpression>)|
@@ -192,7 +220,7 @@ Client access works when accessing Resource calendars.
         (id|eventid <EventId>) |
         (event|events <EventIdList> |
         <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVSubkeySelector> | <CSVDataSelector>)
-
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <EventSelectEntity> ::=
         (<EventSelectProperty>+ <EventMatchProperty>*)
 
@@ -205,17 +233,20 @@ Client access works when accessing Resource calendars.
         lavender|peacock|sage|tangerine|tomato
 <PropertyKey> ::= <String>
 <PropertyValue> ::= <String>
+<TimeZone> ::= <String>
 
 <EventAttribute> ::=
+        (allday <Date>)|
         (anyonecanaddself [<Boolean>])|
         (attachment <String> <URL>)|
         (attendee <EmailAddress>)|
         (attendeestatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddress>)|
         available|
+        (birthday <Date>)|
         (color <EventColorName>)|
         (colorindex|colorid <EventColorIndex>)|
         (description <String>)|
-        (end (allday <Date>)|<Time>)|
+        (end|endtime (allday <Date>)|<Time>)|
         (guestscaninviteothers <Boolean>)|
         guestscantinviteothers|
         (guestscanmodify <Boolean>)|
@@ -230,16 +261,18 @@ Client access works when accessing Resource calendars.
         (optionalattendee <EmailAddress>)|
         (originalstart|originalstarttime (allday <Date>)|<Time>)|
         (privateproperty <PropertyKey> <PropertyValue>)|
+        (range <Date> <Date>)|
         (recurrence <RRULE, EXRULE, RDATE and EXDATE line>)|
-        (reminder <Number> email|popup))|
+        (reminder <Number> email|popup)|
         (selectattendees [<AttendeeAttendance>] [<AttendeeStatus>] <UserTypeEntity>)|
         (sequence <Integer>)|
         (sharedproperty <PropertyKey> <PropertyValue>)|
         (source <String> <URL>)|
-        (start (allday <Date>)|<Time>)|
+        (start|starttime (allday <Date>)|<Time>)|
         (status confirmed|tentative|cancelled)|
         (summary <String>)|
         tentative|
+        (timerange <Time> <Time>)|
         (timezone <TimeZone>)|
         (transparency opaque|transparent)|
         (visibility default|public|private)
@@ -289,10 +322,12 @@ This is dense reading; a simpler approach is to define a test event in Google Ca
 the recurrence rule that you want, then use `gam info event` to get the recurrence rule and use it in subsequent commands.
 
 ```
-RRULE:FREQ=DAILY
-RRULE:FREQ=DAILY;COUNT=30
-RRULE:FREQ=WEEKLY;BYDAY=WE
-RRULE:FREQ=WEEKLY;WKST=SU;COUNT=13;BYDAY=WE
+RRULE:FREQ=DAILY - Daily
+RRULE:FREQ=DAILY;COUNT=30 - Daily for 30 days
+RRULE:FREQ=WEEKLY - Weekly on the same day of the week as the starting day; e.g., every Wednesday
+RRULE:FREQ=WEEKLY;COUNT=13 - Weekly on the same day of the week as the starting day; e.g., every Wednesday, for 13 weeks
+RRULE:FREQ=MONTHLY - Monthly on the same day of the month as the starting day; e.g., every 15th of the month
+RRULE:FREQ=MONTHLY;BYDAY=4TH - Monthly on the fourth instance of the starting day; e.g., every 4th Thursday
 ```
 
 ## Event colors
@@ -314,8 +349,9 @@ If none of the following options are selected, all events are selected.
 * `<EventSelectProperty>* <EventMatchProperty>*` - Properties used to select events
 
 The Google Calendar API processes `<EventSelectProperty>*`; you may specify none or multiple properties.
-* `after|starttime|timemin <Time>` - Lower bound (inclusive) for an event's end time to filter by. If timeMax is set, timeMin must be smaller than timeMax.
+* `after|starttime|timemin <Time>` - Lower bound (exclusive) for an event's end time to filter by. If timeMax is set, timeMin must be smaller than timeMax.
 * `before|endtime|timemax <Time>` - Upper bound (exclusive) for an event's start time to filter by. If timeMin is set, timeMax must be greater than timeMin.
+* `eventtypes <EventTypeList>` - Select events based on their type.
 * `query <QueryCalendar>` - Free text search terms to find events that match these terms in any field, except for extended properties
 * `privateextendedproperty <String>` - A required private property; `<String>` must be of the form `propertyName=value`
 * `sharedextendedproperty <String>` - A required shared property; `<String>` must be of the form `propertyName=value`
@@ -326,7 +362,15 @@ The Google Calendar API processes `<EventSelectProperty>*`; you may specify none
 
 GAM processes `<EventMatchProperty>*`; you may specify none or multiple properties.
 * `matchfield attendees <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
-* `matchfield attendeespattern <RegularExpression>` - Some attendee must match `<RegularExpression>`
+* `matchfield attendeesonlydomainlist <DomainNameList>` - All attendee's email addresses must be in a domain in `<DomainNameList>`
+  * For example, this lets you look for events with all attendees in your internal domains. You should include `resource.calendar.google.com`
+    in `<DomainNameList>` if the events use resources.
+* `matchfield attendeesdomainlist <DomainNameList>` - Some attendee's email address must be in a domain in `<DomainNameList>`
+  * For example, this lets you look for events with attendees in specific external domains
+* `matchfield attendeesnotdomainlist <DomainNameList>` - Some attendee's email address must be in a domain not in `<DomainNameList>`
+  * For example, this lets you look for events with attendees not in your internal domains. You should include `resource.calendar.google.com`
+    in `<DomainNameList>` if the events use resources.
+* `matchfield attendeespattern <RegularExpression>` - Some attendee's email address must match `<RegularExpression>`
 * `matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
 and must have the specified values.
     * `<AttendeeAttendance>` - Default is `required`
@@ -463,7 +507,7 @@ No events are deleted unless you specify the `doit` option; omit `doit` to verif
 
 When events are deleted from a calendar, they are moved to the calendar's trash and are only permanently deleted (purged) after 30 days.
 Following a suggestion here (https://stackoverflow.com/questions/41043053/how-to-empty-calendar-trash-via-google-services) you can permanently delete
-calendar events. This is achieved by creating a temporary calendar, deleting the events, moving the deleted events to the temporary calendar
+calendar events with `purge events`. This is achieved by creating a temporary calendar, deleting the events, moving the deleted events to the temporary calendar
 and then deleting the temporary calendar.
 
 ## Delete all calendar events
@@ -552,7 +596,7 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
 ### Old format commands
-These commands are backwards compatible with basic Gam.
+These commands are backwards compatible with Legacy GAM.
 ```
 gam calendar <CalendarEntity> addevent <EventAttribute>+ [<EventNotificationAttribute>]
 gam calendar <CalendarEntity> deleteevent (id|eventid <EventID>)+ [doit] [<EventNotificationAttribute>]

docs/Calendars.md

@@ -21,6 +21,7 @@ Client access works when accessing Resource calendars.
 <CalendarItem> ::= <EmailAddress>
 <CalendarList> ::= "<CalendarItem>(,<CalendarItem>)*"
 <CalendarEntity> ::= <CalendarList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 
 <TimeZone> ::= <String>
         See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

docs/Chat-Bot.md

@@ -1,4 +1,4 @@
-# Chat Bot
+!# Chat Bot
 
 - [Notes](#notes)
 - [API documentation](#api-documentation)
@@ -36,7 +36,7 @@ This Wiki page was built directly from Jay Lee's Wiki page; my sincere thanks fo
 
 <ChatContent> ::=
         ((text <String>)|
-         (textfile <FileName> [charset <CharSet>])|
+         (textfile <FileName> [charset <Charset>])|
          (gdoc <UserGoogleDoc>)|
          (gcsdoc <StorageBucketObjectName>))
 
@@ -47,6 +47,64 @@ This Wiki page was built directly from Jay Lee's Wiki page; my sincere thanks fo
 <ChatMessageID> ::= client-<String>
         <String> must contain only lowercase letters, numbers, and hyphens up to 56 characters in length.
 ```
+```
+<ChatSpaceFieldName> ::=
+        accesssettings|
+        admininstalled|
+        createtime|
+        displayname|
+        externaluserallowed|
+        importmode|
+        lastactivetime|
+        membershipcount|
+        name|
+        singleuserbotdm|
+        spacedetails|
+        spacehistorystate|
+        spacethreadingstate|threaded|
+        spacetype|type|
+        spaceuri
+<ChatSpaceFieldNameList> ::= "<ChatSpaceFieldName>(,<ChatSpaceFieldName>)*"
+
+<ChatMemberFieldName> ::=
+        createtime|
+        deletetime|
+        groupmember|
+        member|
+        name|
+        role|
+        state|
+<ChatMemberFieldNameList> ::= "<ChatMemberFieldName>(,<ChatMemberFieldName>)*"
+
+<ChatMessageFieldName> ::=
+        accessorywidgets|
+        actionresponse|
+        annotations|
+        argumenttext|
+        attachedgifs|
+        attachment|
+        cards|
+        cardsv2|
+        clientassignedmessageid|
+        createtime|
+        deletetime|
+        deletionmetadata|
+        emojireactionsummaries|
+        fallbacktext|
+        formattedtext|
+        lastupdatetime|
+        matchedurl|
+        name|
+        privatemessageviewer|
+        quotedmessagemetadata|
+        sender|
+        slashcommand|
+        space|
+        text|
+        thread|
+        threadreply
+<ChatMessageFieldNameList> ::= "<ChatMessageFieldName>(,<ChatMessageFieldName>)*"
+```
 
 ## Set up a Chat Bot
 Since GAM 6.04.00, GAM is capable of acting as a Chat Bot and sending messages to Chat Rooms or direct messages to users. You first need to configure your Chat Bot.
@@ -69,6 +127,7 @@ At first you'll have no spaces listed. Try [finding your bot and chatting it](ht
 ### Display information about a specific chat space
 ```
 gam info chatspace space <ChatSpace>
+        [fields <ChatSpaceFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -77,6 +136,7 @@ By default, Gam displays the information as an indented list of keys and values.
 ### Display information about all chat spaces
 ```
 gam show chatspaces
+        [fields <ChatSpaceFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -84,11 +144,12 @@ By default, Gam displays the information as an indented list of keys and values.
 
 ```
 gam print chatspaces [todrive <ToDriveAttribute>*]
+        [fields <ChatSpaceFieldNameList>]
         [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
-
+`
 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
 the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
 When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
@@ -101,6 +162,7 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ### Display information about a specific chat member
 ```
 gam info chatmember member <ChatMember>
+        [fields <ChatMemberFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -109,7 +171,8 @@ By default, Gam displays the information as an indented list of keys and values.
 ### Display information about all chat members in a chat space
 ```
 gam show chatmembers space <ChatSpace>
-        [showinvited [<Boolean>]] [filter <String>]
+        [showinvited [<Boolean>]] [showgroups [<Boolean>]] [filter <String>]
+        [fields <ChatMemberFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -117,7 +180,8 @@ By default, Gam displays the information as an indented list of keys and values.
 
 ```
 gam print chatmembers [todrive <ToDriveAttribute>*] space <ChatSpace>
-        [showinvited [<Boolean>]] [filter <String>]
+        [showinvited [<Boolean>]] [showgroups [<Boolean>]] [filter <String>]
+        [fields <ChatMemberFieldNameList>]
         [formatjson [quotechar <Character>]]
 ```
 
@@ -162,7 +226,7 @@ gam create chatmessage space <ChatSpace>
 ```
 Specify the text of the message: `<ChatContent>`
 * `text <String>` - The message is `<String>`
-* `textfile <FileName> [charset <CharSet>]` - The message is read from a local file
+* `textfile <FileName> [charset <Charset>]` - The message is read from a local file
 * `gdoc <UserGoogleDoc>` - The message is read from a Google Doc.
 * `gcsdoc <StorageBucketObjectName>` - The message is read from a Google Cloud Storage file.
 
@@ -207,7 +271,7 @@ gam update chatmessage name <ChatMessage>
 ```
 Specify the source of the message:
 * `text <String>` - The message is `<String>`
-* `textfile <FileName> [charset <CharSet>]` - The message is read from a local file
+* `textfile <FileName> [charset <Charset>]` - The message is read from a local file
 * `gdoc <UserGoogleDoc>` - The message is read from a Google Doc.
 * `gcsdoc <StorageBucketObjectName>` - The message is read from a Google Cloud Storage file.
 
@@ -238,6 +302,7 @@ Display the given Chat message.
 
 ```
 gam info chatmessage name <ChatMessage>
+        [fields <ChatMessageFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.

docs/Chrome-AUE-Counts.md

@@ -1,4 +1,4 @@
-# Chrome Auto Update Expiration Counts
+!# Chrome Auto Update Expiration Counts
 
 - [Chrome Auto Update Expiration Counts](#chrome-auto-update-expiration-counts)
   - [API documentation](#api-documentation)

docs/Chrome-Browser-Cloud-Management.md

@@ -3,7 +3,6 @@
 - [Chrome Browser Cloud Management](#chrome-browser-cloud-management)
   - [API documentation](#api-documentation)
   - [Query documentation](#query-documentation)
-  - [Collections of ChromeOS Devices](Collections-of-ChromeOS-Devices)
   - [Definitions](#definitions)
   - [Manage Chrome browsers](#manage-chrome-browsers)
     - [Update Chrome browsers](#update-chrome-browsers)
@@ -25,8 +24,9 @@
 * https://support.google.com/chrome/a/answer/9681204#retrieve_all_chrome_devices_for_an_account
 
 ## Definitions
+* [`<CrOSTypeEntity>`](Collections-of-ChromeOS-Devices)
 
-```BNF
+```
 <BrowserTokenPermanentID> ::= <String>
 <OrgUnitPath> ::= /|(/<String)+
 <QueryBrowser> ::= <String> See: https://support.google.com/chrome/a/answer/9681204#retrieve_all_chrome_devices_for_an_account
@@ -41,6 +41,7 @@
         (query:<QueryBrowser>)|(query:orgunitpath:<OrgUnitPath>)|(query <QueryBrowser>) |
         (browserou <OrgUnitItem>) | (browserous <OrgUnitList>) |
         <FileSelector> | <CSVFileSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 
 <BrowserAttribute> ::=
         (annotatedassetid|asset|assetid <String>)|
@@ -129,14 +130,14 @@ If you have a CSV file, UpdateBrowsers.csv with two columns: deviceId,notes
 this command will add a new line of notes to the front of the existing notes:
 
 ```
-gam csv UpdateBrowsers.csv gam update browser ~deviceId updatenotes "~~notes~~\n#notes#"
+gam csv UpdateBrowsers.csv gam update browser "~deviceId" updatenotes "~~notes~~\n#notes#"
 ```
 
 ## Move Chrome browsers from one OU to another
 ```
 gam move browsers ou|org|orgunit <OrgUnitPath>
         ((ids <DeviceIDList>) |
-         (queries <QueryBrowserList> [querytime.* <Time>]) |
+         (queries <QueryBrowserList> [querytime<String> <Time>]) |
          (browserou <OrgUnitItem>) | (browserous <OrgUnitList>) |
          <FileSelector> | <CSVFileSelector>)
         [batchsize <Integer>]
@@ -177,7 +178,7 @@ By default, Gam displays the information as an indented list of keys and values:
 ```
 gam show browsers
         ([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowser>)|(queries <QueryBrowserList>))|(select <BrowserEntity>))
-        [querytime.* <Time>]
+        [querytime<String> <Time>]
         [orderby <BrowserOrderByFieldName> [ascending|descending]]
         [basic|full|allfields|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
         [formatjson]
@@ -192,7 +193,8 @@ Select the fields to be displayed:
 * `annotated` - Display these fields: deviceId,annotatedAssetId,annotatedLocation,annotatedNotes,annotatedUser
 * `basic` - Display all fields except: browsers, lastDeviceUsers, lastStatusReportTime, machinePloicies; this is the default
 * `allfields/full` - Display all fields
-* `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Displaya selected list of fields
+* `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Display a selected list of fields
+  * Note that `ou, org and orgunit` are both command line options and field names; use `fields` to include them in the selected list of fields
 
 By default, Gam displays the information as an indented list of keys and values:
 - `formatjson` - Display the fields in JSON format.
@@ -204,7 +206,7 @@ The characters following `querytime` can be any combination of lowercase letters
 ```
 gam print browsers [todrive <ToDriveAttribute>*]
         ([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowser>)|(queries <QueryBrowserList>))|(select <BrowserEntity>))
-        [querytime.* <Time>]
+        [querytime<String> <Time>]
         [orderby <BrowserOrderByFieldName> [ascending|descending]]
         [basic|full|allfields|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
         [sortheaders] [formatjson [quotechar <Character>]]
@@ -231,7 +233,8 @@ Select the fields to be displayed:
 * `annotated` - Display these fields: deviceId,annotatedAssetId,annotatedLocation,annotatedNotes,annotatedUser
 * `basic` - Display all fields except: browsers, lastDeviceUsers, lastStatusReportTime, machinePloicies; this is the default
 * `allfields/full` - Display all fields
-* `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Displaya selected list of fields
+* `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Display a selected list of fields
+  * Note that `ou, org and orgunit` are both command line options and field names; use `fields` to include them in the selected list of fields
 
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
 * `formatjson` - Display the fields in JSON format.
@@ -371,7 +374,7 @@ gam revoke browsertoken <BrowserTokenPermanentID>
 ```
 gam show browsertokens
         ([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowserToken)|(queries <QueryBrowserTokenList>)))
-        [querytime.* <Time>]
+        [querytime<String> <Time>]
         [orderby <BrowserTokenFieldName> [ascending|descending]]
         [allfields] <BrowserTokenFieldName>* [fields <BrowserTokenFieldNameList>]
         [formatjson]
@@ -394,7 +397,7 @@ By default, Gam displays the information as an indented list of keys and values:
 ```
 gam print browsertokens [todrive <ToDriveAttribute>*]
         ([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowserToken)|(queries <QueryBrowserTokenList>)))
-        [querytime.* <Time>]
+        [querytime<String> <Time>]
         [orderby <BrowserTokenFieldName> [ascending|descending]]
         [allfields] <BrowserTokenFieldName>* [fields <BrowserTokenFieldNameList>]
         [sortheaders] [formatjson [quotechar <Character>]]

docs/Chrome-Browser-Management.md

@@ -0,0 +1,85 @@
+- [Printing browsers](#printing-browsers)
+- [Moving browsers](#moving-browsers)
+- [Updating browsers](#updating-browsers)
+- [Get info about a browser](#get-info-about-a-browser)
+- [Delete a browser](#delete-a-browser)
+
+GAM 5.30 adds support for the new [Chrome Browser Cloud Management API calls](https://support.google.com/chrome/a/answer/9681204). The API allows you to print, move, update and delete enrolled browsers.
+
+# Printing browsers
+## Syntax
+```
+gam print browsers [query <query>] [projection BASIC|FULL] [todrive] [sort_headers] [fields <fields>]
+```
+Prints enrolled browsers. The optional argument query will limit results to matching browsers. Query format is described [in Google's help articles](https://support.google.com/chrome/a/answer/9681204#example:~:text=You%20can%20specify%20the%20following%20fields,the%20field%20names%20are%20case%20sensitive). By default, GAM only prints basic information about the browsers. The optional argument projection allows selecting FULL which prints a lot more information about each browser including user profiles, policies and extension details. The optional argument todrive will upload the output to a Google Sheet. The optional argument fields specifies a comma separated list of fields you'd like to limit results to.
+
+## Example
+This example prints all browsers.
+```
+gam print browsers
+```
+This example creates a Google Sheet of browsers running on Microsoft Windows
+```
+gam print browsers todrive query "os_platform:Windows"
+```
+----
+## Moving browsers
+### Syntax
+```
+gam move browsers [ids <ids>] [query <query>] [file <file>] [csvfile <csvfile:columnName>] [orgunit <orgunit>] [batch_size <number>]
+```
+Moves the specified browsers from one OrgUnit in Google to another. The browsers must be specified with the ids, query, file or csvfile argument. The orgunit argument specifies the destination of the browsers. By default, GAM will attempt to move 600 browsers at a time which is the max allowed by the API. You can modify this number by specifying batch_size.
+
+### Example
+This example moves all Windows browsers into their own Org Unit.
+```
+gam move browsers query "os_platform:Windows" orgunit /Chrome/Windows
+```
+----
+## Updating browsers
+### Syntax
+```
+gam update browser <id> [user <user>] [location <location>] [notes <notes>] [assetid <assetid>]
+```
+Updates information about a Chrome browser. Information can be set for the user, location, notes and assetid fields.
+
+### Example
+This example updates all four fields
+```
+gam update browser c052d4d7-90b1-407a-911f-c0d05ba0eaeb user jsmith@acme.com location "New York, NY" notes "Browser re-installed on 12/3/20" assetid ABC123
+```
+----
+## Get info about a browser
+### Syntax
+```
+gam info browser <id> [FULL|BASIC] [fields <fields>]
+```
+shows information about a single browser based on the id specified. The optional argument projection retrieves a basic or full list of device attributes. Full includes details like browser profiles, policies and extensions. The optional fields parameter limits which fields are retrieved and printed.
+
+### Example
+This example gets info about a browser
+```
+gam info browser c052d4d7-90b1-407a-911f-c0d05ba0eaeb
+```
+This example shows a LOT of information about the browser
+```
+gam info browser c052d4d7-90b1-407a-911f-c0d05ba0eaeb projection FULL
+```
+This example shows a limited amount of information
+```
+gam info browser c7cf1d21-50af-4419-bf75-67731423a259 fields osPlatform,lastPolicyFetchTime,osPlatformVersion,lastDeviceUser,orgUnitPath
+```
+----
+## Delete a browser
+### Syntax
+```
+gam delete browser <id>
+```
+Deletes the given browser by id. The browser will be removed from Google's admin console and no longer sync policy or reporting. However existing policies will still be applied until the device registration and dm tokens are removed.
+
+### Example
+This example deletes the device.
+```
+gam delete browser c7cf1d21-50af-4419-bf75-67731423a259
+```
+----

docs/Chrome-Installed-Apps.md

@@ -1,11 +1,11 @@
-# Chrome Installed Apps Counts
+!# Chrome Installed Apps Counts
 
-- [Chrome Policies](#chrome-policies)
-  - [API documentation](#api-documentation)
-  - [Definitions](#definitions)
-  - [Quoting rules](#quoting-rules)
-  - [Display Chrome installed apps counts](#display-chrome-installed-apps-counts)
-  - [Display Chrome devices with a specific installed application](#display-chrome-devices-with-a-specific-installed-application)
+- [API documentation](#api-documentation)
+- [Definitions](#definitions)
+- [Quoting rules](#quoting-rules)
+- [Display Chrome installed app details](#display-chrome-installed-app-details)
+- [Display Chrome installed apps counts](#display-chrome-installed-apps-counts)
+- [Display Chrome devices with a specific installed application](#display-chrome-devices-with-a-specific-installed-application)
 
 ## API documentation
 
@@ -19,6 +19,7 @@ the appropriate scope: `Chrome Management API - read only`.
 gam update project
 gam oauth create
 ```
+To get installed app details you must authorize the scope: `Chrome Management API - AppDetails read only`.
 
 ## Definitions
 ```
@@ -47,6 +48,14 @@ Typically, you will enclose the entire list in double quotes and quote each item
 - Items, separated by spaces, with spaces, commas or single quotes in the items themselves
    * ```"'it em' 'it,em' \"it'em\""```
 
+## Display Chrome installed app details
+```
+gam info chromeapp android|chrome|web <AppID>
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
 ## Display Chrome installed apps counts
 ```
 gam show chromeapps

docs/Chrome-Needs-Attention-Counts.md

@@ -1,4 +1,4 @@
-# Chrome Device Needs Attention Counts
+!# Chrome Device Needs Attention Counts
 
 - [Chrome Device Needs Attention Counts](#chrome-device-needs-attention-counts)
   - [API documentation](#api-documentation)

docs/Chrome-Policy-Settings.md

@@ -0,0 +1,79 @@
+- [Showing Chrome Schema of Policy Settings](#showing-chrome-schema-of-policy-settings)
+- [Showing Current Chrome Policy For An OrgUnit](#showing-current-chrome-policy-for-an-orgunit)
+- [Updating Chrome Policy](#updating-chrome-policy)
+- [Clearing Chrome Policies](#clearing-chrome-policies)
+
+## Showing Chrome Schema of Policy Settings
+### Syntax
+```
+gam show chromeschema [filter <filter>]
+```
+Shows the schema of all possible Chrome policy settings available for your organization. The optional filter argument filters results down to matches. The schema is comprised of the top level schema name which groups the policy settings together, an individual setting, the type of the setting (string, boolean, enum) and possible values for the setting with their description.
+
+### Example
+This example prints the full schema for your organization. A truncated example output is also shown with the parts of the schema. In the example output, the schema name is chrome.users.ChromeBrowserUpdates and controls how browsers update. Within this schema there are three settings, rollbackToTargetVersionEnabled, targetVersionPrefixSetting and updateSetting. rollbackToTargetVersionEnabled and updateSetting are TYPE_ENUM meaning there is a limited set of values they can be set to. These values are described in the lines just after the setting. targetVersionPrefixSetting is TYPE_STRING so it accepts a string value as mentioned in it's description.
+```
+gam show chromeschema
+...
+chrome.users.ChromeBrowserUpdates: Chrome browser updates.
+  rollbackToTargetVersionEnabled: TYPE_ENUM
+    ROLLBACK_TO_TARGET_VERSION_DISABLED: Do not rollback to target version.
+    ROLLBACK_TO_TARGET_VERSION_ENABLED: Rollback to target version.
+  targetVersionPrefixSetting: TYPE_STRING
+    Target version prefix. Specifies which version the Chrome browser should be updated to. When a value is set, Chrome will be updated to the version prefixed with this value. For example, if the value is '55.', Chrome will be updated to any minor version of 55 (e.g. 55.24.34.0 or 55.60.2.10). If the value is '55.2.', Chrome will be updated to any minor version of 55.2 (e.g. 55.2.34.100 or 55.2.2.1). If the value is '55.24.34.1', Chrome will be updated to that specific version only. Chrome may stop updating or not rollback if the specified version is more than three major milestones old.
+  updateSetting: TYPE_ENUM
+    UPDATES_DISABLED: Updates disabled.
+    UPDATES_ENABLED: Always allow updates.
+    MANUAL_UPDATES_ONLY: Manual updates only.
+    AUTOMATIC_UPDATES_ONLY: Automatic updates only.
+...
+```
+----
+
+## Showing Current Chrome Policy For An OrgUnit
+### Syntax
+```
+gam show chromepolicy orgunit <orgunit> [printer_id <id>] [app_id <id>]
+```
+Shows the current Chrome policies for the given OrgUnit. The optional argument printer_id will scope the returned policies to those set on the given printer. The optional argument app_id will scope the returned policies to those set on the given app.
+
+### Example
+This example prints policies for the root OrgUnit.
+```
+gam show chromepolicy orgunit /
+```
+This example shows policies for the identified printer.
+```
+gam show chromepolicy orgunit / printer_id 0gjdgxs3dgp3kj
+```
+----
+
+## Updating Chrome Policy
+### Syntax
+```
+gam update chromepolicy [orgunit <orgunit>] [printer_Id <id>] [app_id <id>] schema1 setting1 value setting2 value schema2 setting1 value ...
+```
+Updates the policy settings of the given OrgUnit. The optional printer_id and app_id specify a printer or app to set policy for. Policies involve a schema name, the specific setting of the schema and a value. You can set multiple schemas and settings with one command but they must all apply to the same OrgUnit / printer / app.
+
+### Example
+This example sets Chrome to limit updates to version 89 for the /Browsers OrgUnit. Browsers on newer versions will be rolled back.
+```
+gam update chromepolicy orgunit /Browsers chrome.users.ChromeBrowserUpdates rollbackToTargetVersionEnabled ROLLBACK_TO_TARGET_VERSION_ENABLED targetVersionPrefixSetting "89." updateSetting UPDATES_ENABLED
+```
+This example blocks notifications except for specific URLs
+```
+gam update chromepolicy orgunit /Browsers chrome.users.Notifications defaultNotificationsSetting BLOCK_NOTIFICATIONS notificationsAllowedForUrls *.google.com,*.salesforce.com,*.youtube.com
+```
+
+## Clearing Chrome Policies
+### Syntax
+```
+gam delete policy [orgunit <orgunit>] [printer_id <id>] [app_id <id>] schema1 schema2 schema3 ...
+```
+Clears the settings for the given schema so that they inherit from their parent OrgUnit or, in the case of the / root OrgUnit, inherit from the Google default setting. The optional printer_id and app_id specify a specific printer or app to clear the policies for. Multiple schemas can be cleared by specifying each one separated by spaces but the policies must all apply to the given OrgUnit / printer / app combo.
+
+### Example
+This example clears the Chrome update and notification policies for the /Browsers OrgUnit. They will then inherit either from the / root OrgUnit if set there or from the Google default setting.
+```
+gam delete chromepolicy orgunit /Browsers chrome.users.Notifications chrome.users.ChromeBrowserUpdates
+```

docs/Chrome-Printers.md

@@ -1,4 +1,4 @@
-# Chrome Printers
+!# Chrome Printers
 - [API documentation](#api-documentation)
 - [Notes](#notes)
 - [Definitions](#definitions)

docs/Chrome-Version-Counts.md

@@ -1,4 +1,4 @@
-# Chrome Version Counts
+!# Chrome Version Counts
 
 - [Chrome Version Counts](#chrome-version-counts)
   - [API documentation](#api-documentation)

docs/Chrome-Version-History.md

@@ -1,4 +1,4 @@
-# Chrome Version History
+!# Chrome Version History
 
 - [Chrome Version History](#chrome-version-history)
   - [API documentation](#api-documentation)

docs/ChromeOS-Devices.md

@@ -4,7 +4,6 @@
   - [API documentation](#api-documentation)
   - [Query documentation](#query-documentation)
   - [Notes](#notes)
-  - [Collections of ChromeOS Devices](Collections-of-ChromeOS-Devices)
   - [Definitions](#definitions)
   - [CrOS Query Searchable Fields](#cros-query-searchable-fields)
   - [ChromeOS device update OU error handling](#chromeos-device-update-ou-error-handling)
@@ -24,6 +23,7 @@
     - [Print a header row and fields for selected CrOS devices](#print-a-header-row-and-fields-for-selected-cros-devices)
     - [Print a header row and fields for specified CrOS devices](#print-a-header-row-and-fields-for-specified-cros-devices)
     - [Display Examples](#display-examples)
+    - [Display CrOS device counts](#display-cros-device-counts)
   - [Print ChromeOS device activity](#print-chromeos-device-activity)
     - [Print a header row and activity for selected CrOS devices](#print-a-header-row-and-activity-for-selected-cros-devices)
     - [Print a header row and activity for specified CrOS devices](#print-a-header-row-and-activity-for-specified-cros-devices)
@@ -71,11 +71,12 @@ gam <Command> cros <CrOSEntity> ...
 ```
 The first form allows more powerful selection of devices with `<CrOSTypeEntity>`.
 
-The second form is backwards compatible with Standard GAM and selection with `<CrOSEntity>` is limited.
+The second form is backwards compatible with Legacy GAM and selection with `<CrOSEntity>` is limited.
 
 ## Definitions
-
-```BNF
+* [`<CrOSTypeEntity>`](Collections-of-ChromeOS-Devices)
+ 
+```
 <OrgUnitPath> ::= /|(/<String)+
 <QueryCrOS> ::= <String> See: https://support.google.com/chrome/a/answer/1698333
 <CommandID> ::= <String>
@@ -85,6 +86,7 @@ The second form is backwards compatible with Standard GAM and selection with `<C
 <SerialNumberList> ::= "<SerialNumber>(,<SerialNumber>)*"
 <SerialNumberEntity> ::=
         <SerialNumberList> | <FileSelector> | <CSVFileSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 
 <CrOSEntity> ::=
         <CrOSIDList> | (cros_sn <SerialNumberList>) |
@@ -103,15 +105,22 @@ The second form is backwards compatible with Standard GAM and selection with `<C
         annotatedlocation|location|
         annotateduser|user|
         autoupdateexpiration|
+        autoupdatethrough|
+        backlightinfo|
         bootmode|
+        cpuinfo|
         cpustatusreports|
         deprovisionreason|
         devicefiles|
         deviceid|
+        devicelicensetype|
         diskvolumereports|
         dockmacaddress|
         ethernetmacaddress|
         ethernetmacaddress0|
+        extendedsupporteligible|
+        extendedsupportstart|
+        extendedsupportenabled|
         firmwareversion|
         firstenrollmenttime|
         lastdeprovisiontimestamp|
@@ -126,6 +135,7 @@ The second form is backwards compatible with Standard GAM and selection with `<C
         ordernumber|
         orgunitid|
         orgunitpath|org|ou|
+        osupdatestatus|
         osversion|
         platformversion|
         recentusers|
@@ -133,8 +143,8 @@ The second form is backwards compatible with Standard GAM and selection with `<C
         serialnumber|
         status|
         supportenddate|
-        systemramtotal|
         systemramfreereports|
+        systemramtotal|
         tpmversioninfo|
         willautorenew
 <CrOSFieldNameList> ::= "<CrOSFieldName>(,<CrOSFieldName>)*"
@@ -156,8 +166,10 @@ The second form is backwards compatible with Standard GAM and selection with `<C
 ```
 <CrOSAction> ::=
         deprovision_different_model_replace|
+        deprovision_different_model_replacement|
         deprovision_retiring_device|
         deprovision_same_model_replace|
+        deprovision_same_model_replacement|
         deprovision_upgrade_transfer|
         disable|
         reenable|
@@ -241,10 +253,13 @@ Enter `id:` as the operator. For example, if you are searching for the serial nu
 
 Partial serial number searches are supported, as long as you enter at least three characters in the serial number.
 
+All serial number searches are partial, be careful that you don't enter a partial serial number by mistake
+when actioning/modifying devices as you will affect multiple devices rather than the single desired device.
+
 ### Status
 To view all provisioned or deprovisioned devices, select the status from the left drop-down, and all of the devices that fit this criterion will appear in the view. Alternatively, you can do the following searches from the All devices view:
 
-`gam print cros query "status:[provisioned|disable|deprovisioned]"`
+`gam print cros query "status:[provisioned|disabled|deprovisioned]"`
 
 ### User
 Enter user: as the operator. For example, to match the name Joe, but not Joey, enter the following:
@@ -352,7 +367,7 @@ If you have a CSV file, UpdateCrOS.csv with two columns: deviceId,notes
 this command will add a new line of notes to the front of the existing notes:
 
 ```
-gam csv UpdateCrOS.csv gam update cros ~deviceId updatenotes "~~notes~~\n#notes#"
+gam csv UpdateCrOS.csv gam update cros "~deviceId" updatenotes "~~notes~~\n#notes#"
 ```
 
 ## Add ChromeOS devices to an organizational unit
@@ -379,7 +394,7 @@ given if invalid CrOS deviceIds are specified.
 ### Example: Add ChromeOS devices to a single OU
 Suppose you have a CSV file cros.csv with a single column: deviceId
 ```
-gam update ou /Students/2022 add cros_csvfile cros.csv:deviceId quickcrosmove
+gam update ou /Students/2022 add croscsvfile cros.csv:deviceId quickcrosmove
 ```
 
 ### Example: Add ChromeOS devices to multiple OUs
@@ -399,13 +414,15 @@ gam update ou csvkmd cros.csv keyfield OU datafield deviceId add croscsvdata dev
         deprovision_same_model_replace|
         deprovision_upgrade_transfer|
         disable|
-        reenable|
-        pre_provisioned_disable|
-        pre_provisioned_reenable
+        reenable
 
 gam <CrOSTypeEntity> update action <CrOSAction> [acknowledge_device_touch_requirement]
+        [actionbatchsize <Integer>]
 gam update cros <CrOSEntity> action <CrOSAction> [acknowledge_device_touch_requirement]
+        [actionbatchsize <Integer>]
 ```
+As of GAM version `6.67.00`, the new API function `batchChangeStatus` replaces the old API function `action`; ChromeOS devices are now processed in batches.
+The batch size defaults to 10, the `actionbatchsize <Integer>` option can be used to set a batch size between 10 and 250.
 
 As deprovisioning ChromeOS devices is not reversible, you must enter `acknowledge_device_touch_requirement`
 when `<CrOSAction>` is `deprovision_same_model_replace`, `deprovision_different_model_replace`,
@@ -451,7 +468,7 @@ gam getcommand cros <CrOSEntity> commandid <CommandID> [times_to_check_status <I
 ### Action Examples
 Remove user profile data from the device; the device will remain enrolled and connected.
 User data not synced to the Cloud including Downloads, Android app data and Crostini Linux VMs will be permanently lost.
-Commands with issuecommand directly after gam will work with standard GAM & GAMADV-XTD3, whereas commands where the issuecommand is after the cros <CrOSTypeEntity> will work only with GAMADV-XTD3. 
+Commands with issuecommand directly after gam will work with Legacy GAM & GAM7, whereas commands where the issuecommand is after the cros <CrOSTypeEntity> will work only with GAM7. 
 ```
 gam issuecommand cros dd1d659a-0ea4-4e94-905e-4726c7a5f1e9 command wipe_users doit
 ```
@@ -534,7 +551,7 @@ gam <CrOSTypeEntity> print cros
 
 ```
 gam print cros [todrive <ToDriveAttribute>*]
-        [(query <QueryCrOS>)|(queries <QueryCrOSList>) [querytime.* <Time>]
+        [(query <QueryCrOS>)|(queries <QueryCrOSList>) [querytime<String> <Time>]
          [(limittoou|cros_ou <OrgUnitItem>)|(cros_ou_and_children <OrgUnitItem>)|
           (cros_ous <OrgUnitList>)|(cros_ous_and_children <OrgUnitList>)]]
         [orderby <CrOSOrderByFieldName> [ascending|descending]]
@@ -543,6 +560,7 @@ gam print cros [todrive <ToDriveAttribute>*]
         [start <Date>] [end <Date>] [listlimit <Number>]
         [reverselists <CrOSListFieldNameList>]
         [timerangeorder ascending|descending] [showdvrsfp]
+        (addcsvdata <FieldName> <String>)*
         [sortheaders]
         [formatjson [quotechar <Character>]]
 ```
@@ -554,9 +572,13 @@ is also specified, the query applies to devices within the OUs.
 
 - `(query <QueryCrOS>)|(queries <QueryCrOSList>)` - Select CrOS devices that match a query
 - `limittoou|cros_ou <OrgUnitItem>` - Select CrOS devices directly in the OU `<OrgUnitItem>`
+  - You can predefine this item with the `print_cros_ous` variable in `gam.cfg`.
 - `cros_ou_and_children <OrgUnitItem>` - Select CrOS devices in the OU `<OrgUnitItem>` and its sub OUs
+  - You can predefine this item with the `print_cros_ous_and_children` variable in `gam.cfg`.
 - `cros_ous <OrgUnitList>` - Select CrOS devices directly in the OUs `<OrgUnitList>`
+  - You can predefine this list with the `print_cros_ous` variable in `gam.cfg`.
 - `cros_ous_and_children <OrgUnitList>` - Select CrOS devices in the OUs `<OrgUnitList>` and their sub OUs
+  - You can predefine this list with the `print_cros_ous_and_children` variable in `gam.cfg`.
 
 Use the `querytime<String> <Time>` option to allow times, usually relative, to be substituted into the `query <QueryCrOS>` and `queries <QueryCrOSList>` options.
 The `querytime<String> <Time>` value replaces the string `#querytime<String>#` in any queries.
@@ -581,6 +603,9 @@ otherwise, the remaining field names will appear in the order specified.
 - `timerangeorder descending` - Change the `activetimeranges` order from ascending (oldest to newest) to descending (newest to oldest); this makes it easy to get the `N` most recent values with `timeranges listlimit N timerangeorder descending`.
 - `showdvrsfp` - Display a field `diskVolumeReports.volumeInfo.storageFreePercentage` which is calculated as: `(diskVolumeReports.volumeInfo.storageFree/diskVolumeReports.volumeInfo.storageTotal)*100`
 
+Add additional columns of data from the command line to the output
+* `addcsvdata <FieldName> <String>`
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
 
 - `formatjson` - Display the fields in JSON format.
@@ -603,6 +628,7 @@ gam <CrOSTypeEntity> print cros [todrive <ToDriveAttribute>*]
         [start <Date>] [end <Date>] [listlimit <Number>]
         [reverselists <CrOSListFieldNameList>]
         [timerangeorder ascending|descending] [showdvrsfp]
+        (addcsvdata <FieldName> <String>)*
         [sortheaders]
         [formatjson [quotechar <Character>]]
 
@@ -631,6 +657,9 @@ otherwise, the remaining field names will appear in the order specified.
 - `timerangeorder descending` - Change the `activetimeranges` order from ascending (oldest to newest) to descending (newest to oldest); this makes it easy to get the `N` most recent values with `timeranges listlimit N timerangeorder descending`.
 - `showdvrsfp` - Display a field `diskVolumeReports.volumeInfo.storageFreePercentage` which is calculated as: `(diskVolumeReports.volumeInfo.storageFree/diskVolumeReports.volumeInfo.storageTotal)*100`
 
+Add additional columns of data from the command line to the output
+* `addcsvdata <FieldName> <String>`
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
 
 - `formatjson` - Display the fields in JSON format.
@@ -671,13 +700,43 @@ Print information about CrOS devices synced between 45 days ago and 30 days ago:
 gam print cros query "sync:#querytime1#..#querytime2#" querytime1 -45d querytime2 -30d
 ```
 
+## Display CrOS device counts
+Display the number of CrOS devices in an entity.
+```
+gam <CrOSTypeEntity> show count
+gam <CrOSTypeEntity> print cros showitemcountonly
+gam print cros select <CrOSTypeEntity> showitemcountonly
+gam print cros
+        [(query <QueryCrOS>)|(queries <QueryCrOSList>) [querytime<String> <Time>]
+         [(limittoou|cros_ou <OrgUnitItem>)|(cros_ou_and_children <OrgUnitItem>)|
+          (cros_ous <OrgUnitList>)|(cros_ous_and_children <OrgUnitList>)]]
+        showitemcountonly
+```
+Example
+```
+$ gam print cros query "sync:..2020-01-01" showitemcountonly
+Getting all CrOS Devices that match query (sync:..2020-01-01) for /, may take some time on a large Organizational Unit...
+Got 77 CrOS Devices that matched query (sync:..2020-01-01) for /...
+Got 77 CrOS Devices that matched query (sync:..2020-01-01)
+77
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print cros query "sync:..2020-01-01" showitemcountonly)
+Windows PowerShell
+count = & gam print cros query "sync:..2020-01-01" showitemcountonly
+```
+
 ## Print ChromeOS device activity
 
 ### Print a header row and activity for selected CrOS devices
 
 ```
 gam print crosactivity [todrive <ToDriveAttribute>*]
-        [(query <QueryCrOS>)|(queries <QueryCrOSList>) [querytime.* <Time>]
+        [(query <QueryCrOS>)|(queries <QueryCrOSList>) [querytime<String> <Time>]
          [(limittoou|cros_ou <OrgUnitItem>)|(cros_ou_and_children <OrgUnitItem>)|
           (cros_ous <OrgUnitList>)|(cros_ous_and_children <OrgUnitList>)]]
         [orderby <CrOSOrderByFieldName> [ascending|descending]]
@@ -696,9 +755,13 @@ is also specified, the query applies to devices within the OUs.
 
 - `(query <QueryCrOS>)|(queries <QueryCrOSList>)` - Select CrOS devices that match a query
 - `limittoou|cros_ou <OrgUnitItem>` - Select CrOS devices directly in the OU `<OrgUnitItem>`
+  - You can predefine this item with the `print_cros_ous` variable in `gam.cfg`.
 - `cros_ou_and_children <OrgUnitItem>` - Select CrOS devices in the OU `<OrgUnitItem>` and its sub OUs
+  - You can predefine this item with the `print_cros_ous_and_children` variable in `gam.cfg`.
 - `cros_ous <OrgUnitList>` - Select CrOS devices directly in the OUs `<OrgUnitList>`
+  - You can predefine this list with the `print_cros_ous` variable in `gam.cfg`.
 - `cros_ous_and_children <OrgUnitList>` - Select CrOS devices in the OUs `<OrgUnitList>` and their sub OUs
+  - You can predefine this list with the `print_cros_ous_and_children` variable in `gam.cfg`.
 
 Use the `querytime<String> <Time>` option to allow times, usually relative, to be substituted into the `query <QueryCrOS>` and `queries <QueryCrOSList>` options.
 The `querytime<String> <Time>` value replaces the string `#querytime<String>#` in any queries.
@@ -796,7 +859,7 @@ gam redirect stdout ./CrOSDeviceFiles.out redirect stderr stdout csvkmd cros ./C
 Download the device files in parallel.
 
 ```
-gam redirect stdout ./CrOSDeviceFiles.out multiprocess redirect stderr stdout csv ./CrOSDeviceFiles.csv matchfield deviceFiles.type LOG_FILE gam cros ~deviceId get devicefile select ~deviceFiles.createTime
+gam redirect stdout ./CrOSDeviceFiles.out multiprocess redirect stderr stdout csv ./CrOSDeviceFiles.csv matchfield deviceFiles.type LOG_FILE gam cros "~deviceId" get devicefile select "~deviceFiles".createTime
 ```
 
 Suppose you want only the last device file for each Chromebook.
@@ -824,7 +887,7 @@ gam info crostelemetry <SerialNumber>
 ### Display data about all or selected devices.
 ```
 gam show crostelemetry
-        [(ou|org|orgunit <OrgUnitItem>)|(cros_sn <SerialNumber>)|(filter <String>)]
+        [(ou|org|orgunit|ou_and_children <OrgUnitItem>)|(cros_sn <SerialNumber>)|(filter <String>)]
         <CrOSTelemetryFieldName>* [fields <CrOSTelemetryFieldNameList>]
         [start <Date>] [end <Date>] [listlimit <Number>]
         [reverselists <CrOSTelemetryListFieldNameList>]
@@ -833,6 +896,7 @@ gam show crostelemetry
 Use these options to select CrOS devices; if none are chosen, all CrOS devices in the account are selected.
 
 - `ou|org|orgunit <OrgUnitItem>` - Select CrOS devices directly in the OU `<OrgUnitItem>`
+- `ou_and_children <OrgUnitItem>` - Select CrOS devices in the OU `<OrgUnitItem>` and its sub OUs
 - `cros_sn <SerialNumber>` - Select the CrOS device with serial number `<SerialNumber>`.
 - `filter <String>` - Select the CrOS device with a filter.
 - `listlimit <Number>` - Limits the number of repetitions to `<Number>`; if not specified or `<Number>` equals zero, there is no limit.
@@ -849,7 +913,7 @@ By default, Gam displays the information as an indented list of keys and values:
 ### Print data about all or selected devices.
 ```
 gam print crostelemetry [todrive <ToDriveAttribute>*]
-        [(ou|org|orgunit <OrgUnitItem>)|(cros_sn <SerialNumber>)|(filter <String>)]
+        [(ou|org|orgunit|ou_and_children <OrgUnitItem>)|(cros_sn <SerialNumber>)|(filter <String>)]
         <CrOSTelemetryFieldName>* [fields <CrOSTelemetryFieldNameList>]
         [reverselists <CrOSTelemetryListFieldNameList>]
         [start <Date>] [end <Date>] [listlimit <Number>]
@@ -858,6 +922,7 @@ gam print crostelemetry [todrive <ToDriveAttribute>*]
 Use these options to select CrOS devices; if none are chosen, all CrOS devices in the account are selected.
 
 - `ou|org|orgunit <OrgUnitItem>` - Select CrOS devices directly in the OU `<OrgUnitItem>`
+- `ou_and_children <OrgUnitItem>` - Select CrOS devices in the OU `<OrgUnitItem>` and its sub OUs
 - `cros_sn <SerialNumber>` - Select the CrOS device with serial number `<SerialNumber>`.
 - `filter <String>` - Select the CrOS device with a filter.
 - `listlimit <Number>` - Limits the number of repetitions to `<Number>`; if not specified or `<Number>` equals zero, there is no limit.

docs/Classroom-Courses.md

@@ -10,6 +10,7 @@
 - [Manage course aliases](#manage-course-aliases)
 - [Manage course topics](#manage-course-topics)
 - [Display courses](#display-courses)
+- [Display course counts](#display-course-counts)
 - [Display course announcements](#display-course-announcements)
 - [Display course materials](#display-course-materials)
 - [Display course topics](#display-course-topics)
@@ -47,40 +48,50 @@ gam user user@domain.com check|update serviceaccount
 <CourseAliasList> ::= "<CourseAlias>(,<CourseAlias>)*"
 <CourseAliasEntity> ::=
         <CourseAliasList>|<FileSelector>|<CSVFileSelector>|<CSVkmdSelector>|<CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseAnnouncementID> ::= <Number>
 <CourseAnnouncementIDList> ::= "<CourseAnnouncementID>(,<CourseAnnouncementID>)*"
 <CourseAnnouncementIDEntity> ::=
         <CourseAnnouncementIDList>|<FileSelector>|<CSVFileSelector>|<CSVkmdSelector>|<CSVSubkeySelector>|<CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseAnnouncementState> ::= draft|published|deleted
 <CourseAnnouncementStateList> ::= all|"<CourseAnnouncementState>(,<CourseAnnouncementState>)*"
 <CourseID> ::= <Number>|d:<CourseAlias>
 <CourseIDList> ::= "<CourseID>(,<CourseID>)*"
 <CourseEntity> ::=
         <CourseIDList>|<FileSelector>|<CSVFileSelector>|<CSVkmdSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseMaterialID> ::= <Number>
 <CourseMaterialIDList> ::= "<CourseMaterialID>(,<CourseMaterialID>)*"
 <CourseMaterialState> ::= draft|published|deleted
 <CourseMaterialStateList> ::= all|"<CourseMaterialState>(,<CourseMaterialState>)*"
-<CourseMaterialIDEntity> ::= <CourseMaterialIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVSubkeySelector> | <CSVDataSelector>
+<CourseMaterialIDEntity> ::=
+        <CourseMaterialIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVSubkeySelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseState> ::= active|archived|provisioned|declined|suspended
 <CourseStateList> ::= all|"<CourseState>(,<CourseState>)*"
 <CourseSubmissionID> ::= <Number>
 <CourseSubmissionIDList> ::= "<CourseSubmissionID>(,<CourseSubmissionID>)*"
 <CourseSubmissionIDEntity> ::=
         <CourseSubmissionIDList>|<FileSelector>|<CSVFileSelector>|<CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseSubmissionState> ::= new|created|turned_in|returned|reclaimed_by_student
 <CourseSubmissionStateList> ::= all|"<CourseSubmissionState>(,<CourseSubmissionState>)*"
 <CourseTopic> ::= <String>
 <CourseTopicList> ::= "<CourseTopic>(,<CourseTopic>)*"
-<CourseTopicEntity> ::= <CourseTopicList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+<CourseTopicEntity> ::=
+        <CourseTopicList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseTopicID> ::= <Number>
 <CourseTopicIDList> ::= "<CourseTopicID>(,<CourseTopicID>)*"
 <CourseTopicIDEntity> ::=
         <CourseTopicIDList>|<FileSelector>|<CSVFileSelector>|<CSVkmdSelector>|<CSVSubkeySelector>|<CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseWorkID> ::= <Number>
 <CourseWorkIDList> ::= "<CourseWorkID>(,<CourseWorkID>)*"
 <CourseWorkIDEntity> ::=
         <CourseWorkIDList>|<FileSelector>|<CSVFileSelector>|<CSVkmdSelector>|<CSVSubkeySelector>|<CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseWorkState> ::= draft|published|deleted
 <CourseWorkStateList> ::= all|"<CourseWorkState>(,<CourseWorkState>)*"
 
@@ -123,6 +134,7 @@ gam user user@domain.com check|update serviceaccount
         creationtime|
         creator|creatoruserid|
         id|
+        individualstudentsoptions|
         materials|
         scheduledtime|
         state|
@@ -143,6 +155,7 @@ gam user user@domain.com check|update serviceaccount
         creator|creatoruserid|
         description|
         id|
+        individualstudentsoptions|
         materials|
         scheduledtime|
         state|
@@ -168,6 +181,7 @@ gam user user@domain.com check|update serviceaccount
         duedate|
         duetime|
         id|
+        individualstudentsoptions|
         materials|
         maxpoints|
         scheduledtime|
@@ -176,6 +190,7 @@ gam user user@domain.com check|update serviceaccount
         title|
         topicid|
         updatetime|
+        workid|
         worktype
 <CourseWorkFieldNameList> ::= "<CourseWorkFieldName>(,<CourseWorkFieldName>)*"
 
@@ -259,53 +274,78 @@ The options `name <String>` and `teacher <UserItem>` are required when creating
 gam create|add course [id|alias <CourseAlias>] <CourseAttribute>*
         [copyfrom <CourseID>
             [announcementstates <CourseAnnouncementStateList>]
+                [individualstudentannouncements copy|delete|maptoall]
             [materialstates <CourseMaterialStateList>]
+                [individualstudentmaterials copy|delete|maptoall]
             [workstates <CourseWorkStateList>]
+                [individualstudentcoursework copy|delete|maptoall]
                 [removeduedate [<Boolean>]]
                 [mapsharemodestudentcopy edit|none|view]
+            [individualstudentassignments copy|delete|maptoall]
             [copymaterialsfiles [<Boolean>]]
             [copytopics [<Boolean>]]
             [markdraftaspublished [<Boolean>]]
             [markpublishedasdraft [<Boolean>]]
             [members none|all|students|teachers]]
-            [logdrivefileids [<Boolean>>]]
+            [logdrivefileids [<Boolean>]]
 
 gam update course <CourseID> <CourseAttribute>+
         [copyfrom <CourseID>
             [announcementstates <CourseAnnouncementStateList>]
+                [individualstudentannouncements copy|delete|maptoall]
             [materialstates <CourseMaterialStateList>]
+                [individualstudentmaterials copy|delete|maptoall]
             [workstates <CourseWorkStateList>]
+                [individualstudentcoursework copy|delete|maptoall]
                 [removeduedate [<Boolean>]]
                 [mapsharemodestudentcopy edit|none|view]
+            [individualstudentassignments copy|delete|maptoall]
             [copymaterialsfiles [<Boolean>]]
             [copytopics [<Boolean>]]
             [markdraftaspublished [<Boolean>]]
             [markpublishedasdraft [<Boolean>]]
             [members none|all|students|teachers]]
-            [logdrivefileids [<Boolean>>]]
+            [logdrivefileids [<Boolean>]]
 gam update courses <CourseEntity> <CourseAttribute>+
         [copyfrom <CourseID>
             [announcementstates <CourseAnnouncementStateList>]
+                [individualstudentannouncements copy|delete|maptoall]
             [materialstates <CourseMaterialStateList>]
+                [individualstudentmaterials copy|delete|maptoall]
             [workstates <CourseWorkStateList>]
+                [individualstudentcoursework copy|delete|maptoall]
                 [removeduedate [<Boolean>]]
                 [mapsharemodestudentcopy edit|none|view]
+            [individualstudentassignments copy|delete|maptoall]
             [copymaterialsfiles [<Boolean>]]
             [copytopics [<Boolean>]]
             [markdraftaspublished [<Boolean>]]
             [markpublishedasdraft [<Boolean>]]
             [members none|all|students|teachers]]
-            [logdrivefileids [<Boolean>>]]
+            [logdrivefileids [<Boolean>]]
 ```
 `copyfrom <CourseID>` allows copying of course announcements, work, topics and members from one course to another.
 * Accouncements - By default, no course announcements are copied
     * `announcementstates <CourseAnnouncementStateList>` - Copy class announcements with the specified states
+        * `individualstudentannouncements copy` - Copy individual student announcements; this is the default. You will get an error if a student is not a member of the course
+        * `individualstudentannouncements delete` - Delete individual student announcements
+        * `individualstudentannouncements maptoall` - Map individual student announcements to all student announcements
 * Materials - By default, no course materials are copied
     * `materialstates <CourseMaterialsStateList>` - Copy class materials with the specified states
+        * `individualstudentmaterials copy` - Copy individual student materials; this is the default. You will get an error if a student is not a member of the course
+        * `individualstudentmaterials delete` - Delete individual student materials
+        * `individualstudentmaterials maptoall` - Map individual student materials to all student materials
 * Work - By default, no course work is copied
     * `workstates <CourseWorkStateList>` - Copy class work with the specified states
+        * `individualstudentcoursework copy` - Copy individual student coursework; this is the default. You will get an error if the student is not a member of the course
+        * `individualstudentcoursework delete` - Delete individual student coursework
+        * `individualstudentcoursework maptoall` - Map individual student coursework to all student coursework
         * `removeduedate false` - Remove due dates before the current time; this is the default
         * `removeduedate|removeduedate true` - Remove all due dates
+* For convenience, setting `individualstudentassignments` sets all the following to the same value:
+    * `individualstudentannouncements`
+    * `individualstudentmaterials`
+    * `individualstudentcoursework`
 * Announcements, Materials and Work Materials files
     * `copymaterialsfiles false` - Copy links to files referenced by materials in the `copyfrom` course; this is the default
     * `copymaterialsfiles|copymaterialsfiles true` - Copy files referenced by materials in the `copyfrom` course
@@ -325,7 +365,7 @@ gam update courses <CourseEntity> <CourseAttribute>+
     * `members students` - Copy students
     * `members teachers` - Copy teachers
 
-When true, `logdrivefileids [<Boolean>>]` generates a CSV file with headers `courseId,ownerId,fileId' that
+When true, `logdrivefileids [<Boolean>]` generates a CSV file with headers `courseId,ownerId,fileId' that
 lists all drive files in the course.
 
 The Classroom API does not support course materials of type `form`, they will not be copied.
@@ -337,7 +377,7 @@ Drive files with `shareMode` `Each student will get a copy` don't seem to be abl
 
 ## Delete courses
 Classes can only be deleted when they are in the ARCHIVED state; to delete a class, you can update its state to ARCHIVED
-and then delete it or you can specify that it be archived as part of the delete command.
+and then delete it or you can specify that it be archived as parot of the delete command.
 ```
 gam delete course <CourseID> [archived]
 gam delete courses <CourseEntity> [archived]
@@ -422,14 +462,42 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
+## Display course counts
+Display the number of courses.
+```
+gam print courses
+        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])
+        [owneremailmatchpattern <RegularExpression>]
+        showitemcountonly
+```
+Example
+```
+$ gam print courses states active showitemcountonly
+Getting all Courses that match query (Course State: ACTIVE), may take some time on a large Google Workspace Account...
+Got 268 Courses...
+Got 272 Courses...
+Got 272 Courses...
+272
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print courses states active showitemcountonly)
+Windows PowerShell
+count = & gam print courses states active showitemcountonly
+```
+
 ## Display course announcements
 ```
 gam print course-announcements [todrive <ToDriveAttribute>*]
         (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
         (courseannouncementids <CourseAnnouncementIDEntity>)|(announcementstates <CourseAnnouncementStateList>)*
         (orderby <CourseAnnouncementOrderByFieldName> [ascending|descending])*)
-        [creatoremail] [fields <CourseAnnouncementFieldNameList>] [formatjson [quotechar <Character>]]
+        [creatoremail] [fields <CourseAnnouncementFieldNameList>]
         [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-announcements` command displays course announcement information for all courses.
 
@@ -458,6 +526,8 @@ By default, all course announcement fields are displayed; use the following opti
 * `creatoremail` - Display course announcement creator email; requires an additional API call per course announcement.
 * `fields <CourseAnnouncementFieldNameList>` - Select specific fields to display.
 
+Use the `countsonly` option to display the number of announcements in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -473,8 +543,9 @@ gam print course-materials [todrive <ToDriveAttribute>*]
         (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
         (materialids <CourseMaterialIDEntity>)|(materialstates <CourseMaterialStateList>)*
         (orderby <CourseMaterialOrderByFieldName> [ascending|descending])*)
-        [showcreatoremails|creatoremail] [showtopicnames] [fields <CourseMaterialFieldNameList>] [formatjson [quotechar <Character>]]
+        [showcreatoremails|creatoremail] [showtopicnames] [fields <CourseMaterialFieldNameList>]
         [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-materials` command displays course materials information for all courses.
 
@@ -504,6 +575,8 @@ By default, all course materials fields are displayed; use the following options
 * `showtopicnames` - Display topic names; requires and additional API call per course.
 * `fields <CourseMaterialsFieldNameList>` - Select specific fields to display.
 
+Use the `countsonly` option to display the number of course materials in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -518,8 +591,8 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 gam print course-topics [todrive <ToDriveAttribute>*]
         (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
         (coursetopicids <CourseTopicIDEntity>)
-        [formatjson [quotechar <Character>]]
         [timefilter updatetime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-topics` command displays course topic information for all courses.
 
@@ -544,6 +617,8 @@ To get information about course topics updated within a particular time frame, u
 * `end|endtime <Date>|<Time>` - specify the end of the time frame; if not specified, the time frame will be open ended at the end
 For the filter to apply, `timefilter` and at least one of `start|starttime` and `end|endtime` must be specified.
 
+Use the `countsonly` option to display the number of topics in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -559,8 +634,10 @@ gam print course-work [todrive <ToDriveAttribute>*]
         (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
         (workids <CourseWorkIDEntity>)|(workstates <CourseWorkStateList>)*
         (orderby <CourseWorkOrderByFieldName> [ascending|descending])*)
-        [showcreatoremails] [showtopicnames] [fields <CourseWorkFieldNameList>] [formatjson [quotechar <Character>]]
+        [showcreatoremails] [showtopicnames] [fields <CourseWorkFieldNameList>]
+        [showstudentsaslist [<Boolean>]] [delimiter <Character>]
         [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-work` command displays course work information for all courses.
 
@@ -581,7 +658,7 @@ To get information about course work created/updated/scheduled within a particul
 * `end|endtime <Date>|<Time>` - specify the end of the time frame; if not specified, the time frame will be open ended at the end
 For the filter to apply, `timefilter` and at least one of `start|starttime` and `end|endtime` must be specified.
 
-By default, all pub`lished course work for a course is displayed; use the following options to select specific course work.
+By default, all published course work for a course is displayed; use the following options to select specific course work.
 * `workids <CourseWorkIDEntity>` - Display course work with the IDs specified in `<CourseWorkIDEntity>`.
 * `workstates <CourseWorkStateList>` - Display course work with any of the specified states.
 
@@ -590,6 +667,11 @@ By default, all course work fields are displayed; use the following options to m
 * `showtopicnames` - Display topic names; requires and additional API call per course.
 * `fields <CourseWorkFieldNameList>` - Select specific fields to display.
 
+By default, when course work is assigned to individual students, the student IDs are displayed in multiple indexed columns.
+Use options `showstudentsaslist [<Boolean>]` and `delimiter <Character>` to display the student IDs is a single column as a delimited list.
+
+Use the `countsonly` option to display the number of course works in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -606,8 +688,9 @@ gam print course-submissions [todrive <ToDriveAttribute>*]
         (workids <CourseWorkIDEntity>)|(workstates <CourseWorkStateList>)*
         (orderby <CourseWorkOrderByFieldName> [ascending|descending])*)
         (submissionids <CourseSubmissionIDEntity>)|(submissionstates <CourseSubmissionStateList>)*) [late|notlate]
-        [fields <CourseSubmissionFieldNameList>] [showuserprofile] [formatjson [quotechar <Character>]]
+        [fields <CourseSubmissionFieldNameList>] [showuserprofile]
         [timefilter creationtime|updatetime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-submissions` command displays course submission information for all course work for all courses.
 
@@ -632,7 +715,7 @@ By default, all course submissions for a course work is displayed; use the follo
 * `late` - Display course submissions marked late.
 * `notlate` - Display course submissions not marked late.
 
-To get information about course submissionss created/updated within a particular time frame, use the following options.
+To get information about course submissions created/updated within a particular time frame, use the following options.
 * `timefilter creationtime|updatetime` - select which event to filter
 * `start|starttime <Date>|<Time>` - specify the start of the time frame; if not specified, the time frame will be open ended at the start
 * `end|endtime <Date>|<Time>` - specify the end of the time frame; if not specified, the time frame will be open ended at the end
@@ -645,6 +728,8 @@ By default, only the numeric userId is displayed; use the `showuserprofile` opti
 You can only get profile information if the scope `https://www.googleapis.com/auth/classroom.profile.emails` is enabled
 for service account access; verify with `gam <UserTypeEntity> update serviceaccount`.
 
+Use the `countsonly` option to display the number of submissions in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 

docs/Classroom-Guardians.md

@@ -20,11 +20,15 @@
 <UniqueID> ::= id:<String>
 <GuardianItem> ::= <EmailAddress>|<UniqueID>|<String>
 <GuardianItemList> ::= "<GuardianItem>(,<GuardianItem>)*"
-<GuardianEntity> ::= <GuardianList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+<GuardianEntity> ::=
+        <GuardianList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <StudentItem> ::= <EmailAddress>|<UniqueID>|<String>
 <GuardianInvitationID> ::= <String>
 <GuardianInvitationIDList> ::= "<GuardianInvitationId>(,<GuardianInvitationID>)*"
-<GuardianInvitationIDEntity> ::= <GuardianInvitationIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+<GuardianInvitationIDEntity> ::=
+        <GuardianInvitationIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <GuardianState> ::= complete|pending
 <GuardianStateList> ::= "<GuardianState>(,<GuardianState>)*"
 ```

docs/Classroom-Invitations.md

@@ -3,9 +3,10 @@
 - [Notes](#notes)
 - [Definitions](#definitions)
 - [Create classroom invitations](#create-classroom-invitations)
-- [Accept classroom invitations](#accept-classroom-invitations)
-- [Delete classroom invitations](#delete-classroom-invitations)
+- [Accept classroom invitations by user](#accept-classroom-invitations-by-user)
+- [Delete classroom invitations by user](#delete-classroom-invitations-by-user)
 - [Display classroom invitations by user](#display-classroom-invitations-by-user)
+- [Delete classroom invitations by course](#delete-classroom-invitations-by-course)
 - [Display classroom invitations by course](#display-classroom-invitations-by-course)
 
 ## API documentation
@@ -24,8 +25,6 @@ Scope: https://www.googleapis.com/auth/classroom.rosters           , Checked: FA
 ```
 Follow the directions to authorize the Service Account scopes.
 
-The Classroom API does not support inviting users from outside your domain.
-
 ## Definitions
 ```
 <DomainName> ::= <String>(.<String>)+
@@ -33,11 +32,15 @@ The Classroom API does not support inviting users from outside your domain.
 <UniqueID> ::= id:<String>
 <ClassroomInvitationID> ::= <String>
 <ClassroomInvitationIDList> ::= "<ClassroomInvitationID>(,<ClassroomInvitationID>)*"
-<ClassroomInvitationIDEntity> ::= <ClassroomInvitationIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+<ClassroomInvitationIDEntity> ::=
+        <ClassroomInvitationIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseAlias> ::= <String>
 <CourseID> ::= <Number>|d:<CourseAlias>
 <CourseIDList> ::= "<CourseID>(,<CourseID>)*"
-<CourseEntity> ::= <CourseIDList> | <FileSelector> | <CSVFileSelector | <CSVkmdSelector>
+<CourseEntity> ::=
+        <CourseIDList> | <FileSelector> | <CSVFileSelector | <CSVkmdSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseState> ::= active|archived|provisioned|declined|suspended
 <CourseStateList> ::= all|"<CourseState>(,<CourseState>)*"
 ```
@@ -45,12 +48,18 @@ The Classroom API does not support inviting users from outside your domain.
 Invite users to classes.
 ```
 gam <UserTypeEntity> create classroominvitation courses <CourseEntity> [role owner|student|teacher]
-        [adminaccess|asadmin] [csvformat] [todrive <ToDriveAttributes>*] [formatjson [quotechar <Character>]]
+        [adminaccess|asadmin]
+        [csv|csvformat] [todrive <ToDriveAttributes>*] [formatjson [quotechar <Character>]]
 ```
 If `role` is not specified, `student` will be used.
 
+You can only invite a co-teacher to be an owner of a course.
+
 By default, classroom invitations are issued by the owner of the course, the `adminaccess` option causes the invitations to be issued by the admin named in `oauth2.txt`.
 
+By default, when an invitation is created, GAM outputs details of the invitation as indented keywords and values.
+* `csv|csvformat [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]` - Output the details in CSV format.
+
 ### Example
 
 Suppose you have a CSV file CourseStudent.csv  with two columns: Course,Student.
@@ -60,13 +69,15 @@ gam redirect stdout ./Invites.out redirect stderr stdout csvkmd users CourseStud
 ```
 This command will invite all students to their courses in parallel
 ```
-gam redirect stdout ./Invites.out multiprocess redirect stderr stdout multiprocess csv CourseStudent.csv gam user ~Student create classroominvitation role student course ~Course
+gam redirect stdout ./Invites.out multiprocess redirect stderr stdout multiprocess csv CourseStudent.csv gam user "~Student" create classroominvitation role student course "~Course"
 ```
-## Accept classroom invitations
-Accept classroom invitations for users. You can only invite a co-teacher to be an owner of a course.
+## Accept classroom invitations by user
+Accept classroom invitations for users.
 ```
 gam <UserTypeEntity> accept classroominvitation (ids <ClassroomInvitationIDEntity>)|([courses <CourseEntity>] [role all|owner|student|teacher])
 ```
+`<UserTypeEntity>` must specify users in your domain.
+
 By default, all invitations for the specified users will be accepted.
 
 Select specific invitations to accept:
@@ -77,11 +88,13 @@ Select courses and accept invitations for those courses.
 
 By default, invitations for all roles will be accepted; you can limit the acceptances to invitations of a specific role.
 
-## Delete classroom invitations
+## Delete classroom invitations by user
 Delete classroom invitations for users.
 ```
 gam <UserTypeEntity> delete classroominvitation (ids <ClassroomInvitationIDEntity>)|([courses <CourseEntity>] [role all|owner|student|teacher])
 ```
+`<UserTypeEntity>` must specify users in your domain.
+
 By default, all invitations for the specified users will be deleted.
 
 Select specific invitations to delete:
@@ -100,8 +113,23 @@ gam <UserTypeEntity> show classroominvitations [role all|owner|student|teacher]
 gam <UserTypeEntity> print classroominvitations [todrive <ToDriveAttributes>*] [role all|owner|student|teacher]
         [formatjson [quotechar <Character>]]
 ```
+`<UserTypeEntity>` must specify users in your domain.
+
 By default, invitations for all roles will be displayed; you can limit the display to invitations of a specific role.
 
+## Delete classroom invitations by course
+Delete classroom invitations for courses. This command must be used to delete non-domain member invitations.
+```
+gam delete classroominvitation courses <CourseEntity> (ids <ClassroomInvitationIDEntity>)|(role all|owner|student|teacher)
+```
+Select courses and delete invitations for those courses.
+* `courses <CourseEntity>` - Specify courses
+
+Select specific invitations to delete:
+* `ids <ClassroomInvitationIDEntity>` - Specify invitation IDs
+
+Select invitations to delete by role. By default, invitations for all roles will be deleted; you can limit the deletions to invitations of a specific role.
+
 ## Display classroom invitations by course
 ```
 gam show classroominvitations (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])

docs/Classroom-Membership.md

@@ -6,6 +6,7 @@
 - [Legacy manage membership](#legacy-manage-membership)
 - [Bulk membership changes](#bulk-membership-changes)
 - [Display course membership](#display-course-membership)
+- [Display course membership counts](#display-course-membership-counts)
 
 ## API documentation
 * https://developers.google.com/classroom/reference/rest/
@@ -22,7 +23,9 @@
 <CourseAlias> ::= <String>
 <CourseID> ::= <Number>|d:<CourseAlias>
 <CourseIDList> ::= "<CourseID>(,<CourseID>)*"
-<CourseEntity> ::= <CourseIDList> | <FileSelector> | <CSVFileSelector | <CSVkmdSelector>
+<CourseEntity> ::=
+        <CourseIDList> | <FileSelector> | <CSVFileSelector | <CSVkmdSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseState> ::= active|archived|provisioned|declined|suspended
 <CourseStateList> ::= all|"<CourseState>(,<CourseState>)*"
 ```
@@ -129,3 +132,35 @@ the quote character itself, the column delimiter (comma by default) and new-line
 When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+## Display course membership counts
+Display the number of course participants.
+```
+gam print course-participants
+        (course|class <CourseID>)*|([teacher <UserItem>] [student <UserItem>]) [states <CourseStateList>]
+        [show all|students|teachers]
+        showitemcountonly
+```
+Example
+```
+$ gam print course-participants teacher asmith states active show students showitemcountonly
+Getting all Courses that match query (Teacher: asmith@domain.com, Course State: ACTIVE), may take some time on a large Google Workspace Account...
+Got 3 Courses...
+Getting Students for Course: 636981507234 (1/3)
+Got 30 Students...
+Got 43 Students...
+Getting Students for Course: 589346784341 (2/3)
+Got 22 Students...
+Getting Students for Course: 589345535881 (3/3)
+Got 23 Students...
+88
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print course-participants teacher asmith states active show students showitemcountonly)
+Windows PowerShell
+count = & gam print course-participants teacher asmith states active show students showitemcountonly
+```

docs/Cloud-Channel.md

@@ -1,4 +1,4 @@
-# Cloud Channel
+!# Cloud Channel
 - [API documentation](#api-documentation)
 - [Notes](#notes)
 - [Definitions](#definitions)

docs/Cloud-Identity-Devices.md

@@ -1,4 +1,4 @@
-# Cloud Identity Devices
+!# Cloud Identity Devices
 - [API documentation](#api-documentation)
 - [Query documentation](#query-documentation)
 - [Definitions](#definitions)
@@ -9,11 +9,13 @@
 - [Synchronize devices](#synchronize-devices)
 - [Display devices](#display-devices)
 - [Print devices](#print-devices)
+- [Display device counts](#display-device-counts)
 - [Approve or block device users](#approve-or-block-device-users)
 - [Delete device users](#delete-device-users)
 - [Wipe device users](#wipe-device-users)
 - [Perform device user actions](#perform-device-user-actions)
 - [Display device users](#display-device-users)
+- [Display device user counts](#display-device-user-counts)
 - [Print device users](#print-device-users)
 - [Display device user client state](#display-device-user-client-state)
 - [Update device user client state](#update-device-user-client-state)
@@ -36,8 +38,9 @@
         See: https://support.google.com/a/answer/7549103
 <QueryDeviceList> ::= "<QueryDevice>(,<QueryDevice>)*"
 <DeviceID> ::= devices/<String>
+<DeviceIDList> ::= "<DeviceID>(,<DeviceID>)*"
 <DeviceEntity> ::=
-        <DeviceIDList> |
+        <DeviceIDList> | devicesn <String> |
         (query:<QueryDevice>)|(query <QueryDevice>)
 <DeviceType> ::= android|chrome_os|google_sync|linux|mac_os|windows
 <DeviceUserID> ::= devices/<String>/deviceUsers/<String>
@@ -167,7 +170,7 @@ These two/three columns are used to match current company devices against the CS
 If `preview` is specified, the operations that would be performed are previewed but are not performed; use this to test.
 ```
 gam sync devices
-        [(query <QueryDevice>)|(queries <QueryDeviceList>) (querytime.* <Time>)*]
+        [(query <QueryDevice>)|(queries <QueryDeviceList>) (querytime<String> <Time>)*]
         csvfile <FileName>
         (devicetype_column <String>)|(static_devicetype <DeviceType>)
         (serialnumber_column <String>)
@@ -190,7 +193,7 @@ By default, Gam displays the information as an indented list of keys and values.
 ## Print devices
 ```
 gam print devices [todrive <ToDriveAttribute>*]
-        [(query <QueryDevice>)|(queries <QueryDeviceList>) (querytime.* <Time>)*]
+        [(query <QueryDevice>)|(queries <QueryDeviceList>) (querytime<String> <Time>)*]
         <DeviceFieldName>* [fields <DeviceFieldNameList>] [userfields <DeviceUserFieldNameList>]
         [orderby <DeviceOrderByFieldName> [ascending|descending]]
         [all|company|personal|nocompanydevices|nopersonaldevices]
@@ -224,6 +227,37 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
+## Display device counts
+Display the number of devices.
+```
+gam print devices
+        [(query <QueryDevice>)|(queries <QueryDeviceList>) (querytime<String> <Time>)*]
+        [all|company|personal|nocompanydevices|nopersonaldevices]
+        showitemcountonly
+```
+Example
+```
+$ gam print devices queries "'model:Mac'" showitemcountonly
+Getting all Devices that match query (model:Mac), may take some time on a large Google Workspace Account...
+Got 100 Devices...
+Got 200 Devices...
+Got 300 Devices...
+...
+Got 900 Devices...
+Got 995 Devices...
+Got 995 Devices...
+995
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print devices queries "'model:Mac'" showitemcountonly)
+Windows PowerShell
+count = & gam print devices queries "'model:Mac'" showitemcountonly
+```
+
 ## Approve or block device users
 Approve or block user profiles on a device.
 ```
@@ -266,7 +300,7 @@ gam info deviceuser <DeviceUserEntity>
 ```
 gam print deviceusers [todrive <ToDriveAttribute>*]
         [select <DeviceID>]
-        [(query <QueryDevice>)|(queries <QueryDeviceList>) (querytime.* <Time>)*]
+        [(query <QueryDevice>)|(queries <QueryDeviceList>) (querytime<String> <Time>)*]
         <DeviceUserFieldName>* [fields <DeviceUserFieldNameList>]
         [orderby <DeviceOrderByFieldName> [ascending|descending]]
         [formatjson [quotechar <Character>]]
@@ -284,6 +318,38 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
+## Display device user counts
+Display the number of device users.
+```
+gam print deviceusers [todrive <ToDriveAttribute>*]
+        [select <DeviceID>]
+        [(query <QueryDevice>)|(queries <QueryDeviceList>) (querytime<String> <Time>)*]
+        showitemcountonly
+```
+Example
+```
+$ gam print deviceusers queries "'model:Mac'" showitemcountonly
+Getting all Device Users that match query (model:Mac), may take some time on a large Google Workspace Account...
+Got 20 Device Users...
+Got 40 Device Users...
+Got 60 Device Users...
+...
+Got 980 Device Users...
+Got 995 Device Users...
+Got 995 Device Users...
+995
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print deviceusers queries "'model:Mac'" showitemcountonly)
+Windows PowerShell
+count = & gam print deviceusers queries "'model:Mac'" showitemcountonly
+```
+
+
 ## Display device user client state
 ```
 gam info deviceuserstate <DeviceUserEntity> [clientid <String>] 

docs/Cloud-Identity-Groups-Membership.md

@@ -61,7 +61,9 @@ and Cloud Identity Premium accounts. Unfortunately, even if you have the require
 <UniqueID> ::= id:<String>
 <GroupItem> ::= <EmailAddress>|<UniqueID>|groups/<String>
 <GroupList> ::= "<GroupItem>(,<GroupItem>)*"
-<GroupEntity> ::= <GroupList>|<FileSelector>|<CSVkmdSelector>|<CSVDataSelector>
+<GroupEntity> ::=
+        <GroupList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <GroupRole> ::= owner|manager|member
 <GroupRoleList> ::= "<GroupRole>(,<GroupRole>)*"
 <CIGroupType> ::= customer|group|other|serviceaccount|user
@@ -176,14 +178,18 @@ testgroup@domain.com,testuser4@domain.com,MEMBER,Remove Failed,Does not exist
 
 ## Synchronize members in a group
 A synchronize operation gets the current membership for a group and does adds and deletes as necessary to make it match `<UserTypeEntity>`.
+This is done by specific role except for a special case where role is ignored.
 ```
-gam update cigroups <GroupEntity> sync [<GroupRole>]
+gam update cigroups <GroupEntity> sync [<GroupRole>|ignorerole]
         [usersonly|groupsonly] [addonly|removeonly]
         [notsuspended|suspended] [notarchived|archived]
         [expire|expires <Time>] [preview] [actioncsv]
         <UserTypeEntity>
 ```
-If `<GroupRole>` is not specified, `member` is assumed.
+If `ignorerole` is specified, GAM removes members regardless of role and adds new members with role MEMBER.
+This is a special purpose option, use with caution and ensure that `<UserTypeEntity>` specifies the full desired membership list of all roles.
+
+If neither `<GroupRole>` nor `ignorerole` is specified, `member` is assumed.
 
 When `<UserTypeEntity>` specifies a group or groups:
 * `usersonly` - Only the user members from the specified groups are added/deleted
@@ -221,7 +227,7 @@ If `actioncsv` is specified, a CSV file with columns `group,email,role,action,me
 that shows the actions performed when updating the group.
 
 ### Examples using CSV file and Google sheets:
-* https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Users#examples-using-csv-files-and-google-sheets-to-update-the-membership-of-a-group
+* https://github.com/GAM-team/GAM/wiki/Collections-of-Users#examples-using-csv-files-and-google-sheets-to-update-the-membership-of-a-group
 
 ### Example
 Assume that at your school there is a group for each grade level and the members come from an OU; here is a sample CSV file GradeOU.csv
@@ -231,10 +237,10 @@ seniors@domain.org,/Students/ClassOf2018
 juniors@domain.org,/Students/ClassOf2019
 ...
 ```
-This allows you to do: `gam csv GradeOU.csv gam update cigroup ~Grade sync members ou ~OU`
+This allows you to do: `gam csv GradeOU.csv gam update cigroup "~Grade" sync members ou "~OU"`
 But suppose that at each grade level there are additional group members that are groups of faculty/staff; e.g., senioradvisors@domain.org.
 In this scenario, you can't do the `update cigroup sync` command as the members that are groups will be deleted; the `usersonly` option allows
-the `update cigroup sync` command to work: `gam csv GradeOU.csv gam update cigroup ~Grade sync members usersonly ou ~OU`
+the `update cigroup sync` command to work: `gam csv GradeOU.csv gam update cigroup "~Grade" sync members usersonly ou "~OU"`
 The users from the OU are matched against the user members of the group and adds/deletes are done as necessary to synchronize them;
 the group members of the group are unaffected.
 

docs/Cloud-Identity-Groups.md

@@ -9,6 +9,7 @@
 - [Manage groups](#manage-groups)
 - [Display information about individual groups](#display-information-about-individual-groups)
 - [Display information about multiple groups](#display-information-about-multiple-groups)
+- [Display group counts](#display-group-counts)
 
 ## API documentation
 * https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups
@@ -57,7 +58,9 @@ and Cloud Identity Premium accounts. Unfortunately, even if you have the require
 <UniqueID> ::= id:<String>
 <GroupItem> ::= <EmailAddress>|<UniqueID>|<String>
 <GroupList> ::= "<GroupItem>(,<GroupItem>)*"
-<GroupEntity> ::= <GroupList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+<GroupEntity> ::=
+        <GroupList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <GroupRole> ::= owner|manager|member
 <GroupRoleList> ::= "<GroupRole>(,<GroupRole>)*"
 <CIGroupType> ::= customer|group|other|serviceaccount|user
@@ -365,7 +368,38 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
+### Display dynamic groups
+```
+gam print cigroups query "'cloudidentity.googleapis.com/groups.dynamic' in labels"
+```
+
 ### Display security groups
 ```
 gam print cigroups query "'cloudidentity.googleapis.com/groups.security' in labels"
 ```
+
+## Display group counts
+Display the number of groups.
+```
+gam print cigroups
+        [(cimember|showownedby <UserItem>)|(select <GroupEntity>)|(query <String>)]
+        [emailmatchpattern [not] <RegularExpression>] [namematchpattern [not] <RegularExpression>]
+        [descriptionmatchpattern [not] <RegularExpression>]
+        showitemcountonly
+```
+Example
+```
+$ gam print cigroups showitemcountonly
+Getting all Cloud Identity Groups, may take some time on a large Google Workspace Account...
+Got 242 Cloud Identity Groups: td.current@domain.com - postmaster@domain.com
+242
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print cigroups showitemcountonly)
+Windows PowerShell
+count = & gam print cidgroups showitemcountonly
+```

docs/Cloud-Storage.md

@@ -1,4 +1,4 @@
-# Cloud Storage
+!# Cloud Storage
 - [API documentation](#api-documentation)
 - [Notes](#notes)
 - [Definitions](#definitions)

docs/Collections-of-ChromeOS-Devices.md

@@ -1,4 +1,4 @@
-# Collections of ChromeOS Devices
+!# Collections of ChromeOS Devices
 - [Python Regular Expressions](Python-Regular-Expressions) Match function
 - [Definitions](#definitions)
 - [Organization Unit Quoting](#organization-unit-quoting)
@@ -50,6 +50,8 @@
 
 <UserGoogleDoc> ::=
         <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>)
+
+<SheetEntity> ::= <String>|id:<Number>
 <UserGoogleSheet> ::=
         <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>) <SheetEntity>
 
@@ -90,7 +92,7 @@
              (gdoc(:<FieldName>)+ <UserGoogleDoc>)|
              (gcscsv(:<FieldName>)+ <StorageBucketObjectName>)|
              (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
-            [warnifnodata] [columndelimiter <Character>] [quotechar <Character>]
+            [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
             [endcsv|(fields <FieldNameList>)]
             (matchfield|skipfield <FieldName> <RegularExpression>)*
             [delimiter <Character>])|
@@ -100,7 +102,7 @@
              (gdoc(:<FieldName>)+ <UserGoogleDoc>)|
              (gcscsv(:<FieldName>)+ <StorageBucketObjectName>)|
              (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
-            [warnifnodata] [columndelimiter <Character>] [quotechar <Character>]
+            [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
             [endcsv|(fields <FieldNameList>)]
             (matchfield|skipfield <FieldName> <RegularExpression>)*
             [delimiter <Character>])|
@@ -117,7 +119,7 @@
               (gdoc(:<FieldName>)+ <UserGoogleDoc>)|
               (gcscsv(:<FieldName>)+ <StorageBucketObjectName>)|
               (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
-            [warnifnodata] [columndelimiter <Character>] [quotechar <Character>]
+            [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
             [endcsv|(fields <FieldNameList>)]
             (matchfield|skipfield <FieldName> <RegularExpression>)*
             [delimiter <Character>])|
@@ -128,7 +130,7 @@
               (gdoc <UserGoogleDoc>)|
               (gcscsv <StorageBucketObjectName>)|
               (gcsdoc <StorageBucketObjectName>))
-             [charset <Charset>] [columndelimiter <Character>] [quotechar <Character>] [fields <FieldNameList>])
+             [charset <Charset>] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>] [fields <FieldNameList>])
             keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
             subkeyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
             (matchfield|skipfield <FieldName> <RegularExpression>)*
@@ -263,7 +265,7 @@ croscsvfile
     (gdoc(:<FieldName>)+ <UserGoogleDoc>)|
     (gcscsv(:<FieldName>)+ <StorageBucketObjectName>)|
     (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
-   [warnifnodata] [columndelimiter <Character>] [quotechar <Character>]
+   [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
    [endcsv|(fields <FieldNameList>)]
    (matchfield|skipfield <FieldName> <RegularExpression>)*
    [delimiter <Character>]
@@ -276,6 +278,7 @@ croscsvfile
 * `gcsdoc(:<FieldName>)+ <StorageBucketObjectName>` - A Google Cloud Storage Bucket Object and the one or more columns that contain ChromeOS deviceIds
 * `warnifnodata` - Issue message 'No CSV file data found' and exit with return code 60 if there is no data selected from the file
 * `columndelimiter <Character>` - Columns are  separated by `<Character>`; if not specified, the value of `csv_input_column_delimiter` from `gam.cfg` will be used
+* `noescapechar <Boolean>` - Should `\` be ignored as an escape character; if not specified, the value of `csv_input_no_escape_char` from `gam.cfg` will be used
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
@@ -290,7 +293,7 @@ croscsvfile_sn
     (gdoc(:<FieldName>)+ <UserGoogleDoc>)|
     (gcscsv(:<FieldName>)+ <StorageBucketObjectName>)|
     (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
-   [warnifnodata] [columndelimiter <Character>] [quotechar <Character>]
+   [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
    [endcsv|(fields <FieldNameList>)]
    (matchfield|skipfield <FieldName> <RegularExpression>)*
    [delimiter <Character>]
@@ -303,6 +306,7 @@ croscsvfile_sn
 * `gcsdoc(:<FieldName>)+ <StorageBucketObjectName>` - A Google Cloud Storage Bucket Object and the one or more columns that contain ChromeOS serial numbers
 * `warnifnodata` - Issue message 'No CSV file data found' and exit with return code 60 if there is no data selected from the file
 * `columndelimiter <Character>` - Columns are  separated by `<Character>`; if not specified, the value of `csv_input_column_delimiter` from `gam.cfg` will be used
+* `noescapechar <Boolean>` - Should `\` be ignored as an escape character; if not specified, the value of `csv_input_no_escape_char` from `gam.cfg` will be used
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
@@ -334,7 +338,7 @@ csvdatafile
      (gdoc(:<FieldName>)+ <UserGoogleDoc>)|
      (gcscsv(:<FieldName>)+ <StorageBucketObjectName>)|
      (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
-   [warnifnodata] [columndelimiter <Character>] [quotechar <Character>]
+   [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
    [endcsv|(fields <FieldNameList>)]
    (matchfield|skipfield <FieldName> <RegularExpression>)*
    [delimiter <Character>]
@@ -348,6 +352,7 @@ csvdatafile
 * `gcsdoc(:<FieldName>)+ <StorageBucketObjectName>` - A Google Cloud Storage Bucket Object and the one or more columns that contain ChromeOS deviceIds
 * `warnifnodata` - Issue message 'No CSV file data found' and exit with return code 60 if there is no data selected from the file
 * `columndelimiter <Character>` - Columns are  separated by `<Character>`; if not specified, the value of `csv_input_column_delimiter` from `gam.cfg` will be used
+* `noescapechar <Boolean>` - Should `\` be ignored as an escape character; if not specified, the value of `csv_input_no_escape_char` from `gam.cfg` will be used
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
@@ -363,7 +368,7 @@ csvkmd
      (gdoc <UserGoogleDoc>)|
      (gcscsv <StorageBucketObjectName>)|
      (gcsdoc <StorageBucketObjectName>))
-    [charset <Charset>] [columndelimiter <Character>] [quotechar <Character>] [fields <FieldNameList>])
+    [charset <Charset>] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>] [fields <FieldNameList>])
    keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
    subkeyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
    (matchfield|skipfield <FieldName> <RegularExpression>)*
@@ -376,6 +381,7 @@ csvkmd
 * `gdoc <UserGoogleDoc>` - A Google Doc containing rows with columns of the type of item specified
 * `warnifnodata` - Issue message 'No CSV file data found' and exit with return code 60 if there is no data selected from the file
 * `columndelimiter <Character>` - Columns are  separated by `<Character>`; if not specified, the value of `csv_input_column_delimiter` from `gam.cfg` will be used
+* `noescapechar <Boolean>` - Should `\` be ignored as an escape character; if not specified, the value of `csv_input_no_escape_char` from `gam.cfg` will be used
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings

docs/Collections-of-Items.md

@@ -1,4 +1,4 @@
-# Collections of Items
+!# Collections of Items
 - [Python Regular Expressions](Python-Regular-Expressions) Match function
 - [Definitions](#definitions)
 - [ListSelector](#listselector)
@@ -63,7 +63,7 @@ A CSV file with one or more columns per row that contain Items.
                  (gdoc(:<FieldName>)+ <UserGoogleDoc>)|
                  (gcscsv(:<FieldName>)+ <StorageBucketObjectName>)|
                  (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
-                [warnifnodata] [columndelimiter <Character>] [quotechar <Character>]
+                [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
                 [endcsv|(fields <FieldNameList>)]
                 (matchfield|skipfield <FieldName> <RegularExpression>)*
                 [delimiter <Character>]
@@ -75,6 +75,7 @@ A CSV file with one or more columns per row that contain Items.
 * `gcsdoc(:<FieldName>)+ <StorageBucketObjectName>` - A Google Cloud Storage Bucket Object and the one or more columns that contain Items
 * `warnifnodata` - Issue message 'No CSV file data found' and exit with return code 60 if there is no data selected from the file
 * `columndelimiter <Character>` - Columns are  separated by `<Character>`; if not specified, the value of `csv_input_column_delimiter` from `gam.cfg` will be used
+* `noescapechar <Boolean>` - Should `\` be ignored as an escape character; if not specified, the value of `csv_input_no_escape_char` from `gam.cfg` will be used
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
@@ -90,7 +91,7 @@ A CSV file with a key column that contains an Item and optional subkey and data
                  (gdoc <UserGoogleDoc>)|
                  (gcscsv <StorageBucketObjectName>)|
                  (gcsdoc <StorageBucketObjectName>))
-                 [charset <Charset>] [columndelimiter <Character>] [quotechar <Character>] [fields <FieldNameList>])
+                 [charset <Charset>] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>] [fields <FieldNameList>])
                 keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
                 subkeyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
                 (matchfield|skipfield <FieldName> <RegularExpression>)*
@@ -102,6 +103,7 @@ A CSV file with a key column that contains an Item and optional subkey and data
 * `gcscsv <StorageBucketObjectName>` - A Google Cloud Storage Bucket Object containing rows with columns of items
 * `gcsdoc <StorageBucketObjectName>` - A Google Cloud Storage Bucket Object containing rows with columns of items
 * `columndelimiter <Character>` - Columns are  separated by `<Character>`; if not specified, the value of `csv_input_column_delimiter` from `gam.cfg` will be used
+* `noescapechar <Boolean>` - Should `\` be ignored as an escape character; if not specified, the value of `csv_input_no_escape_char` from `gam.cfg` will be used
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
@@ -165,10 +167,6 @@ Data fields identified in a `csvkmd` argument.
 <CrOSEntity> ::=
         <CrOSIDList> | (cros_sn <SerialNumberList>) |
         (query:<QueryCrOS>) | (query:orgunitpath:<OrgUnitPath>) | (query <QueryCrOS>)
-<DataStudioAssetIDEntity> ::=
-        <DataStudioAssetIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-<DataStudioPermissionEntity> ::=
-        <DataStudioPermissionList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <DeviceIDEntity> ::=
         <DeviceIDList> | (device_sn <SerialNumber>)
         (query:<QueryDevice>) | (query <QueryDevice>)
@@ -202,12 +200,17 @@ Data fields identified in a `csvkmd` argument.
         all_shortcuts |
         all_3p_shortcuts |
         all_items |
+        my_docs |
         my_files |
         my_folders |
         my_forms |
         my_google_files |
         my_non_google_files |
+        my_presentations |
+        my_publishable_items |
+        my_sheets |
         my_shortcuts |
+        my_slides |
         my_3p_shortcuts |
         my_items |
         my_top_files |
@@ -264,6 +267,8 @@ Data fields identified in a `csvkmd` argument.
         <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <DriveLabelNameEntity> ::=
         <DriveLabelNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
+<DriveLabelPermissionNameEntity> ::=
+        <DriveLabelPermissionNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
 <EmailAddressEntity> ::=
         <EmailAddressList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <FilterIDEntity> ::=
@@ -282,6 +287,10 @@ Data fields identified in a `csvkmd` argument.
         <LabelIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <LabelNameEntity> ::=
         <LabelNameList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+<LookerStudioAssetIDEntity> ::=
+        <LookerStudioAssetIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+<LookerStudioPermissionEntity> ::=
+        <LookerStudioPermissionList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <MessageIDEntity> ::=
         <MessageIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <MobileEntity> ::=
@@ -332,8 +341,8 @@ Data fields identified in a `csvkmd` argument.
         <SiteACLScopeList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <SiteEntity> ::=
         <SiteList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-<TasklistIDEntity> ::=
-        <TasklistIDList> | <FileSelector> | <CSVFileSelector>
+<TasklistEntity> ::=
+        <TasklistIDList> | <TaskListTitleList> | <FileSelector> | <CSVFileSelector>
 <TasklistIDTaskIDEntity> ::=
         <TasklistIDTaskIDList> | <FileSelector> | <CSVFileSelector>
 <ThreadIDEntity> ::=

docs/Collections-of-Users.md

@@ -1,4 +1,4 @@
-# Collections of Users
+!# Collections of Users
 - [Python Regular Expressions](Python-Regular-Expressions) Match function
 - [Definitions](#definitions)
 - [List quoting rules](#list-quoting-rules)
@@ -55,6 +55,8 @@
 
 <UserGoogleDoc> ::=
         <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>)
+
+<SheetEntity> ::= <String>|id:<Number>
 <UserGoogleSheet> ::=
         <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>) <SheetEntity>
 ```
@@ -88,8 +90,6 @@
         <SharedDriveIDEntity> |
         <SharedDriveNameEntity>
 
-<SheetEntity> ::= <String>|id:<Number>
-
 <UserTypeEntity> ::=
         (all users|users_ns|users_susp|users_ns_susp)|
         (user <UserItem>)|
@@ -127,7 +127,7 @@
              (gdoc(:<FieldName>)+ <UserGoogleDoc>)|
              (gcscsv(:<FieldName>)+ <StorageBucketObjectName>)|
              (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
-            [warnifnodata] [columndelimiter <Character>] [quotechar <Character>]
+            [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>][quotechar <Character>]
             [endcsv|(fields <FieldNameList>)]
             (matchfield|skipfield <FieldName> <RegularExpression>)*
             [delimiter <Character>])|
@@ -148,7 +148,7 @@
               (gdoc(:<FieldName>)+ <UserGoogleDoc>)|
               (gcscsv(:<FieldName>)+ <StorageBucketObjectName>)|
               (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
-            [warnifnodata] [columndelimiter <Character>] [quotechar <Character>]
+            [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>][quotechar <Character>]
             [endcsv|(fields <FieldNameList>)]
             (matchfield|skipfield <FieldName> <RegularExpression>)*
             [delimiter <Character>])|
@@ -161,7 +161,7 @@
               (gdoc <UserGoogleDoc>)|
               (gcscsv <StorageBucketObjectName>)|
               (gcsdoc <StorageBucketObjectName>))
-             [charset <Charset>] [columndelimiter <Character>] [quotechar <Character>] [fields <FieldNameList>])
+             [charset <Charset>] [columndelimiter <Character>] [noescapechar <Boolean>][quotechar <Character>] [fields <FieldNameList>])
             keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
             subkeyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
             (matchfield|skipfield <FieldName> <RegularExpression>)*
@@ -360,7 +360,7 @@ csvfile
     (gdoc(:<FieldName>)+ <UserGoogleDoc>)|
     (gcscsv(:<FieldName>)+ <StorageBucketObjectName>)|
     (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
-   [warnifnodata] [columndelimiter <Character>] [quotechar <Character>]
+   [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>][quotechar <Character>]
    [endcsv|(fields <FieldNameList>)]
    (matchfield|skipfield <FieldName> <RegularExpression>)*
    [delimiter <Character>]
@@ -373,7 +373,8 @@ csvfile
 * `gcsdoc(:<FieldName>)+ <StorageBucketObjectName>` - A Google Cloud Storage Bucket Object and the one or more columns that contain Users
 * `warnifnodata` - Issue message 'No CSV file data found' and exit with return code 60 if there is no data selected from the file
 * `columndelimiter <Character>` - Columns are  separated by `<Character>`; if not specified, the value of `csv_input_column_delimiter` from `gam.cfg` will be used
-* `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
+* `noescapechar <Boolean>` - Should `\` be ignored as an escape character; if not specified, the value of `csv_input_no_escape_char` from `gam.cfg` will be used
+* `quotechar <Character>` - The column quote character is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
 * `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
@@ -408,7 +409,7 @@ csvdatafile
      (gdoc(:<FieldName>)+ <UserGoogleDoc>)|
      (gcscsv(:<FieldName>)+ <StorageBucketObjectName>)|
      (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
-   [warnifnodata] [columndelimiter <Character>] [quotechar <Character>]
+   [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>][quotechar <Character>]
    [endcsv|(fields <FieldNameList>)]
    (matchfield|skipfield <FieldName> <RegularExpression>)*
    [delimiter <Character>]
@@ -422,7 +423,8 @@ csvdatafile
 * `gcsdoc(:<FieldName>)+ <StorageBucketObjectName>` - A Google Cloud Storage Bucket Object and the one or more columns contain the type of item specified
 * `warnifnodata` - Issue message 'No CSV file data found' and exit with return code 60 if there is no data selected from the file
 * `columndelimiter <Character>` - Columns are  separated by `<Character>`; if not specified, the value of `csv_input_column_delimiter` from `gam.cfg` will be used
-* `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
+* `noescapechar <Boolean>` - Should `\` be ignored as an escape character; if not specified, the value of `csv_input_no_escape_char` from `gam.cfg` will be used
+* `quotechar <Character>` - The column quote character is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
 * `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
@@ -439,7 +441,7 @@ csvkmd
      (gdoc <UserGoogleDoc>)|
      (gcscsv <StorageBucketObjectName>)|
      (gcsdoc <StorageBucketObjectName>))
-    [charset <Charset>] [columndelimiter <Character>] [quotechar <Character>] [fields <FieldNameList>])
+    [charset <Charset>] [columndelimiter <Character>] [noescapechar <Boolean>][quotechar <Character>] [fields <FieldNameList>])
    keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
    subkeyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
    (matchfield|skipfield <FieldName> <RegularExpression>)*
@@ -454,7 +456,8 @@ csvkmd
 * `gcsdoc <StorageBucketObjectName>` - A Google Cloud Storage Bucket Object with columns of the type of item specified
 * `warnifnodata` - Issue message 'No CSV file data found' and exit with return code 60 if there is no data selected from the file
 * `columndelimiter <Character>` - Columns are  separated by `<Character>`; if not specified, the value of `csv_input_column_delimiter` from `gam.cfg` will be used
-* `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
+* `noescapechar <Boolean>` - Should `\` be ignored as an escape character; if not specified, the value of `csv_input_no_escape_char` from `gam.cfg` will be used
+* `quotechar <Character>` - The column quote character is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
 * `(keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>])+`

docs/Command-Data-From-Google-Docs-Sheets-Storage.md

@@ -1,4 +1,4 @@
-# Command data from Google Docs, Sheets and Cloud Storage
+!# Command data from Google Docs, Sheets and Cloud Storage
 - [Introduction](#introduction)
 - [Definitions](#definitions)
 - [Read data from a Google Doc or Drive File](#read-data-from-a-google-doc-or-drive-file)

docs/Command-Line-Parsing.md

@@ -1,8 +1,9 @@
-# Command Line Parsing
+!# Command Line Parsing
 - [Linux and MacOS](#linux-and-macos)
 - [Windows Command Prompt](#windows-command-prompt)
 - [Windows PowerShell](#windows-powershell)
 - [List quoting rules](#list-quoting-rules)
+- [Queries example](#queries-example)
 
 ## Linux and MacOS
 
@@ -16,6 +17,10 @@ To embed a `'` in a string enclosed in `"`, enter `'`; `name "Test'Group"`.
 
 To embed a `"` in a string enclosed in `'`, enter `"`; `name 'Test"Group'`.
 
+To embed a `'` in a string enclosed in `'`, enter `'\''`; `name 'Test'\''Group'`.
+
+To embed a `"` in a string enclosed in `"`, enter `\"`; `name "Test\"Group"`.
+
 Linux and MacOS do not recognize smart or curly quotes, `“` and `”`, they can not be used to enclose arguments.
 
 ## Windows Command Prompt
@@ -56,3 +61,19 @@ Typically, you will enclose the entire list in double quotes and quote each item
    * ```"'it em' 'it,em' \"it'em\""```
 
 Typical places where these rules apply are lists of OUs and Contact Groups.
+
+## Queries example
+### Linux and MacOS
+```
+gam print users queries "\"orgUnitPath='/Students/Lower School/2027'\",\"orgUnitPath='/Students/Lower School/2028'\""
+```
+
+### Windows Command Prompt
+```
+gam print users queries "\"orgUnitPath='/Students/Lower School/2027'\",\"orgUnitPath='/Students/Lower School/2028'\""
+```
+
+### Windows Power Shell
+```
+gam print users queries "`"orgUnitPath=\'/Students/Lower\ School/2027\'`",`"orgUnitPath=\'/Students/Lower\ School/2028\'`""
+```

docs/Command-Logging-Progress.md

@@ -1,4 +1,4 @@
-# Command Logging and Progress
+!# Command Logging and Progress
 - [Introduction](#introduction)
 - [GAM Configuration](gam.cfg)
 - [Command Logging](#command-logging)
@@ -35,7 +35,7 @@ The log file being written to is always `gam.log`. When this log file is filled,
 
 Commands are logged at completion with a timestamp, return code and the command line
 ```
-2021-08-01T19:350:30.777-07:00,0,/Users/admin/bin/gamadv-xtd3/gam info domain
+2021-08-01T19:350:30.777-07:00,0,/Users/admin/bin/gam7/gam info domain
 ```
 
 Commands that generate sub-commands, `gam batch|tbatch|csv|loop`, log the initial command with a return code of `*`,
@@ -44,14 +44,14 @@ the sub-command lines and the initial command with a numeric return code.
 $ gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv gam info user "~primaryEmail" quick name
 2021-08-01T19:50:38.151-07:00,0/6,Using 6 processes...
 $ more ~/.gam/gam.log
-2021-08-01T19:50:38.120-07:00,*,/Users/admin/bin/gamadv-xtd3/gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv showcmds false gam info user ~primaryEmail quick name
+2021-08-01T19:50:38.120-07:00,*,/Users/admin/bin/gam7/gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv showcmds false gam info user "~primaryEmail" quick name
 2021-08-01T19:50:39.144-07:00,0,gam info user testuser2 quick name
 2021-08-01T19:50:39.358-07:00,0,gam info user testuser3 quick name
 2021-08-01T19:50:39.358-07:00,0,gam info user testuser1 quick name
 2021-08-01T19:50:39.401-07:00,0,gam info user testuser5 quick name
 2021-08-01T19:50:39.459-07:00,56,gam info user testuserx quick name
 2021-08-01T19:50:39.470-07:00,0,gam info user testuser4 quick name
-2021-08-01T19:50:39.483-07:00,0,/Users/admin/bin/gamadv-xtd3/gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv showcmds false gam info user ~primaryEmail quick name
+2021-08-01T19:50:39.483-07:00,0,/Users/admin/bin/gam7/gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv showcmds false gam info user "~primaryEmail" quick name
 ```
 
 ## Command Progress

docs/Context-Aware-Access-Levels.md

@@ -8,6 +8,7 @@
 - [Parameters for Basic Levels](#parameters-for-basic-levels)
 - [Create an Access Level](#create-an-access-level)
 - [Update an Access Level](#update-an-access-level)
+- [Update Access Levels with JSON](#update-access-levels-with-json)
 - [Delete an Access Level](#delete-an-access-level)
 - [Display all Access Levels](#display-all-access-levels)
 - [CAA Region Codes](#caa-region-codes)
@@ -23,7 +24,7 @@ gam update project
 ```
 
 ## API documentation
-* https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies/list
+* https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies
 
 ## Grant Service Account Rights to Manage CAA
 In order for GAM to manage CAA access levels, you need to grant your service account a special role for your GCP organization.
@@ -41,6 +42,8 @@ In order for GAM to manage CAA access levels, you need to grant your service acc
 
 ## Definitions
 ```
+<JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |
+
 <QueryCEL> ::= <String>
         See: https://cloud.google.com/access-context-manager/docs/custom-access-level-spec
 
@@ -144,7 +147,7 @@ basic
 ## Create an Access Level
 Create a new access level. CAA supports basic and custom conditions.
 ```
-gam create caalevel <String> [description <String>] (basic <CAABasicAttribute>+)|(custom <QueryCEL>)
+gam create caalevel <String> [description <String>] (basic <CAABasicAttribute>+)|(custom <QueryCEL>)|<JSONData>
 ```
 
 ## Example
@@ -166,7 +169,7 @@ gam create caalevel CORP_IPS basic condition ipsubnetworks 1.2.3.0/24,4.5.6.0/24
 ## Update an Access Level
 Updates an existing access level. CAA supports basic and custom conditions.
 ```
-gam update caalevel <CAALevelName> [description <String>] (basic <CAABasicAttribute>+)|(custom <QueryCEL>)
+gam update caalevel <CAALevelName> [description <String>] (basic <CAABasicAttribute>+)|(custom <QueryCEL>)|<JSONData>
 ```
 
 ## Examples
@@ -175,6 +178,27 @@ This example adds UK to the allowed regions for CORP_COUNTRIES
 gam update caalevel CORP_COUNTRIES basic condition regions US,CA,UK endcondition
 ```
 
+## Update Access Levels with JSON
+Update existing CAA levels via their JSON data; create a CSV file of CAA levels.
+```
+gam redirect csv ./CAAlevels.csv print caalevels formatjson quotechar "'"
+```
+Edit the JSON column for the desired CAA level(s) in CAAlevels.csv.
+Update the desired CAA level by selecting the row by it's title; repeat for each title to update.
+```
+gam config csv_input_row_filter "title:text='Example Title'" csv CAAlevels.csv quotechar "'" gam update caalevel "~name" json "~JSON"
+```
+
+## Example
+Edit CAAlevels.csv and add UK to the allowed regions for CORP_COUNTRIES
+```
+{"regions": ["US", "CA", "UK"]}
+```
+Do the update.
+```
+gam config csv_input_row_filter "title:text='CORP_COUNTRIES'" csv CAAlevels.csv quotechar "'" gam update caalevel "~name" json "~JSON"
+```
+
 ## Delete an Access Level
 Deletes the specified access level.
 ```

docs/Custom-Schemas.md

@@ -0,0 +1,71 @@
+- [Creating a Custom User Schema](#creating-a-custom-user-schema)
+- [Updating a Custom User Schema](#updating-a-custom-user-schema)
+- [Print All Custom User Schemas](#print-all-custom-user-schemas)
+- [Show All Custom User Schemas](#show-all-custom-user-schemas)
+- [Get One Custom User Schema](#get-one-custom-user-schema)
+- [Deleting a Custom User Schema](#deleting-a-custom-user-schema)
+
+# Creating a Custom User Schema
+## Syntax
+```
+gam create schema <schemaname>
+ field <fieldname> type <bool|double|email|int64|phone|string>
+ [indexed] [restricted] [multivalued]
+ [range <minimum> <maximum>]
+ endfield
+```
+Create a new custom user schema. *schemaname* is the name of the schema to create. You can have up to 100 schemas in your Google Apps instance and each schema can have up to 100 fields defined. *fieldname* is the name of the field. *type* is required and specifies the type of the field. bool, double, email, int64, phone and string are the allowed types. The optional parameter *indexed* specifies that searching will be performed on this field. The optional parameter *restricted* specifies that only super administrators and the user can read the field value(s), other users will not have access. The optional parameter *multivalued* specifies that the field can contain multiple values per-user. The optional parameter *range* is required to permit range queries (greater than or less than) on number fields. The *endfield* parameter is necessary to end the given field. Once a schema is created, schema values can be set for users with [gam user create and update commands](https://github.com/jay0lee/GAM/wiki/GAM3DirectoryCommands#setting-custom-user-schema-fields-at-create-or-update).
+
+## Example
+This example creates a StudentData schema with the fields id, grade and labels. The id field will be hidden from regular users (restricted) and indexed. The labels field will be multivalue. This example also shows how you would set this schema for an existing user.
+```
+gam create schema StudentData
+ field id type string indexed restricted endfield
+ field grade type int64 endfield
+ field labels type string multivalued endfield
+
+gam update user tommy.jones
+ StudentData.id 839342028
+ StudentData.grade 1
+ StudentData.labels multivalue TRANSFER_STUDENT
+ StudentData.labels multivalue HONOR_ROLL 
+```
+
+# Updating a Custom User Schema
+## Syntax
+```
+gam update schema <schemaname>
+ field <fieldname> type <bool|double|email|int64|phone|string>
+  [indexed] [restricted] [multivalue]
+  [range <minimum> <maximum>]
+  endfield
+```
+Update a custom user schema. Note that many schema update operations aren't possible in order to preserve existing user data. As a rule of thumb, schemas should be well thought out when first created as after-the-fact changes can prove challenging. schemaname is the name of the schema to create. You can have up to 100 schemas in your Google Apps instance and each schema can have up to 100 fields defined. fieldname is the name of the field. type is required and specifies the type of the field. bool, double, email, int64, phone and string are the allowed types. The optional parameter indexed specifies that searching will be performed on this field. The optional parameter restricted specifies that only super administrators and the user themself can read the field value(s), other users will not have access. The optional parameter multivalued specifies that the field can contain multiple values per-user. The endfield parameter is necessary to end the given field. Schema values can be set for users with [gam user create and update commands](https://github.com/jay0lee/GAM/wiki/GAM3DirectoryCommands#setting-custom-user-schema-fields-at-create-or-update).
+
+# Print All Custom User Schemas
+## Syntax
+```
+gam print schemas [todrive]
+```
+Print all custom user schemas. Output displays all schema fields and attributes such as restricted, indexed, multivalue, etc. The optional `todrive` argument will upload the CSV data to a Google Docs Spreadsheet file in the Administrators Google Drive rather than displaying it locally.
+
+# Show All Custom User Schemas
+## Syntax
+```
+gam show schemas
+```
+Display all custom user schemas in a formatted style. Output displays all schema fields and attributes such as restricted, indexed, multivalue, etc.
+
+# Get Info On One Custom User Schema
+## Syntax
+```
+gam info schema <schemaname>
+```
+Get info about one custom user schema. Output displays the schemas fields and attributes such as restricted, indexed, multivalue, etc. Schema values can be set for users with [gam user create and update commands](https://github.com/jay0lee/GAM/wiki/GAM3DirectoryCommands#setting-custom-user-schema-fields-at-create-or-update).
+
+# Deleting a Custom User Schema
+## Syntax
+```
+gam delete schema <schemaname>
+```
+Delete a custom user schema. Deleting the schema also removes user data for the given schema.

docs/Customer.md

@@ -1,4 +1,4 @@
-# Customer
+!# Customer
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
 - [Update customer](#update-customer)

docs/Data-Transfers.md

@@ -0,0 +1,75 @@
+- [Request a Data Transfer](#request-a-data-transfer)
+- [Get Information About a Data Transfer](#get-information-about-a-data-transfer)
+- [Print All Data Transfers](#print-all-data-transfers)
+- [Print Information About Apps That Support Data Transfer](#print-information-about-apps-that-support-data-transfer)
+
+# Request a Data Transfer
+## Syntax
+```
+gam create datatransfer <old owner> <app> <new owner> (<parameter> <value>)*
+```
+Creates a data transfer request. Old owner is the source user whose data will be transferred. App is the name of the application data to transfer. New owner is the target user that will receive the data. Depending on the app, optional parameters can be specified which determine the scope of data to be transferred.
+
+## Example
+This example transfers all Drive files for oldguy@acme.com to newguy@acme.com
+```
+gam create datatransfer oldguy@acme.com gdrive newguy@acme.com privacy_level shared,private
+```
+This example transfers only Drive files shared by terminated@acme.com to manager@acme.com
+```
+gam create datatransfer terminated@acme.com gdrive manager@acme.com privacy_level shared
+```
+This example transfers Calendar entries from oldguy to newguy and releases calendar resources booked by oldguy.
+```
+gam create datatransfer oldguy@acme.com calendar newguy@acme.com release_resources true
+```
+---
+
+# Get Information About a Data Transfer
+## Syntax
+```
+gam info datatransfer <id>
+```
+Get information about an existing data transfer including the status.
+
+## Example
+This example shows the status of a given data transfer.
+```
+
+gam info datatransfer AKrEtIYIysvNvudwY69gEtJNb85tK87Py2SJl8uwq78BxSMMRgn46rWtuKPIxmkWehZ_YJguKbSs
+Old Owner: sarah@acme.com
+New Owner: announce@acme.com
+Request Time: 2015-09-29T20:45:28.085Z
+Application: Drive
+Status: completed
+Parameters:
+ PRIVACY_LEVEL: PRIVATE,SHARED
+```
+---
+# Print All Data Transfers
+## Syntax
+```
+gam print datatransfers [oldowner <email>] [newowner <email>] [status <completed|failed|inProgress>] [todrive]
+```
+Prints a CSV of all data transfers. With no parameters, all transfers will be printed. The oldowner, newowner and status parameters limit the output to results which match. The todrive parameter causes GAM to generate a Google Spreadsheet of the results rather than outputting the CSV file to the console.
+
+## Example
+This example prints all transfers
+```
+gam print datatransfers
+```
+This example prints all transfers that have failed to a Google Spreadsheet.
+```
+gam print datatransfers status failed todrive
+```
+---
+
+# Print Information About Apps That Support Data Transfer
+## Syntax
+```
+gam print transferapps
+```
+
+Prints information about all apps which support data transfer.
+
+---

docs/Domain-People-Contacts-Profiles.md

@@ -31,6 +31,7 @@ gam user user@domain.com check serviceaccount
 <PeopleResourceNameList> ::= "<PeopleResourceName>(,<PeopleResourceName>)*"
 <PeopleResourceNameEntity> ::=
         <PeopleResourceNameNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 
 <PeopleSourceName> ::=
         contact|contacts|
@@ -132,7 +133,7 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ## Display Domain Profiles
 ### Display as an indented list of keys and values.
 ```
-gam info people|domainprofiles <PeopleResourceNameEntity>
+gam info domainprofiles|people|peopleprofiles <PeopleResourceNameEntity>
         [allfields|(fields <PeopleFieldNameList>)]
         [formatjson]
 ```
@@ -142,7 +143,7 @@ By default, Gam displays the fields `names,emailaddresses`.
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam show people|domainprofiles
+gam show domainprofiles|people|peopleprofiles
         [query <String>]
         [mergesources <PeopleMergeSourceName>]
         [allfields|(fields <PeopleFieldNameList>)]
@@ -162,7 +163,7 @@ By default, Gam displays the information as an indented list of keys and values.
 
 ### Display as a CSV file.
 ```
-gam print people|domainprofiles [todrive <ToDriveAttribute>*]
+gam print domainprofiles|people|peopleprofiles [todrive <ToDriveAttribute>*]
         [query <String>]
         [mergesources <PeopleMergeSourceName>]
         [allfields|(fields <PeopleFieldNameList>)]

docs/Domain-SharedContacts-GAL.md

@@ -35,7 +35,7 @@
 
 <NoteContent> ::=
         ((<String>)|
-         (file <FileName> [charset <CharSet>])|
+         (file <FileName> [charset <Charset>])|
          (gdoc <UserGoogleDoc>)|
          (gcsdoc <StorageBucketObjectName>))
 
@@ -54,7 +54,8 @@
 <ContactID> ::= <String>
 <ContactIDList> ::= "<ContactID>(,<ContactID>)*"
 <ContactEntity> ::=
-        <ContactIDList>|<FileSelector>|<CSVkmdSelector>|<CSVDataSelector>
+        <ContactIDList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <ContactSelection> ::=
         [query <QueryContact>]
         [emailmatchpattern <RegularExpression> [emailmatchtype work|home|other|<String>]]
@@ -185,14 +186,29 @@
 ## Create domain shared contacts
 ```
 gam create contact <ContactAttribute>+
+        [(csv [todrive <ToDriveAttribute>*] (addcsvdata <FieldName> <String>)*))| returnidonly]
 ```
+By default, the domain name and contact ID are displayed on stdout.
+* `csv [todrive <ToDriveAttribute>*]` - Write domain name and contact ID values to a CSV file.
+  * `addcsvdata <FieldName> <String>` - Add additional columns of data from the command line to the output
+* `returnidonly` - Display just the contact ID on stdout
+
+To retrieve the contact ID with `returnidonly`:
+```
+Linux/MacOS
+contactId=$(gam create contact ... returnidonly)
+Windows PowerShell
+$contactId = & gam create contact ... returnidonly
+```
+
 ## Select domain shared contacts
 You specify contacts by ID or by selection qualifiers.
 ```
 <ContactID> ::= <String>
 <ContactIDList> ::= "<ContactID>(,<ContactID>)*"
 <ContactEntity> ::=
-        <ContactIDList>|<FileSelector>|<CSVkmdSelector>|<CSVDataSelector>
+        <ContactIDList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <ContactSelection> ::=
         [query <QueryContact>]
         [emailmatchpattern <RegularExpression> [emailmatchtype work|home|other|<String>]]

docs/DomainVerification.md

@@ -0,0 +1,128 @@
+- [Getting Verification Codes For A Domain](#getting-verification-codes-for-a-domain)
+- [Performing Domain Verification](#performing-domain-verification)
+- [Getting info about existing successful domain verifications](#getting-info-about-existing-successful-domain-verifications)
+
+GAM 3.04 and later allows admins to generate the details for domain verification as well as attempt the actual verify and print out existing verifications.
+
+In order to use a domain with G Suite, all primary, secondary and alias domains must be verified. Once an admin verifies a domain, they will be able to add it and it's subdomains as secondary and alias domains in G Suite.
+
+It's important to understand that the verification codes are unique to each user. If admin A generates the verification codes and admin B attempts to verify those codes, it will fail.
+
+# Getting Verification Codes For A Domain
+## Syntax
+```
+gam create verify <domain>
+```
+Displays the DNS and Web server verification codes that are needed in order to verify the given domain name.
+
+## Example
+This example shows the DNS and Web codes that would need to be created in order for the admin to verify the example.com domain.
+```
+gam create verify example.com
+
+TXT Record Name:   example.com
+TXT Record Value:  google-site-verification=ORsLMhIHCe2TFX3jeSgRpUk4A4WfywZ9znTS
+sjfWDbE
+
+CNAME Record Name:   3umntkhyge7x.example.com
+CNAME Record Value:  gv-so2ram4atzoczj.dv.googlehosted.com
+
+Saving web server verification file to: google38973a5e4d01f5ee.html
+Verification File URL: http://example.com/google38973a5e4d01f5ee.html
+
+Meta URL:               http://example.com/
+Meta HTML Header Data:  <meta name="google-site-verification" content="ORsLMhIHC
+e2TFX3jeSgRpUk4A4WfywZ9znTSsjfWDbE" />
+```
+
+---
+
+
+# Performing Domain Verification
+## Syntax
+```
+gam update verify <domain> <CNAME|TXT|SITE>
+```
+Attempt domain verification of the given domain using the given method (cname, txt or site). In order for verification to succeed, the domain's DNS or Web Server must have been updated to contain the correct record.
+
+## Example
+This example attempts DNS TXT record verification of the example.com domain (and is expected to fail).
+```
+gam update verify example.com txt
+
+ERROR: The necessary verification token could not be found on your site.
+Method:  DNS_TXT
+Token:      google-site-verification=ORsLMhIHCe2TFX3jeSgRpUk4A4WfywZ9znTSsjfWDbE
+
+DNS Record: $Id: example.com 1921 2013-10-21 04:00:39Z dknight $
+DNS Record: v=spf1 -all
+```
+
+This example attempts DNS TXT record verification of the jay.powerposters.org domain and succeeds.
+```
+gam update verify jay.powerposters.org txt
+
+SUCCESS!
+Verified:  jay.powerposters.org
+ID:  dns%3A%2F%2Fjay.powerposters.org
+Type: INET_DOMAIN
+All Owners:
+ admin@jay.powerposters.org
+
+You can now add jay.powerposters.org or it's subdomains as secondary or domain aliases of the jay.powerposters.org G Suite Account.
+```
+
+---
+
+
+# Getting info about existing successful domain verifications
+## Syntax
+```
+gam info verify
+```
+Prints out a list of the DNS domains that the given administrator has already successfully performed domain verification against.
+
+## Example
+This example prints out all the existing domain verifications for admin@jay.powerposters.org.
+```
+gam info verify
+
+Site: secondary.ditoapps.com
+Type: INET_DOMAIN
+Owners:
+ admin@jay.powerposters.org
+
+Site: sdomain.jay.powerposters.org
+Type: INET_DOMAIN
+Owners:
+ admin@jay.powerposters.org
+
+Site: jay.powerposters.org
+Type: INET_DOMAIN
+Owners:
+ admin@jay.powerposters.org
+
+Site: jaylee.powerposters.org
+Type: INET_DOMAIN
+Owners:
+ admin@jay.powerposters.org
+
+Site: http://sites.google.com/a/jay.powerposters.org/my-site/
+Type: SITE
+Owners:
+ jay@jay.powerposters.org
+ admin@jay.powerposters.org
+
+Site: http://sites.google.com/a/jay.powerposters.org/my-site2/
+Type: SITE
+Owners:
+ jay@jay.powerposters.org
+ admin@jay.powerposters.org
+
+Site: vtest.powerposters.org
+Type: INET_DOMAIN
+Owners:
+ admin@jay.powerposters.org
+```
+
+---

docs/Domains-Verification.md

@@ -1,4 +1,4 @@
-# Domains - Verification
+!# Domains - Verification
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
 - [Introduction](#introduction)

docs/Domains.md

@@ -1,12 +1,14 @@
-# Domains
+!# Domains
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
 - [Create a domain](#create-a-domain)
 - [Promote a domain to be primary](#promote-a-domain-to-be-primary)
 - [Delete a domain](#delete-a-domain)
 - [Display domains](#display-domains)
+- [Display domains count](#display-domains-count)
 - [Create and delete domain aliases](#create-and-delete-domain-aliases)
 - [Display domain aliases](#display-domain-aliases)
+- [Display domain aliases count](#display-domain-aliases-count)
 
 ## API documentation
 * https://developers.google.com/admin-sdk/directory/reference/rest/v1/domains
@@ -30,15 +32,18 @@ gam delete domain <DomainName>
 ```
 ## Display domains
 ```
-gam info domain [<DomainName>] [formatjson]
-gam show domains [formatjson]
+gam info domain [<DomainName>]
+        [formatjson]
+gam show domains
+        [formatjson]
 ```
 For `info`, if `<DomainName>` is omitted, information about the primary domain will be displayed.
 
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam print domains [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]
+gam print domains [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays the information as columns of fields.
 * `formatjson` - Display the fields in JSON format.
@@ -49,6 +54,13 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
+## Display domains count
+Display the number of domains.
+```
+gam print|show domains
+        showitemcountonly
+```
+
 ## Create and delete domain aliases
 ```
 gam create domainalias|aliasdomain <DomainAlias> <DomainName>
@@ -56,13 +68,16 @@ gam delete domainalias|aliasdomain <DomainAlias>
 ```
 ## Display domain aliases
 ```
-gam info domainalias|aliasdomain <DomainAlias> [formatjson]
-gam show domainaliases|aliasdomains [formatjson] [formatjson [quotechar <Character>]]
+gam info domainalias|aliasdomain <DomainAlias>
+        [formatjson]
+gam show domainaliases|aliasdomains
+        [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam print domainaliases|aliasdomains [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]
+gam print domainaliases|aliasdomains [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays the information as columns of fields.
 * `formatjson` - Display the fields in JSON format.
@@ -73,3 +88,9 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
+## Display domain aliases count
+Display the number of domain aliases.
+```
+gam print|show domainaliases|aliasdomains
+        showitemcountonly
+```

docs/Downloads-Installs.md

@@ -0,0 +1,56 @@
+!# Downloads-Installs-GAM7
+You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page.
+Choose one of the following:
+
+* Executable Archive, Automatic, Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS
+  - Start a terminal session and execute one of the following commands:
+  - New install, default path `$HOME/bin`
+    - `bash <(curl -s -S -L https://git.io/gam-install)`
+  - New install, specify a path
+    - `bash <(curl -s -S -L https://git.io/gam-install) -d <Path>`
+  - Update to latest version, do not create project or authorizations, default path `$HOME/bin`
+    - `bash <(curl -s -S -L https://git.io/gam-install) -l`
+  - Update to latest version, do not create project or authorizations, specify a path
+    - `bash <(curl -s -S -L https://git.io/gam-install) -l -d <Path>`
+
+By default, a folder, `gam7`, is created in the default or specified path and the files are downloaded into that folder.
+Add the `-s` option to the end of the above commands to suppress creating the `gam7` folder; the files are downloaded directly into the default or specified path.
+
+* Executable Archive, Manual, Linux/Google Cloud Shell
+  - `gam-7.wx.yz-linux-x86_64-glibc2.35.tar.xz`
+  - `gam-7.wx.yz-linux-x86_64-glibc2.31.tar.xz`
+  - `gam-7.wx.yz-linux-x86_64-legacy.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Raspberry Pi/ChromeOS ARM devices
+  - `gam-7.wx.yz-linux-aarch-glibc2.31.tar.xz`
+  - `gam-7.wx.yz-linux-aarch-legacy.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Mac OS versions Big Sur, Monterey, Ventura - M1/M2
+  - `gam-7.wx.yz-macos-aarch.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Mac OS, versions Big Sur, Monterey, Ventura - Intel
+  - `gam-7.wx.yz-macos-x86_64.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Windows 64 bit
+  - `gam-7.wx.yz-windows-x86_64.zip`
+  - Download the archive, extract the contents into some directory.
+  - Start a Command Prompt/PowerShell session.
+
+* Executable Installer, Manual, Windows 64 bit
+  - `gam-7.wx.yz-windows-x86_64.msi`
+  - Download the installer and run it.
+  - Start a Command Prompt/PowerShell session.
+
+* Source, all platforms
+  - `Source code(zip)`
+  - `Source code(tar.gz)`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal/Command Prompt/PowerShell session.

docs/Downloads.md

@@ -1,74 +0,0 @@
-# Downloads
-You can download the current GAMADV-XTD3 release from the [GitHub Releases](https://github.com/taers232c/GAMADV-XTD3/releases) page. Choose one of the following:
-
-* Executable Archive, Automatic, Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS
-  - Start a terminal session and execute one of the following commands:
-  - New install, default path `$HOME/bin`
-    - `bash <(curl -s -S -L https://raw.githubusercontent.com/taers232c/GAMADV-XTD3/master/src/gam-install.sh)`
-  - New install, specify a path
-    - `bash <(curl -s -S -L https://raw.githubusercontent.com/taers232c/GAMADV-XTD3/master/src/gam-install.sh) -d <Path>`
-  - Update to latest version, do not create project or authorizations, default path `$HOME/bin`
-    - `bash <(curl -s -S -L https://raw.githubusercontent.com/taers232c/GAMADV-XTD3/master/src/gam-install.sh) -l`
-  - Update to latest version, do not create project or authorizations, specify a path
-    - `bash <(curl -s -S -L https://raw.githubusercontent.com/taers232c/GAMADV-XTD3/master/src/gam-install.sh) -l -d <Path>`
-
-By default, a folder, `gamadv-xtd3`, is created in the default or specified path and the files are downloaded into that folder.
-Add the `-s` option to the end of the above commands to suppress creating the `gamadv-xtd3` folder; the files are downloaded directly into the default or specified path.
-
-* Executable Archive, Manual, Linux/Google Cloud Shell
-  - `gamadv-xtd3-6.wx.yz-linux-x86_64-glibc2.35.tar.xz`
-  - `gamadv-xtd3-6.wx.yz-linux-x86_64-glibc2.31.tar.xz`
-  - `gamadv-xtd3-6.wx.yz-linux-x86_64-glibc2.27.tar.xz`
-  - `gamadv-xtd3-6.wx.yz-linux-x86_64-glibc2.23.tar.xz`
-  - `gamadv-xtd3-6.wx.yz-linux-x86_64-glibc2.19.tar.xz`
-  - `gamadv-xtd3-6.wx.yz-linux-x86_64-legacy.tar.xz`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
-
-* Executable Archive, Manual, Raspberry Pi/ChromeOS ARM devices
-  - `gamadv-xtd3-6.wx.yz-linux-arm64-glibc2.31.tar.xz`
-  - `gamadv-xtd3-6.wx.yz-linux-arm64-glibc2.27.tar.xz`
-  - `gamadv-xtd3-6.wx.yz-linux-arm64-glibc2.23.tar.xz`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
-
-* Executable Archive, Manual, Mac OS versions Big Sur, Monterey, Ventura - M1/M2
-  - `gamadv-xtd3-6.wx.yz-macos-arm64.tar.xz`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
-
-* Executable Archive, Manual, Mac OS, versions Big Sur, Monterey, Ventura - Intel
-  - `gamadv-xtd3-6.wx.yz-macos-x86_64.tar.xz`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
-
-* Executable Archive, Manual, Mac OS, versions prior to Big Sur
-  - `gamadv-xtd3-6.wx.yz-macos-x86_64-legacy.tar`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
-
-* Executable Archive, Manual, Windows 64 bit
-  - `gamadv-xtd3-6.wx.yz-windows-x86_64.zip`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
-
-* Executable Installer, Manual, Windows 64 bit
-  - `gamadv-xtd3-6.wx.yz-windows-x86_64.msi`
-  - Download the installer and run it.
-  - Start a Command Prompt/PowerShell session and cd to the install directory.
-
-* Executable Archive, Manual, Windows 32 bit
-  - `gamadv-xtd3-6.wx.yz-windows-x86.zip`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
-
-* Executable Installer, Manual, Windows 32 bit
-  - `gamadv-xtd3-6.wx.yz-windows-x86.msi`
-  - Download the installer and run it.
-  - Start a Command Prompt/PowerShell session and cd to the install directory.
-
-* Source, all platforms
-  - `Source code(zip)`
-  - `Source code(tar.gz)`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal/Command Prompt/PowerShell session and cd to the install directory.

docs/Drive-File-Selection.md

@@ -55,12 +55,17 @@
         all_shortcuts |
         all_3p_shortcuts |
         all_items |
+        my_docs |
         my_files |
         my_folders |
         my_forms |
         my_google_files |
         my_non_google_files |
+        my_presentations |
+        my_publishable_items |
+        my_sheets |
         my_shortcuts |
+        my_slides |
         my_3p_shortcuts |
         my_items |
         my_top_files |
@@ -75,9 +80,10 @@
         others_3p_shortcuts |
         others_items |
         writable_files
+
 <SharedDriveID> ::= <String>
 <SharedDriveName> ::= <String>
-<SharedDriveIDEntity> ::= (teamdriveid <DriveFileItem>) | (teamdriveid:<DriveFileItem>)
+<SharedDriveIDEntity> ::= (teamdriveid <SharedDriveID>) | (teamdriveid:<SharedDriveID>)
 <SharedDriveNameEntity> ::= (teamdrive <SharedDriveName>) | (teamdrive:<SharedDriveName>)
 <SharedDriveFileNameEntity> ::= (teamdrivefilename <DriveFileName>) | (teamdrivefilename:<DriveFileName>)
 
@@ -181,7 +187,7 @@ gam user testuser show fileinfo anydrivefilename "Test File"
 gam user testuser show fileinfo anydrivefilename:"Test File"
 ```
 ## Select file ownership
-By default, files the user owns are sisplayed; you can select the ownership characteristic.
+By default, files the user owns are displayed; you can select the ownership characteristic.
 ```
 anyowner|(showownedby any|me|others)
 ```
@@ -200,6 +206,7 @@ By default, all types of files and folders are displayed; you can specify a list
         gfolder|gdirectory|
         gform|
         gfusion|
+        gjam|
         gmap|
         gpresentation|
         gscript|
@@ -212,12 +219,13 @@ By default, all types of files and folders are displayed; you can specify a list
 <MimeTypeList> ::= "<MimeType>(,<MimeType>)*"
 ```
 This is the mapping from `<MimeTypeShortcut>` to MIME type.
-* `gdoc|gdocument` - 'application/vnd.google-apps.document
+* `gdoc|gdocument` - application/vnd.google-apps.document
 * `gdrawing` - application/vnd.google-apps.drawing
 * `gfile` - application/vnd.google-apps.file
 * `gfolder|gdirectory` - application/vnd.google-apps.folder
 * `gform` - application/vnd.google-apps.form
 * `gfusion|gfusiontable` - application/vnd.google-apps.fusiontable
+* `gjam` - application/vnd.google-apps.jam
 * `gmap` - application/vnd.google-apps.map
 * `gpresentation` - application/vnd.google-apps.presentation
 * `gscript` - application/vnd.google-apps.script
@@ -243,30 +251,37 @@ The options combine ownership and broad MIME type selections.
 ```
 <DriveFileQueryShortcut> ::=
         all_files | all_folders | all_google_files | all_non_google_files | all_items |
-        my_files | my_folders | my_google_files | my_non_google_files | my_items |
+        my_docs | my_files | my_folders | my_forms | my_google_files | my_non_google_files | my_items |
+        my_presentations | my_publishable_items | my_sheets | my_slides |
         my_top_files | my_top_folders | my_top_items |
         others_files | others_folders | others_google_files | others_non_google_files | others_items |
         writable_files
 ```
-* all_files - "mimeType != application/vnd.google-apps.folder"
-* all_folders - "mimeType = application/vnd.google-apps.folder"
-* all_google_files - "mimeType != application/vnd.google-apps.folder and mimeType contains 'vnd.google'"
+* all_files - "mimeType != 'application/vnd.google-apps.folder'"
+* all_folders - "mimeType = 'application/vnd.google-apps.folder'"
+* all_google_files - "mimeType != 'application/vnd.google-apps.folder' and mimeType contains 'vnd.google'"
 * all_non_google_files - "not mimeType contains 'vnd.google'"
 * all_items - "" (An empty query specifies all files and folders)
-* my_files - "'me' in owners and mimeType != application/vnd.google-apps.folder"
-* my_folders - "'me' in owners and mimeType = application/vnd.google-apps.folder"
-* my_google_files - "'me' in owners and mimeType != application/vnd.google-apps.folder and mimeType contains 'vnd.google'"
+* my_docs - "'me' in owners and mimeType = 'application/vnd.google-apps.document'"
+* my_files - "'me' in owners and mimeType != 'application/vnd.google-apps.folder'"
+* my_folders - "'me' in owners and mimeType = 'application/vnd.google-apps.folder'"
+* my_forms - "'me' in owners and mimeType = 'application/vnd.google-apps.form'"
+* my_google_files - "'me' in owners and mimeType != 'application/vnd.google-apps.folder' and mimeType contains 'vnd.google'"
 * my_non_google_files - "'me' in owners and not mimeType contains 'vnd.google'"
+* my_presentations - "'me' in owners and mimeType = 'application/vnd.google-apps.presentation'"
+* my_publishable_items - "'me' in owners and (mimeType = 'application/vnd.google-apps.document' or mimeType = 'application/vnd.google-apps.form' or mimeType = 'application/vnd.google-apps.presentation' or mimeType = 'application/vnd.google-apps.spreadsheet')"
+* my_sheets - "'me' in owners and mimeType = 'application/vnd.google-apps.spreadsheet'"
+* my_slides - "'me' in owners and mimeType = 'application/vnd.google-apps.presentation'"
 * my_items - "'me' in owners"
-* my_top_files - "'me' in owners and mimeType != application/vnd.google-apps.folder and 'root' in parents"
-* my_top_folders - "'me' in owners and mimeType = application/vnd.google-apps.folder and 'root' in parents"
+* my_top_files - "'me' in owners and mimeType != 'application/vnd.google-apps.folder' and 'root' in parents"
+* my_top_folders - "'me' in owners and mimeType = 'application/vnd.google-apps.folder' and 'root' in parents"
 * my_top_items - "'me' in owners and 'root' in parents"
-* others_files - "not 'me' in owners and mimeType != application/vnd.google-apps.folder"
-* others_folders - "not 'me' in owners and mimeType = application/vnd.google-apps.folder"
-* others_google_files - "not 'me' in owners and mimeType != application/vnd.google-apps.folder and mimeType contains 'vnd.google'"
+* others_files - "not 'me' in owners and mimeType != 'application/vnd.google-apps.folder'"
+* others_folders - "not 'me' in owners and mimeType = 'application/vnd.google-apps.folder'"
+* others_google_files - "not 'me' in owners and mimeType != 'application/vnd.google-apps.folder' and mimeType contains 'vnd.google'"
 * others_non_google_files - "not 'me' in owners and not mimeType contains 'vnd.google'"
 * others_items - "not 'me' in owners"
-* writable_files - "'me' in writers and mimeType != application/vnd.google-apps.folder"
+* writable_files - "'me' in writers and mimeType != 'application/vnd.google-apps.folder'"
 
 ## Select based on file size
 For these filters, GAM processes then after the list of files is downloaded. You can combine these
@@ -288,7 +303,7 @@ Use [Permission matches](#permission-matches) to limit the display to files with
 ### Examples
 ```
 gam user testuser show fileinfo query "name='Test File'"
-gam user testuser show fileinfo query:"name='Test Folder' and mimeType=application/vnd.google-apps.folder"
+gam user testuser show fileinfo query:"name='Test Folder' and mimeType='application/vnd.google-apps.folder'"
 gam user testuser print filelist my_non_google_files
 ```
 ## Select root folder
@@ -304,6 +319,7 @@ You can select a list of file IDs by referencing files that contain file IDs.
 ```
 <DriveFileEntity> ::=
         <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVSubkeySelector>) | <CSVDataSelector>)
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 ```
 * [Collections of Items](Collections-of-Items)
 
@@ -349,9 +365,9 @@ See: [Drive Query](https://developers.google.com/drive/api/v3/search-files)
         all_files | all_folders | all_google_files | all_non_google_files | all_items
 ```
 Keyword to query mappings for `<DriveFileQueryShortcut>`:
-* all_files - "mimeType != application/vnd.google-apps.folder"
-* all_folders - "mimeType = application/vnd.google-apps.folder"
-* all_google_files - "mimeType != application/vnd.google-apps.folder and mimeType contains 'vnd.google'"
+* all_files - "mimeType != 'application/vnd.google-apps.folder'"
+* all_folders - "mimeType = 'application/vnd.google-apps.folder'"
+* all_google_files - "mimeType != 'application/vnd.google-apps.folder' and mimeType contains 'vnd.google'"
 * all_non_google_files - "not mimeType contains 'vnd.google'"
 * all_items - "" (An empty query specifies all files and folders)
 

docs/Drive-Items.md

@@ -1,4 +1,4 @@
-# Drive Items
+!# Drive Items
 - [Basic Items](Basic-Items)
 - [List Items](List-Items)
 ```

docs/Drive-REST-API-v3.md

@@ -1,10 +1,10 @@
-All Google Drive API calls have been converted from v2 to v3, see: https://developers.google.com/drive/v3/web/migration
+!All Google Drive API calls have been converted from v2 to v3, see: https://developers.google.com/drive/v3/web/migration
 Many of the changes are internal to Gam and have no visible effect. Google has modified/renamed many field names and these will affect scripts that parse the output from `gam print/show drivesettings/drivefileacls/fileinfo/filelist/filerevisions`. Additionally, Google has dropped some fields and their values are no longer available. On input, Gam accepts both the old and new field names.
 
 A variable, `drive_v3_native_names` (default value is True), has been added to `gam.cfg` to control the field names on output: when True, the v3 native field names are used; when False, the v3 native field names are mapped to the v2 field names.
 
 If you have scripts that process the output from these print commands, you may have to make modifications to your scripts.
-Run your print/show commands with a version of Standard Gam and save the output.
+Run your print/show commands with a version of Legacy Gam and save the output.
 With drive_v3_native_names = False, run your print/show commands with this version of Gam and compare the output to that saved in the previous run;
 modify your scripts that process the output as appropriate.
 

docs/Email-Audit-Monitor.md

@@ -1,4 +1,4 @@
-# Email Audit Monitor
+!# Email Audit Monitor
 - [API documentation](#api-documentation)
 - [Notes](#notes)
 - [Definitions](#definitions)

docs/ExamplesAccountAuditing.md

@@ -0,0 +1,317 @@
+- [About Google Apps Audits](#about-google-apps-audits)
+- [Audit Monitors](#audit-monitors)
+  - [Create a Audit Monitor](#create-a-audit-monitor)
+  - [List Audit Monitors](#list-audit-monitors)
+  - [Delete an Audit Monitor](#delete-an-audit-monitor)
+- [Managing the GPG Key](#managing-the-gpg-key)
+  - [Updating the GPG Key on Google's Servers](#updating-the-gpg-key-on-googles-servers)
+- [User Account Activity](#user-account-activity)
+  - [Request an Account's Activity](#request-an-accounts-activity)
+  - [Retrieving Current Status of Activity Request(s)](#retrieving-current-status-of-activity-requests)
+  - [Downloading the Results of a Completed Activity Request](#downloading-the-results-of-a-completed-activity-request)
+  - [Deleting a Completed Activity Request](#deleting-a-completed-activity-request)
+- [User Mailbox Exports](#user-mailbox-exports)
+  - [Request an Export of a User's Mailbox](#request-an-export-of-a-users-mailbox)
+  - [Retrieving Current Status of Export(s)](#retrieving-current-status-of-exports)
+  - [Downloading the Results of a Completed Export Request](#downloading-the-results-of-a-completed-export-request)
+  - [Deleting a Completed Export Request](#deleting-a-completed-export-request)
+- [Using GPG with Audits](#using-gpg-with-audits)
+  - [Creating/Uploading a GPG Key](#creatinguploading-a-gpg-key)
+    - [Downloading GPG](#downloading-gpg)
+      - [Windows Users](#windows-users)
+      - [Linux Users](#linux-users)
+      - [Mac Users](#mac-users)
+    - [Creating/Uploading the Key](#creatinguploading-the-key)
+    - [Uploading the GPG Key](#uploading-the-gpg-key)
+  - [Decrypting Downloaded Files with GPG](#decrypting-downloaded-files-with-gpg)
+
+# About Google Apps Audits
+```diff
+- Most of the Email Audit API's functionality has been replaced/improved upon
+- by Google's Vault and email routing functionality. GAM 3.8+ no longer supports
+- the email audit commands listed below. If you need to use these audit commands,
+- use GAM 3.72 or older. No support is provided for these commands going forward.
+```
+
+# Audit Monitors
+## Create a Audit Monitor
+**This command is deprecated and will not work in GAM 3.8+**. [Details](#about-google-apps-audits)
+### Syntax
+```
+gam audit monitor create <source user> <destination user> [begin <begin date>] [end <end date>]  [incoming_headers]
+  [outgoing_headers] [nochats] [nodrafts] [chat_headers] [draft_headers]
+```
+create an audit monitor for the source user. All Mail to and from the source user will be forwarded to the destination user. By default, the audit will begin immediately and last for 30 days. Optional parameters begin and end can set the start and end times. Both parameters must be in the future with end being later than begin, the format is "YYYY-MM-DD hh:mm". Optional parameters, incoming\_headers and outgoing\_headers configure the audit to not send the given message's full email body but just the message headers. By default, the audit will also forward the source user's Chats and saved message Drafts. The optional parameters nochats and nodrafts disable forwarding of these type of messages. The optional parameters chat\_headers and draft\_headers tell the audit to only send the headers of the given messages instead of the full message body.
+
+Only one audit is possible per a source and destination user combo. Creating a new audit with the same source and destination of an existing audit will overwrite the settings of the current of the existing audit.
+
+### Example
+This example configures an audit of the source user, forwarding full copies of all incoming, outgoing, chat and draft messages to the destination user. The audit will start immediately and terminate in 30 days time
+```
+gam audit monitor create jsmith fthomas
+```
+
+This example will start the audit on the given date and end it on the given date. Only message headers of each type will be sent to fthomas
+```
+gam audit monitor create jsmith fthomas begin "2010-07-15 12:00" end "2011-07-15 12:00"
+  incoming_headers outgoing_headers chat_headers draft_headers
+```
+
+This example will not capture drafts or chats
+```
+gam audit monitor create jsmith fthomas nochats nodrafts
+```
+
+---
+
+
+## List Audit Monitors
+**This command is deprecated and will not work in GAM 3.8+**. [Details](#about-google-apps-audits)
+### Syntax
+```
+gam audit monitor list <source user>
+```
+shows the current audit monitors for the user source user.
+
+This example will list the current monitors for the user jsmith
+```
+gam audit monitor list jsmith
+
+jsmith has the following monitors:
+
+ Destination: fthomas
+  Begin: 2010-07-04 12:00
+  End: 2010-08-05 12:00
+  Monitor Incoming: HEADER_ONLY
+  Monitor Outgoing: HEADER_ONLY
+  Monitor Chats: NONE
+  Monitor Drafts: NONE
+```
+
+---
+
+
+## Delete an Audit Monitor
+**This command is deprecated and will not work in GAM 3.8+**. [Details](#about-google-apps-audits)
+### Syntax
+```
+gam audit monitor delete <source user> <destination user>
+```
+delete the audit monitor for the given source user / destination user combo.
+
+This example deletes the monitor that is sending all jsmith's mail to fthomas
+```
+gam audit monitor delete jsmith fthomas
+```
+
+---
+
+
+# Managing the GPG Key
+## Updating the GPG Key on Google's Servers
+**This command is deprecated and will not work in GAM 3.8+**. [Details](#about-google-apps-audits)
+### Syntax
+```
+gam audit uploadkey
+```
+updates the public GPG key that Google's servers use to encrypt Audit Activity and Export files. The key should be provided on Standard Input. See [Using GPG with Audits](ExamplesAccountAuditing#using-gpg-with-audits) for more details on GPG keys.
+
+This example tells GPG to print the key on standard output and gam reads the key on standard input
+```
+gpg --export --armor | gam audit uploadkey
+```
+
+---
+
+
+# User Account Activity
+**This command is deprecated and will not work in GAM 3.8+**. [Details](#about-google-apps-audits)
+### Syntax
+## Request an Account's Activity
+```
+gam audit activity request <user>
+```
+request the account activity of the given user. Requests can take several hours/days to be completed by Google's servers. GAM will print out a request ID which can be used to monitor the progress of the request (see Retrieving Request Status below). Note that before requesting an account's activity, a GPG key should be uploaded to Google Servers. See [Using GPG with Audits](ExamplesAccountAuditing#Using_GPG_with_Audits) for more details on GPG keys. Failure to upload a key will result in the activity request always getting a status of ERROR.
+
+This example creates a request for the user's activity
+```
+gam audit activity request jsmith
+```
+
+---
+
+
+## Retrieving Current Status of Activity Request(s)
+**This command is deprecated and will not work in GAM 3.8+**. [Details](#about-google-apps-audits)
+### Syntax
+```
+gam audit activity status [user] [request_id]
+```
+get the current status of existing account activity requests. Optionally, a user and request\_id can be specified to limit the retrieval to a single request.
+
+This example retrieves the status of all current activity requests
+```
+gam audit activity status
+```
+
+---
+
+
+## Downloading the Results of a Completed Activity Request
+**This command is deprecated and will not work in GAM 3.8+**. [Details](#about-google-apps-audits)
+### Syntax
+```
+gam audit activity download <user> <request_id>
+```
+download the results of an activity request that has a status of COMPLETED. The required parameters user and request\_id specify which request to download. The GPG encrypted activity file will be saved to a file named with the format activity-username-request\_id-1.txt.gpg and should be decrypted with GPG.
+
+This example downloads the encrypted activity log of the COMPLETED request
+```
+gam audit activity download jsmith 234342
+```
+
+---
+
+
+## Deleting a Completed Activity Request
+**This command is deprecated and will not work in GAM 3.8+**. [Details](#about-google-apps-audits)
+### Syntax
+```
+gam audit activity delete <user> <request_id>
+```
+delete the completed activity request for the given user. User and Request ID are required parameters.
+
+This example deletes the completed activity request for the user
+```
+gam audit activity delete jsmith 234342
+```
+
+---
+
+
+# User Mailbox Exports
+**This command is deprecated and will not work in GAM 3.8+**. [Details](#about-google-apps-audits)
+### Syntax
+## Request an Export of a User's Mailbox
+```
+gam audit export request <user> [begin <Begin Date>] [end <End Date>] [search <Search Query>] [headersonly] [includedeleted]
+```
+request an export of all mail in a user's mailbox. Optional parameters begin and end date specify the range of messages that should be included in the export and should be of the format "YYYY-MM-DD hh:mm". By default, export begins at account creation and ends at the time of the export request. Optional parameter search, specifies a search query defining what messages should be included in the export. The query parameters are the same as those used in the Gmail interface and described [here](http://mail.google.com/support/bin/answer.py?hl=en&answer=7190). Optional parameter headersonly specifies that only the message headers should be included in the export instead of the full message body. Optional parameter includedeleted specifies that deleted messages should also be included in the export.
+
+Note that before requesting an export of an account, a GPG key should be uploaded to Google's Server. See [Using GPG with Audits](ExamplesAccountAuditing#Using_GPG_with_Audits) for more details on GPG keys. Failure to upload a key will result in the export request always getting a status of ERROR.
+
+This example requests an export of all of a user's mail including deleted messages
+```
+gam audit export request jsmith includedeleted
+```
+
+This example requests an export of all of a user's mail for a 30 day range including deleted
+```
+gam audit export request jsmith begin "2010-06-01 00:00" end "2010-07-01 00:00" includedeleted
+```
+
+This example requests an export of all of a user's mail that has the word secret in the message subject
+```
+gam audit export request jsmith search "subject:secret"
+```
+
+---
+
+
+## Retrieving Current Status of Export(s)
+**This command is deprecated and will not work in GAM 3.8+**. [Details](#about-google-apps-audits)
+### Syntax
+```
+gam audit export status [user] [request_id]
+```
+retrieve the status of current export requests. If the optional parameters user and request\_id are specified, only the status of the one request will be retrieved, otherwise all current requests' status will be retrieved.
+
+This example shows the status of all current export requests
+```
+gam audit export status
+```
+
+---
+
+
+## Downloading the Results of a Completed Export Request
+**This command is deprecated and will not work in GAM 3.8+**. [Details](#about-google-apps-audits)
+### Syntax
+```
+gam audit export download <user> <request_id>
+```
+download the encrypted results of a completed export request. The required parameters user and request\_id specify which request's results should be downloaded. The encrypted files are saved with file names of export-username-request\_id-file\_number.mbox.gpg. If a file already exists on the hard drive, GAM will not re-download that file. GAM does not verify that the existing local file is complete, only that it exists. Thus if a download is interrupted, delete the partially downloaded file and start the process again, GAM will then skip over the files that have finished downloading. After they have been downloaded, they can be decrypted with GPG and then viewed with a mail client like Thunderbird.
+
+This example downloads the completed export request for jsmith
+```
+gam audit export download jsmith 344920
+```
+
+---
+
+
+## Deleting a Completed Export Request
+**This command is deprecated and will not work in GAM 3.8+**. [Details](#about-google-apps-audits)
+### Syntax
+```
+gam audit export delete <user> <request_id>
+```
+delete the completed export request. The required parameters user and request\_id specify which request to delete.
+
+This example deletes the export request for the given user
+```
+gam audit export delete jsmith 344920
+```
+
+
+# Using GPG with Audits
+## Creating/Uploading a GPG Key
+**This command is deprecated and will not work in GAM 3.8+**. [Details](#about-google-apps-audits)
+### Syntax
+Google's Servers use GPG to encrypt files that you request via the Audit API for account activity and mailbox export. Before you can successfully request a user account activity log or mailbox export, you need to create a GPG and upload it to Google's Servers for their use.
+### Downloading GPG
+#### Windows Users
+A Windows version of GPG can be downloaded [here](ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.10b.exe). I suggest installing it to an easy to remember location like C:\GPG.
+
+#### Linux Users
+GPG comes with many Linux distributions by default. Try opening a Terminal and typing:
+```
+gpg --version
+```
+if you get an error, visit your Linux Distributions website and search for instructions on installing GPG.
+
+#### Mac Users
+You can download a version of GPG for Macs [here](https://gpgtools.org/). Download the GPG Suite and run the package installer. The GUI suite will open. You can quit it and continue as below or use the GUI to generate your key.
+
+### Creating/Uploading the Key
+Run the command:
+```
+gpg --gen-key --expert
+```
+you will be prompted for the kind of key you want, choose "RSA and RSA (default)".
+
+Next you'll be prompted for the keysize. This determines how strong the encryption is. If you're not paranoid about security, I suggest choosing a smaller key size as bigger keys will take longer to encrypt/decrypt your data thus greatly slowing down the process (especially for large exports), 1024 should be fine in most cases.
+
+Next you'll be prompted for how long the key should be valid. Specify 0 so that the key does not expire.
+
+Next you'll be prompted for your name, email address and a comment. Remember the name you enter, you'll need it for the next step. Google doesn't really use this information so feel free to make something up if you want.
+
+Finally, you'll be prompted for a passphrase, you'll need this passphrase in order to decrypt activity logs and exports so make sure you remember what it is!
+
+### Uploading the GPG Key
+You can now upload your key to Google's Servers with the command:
+```
+gpg --export --armor -a "Your Name" | \path\to\gam\gam audit uploadkey
+```
+where "Your Name" is the name you entered for yourself in the last GPG command. This will output the GPG key and "pipe" it into GAM, telling GAM to upload the key to Google.
+
+## Decrypting Downloaded Files with GPG
+Once you've submitted requests, the requests complete and you download requests, you can decrypt the data with GPG. The command to decrypt is:
+```
+gpg --output <new decrypted file> --decrypt <encrypted file> 
+```
+encrypted file is one of the files GAM downloaded from a completed activity or export request. In the case of exports, you may have multiple files to decrypt. Here's an example decrypt command:
+```
+gpg --output jsmith-activity.txt --decrypt c:\gam\activity-jsmith-34231-1.txt.gpg
+```
+this will create a file jsmith-activity.txt with the decrypted results.

docs/ExamplesCSV.md

@@ -0,0 +1,155 @@
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+**Table of Contents**  *generated with [DocToc](http://doctoc.herokuapp.com/)*
+
+- [Printing All Users](#printing-all-users)
+    - [Syntax](#syntax)
+    - [Example](#example)
+  - [users.csv contains:](#userscsv-contains)
+  - [Smith, wsmith@example.com, William,](#smith-wsmith@examplecom-william)
+  - [](#)
+- [Printing All Groups](#printing-all-groups)
+    - [Syntax](#syntax-1)
+    - [Examples](#examples)
+  - [](#-1)
+- [Print All Aliases](#print-all-aliases)
+    - [Syntax](#syntax-2)
+    - [Example](#example-1)
+  - [](#-2)
+- [Print All Organizational Units](#print-all-organizational-units)
+    - [Syntax](#syntax-3)
+    - [Example](#example-2)
+  - [](#-3)
+- [Print All Resource Calendars](#print-all-resource-calendars)
+    - [Syntax](#syntax-4)
+    - [Example](#example-3)
+  - [](#-4)
+- [Print Reports](#print-reports)
+    - [Syntax](#syntax-5)
+    - [Example](#example-4)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
+(TODO: Add table of contents.)
+
+_**Comments have been turned off for these help pages, please post your questions and comments to the [Mailing List](http://groups.google.com/group/google-apps-manager)**_
+
+# Printing All Users
+
+### Syntax
+```
+gam print users [firstname] [lastname] [username] [ou] [suspended] [changepassword] [agreed2terms] [admin] [aliases] [groups]
+```
+prints a CSV file of all users in the Google Apps Organization. The CSV output can be redirected to a file using the operating system's pipe command (such as "> users.csv") see examples below. By default, the only column printed is the user's full email address. The optional arguments firstname, lastname, username, ou (organization unit), suspended, changepassword, agreed2terms, admin, nicknames and groups add the respective additonal column to the CSV output. Note that adding one or more of firstname, lastname, suspended, changepassword, agreed2terms or admin will require an additional call to Google's servers and will increase the length of time for the command to complete. Adding aliases will also require an additional call to Google's servers. Note also that adding  groups will require 1 additional call to Google's servers <b>per user</b> which will significantly increase the length of time for the command to complete.
+
+### Example
+This example will generate the csv file users.csv showing with columns for Email, Firstname and Lastname
+```
+gam print users firstname lastname > users.csv
+Getting all users in the organization (may take some time on a large Google Apps
+ account)...
+Getting detailed info for users in example.com domain (may take some time on a large
+ domain)...
+
+users.csv contains:
+--
+Lastname, Email, Firstname,
+User, admin@example.com, Super,
+Jones, pjones@example, Paul,
+Smith, wsmith@example.com, William,
+--
+```
+
+---
+
+
+# Printing All Groups
+### Syntax
+```
+gam print groups [name] [description] [members] [managers] [owners] [settings] [domain <domainname>] [admincreated] [id] [aliases] [todrive]
+```
+prints a CSV file of all groups in the Google Apps domain. The CSV output can be redirected to a file using the operating system's pipe command (such as "> groups.csv") see examples below. By default, the only column printed is the email address. The optional arguments name and description add the respective additional column to the CSV output. The optional arguments members, managers, owners and settings each perform additional API calls per group which may greatly increase the time it takes the command to complete. members, managers and owners will include a column for the respective role. settings will add multiple columns for the groups advanced settings. domain will limit the results to groups that have a primary address in the supplied domain. admincreated will include a True/False column in the results, False being user-created groups. aliases will add 2 columns to the output, Aliases and nonEditableAliases. The optional todrive parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file.
+
+### Examples
+this example will output basic details for all groups and upload the results to Google Drive.
+```
+gam print groups name description todrive
+```
+
+---
+
+
+# Print All Aliases
+### Syntax
+```
+gam print aliases [todrive]
+```
+prints a CSV file of all user and group aliases in the Google Apps domain. The CSV output can be redirected to a file using the operating system's pipe command (such as "> nicknames.csv") see examples below. The optional todrive parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file.
+
+### Example
+this example will output all aliases to Google Drive
+```
+gam print nicknames todrive
+```
+
+---
+
+
+# Print All Organizational Units
+### Syntax
+```
+gam print orgs [name] [description] [parent] [inherit]
+```
+prints a CSV file of all organizational units in the Google Apps account. The CSV output can be redirected to a file using the operating system's pipe command (such as "> orgs.csv") see examples below. By default, the only column output is "Path" (OUs full path). The optional arguments name, description, parent and inherit add the respective additonal column to the CSV output. Only 1 call to Google's servers is done no matter which arguments are specified so the optional arguments should not significantly increase the time it takes for the command to complete.
+
+### Example
+this example will output all organizations to the file orgs.csv including all optional columns
+```
+gam print orgs name description parent inherit > orgs.csv
+```
+
+---
+
+
+# Print All Resource Calendars
+### Syntax
+```
+gam print resources [id] [description] [email]
+```
+prints a CSV file of all resource calendars in the Google Apps account. The CSV output can be redirected to a file using the operating system's pipe command (such as "> resources.csv") see examples below. By default, the only column output is "Name"The optional arguments id, description and email add the respective additonal column to the CSV output. Only 1 call to Google's servers is done no matter which arguments are specified so the optional arguments should not significantly increase the time it takes for the command to complete.
+
+### Example
+this example will output all resource calendars to the file resources.csv including all optional columns
+```
+gam print resources id description email > resources.csv
+```
+
+---
+
+
+# Print Reports
+### Syntax
+```
+gam report accounts|activity|disk_space|email_clients|summary [YYYY-MM-DD]
+```
+Prints one of 5 Google Apps reports:
+  * The **accounts** report contains a list of all of the hosted accounts that exist in your domain on a particular day. The report includes both active accounts and suspended accounts. The status column will indicate whether each account is active or suspended. The field definitions for the accounts report can be found [here](http://code.google.com/googleapps/domain/reporting/google_apps_reporting_api.html#Accounts_Report).
+  * The **activity** report identifies the total number of accounts in your domain as well as the number of active and idle accounts over several different time periods. In this report, activity encompasses user interaction with his email, such as reading or sending email. The activity statistics includes web mail as well as POP activity. The field definitions for the activity report can be found [here](http://code.google.com/googleapps/domain/reporting/google_apps_reporting_api.html#Activity_Report).
+  * The **disk\_space** report shows the amount of disk space occupied by users' mailboxes. The report identifies the total number of accounts in your domain as well as the number of accounts that fall into several different size groupings. Mailboxes that occupy less than 1GB of disk space are grouped in increments of 100MB, and mailboxes that occupy between 1GB and 10GB of disk space are grouped in increments of 500MB. The field definitions for the disk\_space report can be found [here](http://code.google.com/googleapps/domain/reporting/google_apps_reporting_api.html#Disk_Space_Report).
+  * The **email\_clients** report explains how users in your domain access their hosted accounts on a day-by-day basis. For each day, the report lists the total number of accounts in your domain as well as the number and percentage of users who accessed their accounts using WebMail. This report does not include suspended accounts in the account total. The field definitions for the email\_clients report can be found [here](http://code.google.com/googleapps/domain/reporting/google_apps_reporting_api.html#Email_Clients_Report).
+  * The **summary** report contains the total number of accounts, total mailbox usage in bytes and total mailbox quota in megabytes for your domain. Each row in the report contains data for one day. This report does not include information for suspended accounts. The field definitions for the summary report can be found [here](http://code.google.com/googleapps/domain/reporting/google_apps_reporting_api.html#Summary_Report).
+
+optionally, a date can be specified in YYY-MM-DD format. The report for the given day will be pulled. If not specified, the report for the most recent day that has passed 12pm Pacific time will be pulled (e.g. today or yesterday if it's not yet noon Pacific time).
+
+**Note:** unlike the "gam print" commands, the report commands offer a snapshot of activity on a Google Apps domain for the given day, they are not realtime. For example, if you create a new user and then pull the accounts report, that user will not be included. It will take 24-48 hours before the user is included in the most recent accounts report.
+
+### Example
+This command will pull the most recently available accounts report.
+```
+gam report accounts
+```
+
+This example will pull the summary report from last month.
+```
+gam report summary 2011-11-30
+```

docs/ExamplesEmailSettings.md

@@ -0,0 +1,897 @@
+- [Signatures and Away Messages](#signatures-and-away-messages)
+  - [Setting a Signature](#setting-a-signature)
+  - [Retrieving a Signature](#retrieving-a-signature)
+  - [Enabling/Disabling and Setting a Vacation (Away) Message](#enablingdisabling-and-setting-a-vacation-away-message)
+  - [Retrieving Vacation Settings](#retrieving-vacation-settings)
+- [Labels and Filters](#labels-and-filters)
+  - [Create a Label](#create-a-label)
+  - [Retrieving User's Labels](#retrieving-users-labels)
+  - [Delete a Label](#delete-a-label)
+  - [Create a Filter](#create-a-filter)
+  - [Retrieve a Filter](#retrieve-a-filter)
+  - [Delete a Filter](#delete-a-filter)
+  - [Print Filter Details](#print-filter-details)
+  - [Show Filter Details](#show-filter-details)
+- [IMAP, POP](#imap-pop)
+  - [Setting IMAP Settings](#setting-imap-settings)
+  - [Retrieving IMAP Settings](#retrieving-imap-settings)
+  - [Setting POP Settings](#setting-pop-settings)
+  - [Retrieving POP Settings](#retrieving-pop-settings)
+- [Send As](#send-as)
+  - [Add a Send As Address (Custom From)](#add-a-send-as-address-custom-from)
+  - [Update a Send As Address](#update-a-send-as-address)
+  - [Delete a Send As Address](#delete-a-send-as-address)
+  - [Retrieve a Send As Address](#retrieve-a-send-as-address)
+  - [Print Send As Addresses](#print-send-as-addresses)
+  - [Show Send As Addresses](#show-send-as-addresses)
+- [Forwarding](#forwarding)
+  - [Add a Forwarding Address](#add-a-forwarding-address)
+  - [Delete a Forwarding Address](#delete-a-forwarding-address)
+  - [Retrieve a Forwarding Address](#retrieve-a-forwarding-address)
+  - [Print Forwarding Addresses](#print-forwarding-addresses)
+  - [Show Forwarding Addresses](#show-forwarding-addresses)
+  - [Setting a Forward](#setting-a-forward)
+  - [Print Forward Settings](#print-forward-settings)
+  - [Show Forward Settings](#show-forward-settings)
+- [Delegates](#delegates)
+  - [Creating a Gmail delegate](#creating-a-gmail-delegate)
+  - [Deleting a Gmail delegate](#deleting-a-gmail-delegate)
+  - [Print Gmail delegates](#print-gmail-delegates)
+  - [Show Gmail delegates](#show-gmail-delegates)
+  - [Creating a Contact delegate](#creating-a-contact-delegate)
+  - [Deleting a Contact delegate](#deleting-a-contact-delegate)
+  - [Print Contact delegates](#print-contact-delegates)
+  - [Show Contact delegates](#show-contact-delegates)
+- [Managing S/MIME Certificates](#managing-smime-certificates)
+  - [Adding S/MIME Certificates](#adding-smime-certificates)
+  - [Updating S/MIME Certificates](#updating-smime-certificates)
+  - [Deleting S/MIME Certificates](#deleting-smime-certificates)
+  - [Show/Print S/MIME Certificates](#show-print-smime-certificates)
+- [Hiding/Unhiding users from the domain contacts](#hidingunhiding-users-from-the-domain-contacts)
+  - [Changing a users profile to hidden/unhidden](#changing-a-users-profile-to-hiddenunhidden)
+  - [Showing users profile hidden/unhidden status](#showing-users-profile-hiddenunhidden-status)
+- [User Profile Photos](#user-profile-photos)
+  - [Updating Profile Photos](#updating-profile-photos)
+  - [Getting Profile Photos](#getting-profile-photos)
+  - [Deleting Profile Photos](#deleting-profile-photos)
+- [Managing User Email](#managing-user-email)
+  - [Modifying User Emails](#modifying-user-emails)
+  - [Deleting or Trashing User Emails](#deleting-trashing-or-untrashing-user-emails)
+  - [Sending Email as a User](#sending-email-as-a-user)
+  - [Dropping Emails into a User Mailbox](#dropping-emails-into-a-user-mailbox)
+  - [Drafting Emails for a User](#drafting-emails-for-a-user)
+- [Print/Show User Gmail Profile](#print-show-user-gmail-profile)
+  - [Print User Gmail Profile](#print-user-gmail-profile)
+  - [Show User Gmail Profile](#show-user-gmail-profile)
+- [Managing User Display Language](#managing-user-display-language)
+  - [Set User Language](#set-user-language)
+  - [Get User Language](#get-user-language)
+
+# Signatures and Away Messages
+## Setting a Signature
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users [signature <signature text>] [file <signature file>] [replyto <EmailAddress>] (replace <Tag> <String>)*
+```
+sets a email signature for the given users' primary email address. Use quotes around the signature text if it contains spaces (which it almost certainly will). New lines can be specified with \n. HTML can also be used. An empty string like "" will disable the signature. Use the optional `file` argument to specify a filename that contains the signature text. This is easier for long, complex signatures.  Use the optional `replyto` argument to specify a reply to address for use with this signature. The optional argument `replace` can be used to insert values into the signature text. Every instance of {`Tag`} in the signature will be replaced by `String`. Instances of the form {RT}...{`Tag`}...{/RT} will be eliminated if that `Tag` was not specified or if `Tag` was specified but the accompanying `String` is empty. {RT} and {/RT} are eliminated from the signature.
+### Example
+This example sets all user's signatures to be:
+```
+Acme Inc
+1321 Main Ave
+http://www.acme.com
+```
+
+```
+gam all users signature
+ "Acme Inc<br>1321 Main Ave<br>http://www.acme.com
+```
+
+This example reads the signature from a file:
+```
+gam user bob@example.com signature file bobs-sig.txt
+```
+
+This example reads the signature from an HTML file:
+```
+gam user sue@example.com signature file sues-html-sig.html html
+```
+----
+
+## Retrieving a Signature
+### Syntax
+```
+gam
+ user <username> | group <groupname>| ou <ouname> | all users show signature [format]
+```
+Shows the email signature for the given users. By default, the raw HTML of the signature is shown, the optional argument `format` causes the HTML to be interpreted.
+
+### Example
+This example shows all user's signature
+
+```
+gam all users show signature
+```
+----
+
+## Enabling/Disabling and Setting a Vacation (Away) Message
+### Syntax
+```
+gam
+ user <username> | group <groupname> | ou <ouname> | all users
+ vacation on|off subject <subject text> [message <message text>] | [file <message file>] [html]
+ startdate <YYYY-MM-DD> enddate <YYYY-MM-DD>
+ [contactsonly] [domainonly]
+ (replace <Tag> <String>)*
+```
+enable or disable a vacation/away message for the given users. `subject <subject text>` will set the away message subject. `message <message text>` will set the away message text. Use quotes around `<subject text>` and `<message text>` if they contain spaces (which they probably will). If `file` is specified instead of message, the message will be read from the given text file. In `<message text>`, \n will be replaced with a new line. The optional argument `html` says to interpret the message text as HTML. Except for the simplest messages, you should specify `html` even if your message doesn't contain HTML as Google does unexpected line wrapping when `html` is not specified. The optional `startdate` and `enddate` arguments set a start and end date for the vacation message to be enabled. The optional argument `contactsonly` will only send away messages to persons in the user's Contacts. The optional argument `domainonly` will prevent vacation messages from going to users outside the Google Apps domain. The optional argument `replace` can be used to insert values into the away message text. Every instance of {`Tag`} in the message will be replaced by `String`. Instances of the form {RT}...{`Tag`}...{/RT} will be eliminated if that `Tag` was not specified or if `Tag` was specified but the accompanying `String` is empty. {RT} and {/RT} are eliminated from the message.
+
+### Example
+This example sets the away message for the user
+```
+gam user epresley vacation on subject "Elvis has left the building"
+ message "I will be on Mars for the next 100 years. I'll get back to you when I return.\n\nElvis"
+```
+
+This example reads the message from a text file:
+```
+gam user bob@example.com vacation on subject "I am away" file bobs-away-message.txt
+```
+----
+
+## Retrieving Vacation Settings
+### Syntax
+```
+gam
+ user <username> | group <groupname> |ou <ouname> | all users show vacation [format]
+```
+Show the given user's vacation message and settings. By default, the plain text or raw HTML of the vacation message is shown, the optional argument `format` causes the HTML to be interpreted.
+
+## Example
+This example shows the vacation settings for jsmith
+```
+gam user jsmith show vacation
+```
+
+# Labels and Filters
+## Create a Label
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users label <label name>
+```
+create a Gmail Label for the given users. Use quotes around the label name if it contains spaces. Labels are described <a href='http://mail.google.com/support/bin/answer.py?hl=en&answer=118708'>here.</a>
+
+### Example
+This example creates a label called New Label for all users
+```
+gam all users label "New Label"
+```
+
+## Retrieving User's Labels
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users show labels [onlyuser] [showcounts]
+```
+Show the labels for the given users. If the optional argument `onlyuser` is specified, default labels including inbox, unread, drafts, sent, chat, muted, spam, trash, popped, and contactcsv will not be shown. Label visibility will also be reported. If the optional argument `showcounts` is specified, message and thread counts will be show for each label.
+
+### Example
+This example shows the labels for all members of the marketing group
+```
+gam group marketing show labels
+```
+
+## Delete a Label
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users delete label <label name>
+```
+delete the given label for the given users.  Use quotes around the label name if it contains spaces. Labels are described <a href='http://mail.google.com/support/bin/answer.py?hl=en&answer=118708'>here.</a>
+
+### Example
+This example deletes a label called Old Label for all users
+```
+gam all users delete label "Old Label"
+```
+
+## Create a Filter
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users filter
+  from <email>|to <email>|subject <words>|haswords <words>|nowords <words>|musthaveattachment
+  label <label name>|markread|archive|star|forward <email address>|trash|neverspam|important|notimportant
+```
+Create a Filter for the given users. Filter must have one or more conditions (from, to, subject, haswords, nowords or musthaveattachment) and one or more actions (label, markread, archive, star, forward, trash, neverspam, important or notimportant). You do not need to create a label before creating a filter that labels messages, creating a filter that labels messages will automatically create the label. **Filters** are described <a href='http://mail.google.com/support/bin/answer.py?hl=en&answer=6579'>here</a> and **Search operators** <a href='https://support.google.com/mail/answer/7190?hl=en'>here</a>.
+
+### Examples
+This example creates a filter for the user john that labels messages from dianne@gmail.com and archives them (thus they will only appear under the label)
+
+```
+gam user john filter from dianne@gmail.com label Dianne archive
+```
+This example creates a filter for the user john that marks messages from dianne@gmail.com as category:primary and stars them (hint: you can find **all predefined Lable/Category types** [here](https://developers.google.com/gmail/api/guides/labels))
+
+```
+gam user john filter from dianne@gmail.com label "CATEGORY_PERSONAL" star
+```
+
+This example creates a filter for the user john that labels messages from anyuser@anysubdomain.example.com and anyuser@example.com and marks messages to never send to spam (hint: `-me` avoids **Sent messages** to show up in the INBOX)
+
+```
+gam user john filter from "-me AND .example.com OR example.com" label "thrusted" neverspam
+```
+
+## Retrieve a Filter
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users info filters <FilterIDList>
+```
+
+Display details of a list of specific filters.
+
+## Delete a Filter
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users delete filters <FilterIDList>
+```
+
+Delete a list of filters of a user.
+
+## Print Filter Details
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users print filters [todrive]
+```
+Display or upload to Google Drive a CSV report of all of a users' filters. The optional `todrive` parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file.
+
+## Show Filter Details
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users show filters
+```
+Display details of all of a users' filters.
+
+# IMAP, POP
+## Setting IMAP Settings
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users imap on|off [noautoexpunge] [expungebehavior archive|deleteforever|trash] [maxfoldersize 0|1000|2000|5000|10000]<br>
+```
+turn IMAP on or off for given users. There are three options:<br>
+`noautoexpunge`: If this value is not specified, Gmail will immediately expunge a message when it is marked as deleted in IMAP. When specified, Gmail will wait for an update from the client before expunging messages marked as deleted.
+`expungebehavior`: The action that will be executed on a message when it is marked as deleted and expunged from the last visible IMAP folder. The acceptable values are: "archive": Archive messages marked as deleted; "deleteforever": Immediately and permanently delete messages marked as deleted. The expunged messages cannot be recovered; "trash": Move messages marked as deleted to the trash.
+`maxfoldersize`: An optional limit on the number of messages that an IMAP folder may contain. Legal values are 0, 1000, 2000, 5000 or 10000. A value of zero is interpreted to mean that there is no limit.
+
+### Example
+This example will turn IMAP on for all current users in the domain.
+```
+gam all users imap on
+```
+
+## Retrieving IMAP Settings
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users show imap
+```
+shows the given users' current IMAP settings.
+
+### Example
+This example shows all user's IMAP status.<br>
+```
+gam all users show imap<br>
+```
+
+
+## Setting POP Settings
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users pop on|off [for allmail|newmail] [action keep|archive|delete|markread]<br>
+```
+turn POP3 on or off for given users, "for allmail" will expose all Inbox mail to the POP client while "for newmail" will expose only mail received after POP was enabled. POPped mail can be left alone (keep), archived (archive), deleted (delete) or marked read (markread). If the for and action arguments are not specified, all mail will be popped and kept in the Inbox.
+
+### Example
+This example will turn POP on for any users in the group students. All mail in the Inbox will be exposed to the POP client and POPped emails will be kept in the Inbox.
+```
+gam group students pop on
+```
+
+This example will turn POP on for Bob but only for new mail he receives. Mail will be archived after it is popped:
+```
+gam user bob@example.com pop on for newmail action archive
+```
+
+
+## Retrieving POP Settings
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users show pop
+```
+show the given users' POP settings.
+
+### Example
+This example shows the pop settings for the group students
+```
+gam group students show pop
+```
+
+# Send As
+## Add a Send As Address (Custom From)
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users sendas <EmailAddress> <Name> [signature <String>|(file <FileName>) [replyto <EmailAddress>] [default] [treatasalias <Boolean>] (replace <Tag> <String>)*
+```
+Add `<EmailAddress>` as one of the given users' send as addresses (also called Custom From). `<Name>` is the nice name users see with the email (Use quotes if `<name>` includes spaces). Each send as address can have its own signature. See <a href='https://github.com/jay0lee/GAM/wiki/ExamplesEmailSettings#setting-a-signature'>Setting a Signature</a>. Optionally, `default` specifies that this should be the address used for outgoing mail by default (user can choose which address mail is sent from when they compose). Also optional, `replyto <EmailAddress>` specifies a Reply To address to be used when mail is sent out via this sendas. See <a href='https://support.google.com/a/answer/1710338?ctx=gmail&hl=en&authuser=0&visit_id=1-636106946018751865-4063694491&rd=1'>here</a> for a description of the `treatasalias <Boolean>` argument. The optional argument `replace` can be used to insert values into the signature text. Every instance of {`Tag`} in the signature will be replaced by `String`. Instances of the form {RT}...{`Tag`}...{/RT} will be eliminated if that `Tag` was not specified or if `Tag` was specified but the accompanying `String` is empty. {RT} and {/RT} are eliminated from the signature.
+
+****Warning:**** Google has recently taken steps to limit what email addresses forwards can be set to via the API (and thus via GAM).
+See <a href='http://googleappsupdates.blogspot.com/2010/05/gmail-now-requires-verification-of.html'>this blog post</a> for details about what domains you can set forwards to.
+Generally you are limited to forwarding to your primary domain, alias and secondary domains and subdomains of those.
+
+### Example
+This example adds mtodd as one of alincoln's send as addresses.
+```
+gam user alincoln sendas mtodd "First Lady" replyto mtodd signature "Mary"
+```
+
+## Update a Send As Address
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users update sendas <EmailAddress> [name <Name>] [signature <String>|(file <FileName> ) (replace <Tag> <String>)*] [replyto <EmailAddress>] [default] [treatasalias <Boolean>]
+```
+Update the characteristics of  `<EmailAddress>` as one of the given users' send as addresses. See above for a description of the arguments.
+
+### Example
+This example updates mtodd as one of alincoln's send as addresses.
+```
+gam user alincoln update sendas mtodd name "Abe's Wife"
+```
+
+## Delete a Send As Address
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users delete sendas <EmailAddress>
+```
+Delete `<EmailAddress>` as one of the given users' send as addresses.
+
+### Example
+This example deletes alincoln's send as address mtodd.
+```
+gam user alincoln delete sendas mtodd
+```
+
+## Retrieve a Send As Address
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users info sendas <EmailAddress> [format]
+```
+Shows the status of `<EmailAddress>` as one of the given users' send as addresses.
+
+### Example
+This example shows the status of alincoln's send as address mtodd.
+```
+gam user alincoln info sendas mtodd
+```
+
+## Print Send As Addresses
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users print sendas [todrive]
+```
+Display or upload to Google Drive a CSV report of users' send as addresses. The optional `todrive` parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file.
+
+### Example
+This example outputs all users send as addressess in a CSV format.
+```
+gam all users print sendas
+```
+
+## Show Send As Addresses
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users show sendas [format]
+```
+Shows the given users' send as addresses.
+
+### Example
+This example shows alincoln's send as addresses.
+```
+gam user alincoln show sendas
+```
+# Forwarding
+## Add a Forwarding Address
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users add forwardingaddress <EmailAddress>
+```
+Add `<EmailAddress>` as one of the given users' forwarding addresses.
+****Warning:**** Google has recently taken steps to limit what email addresses forwards can be set to via the API (and thus via GAM). See <a href='http://googleappsupdates.blogspot.com/2010/05/gmail-now-requires-verification-of.html'>this blog post</a> for details about what domains you can set forwards to. Generally you are limited to forwarding to your primary domain, alias and secondary domains and subdomains of those.
+
+### Example
+This example adds mtodd as one of alincoln's forwarding addresses.
+```
+gam user alincoln add forwardingaddress mtodd
+```
+
+## Delete a Forwarding Address
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users delete forwardingaddress <EmailAddress>
+```
+Delete `<EmailAddress>` as one of the given users' forwarding addresses.
+
+### Example
+This example deletes alincoln's forwarding address mtodd.
+```
+gam user alincoln delete forwardingaddress mtodd
+```
+
+## Retrieve a Forwarding Address
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users info forwardingaddresses <EmailAddress>
+```
+Shows the status of `<EmailAddress>` as one of the given users' forwarding addresses.
+
+### Example
+This example shows the status of alincoln's forwarding address mtodd.
+```
+gam user alincoln info forwardingaddress mtodd
+```
+
+## Print Forwarding Addresses
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users print forwardingaddresses [todrive]
+```
+Display or upload to Google Drive a CSV report of users' forwarding addresses. The optional `todrive` parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file.
+
+### Example
+This example outputs all users forwarding addressess in a CSV format.
+```
+gam all users print forwardingaddresses
+```
+
+## Show Forwarding Addresses
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users show forwardingaddresses
+```
+Shows the given users' forwarding addresses.
+
+### Example
+This example shows alincoln's forwarding addresses.
+```
+gam user alincoln show forwardingaddresses
+```
+
+## Setting a Forward
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users forward off
+gam user <username>|group <groupname>|ou <ouname>|all users forward on <EmailAddress> keep|archive|delete|markread
+```
+Disable/enable and set an automatic email forward for the given users. If turning forwarding on, an `<EmailAddress>` and an action (`keep|archive|delete|markread`) are both required. The `<EmailAddress>` you specify must already have been set up as a forwarding address. Actions specify what to do with messages that have been forwarded.
+
+### Example
+This example sets a forward for the user, messages will be deleted after they are forwarded so they will not show up in the user's account
+```
+gam user eclapton forward on eclapton@music.com delete
+```
+
+## Print Forward Settings
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users print forward [todrive]
+```
+Display or upload to Google Drive a CSV report of users' forward settings. The optional `todrive` parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file.
+
+### Example
+This example outputs all users forwarding settings in a CSV format.
+```
+gam all users print forward
+```
+
+## Show Forward Settings
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users show forward
+```
+shows the given users' forwarding settings.
+
+### Example
+This example shows alincoln's forwarding settings.
+```
+gam user alincoln show forward
+```
+
+
+# Delegates
+A delegate is someone who has been given access to someone else's email or contacts. The delegator is the one whose email and contacts are accessible by the delegate.
+Delegate and the delegators must be in the same domain, granting delegate access across multiple domains is currently not possible.
+
+## Creating a Gmail delegate
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users delegate to <delegate email>
+gam user <username>|group <groupname>|ou <ouname>|all users add delegate <delegate email>
+```
+Gives email and contact access for the given users (the delegators) to the specified delegate account. Unlike when users request delegate access via Gmail settings, no email will be sent to the delegators for approval, the approval occurs immediately.
+The delegate and the delegator must be in the same domain, granting delegate access across multiple domains is currently not possible.
+
+Both the Gmail delegator and the delegate:
+
+* Must be active. A 500 error is returned if either user is suspended and disabled.<br>
+* Must not require a change of password on the next sign in. A 500 error is returned if either user has this flag enabled in the control panel, or, using the Provisioning API, the changePasswordAtNextLogin attribute is true.
+
+You can confirm these settings using the <a href='ExamplesProvisioning#Get_User_Info'>gam info user</a> command. Both "Account suspended" and "Must change password" should show false for both the delegate and the delegator.
+
+### Example
+This example gives jbezos access to the contacts and email of the sales account.
+```
+gam user sales delegate to jbezos@amazon.com
+```
+
+
+## Deleting a Gmail delegate
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users delete delegate <delegate email>
+```
+Deletes the delegate for the given users.
+
+### Example
+This example takes away deSecretary's access to deBoss's email and contacts.
+<br>
+```
+gam user deBoss delete delegate deSecretary
+```
+
+## Print Gmail delegates
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users print delegates [todrive]
+```
+Display or upload to Google Drive a CSV report of users' delegates. The optional `todrive` parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file.
+
+Prints the delegates that have access to the given user accounts.
+
+### Example
+This example prints delegates across the entire domain.
+```
+gam all users print delegates
+```
+
+
+## Show Gmail delegates
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users show delegates [csv]
+```
+Shows the delegates that have access to the given user accounts. Optional argument csv prints out CSV style output instead of human readable.
+
+### Example
+This example shows delegates for users in the technology group.
+```
+gam group technology show delegates
+```
+----
+##  Creating a Contact delegate
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users add contactdelegate <delegate email>
+```
+Delegates given user(s) contacts to the given delegate user.
+
+### Example
+This examples gives D. Landingham access to manage J. Bartlet's contacts.
+```
+gam user jbartlet@acme.com add contactdelegate dlandingham@acme.com
+```
+----
+## Deleting a Contact delegate
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users delete contactdelegate <delegate email>
+```
+Removes a delegate user's access to a given user's contacts.
+
+### Example
+This example removes C. Young's delegate access to J. Bartlet's contacts.
+```
+gam user jbartlet@acme.com delete contactdelegate cyoung@acme.com
+```
+----
+## Print Contact delegates
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users print contactdelegates [todrive]
+```
+Prints the contact delegates of a given user. The optional todrive argument causes the output to generate a Google Sheet rather than printing to the console.
+
+### Example
+This example prints all contact delegates for J. Bartlet to a Google Sheet.
+```
+gam user jbartlet@acme.com print contactdelegates todrive
+```
+----
+## Show Contact delegates
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users show contactdelegates
+```
+Shows the contact delegates of a given user in human-friendly output format.
+
+### Example
+This example shows all contact delegates for J. Bartlet.
+```
+gam user jbartlet@acme.com show contactdelegates
+```
+----
+
+# Managing S/MIME Certificates
+## Adding S/MIME Certificates
+### Syntax
+```
+gam user <email> add smime <file <filename>> <password <password>> [default] [sendas <email>]
+```
+Uploads an S/MIME certificate for the user. The file argument specifies the local file which contains the S/MIME Certificate to be uploaded. The password argument specifies the password used to encrypt the S/MIME certificate. The optional argument default specifies that if user has multiple certificates for this sendas, this one should be the default. The optional argument sendas specifies the sendas email address that the S/MIME certificate should be used with. If sendas is not specified, the user's primary address is assumed.
+
+### Example
+This example uploads the file jim.pfx for Jim and marks it as default.
+```
+gam user jim@acme.com add smime file jim.pfx password p@ssw3rd default
+```
+----
+## Updating S/MIME Certificates
+### Syntax
+```
+gam user <email> update smime [id <id>] [sendas <email>] <default>
+```
+Updates a S/MIME certificate for a user. Currently the only update operation is to mark the certificate as the default. The id argument specifies the id of the S/MIME certificate to update. If ID is not specified then all existing certificates will be listed. The sendas argument specifies the sendas address which owns the certificate to be updated. If sendas is not specified, the user's primary address is assumed. The default argument updates the selected certificate to be the default. Currently default is required since it's the only update operation.
+
+### Example
+This example sets a certificate to be the default for John's primary address.
+```
+gam user john@acme.com update smime id 84833830 default
+```
+----
+
+## Deleting S/MIME Certificates
+### Syntax
+```
+gam user <email> delete smime <id <id>> [sendas <email>]
+```
+Deletes a S/MIME certificate for a user. The id argument specfies which S/MIME certificate should be deleted. The optional sendas argument specifies the sendas address which the certificate is associated with. If sendas is not specified then the user's primary address is used.
+
+### Example
+This example delete's the user's certificate.
+```
+gam user john@acme.com delete smime id 34394348349
+```
+----
+
+## Show/Print S/MIME Certificates
+### Syntax
+```
+gam user <email> show|print smime primaryonly todrive
+```
+Show or print the S/MIME certificates of the specified user(s). Show displays the certificates on the screen while print outputs CSV format. The optional argument primaryonly skips looking up additional sendas addresses for user and only pulls certificates associated with the user's primary address. The optional argument todrive specifies that printed output should be uploaded to a Google Drive Spreadsheet instead of displaying the CSV to the screen.
+
+### Example
+This example creates a spreadsheet with all user primary certificates.
+```
+gam all users print smime primaryonly todrive
+```
+----
+
+<h1>Hiding/Unhiding users from the domain contacts</h1>
+Individual user profiles can be hidden/unhidden from the domain contacts list (sometimes called the Global Address List or GAL).<br>
+<br>
+<h2>Changing a users profile to hidden/unhidden</h2>
+<h3>Syntax</h3>
+<pre><code>gam user &lt;username&gt;|group &lt;groupname&gt;|ou &lt;ouname&gt;|all users profile shared|unshared<br>
+</code></pre>
+Share a user's profile (contact) information with other users in the domain. If a user's profile is shared, they'll show up in autocomplete and contact searches for other users. If a user is unshared, others will not be able to discover the user's address and detailed contact info.<br>
+<br>
+<h3>Example</h3>
+this example hides all users in the asked-to-be-hidden Google group from email address autocomplete and contact searches.<br>
+<br>
+<pre><code>gam group asked-to-be-hidden profile unshared<br>
+</code></pre>
+<hr />
+
+<h2>Showing users profile hidden/unhidden status</h2>
+<h3>Syntax</h3>
+<pre><code>gam user &lt;username&gt;|group &lt;groupname&gt;|ou &lt;ouname&gt;|all users show profile<br>
+</code></pre>
+Show the current sharing status of the users' profile.<br>
+<br>
+<h3>Example</h3>
+this example shows the status of all user profiles in the domain.<br>
+<br>
+<pre><code>gam all users show profile<br>
+</code></pre>
+<hr />
+
+# User Profile Photos
+## Updating Profile Photos
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users update photo <photo filename>
+```
+Create or replace the user's photo with the one specified by filename. File should be jpg format. You can use #user# as part of the filename and it will be replaced with the user's full email address.
+
+### Examples
+this example replaces Michael Jones' photo with the one from the employee photo directory
+```
+gam user michael.jones@acme.com update photo h:\employee-photos\mjones.jpg
+```
+
+this example replaces all user's photos with ones stored in c:\photos\<user email>.jpg
+```
+gam all users update photo c:\photos\#user#.jpg
+```
+
+## Getting Profile Photos
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users get photo [drivedir|(targetfolder <FilePath>)] [noshow]
+```
+Gets the users' current photo and saves it to a file named username-domain.jpg in the GAM path. If `drivedir` is specified, the files will be saved in the folder referenced by the environment variable GAMDRIVEDIR. If `targetfolder <FilePath>` is specified, the files will be saved in FilePath. The `noshow` argument prevents to photo data from being displayed to stdout.
+
+## Example
+This example retrieves photos for all users in Google Apps and saves them to files in the C:\photos directory.
+```
+gam all users get photo targetfolder "C:\photos"
+```
+
+## Deleting Profile Photos
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users delete photo
+```
+Deletes the given users' profile photo returning it to blank.
+
+### Example
+This example will delete the profile photo for all members of the group named abused-the-system
+```
+gam group abused-the-system delete photo
+```
+
+
+# Managing User Emails
+## Modifying User Emails
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users modify messages|threads query <gmail search> [doit] [maxtomodify <number>] [addlabel <label>] [removelabel <label>] 
+```
+Modify user Gmail messages or threads. If you specify messages, the search will be done against individual messages and only individual messages that match the query will be modified. If you specify threads then all messages in all threads that match the query will be modified. The addlabel argument specifies labels that should be added to matching messages/threads. The removelabel argument specifies labels that should be added to matching messages/threads. The query parameter is required and uses Gmail search syntax. See the [Advanced Gmail Search help article](https://support.google.com/mail/answer/7190?hl=en) for some tips on complex searches. 
+
+By default, GAM will not modify any messages/threads for users. The doit parameter is needed to tell GAM to actually perform the modify operation. 
+
+The maxtomodify paramater (default: 1) defines how many matching messages/threads per user that may be modified. If more than this number of message matches the search query, GAM will refuse to modify ANY messages for that user. 
+
+### Example
+This example moves all matching messages to the Spam folder.
+```
+gam user joe@acme.com modify messages query 'subject:"buy viagra"' addlabel SPAM removelabel INBOX doit maxtomodify 10
+```
+
+This example marks all messages from president@acme.com as Important and Starred.
+```
+gam all users modify messages query from:president@acme.com addlabel IMPORTANT addlabel STARRED doit maxtomodify 500
+```
+----
+
+## Deleting, Trashing or Untrashing User Emails
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users delete|trash|untrash messages|threads query <gmail search> [doit] [maxtodelete|maxtotrash|maxtountrash <number>] 
+```
+Delete or move to trash messages or threads for a user or group of users. If you specify messages, the search will be done against individual messages and only individual messages that match the query will be deleted/trashed/undeleted. If you specify threads then all messages in all threads that match the query will be deleted/trashed/undeleted. The query parameter is required and uses Gmail search syntax. See the [Advanced Gmail Search help article](https://support.google.com/mail/answer/7190?hl=en) for some tips on complex searches. 
+
+By default, GAM will not delete/trash/untrash any messages for users, it only shows what messages will be impacted. The doit parameter is needed to tell GAM to actually perform the delete/trash/untrash operation.
+
+The maxtodelete/maxtotrash/maxtountrash paramater (default: 1) defines how many matching messages/threads per user that may be affected. If more than this number of message matches the search query, GAM will refuse to modify ANY messages for that user.
+
+### Examples
+This example gets a count of how many messages a user has with PDF attachments but doesn't actually do anything to them.
+```
+gam user joe@acme.org delete messages query filename:pdf
+```
+
+This example will delete the message that has this exact [RFC822 Message ID header](https://support.google.com/groups/answer/75960?hl=en) for all users. Only one message at most will be deleted for all users (they should have only one copy). This example is useful if an email is sent to a large number of people and you wish to remove it from their mailbox quickly.
+```
+gam all users delete messages query rfc822msgid:CAGoYzwvzepSfbHB8mBoOx4VqsiotTmRjvBSFjz8NMg2VXeHTrA@mail.gmail.com doit
+```
+
+This example will trash the thread that has a message from internal.leaker@gmail.com. This means that if users have replied to the message or forwarded it, those messages should also be deleted from the user mailbox.
+```
+gam all users delete threads query from:internal.leaker@gmail.com maxtodelete 10 doit
+```
+
+This example will trash all messages older than 7 years for members of the group. **BE CAREFUL!** There is no undo button. This command could be run on a regular basis (once a day or so) in order to ensure messages older than 7 years are trashed for the user.
+```
+gam group purge7@acme.org trash messages query older_than:7y doit maxtodelete 999999999
+```
+## Sending Email as a User
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users sendemail [message <message>] [file <file>] [subject <subject] [recipient <recipient>]
+```
+Sends an email as the given user. The optional argument message specifies the text to use for the email message including headers and body. The optional argument file reads the message including headers and body from a local file. An easy way to create a rich email message is to send it to yourself in Gmail UI and then [Download the original](https://support.google.com/mail/answer/29436?hl=en) to a file. The optional arguments subject and recipient set the message subject / recipient respectively and will override the headers set in message or file.
+
+### Example
+This example sends a quick message to the user and from the user
+```
+gam user test@example.com sendemail subject "from me, to me"
+```
+This example sends a message from the user to an external address
+```
+gam user test@example.com sendemail file c:\gam\test.eml recipient thedude@gmail.com
+```
+## Dropping Emails into a User Mailbox
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users insertemail|importemail [message <message>] [file <file>] [subject <subject] [recipient <recipient>] [labels <labels,>]
+```
+Drops an email into the given users mailbox. Note that unlike sendemail, these commands will always put the email directly into the user's mailbox, no matter who the recipient is set to. insertemail uses the [INSERT API method](https://developers.google.com/gmail/api/v1/reference/users/messages/insert) and is fastest though messages will not be de-duplicated or threaded in the Gmail mailbox. importemail uses the [IMPORT API method](https://developers.google.com/gmail/api/v1/reference/users/messages/import) which is slower but offers more processing options during delivery. By default, messages dropped in a user mailbox receive *no labels* which means they are archived and marked as read. To best grab a user's attention for reading the recommendation is to set labels like INBOX,UNREAD,IMPORTANT,STARRED. The optional argument message specified the message including headers and body. The optional argument file reads the message including headers and body from a local file. The optional arguments subject and recipient set the message subject and recipients overriding message and file. The optional argument labels specifies a comma separated list of labels to apply to the message.
+
+Dropped messages do not get processed by user Gmail filters.
+
+### Example
+This example is the fastest way to get an email in front of a LOT of users quickly with a custom message per-user.
+```
+gam print users givenname | gam csv - gam user ~primaryEmail insertemail subject "ALERT: ~~givenName~~ donuts in the break room" labels INBOX,UNREAD,IMPORTANT,STARRED
+```
+## Drafting Emails for a User
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users draftemail [message <message>] [file <file>] [subject <subject] [recipient <recipient>]
+```
+Places a draft email in the given user's mailbox. The optional argument message specifies the email message including headers and body. The optional argument file reads the message from a local file. The optional argument subject sets the message subject overriding message/file. The optional argument recipient sets the message recipient overriding message/file.
+
+### Example
+This example creates a draft message for a user.
+```
+gam user me@example.com draftemail subject "TPS Report" message "This is my TPS report" recipient boss@example.com
+```
+
+# Print/Show User Gmail Profile
+## Print User Gmail Profile
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users print gmailprofile [todrive]
+```
+Display or upload to Google Drive a CSV report of user Gmail profile data. The optional `todrive` parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file. 
+
+## Show User Gmail Profile
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users print gmailprofile
+```
+Display a formatted report of user Gmail profile data.
+---
+# Managing User Display Language
+## Set User Language
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users language <language code>
+```
+set the display language used for the user. A full list of language codes can be found [here.](https://developers.google.com/gmail/api/guides/language_settings#display_language).
+### Example
+This example sets the user's language to UK English
+```
+gam user jlennon language en-GB
+```
+---
+## Get User Language
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users show language
+```
+get the display language currently set for the user.
+### Example
+This example gets the current language of the user.
+```
+gam user jlennon show language
+```
+---

docs/ExamplesOrganizations.md

@@ -0,0 +1,111 @@
+- [Creating an Organization Unit](#creating-an-organization-unit)
+- [Updating (and adding users to) an Organization Unit](#updating-and-adding-users-to-an-organization-unit)
+- [Retrieving an Organization Unit's Information](#retrieving-an-organization-units-information)
+- [Deleting an Organization Unit](#deleting-an-organization-unit)
+
+# Creating an Organization Unit
+## Syntax
+```
+gam create org <name> [description <Description>] [parent <Parent Org>] [noinherit]
+```
+create an organizational unit. The required argument name is the organization unit name, if it contains spaces, it should be quoted. The optional argument description offers more details on the organizational unit, if it contains spaces it should be quoted. The optional argument parent allows the organization unit to be created as a sub-org of an existing organization unit, if it contains spaces it should be quoted. If parent is not specified, the new organization is created at the top level. The optional argument noinherit blocks policy setting inheritance from organization units higher in the organization tree, inheritance is enabled by default if noinherit is not specified.
+
+## Example
+This example creates an Organization Unit with all optional arguments
+
+```
+gam create org "Mail Enabled Faculty" description "Faculty with access to Gmail" parent /Employees
+```
+
+---
+
+
+# Updating (and adding users to) an Organization Unit
+## Syntax
+```
+gam update org <name> [name <New Name>] [description <Description>] [parent <Parent>] [inherit|noinherit] [add users <Users> | file <File Name> | group <Group Name>]
+```
+update an organization unit. The required argument name is the organization unit name, if it contains spaces, it should be quoted. If the organization unit is a sub-organization, it should use the format "parent org/org" (use the / character between the parent and the sub-org). The optional argument "name ..." specifies a new name for the organization unit, if it contains spaces, it should be quoted. The optional argument description offers more details on the organizational unit, if it contains spaces it should be quoted. The optional argument parent allows the organization unit to be moved as a sub-org of an existing organization unit, if it contains spaces it should be quoted. The optional arguments inherit and noinherit enable/disable inheritance respectfully. The optional argument add specifies a list, filename or group of users that should be moved into the organization unit. If using add users, the list of users should be quoted and spaces should be used between each user. If using file, the given file should contain a list of users to be added, one per line. If using group, specify the name of a Google Apps group that contains the users you would like moved into the organization unit.
+
+**Important:** Users can only exist in one organization unit at a time. When you add them to an organization unit with this command, they will be removed from their previous organization unit.
+
+
+## Example
+This example updates the organization unit's parameters without adding any users
+```
+gam update org Faculty description "Faculty Users" parent Employees
+```
+
+This example renames the organization unit
+```
+gam update org Faculty name "Faculty and Staff"
+```
+
+This example adds the given list of users to the organization unit
+```
+gam update org Faculty add users "socrates plato aristotle"
+```
+
+This example assumes that the file faculty.txt exists and looks like:
+```
+davinci
+michelangelo
+raphael
+```
+it will add these users to the organization unit
+```
+gam update org Faculty add file faculty.txt
+```
+
+This example will add members of the Google Apps group inventors to the Faculty organization unit
+```
+gam update org Faculty add group inventors
+```
+
+---
+
+
+# Retrieving an Organization Unit's Information
+## Syntax
+```
+gam info org <name> [nousers|child]
+```
+retrieve details about the given organization unit. GAM will print a summary of the organization unit. If the nousers argument is selected, the users in the org won't be listed. The child argument prints users in the sub-orgs along with the string "(child") next to their email address.
+
+## Example
+This example will print a summary detailing the given organization unit
+```
+gam info org Faculty
+Organization Unit: Faculty
+Description: Faculty Users
+Parent Org: /
+Block Inheritance: false
+Users:
+ davinci@domain.com
+ michelangelo@domain.com
+ raphael@domain.com
+```
+
+---
+
+
+# Deleting an Organization Unit
+## Syntax
+```
+gam delete org <orgUnitPath>
+```
+delete the given organization unit.
+
+**Important:** The organization unit must be completely emptied of users and sub-organizations before it can be deleted.
+
+## Example
+This example will delete the already emptied organization unit Sub-faculty and then afterwards delete the emptied organization unit Faculty.
+
+```
+gam delete org /Faculty/Sub-faculty
+```
+
+```
+gam delete org /Faculty
+```
+---

docs/Find-File-Owner.md

@@ -1,4 +1,4 @@
-# Find File Owner
+!# Find File Owner
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
 - [Display File Ownership](#display-file-ownership)
@@ -47,11 +47,8 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 
 ## Display File Ownership for Old files
 If the above commands fail, you can try to loop through all accounts, however this might take a long time if you are on a large Google Workspace Account.
-
-```
-gam config auto_batch_min 1 redirect csv - multiprocess redirect stderr null multiprocess all users print filelist select id <DriveFileID> fields id,name,owners.emailaddress norecursion showownedby any
-```
-Starting with version 6.07.26, this can be made more efficient by terminating processing after the owner is identified.
+If any lines are displayed, the file owner is in the `owners.0.emailAddress` column.
 ```
 gam config auto_batch_min 1 multiprocessexit rc=0 redirect csv - multiprocess redirect stderr null multiprocess all users print filelist select id <DriveFileID> fields id,name,owners.emailaddress norecursion showownedby any
+gam config auto_batch_min 1 multiprocessexit rc=0 redirect csv - multiprocess redirect stderr null multiprocess all users print filelist select name <DriveFileName> fields id,name,owners.emailaddress norecursion showownedby any
 ```

docs/GAM-Return-Codes.md

@@ -1,6 +1,6 @@
-# GAM Return Codes
+!# GAM Return Codes
 
-These are the return codes used by GAMADV-XTD3.
+These are the return codes used by GAM7.
 
 ```
 SUCCESS_RC = 0
@@ -32,6 +32,7 @@ ENTITY_IS_A_USER_ALIAS_RC = 21
 ENTITY_IS_A_GROUP_RC = 22
 ENTITY_IS_A_GROUP_ALIAS_RC = 23
 ENTITY_IS_AN_UNMANAGED_ACCOUNT_RC = 24
+ORGUNIT_NOT_EMPTY_RC = 25
 CHECK_USER_GROUPS_ERROR_RC = 29
 ORPHANS_COLLECTED_RC = 30
 # Warnings/Errors
@@ -61,4 +62,14 @@ TARGET_DRIVE_SPACE_ERROR_RC = 74
 USER_REQUIRED_TO_CHANGE_PASSWORD_ERROR_RC = 75
 USER_SUSPENDED_ERROR_RC = 76
 NO_CSV_DATA_TO_UPLOAD_RC = 77
+NO_SA_ACCESS_CONTEXT_MANAGER_EDITOR_ROLE_RC = 78
+ACCESS_POLICY_ERROR_RC = 79
+YUBIKEY_CONNECTION_ERROR_RC = 80
+YUBIKEY_INVALID_KEY_TYPE_RC = 81
+YUBIKEY_INVALID_SLOT_RC = 82
+YUBIKEY_INVALID_PIN_RC = 83
+YUBIKEY_APDU_ERROR_RC = 84
+YUBIKEY_VALUE_ERROR_RC = 85
+YUBIKEY_MULTIPLE_CONNECTED_RC = 86
+YUBIKEY_NOT_FOUND_RC = 87
 ```

docs/GAM-with-minimal-GCP-rights.md

@@ -1,4 +1,4 @@
-# GAM setup with minimal GCP permissions.
+!# GAM setup with minimal GCP permissions.
 
 - GCP Admin can create a project for the Workspace / GAM admin.
 

docs/GAM7-on-Android-Devices.md

@@ -1,7 +1,7 @@
-# GAMADV-XTD3 on Android Devices
-GAMADV-XTD3 now runs on 64-bit Android devices such as Google's Pixel phones. The installation requires an app that adds the Linux environment to Android such as [UserLAnd](https://play.google.com/store/apps/details?id=tech.ula&hl=en_US).
+!# GAM7 on Android Devices
+GAM7 now runs on 64-bit Android devices such as Google's Pixel phones. The installation requires an app that adds the Linux environment to Android such as [UserLAnd](https://play.google.com/store/apps/details?id=tech.ula&hl=en_US).
 
-_Note: Chromebooks / Chrome OS devices should install GAMADV-XTD3 using [these instructions](GAMADV-XTD3-on-Chrome-OS-Devices)._
+_Note: Chromebooks / Chrome OS devices should install GAM7 using [these instructions](GAM7-on-Chrome-OS-Devices)._
 
 1. Install the [UserLAnd](https://play.google.com/store/apps/details?id=tech.ula&hl=en_US) app.
 2. Click Debian to install a Debian environment.

docs/GAM7-on-Chrome-OS-Devices.md

@@ -1,5 +1,5 @@
-# GAMADV-XTD3 on Chrome OS Devices
-Chrome OS devices that [support Linux apps](https://support.google.com/chromebook/answer/9145439?hl=en) can run GAMADV-XTD3. This includes Intel/AMD x86_64 Chromebooks as well as ARM-based Chromebooks with Mediatek or Rockchip 64-bit CPUs.
+!# GAM7 on Chrome OS Devices
+Chrome OS devices that [support Linux apps](https://support.google.com/chromebook/answer/9145439?hl=en) can run GAM7. This includes Intel/AMD x86_64 Chromebooks as well as ARM-based Chromebooks with Mediatek or Rockchip 64-bit CPUs.
 
 1. [Set up Linux on your Chromebook](https://support.google.com/chromebook/answer/9145439?hl=en).
 1. From the Terminal app, run the following commands:

docs/GAM7CSVListings.md

@@ -0,0 +1,434 @@
+- [Printing All Users](#printing-all-users)
+- [Printing All Groups](#printing-all-groups)
+- [Print All Aliases](#print-all-aliases)
+- [Print All Organizational Units](#print-all-organizational-units)
+- [Print All Resource Calendars](#print-all-resource-calendars)
+- [Print All Domains and Domain Aliases](#print-all-domains-and-domain-aliases)
+- [Print Mobile Devices](#print-mobile-devices)
+- [Print Chrome OS Devices](#print-chrome-os-devices)
+- [Print Chrome OS Device Activity](#print-chrome-os-device-activity)
+- [Print Licenses](#print-licenses)
+- [Reports](#reports)
+  - [User Report](#users-report)
+  - [Customer Report](#customer-report)
+  - [Usage Reports](#usage-reports)
+  - [Possible Usage Parameters](#possible-usage-parameters)
+  - [Drive Report](#drive-report)
+  - [Admin Actions Report](#admin-actions-report)
+  - [Calendar Actions Report](#calendar-actions-report)
+  - [Group Actions Report](#group-actions-report)
+  - [Login Audit Report](#login-audit-report)
+  - [Mobile Audit Report](#mobile-audit-report)
+  - [OAuth Token Activities Report](#oauth-token-activities-report)
+
+# Printing All Users
+
+### Syntax
+```
+gam print users [allfields] [custom all|list,of,schemas] [userview] [ims] [emails] [externalids] [relations] [addresses] [organizations] [phones] [licenses] [firstname] [lastname] [emailparts] [deleted_only] [orderby email|firstname|lastname] [ascending|descending] [domain] [query <query>] [fullname] [ou] [suspended] [changepassword] [agreed2terms] [admin] [gal] [id] [creationtime] [lastlogintime] [aliases] [groups] [todrive]
+```
+prints a CSV file of all users in the G Suite Organization. The CSV output can be redirected to a file using the operating system's pipe command (such as "> users.csv") see examples below. By default, the only column printed is the user's full email address. The optional argument allfields adds all fields (except groups which requires per-user API calls) to the CSV. The optional argument deleted\_only prints only users deleted within the past 5 days. The optional custom argument adds custom schemas. If all is specified, all custom schemas will be included. Otherwise only those listed in a comma separated list will be included. The optional userview parameter returns only fields that are viewable by regular users and can be run even if GAM is authenticated against a regular user account. The optional licenses parameter includes a column for all SKUs assigned to each user. The optional query parameter should match the [API search for users](https://developers.google.com/admin-sdk/directory/v1/guides/search-users) format. All other arguments add the respective additional column to the CSV output. Note that adding groups will require 1 additional call to Google's servers <b>per user</b> which will significantly increase the length of time for the command to complete. The optional todrive argument will upload the CSV data to a Google Docs Spreadsheet file in the Administrators Google Drive rather than displaying it locally.
+
+### Example
+This example will generate the csv file users.csv showing with columns many fields
+```
+gam print users allfields > users.csv
+Getting all users in the organization (may take some time on a large G Suite account)...
+
+users.csv contains:
+--
+Email,Firstname,Lastname,Fullname,Username,OU,Suspended,SuspensionReason,ChangePassword,AgreedToTerms,DelegatedAdmin,Admin,CreationTime,LastLoginTime,Aliases,NonEditableAliases,ID,PhotoURL,IncludeInGlobalAddressList
+jsmith@acme.com,Jon,Smith,Jon Smith,jsmith,/Sales,False,,False,True,False,False,2012-03-23T15:04:19.000Z,2013-05-06T16:02:36.000Z,,jsmith@acme-alias.gov,106100537778424449519,,True
+--
+```
+
+---
+
+
+# Printing All Groups
+### Syntax
+```
+gam print groups [name] [description] [admincreated] [id] [aliases] [members] [owners] [managers] [settings] [todrive]
+```
+prints a CSV file of all groups in the G Suite domain. The CSV output can be redirected to a file using the operating system's pipe command (such as "> groups.csv") see examples below. By default, the only column printed is the Group email address. The optional arguments name, description, id and admincreated add the respective additional column to the CSV output. The optional arguments members, owners, managers and settings each perform 1 additional API call per group which may greatly increase the time it takes the command to complete. settings will add multiple columns for the groups advanced settings. The optional todrive argument will upload the CSV data to a Google Docs Spreadsheet file in the Administrators Google Drive rather than displaying it locally.
+
+### Examples
+this example will output all details for all groups to the file groups.csv
+```
+gam print groups name description admincreated id aliases members owners managers settings > groups.csv
+```
+
+---
+
+
+# Print All Aliases
+### Syntax
+```
+gam print aliases [todrive]
+```
+prints a CSV file of all email aliases in the G Suite domain for both users and groups. The CSV output can be redirected to a file using the operating system's pipe command (such as "> nicknames.csv") see examples below. The optional todrive argument will upload the CSV data to a Google Docs Spreadsheet file in the Administrators Google Drive rather than displaying it locally.
+
+### Example
+this example will output all nicknames to the file aliases.csv
+```
+gam print aliases > aliases.csv
+```
+
+---
+
+
+# Print All Organizational Units
+### Syntax
+```
+gam print orgs [name] [description] [parent] [inherit] [allfields] [todrive]
+```
+prints a CSV file of all organizational units in the G Suite account. The CSV output can be redirected to a file using the operating system's pipe command (such as "> orgs.csv") see examples below. By default, the only column output is "Path" (OUs full path). The optional argument allfields will include all possible fields in the CSV. The optional arguments name, description, parent and inherit add the respective additonal column to the CSV output. Only 1 call to Google's servers is done no matter which arguments are specified so the optional arguments should not significantly increase the time it takes for the command to complete. The optional todrive argument will upload the CSV data to a Google Docs Spreadsheet file in the Administrators Google Drive rather than displaying it locally.
+
+### Example
+this example will output all organizations to the file orgs.csv including all optional columns
+```
+gam print orgs name description parent inherit > orgs.csv
+```
+
+---
+
+
+# Print All Resource Calendars
+### Syntax
+```
+gam print resources [description] [type] [allfields] [todrive]
+```
+prints a CSV file of all resource calendars in the G Suite account. The CSV output can be redirected to a file using the operating system's pipe command (such as "> resources.csv") see examples below. The optional arguments description and type add the respective additional column to the CSV output. The optional argument allfields will add all returned fields (including description and type) to the output. The optional todrive argument will upload the CSV data to a Google Docs Spreadsheet file in the Administrators Google Drive rather than displaying it locally.
+
+### Example
+this example will output all resource calendars to the file resources.csv including all optional columns
+```
+gam print resources allfields > resources.csv
+```
+---
+
+# Print All Domains and Domain Aliases
+
+### Syntax
+```
+gam print domains [todrive]
+```
+
+Outputs CSV of all domains. The todrive parameter causes GAM to create a Google Spreadsheet of results rather than outputting a CSV.
+
+---
+
+# Print Mobile Devices
+### Syntax
+```
+gam print mobile [query <query>] [basic|full] [orderby deviceid|email|lastsync|model|name|os|status|type] [ascending|descending] [todrive]
+```
+
+Prints all mobile devices connected to the G Suite instance. All fields are included in the CSV. The optional argument `query` specifies an optional query to limit output results. The format of the query parameter should match the [Search format of the Control Panel](http://support.google.com/a/bin/answer.py?hl=en&answer=1408863#search). The `basic` and `full` arguments control the selection of fields that are output. The `orderby` and `ascending/descending` parameters determine how the CSV output is sorted. The optional `todrive` argument will upload the CSV data to a Google Docs Spreadsheet file in the Administrators Google Drive rather than displaying it locally.
+
+### Example
+This example prints details on all mobile devices in the domain
+```
+gam print mobile
+```
+
+This example prints all of jsmith@acme.org's mobile devices
+```
+gam print mobile query "email:jsmith@acme.org"
+```
+
+---
+
+
+# Print Chrome OS Devices
+### Syntax
+```
+gam print cros [query <query>] [orderby location|user|lastsync|serialnumber|supportenddate] [ascending|descending] [todrive] [allfields|full|basic] [nolists] [listlimit <Number>] <CrOSFieldName>* [fields <CrOSFieldNameList>]
+```
+Print all Chrome OS devices enrolled in the G Suite instance. By default, the only column printed is the deviceId. The optional arguments `allfields/full` add all fields to the output; the optional argument `basic` adds some essential fields to the output. The `<CrOSFieldName>*` and `fields <CrOSFieldNameList>` arguments give you the ability to select the specific fields you want output. The optional parameter `query` specifies a query to perform, limiting the results to matching devices. The query format is described in Google's [help article](http://support.google.com/chrome/a/bin/answer.py?hl=en&answer=1698333). The `orderby` and `ascending/descending` parameters determine sorting of CSV output. The optional `todrive` argument will upload the CSV data to a Google Docs Spreadsheet file in the Administrators Google Drive rather than displaying it locally.
+
+The full data for a Chrome OS device includes two repeating fields, `recentUsers` and `activeTimeRanges`, with multiple entries of two columns each that makes for a large number of columns in the CSV output. Use the `listlimit <Number>` argument to limit each of the repeating fields to `<Number>` entries of two columns each. The `nolists` argument eliminates these two fields from the output. Specifying either or both of `recentusers` or `activetimeranges` as a field includes the fields in the output, but there are only two columns per field per row; multiple rows are written to the CSV output to include all of the values. The `listlimit <Number>` argument limits the rows written to `<Number>`.
+
+### Example
+This example prints basic data for all Chrome OS Devices enrolled in the domain.
+
+```
+gam print cros basic
+```
+
+This example prints all Chrome OS devices annotated as belonging to jsmith@acme.org
+
+```
+gam print cros query "user:jsmith@acme.org"
+```
+
+---
+
+# Print Chrome OS Device Activity
+### Syntax
+```
+gam print crosactivity [query <query>] [todrive] [times] [users] [start <yyyy-mm-dd>] [end <yyyy-mm-dd>]
+```
+Print information about Chrome OS device activity and recent users. Outputs one line per device per daily usage and one line per device with recent users. The optional parameter `query` specifies a query to perform, limiting the results to matching devices. The query format is described in Google's [help article](http://support.google.com/chrome/a/bin/answer.py?hl=en&answer=1698333). The optional `todrive` argument will upload the CSV data to a Google Docs Spreadsheet file in the Administrators Google Drive rather than displaying it locally. The optional times and users arguments specify whether only times or users should be output. By default, both times and users are included in the CSV output. The optional start and end date parameters specify the oldest and newest activity dates that should be included in the output, be default all dates returned by the API are included (usually max 14 entries).
+
+### Example
+This example prints all Chrome OS activity times to a spreadsheet.
+```
+gam print crosactivity todrive
+```
+----
+
+# Print Licenses
+### Syntax
+```
+<ProductID> ::=
+        Google-Apps|
+        Google-Chrome-Device-Management|
+        Google-Coordinate|
+        Google-Drive-storage|
+        Google-Vault|
+        101001|
+        101005|
+        101031
+<ProductIDList> ::= "(<ProductID>|SKUID>)(,<ProductID>|SKUID>)*"
+<SKUID> ::=
+        cloudidentity|identity|1010010001|
+        cloudidentitypremium|identitypremium|1010050001|
+        free|standard|Google-Apps|
+        gafb|gafw|basic|gsuitebasic|Google-Apps-For-Business|
+        gafg|gsuitegovernment|gsuitegov|Google-Apps-For-Government|
+        gams|postini|gsuitegams|gsuitepostini|gsuitemessagesecurity|Google-Apps-For-Postini|
+        gal|lite|gsuitelite|Google-Apps-Lite|
+        gau|unlimited|gsuitebusiness|Google-Apps-Unlimited|
+        gae|enterprise|gsuiteenterprise|1010020020|
+        gsefe|e4e|gsuiteenterpriseeducation|1010310002|
+        chrome|cdm|googlechromedevicemanagement|Google-Chrome-Device-Management|
+        coordinate|googlecoordinate|Google-Coordinate|
+        drive20gb|20gb|googledrivestorage20gb|Google-Drive-storage-20GB|
+        drive50gb|50gb|googledrivestorage50gb|Google-Drive-storage-50GB|
+        drive200gb|200gb|googledrivestorage200gb|Google-Drive-storage-200GB|
+        drive400gb|400gb|googledrivestorage400gb|Google-Drive-storage-400GB|
+        drive1tb|1tb|googledrivestorage1tb|Google-Drive-storage-1TB|
+        drive2tb|2tb|googledrivestorage2tb|Google-Drive-storage-2TB|
+        drive4tb|4tb|googledrivestorage4tb|Google-Drive-storage-4TB|
+        drive8tb|8tb|googledrivestorage8tb|Google-Drive-storage-8TB|
+        drive16tb|16tb|googledrivestorage16tb|Google-Drive-storage-16TB|
+        vault|googlevault|Google-Vault|
+        vfe|googlevaultformeremployee|Google-Vault-Former-Employee
+<SKUIDList> ="<SKUID>(,<SKUID>)*"
+
+gam print license|licenses|licence|licences [todrive] [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
+
+```
+Print G Suite, Google Drive storage and Google Coordinate license assignments for the domain. The optional todrive argument will upload the CSV data to a Google Docs Spreadsheet file in the Administrators Google Drive rather than displaying it locally.
+
+### Example
+This example gets all license assignments for the G Suite instance and uploads the spreadsheet to Google Docs.
+```
+gam print licenses todrive
+```
+
+---
+
+
+# Reports
+## Users Report
+### Syntax
+```
+gam report users [todrive] [date <yyyy-mm-dd>] [user <email>] [filter <filter terms>] [fields <included fields>]
+```
+
+Display or upload to Google Drive a CSV report of current users. The optional todrive parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file. The optional date parameter specifies when the report should be pulled for, when not specified, GAM pulls the most recently available report from Google. The optional user parameter specifies the email address of a single user whose data should be returned, by default all users in the G Suite instance are pulled. The optional filter parameter specifies search terms as described in [Google's API documentation](https://developers.google.com/admin-sdk/reports/v1/reference/userUsageReport/get). The optional fields parameter specifies a comma-separated list of fields (columns) to be included in the output, if not specified all columns are returned. A list of account parameters can be found [here](https://developers.google.com/admin-sdk/reports/v1/reference/usage-ref-appendix-a/users-accounts)
+
+### Example
+This command will pull the most recently available users report and upload to drive.
+```
+gam report users todrive
+```
+
+This command will pull a list of users who have not logged in since the beginning of the year.
+```
+gam report users filter 'accounts:last_login_time<2013-01-01T00:00:00.000Z'
+```
+
+This command will pull a list of users and their usage of Drive and Gmail.
+```
+gam report users parameters accounts:drive_used_quota_in_mb,accounts:gmail_used_quota_in_mb
+```
+
+---
+
+
+## Customer Report
+### Syntax
+```
+gam report customer [todrive] [date <yyyy-mm-dd>]
+```
+Display or upload to Google Drive a CSV report of aggregate user data across the G Suite instance (all users). The optional todrive parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file. The optional date parameter specifies when the report should be pulled for, when not specified, GAM pulls the most recently available report from Google.
+
+### Example
+This example uploads to Google Drive the most recent customer report
+```
+gam report customer todrive
+```
+
+## Usage Reports
+### Syntax
+```
+gam report usage user|customer parameters <comma separated parameters> [start_date yyyy-mm-dd] [end_date yyyy-mm-dd] [orgunit <ou of users>] [skip_dates yyyy-mm-dd...] [skip_days_of_week mon,tue...] [todrive] [users|group|csvfile]
+```
+Provides CSV output of customer or user service usage. When the optional todrive argument is specified a Google Sheet is created and a chart can easily be added to present a graphical timeline. The parameters argument is required and specifies a comma-separated list of which parameters to retrieve. Possible parameter values can be discovered with the [gam report usageparameters](#possible-usage-parameters) command. The optional start_date and end_date arguments specify the date range to retrieve. When not specified, start_date will be one month ago and end_date will be the most recent report (may be 3-4 days old). The optional orgunit argument specifies a Google Organizational unit of users to retrieve report data against, orgunit works only with user, not customer. The optional arguments skip_dates and skip_days_of_week specify precise dates or days of week when usage should not be retrieved. This allows you to remove weekends or holidays from the usage data reducing "camel humping" of the data. By default with the user usage report, all users are retrieved or, if orgunit is specified users of a given orgunit are retrieved. Optionally you can specify a group, list of users or csvfile of users to retrieve. Note that this option can be very slow as an API call will be made per-user, per date.
+
+### Example
+This example generates a Google Sheet of Google Meet total usage across your users. Once in the Sheet a chart can easily be added to provide a graphical timeline of usage trends. Note that total_call_minutes = sum of all user time spent on a meeting, 5 users in a 10 minute meeting = 50 call minutes and total_meeting_minutes = sum of all meeting times, 5 users in a 10 minute meeting = 10 meeting minutes.
+```
+gam report usage customer parameters meet:total_call_minutes,meet:total_meeting_minutes todrive start_date 2020-03-01 skip_days_of_week sat,sun skip_dates 2020-03-06
+```
+----
+## Possible Usage Parameters
+### Syntax
+```
+gam report usageparameters customer|user
+```
+provides a printed list of all possible parameters which can be used with the [gam report usage](#usage-reports) parameters argument.
+
+### Example
+Shows all usage parameters available for customer
+```
+gam report usageparameters customer
+```
+## Drive Report
+### Syntax
+```
+gam report drive [todrive] [user <user email> [ip <ip address>] [start <start time>] [end <end time>] [event view|edit|<other>] [filter <filter>]
+```
+Display or upload to Google Drive a CSV report of Google Drive activities by users in the past 180 days. The optional todrive parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file. The optional user parameter narrows the results down to documents viewed or edited by the given user. The optional ip address parameter narrows results down to activities performed from the given IPv4 or IPv6 address. The optional start and end parameters narrow the results down to actions performed during the given period.
+
+The optional event parameter narrows the results down to specific event types such as just views or just edits. Refer to the [Drive Event Names appendix](https://developers.google.com/admin-sdk/reports/v1/reference/activity-ref-appendix-a/drive-event-names) for details.
+
+For more granular control, use the optional filter parameter and pass in a filter query as documented in the [Reports API documentation](https://developers.google.com/admin-sdk/reports/reference/rest/v1/activities/list#body.QUERY_PARAMETERS.filters). Useful filter parameters include `doc_title` to list all activities for files with a given name and `doc_id` to list all activities for a specific file (both of which might be helpful to identify the owner of a file).
+
+### Example
+This example uploads to Drive a CSV of all doc actions:
+```
+gam report drive todrive
+```
+
+This example narrows the results down to actions performed by john@acme.com on Christmas Day 2013 (GMT):
+```
+gam report drive user john@acme.com start 2013-12-25T00:00:00.000Z end 2013-12-25T23:59:59.999Z
+```
+
+This example narrows the results down to just files with the name _All files in Policies Shared Drive_ and can be used to help identify the owner of a file when all you know is the name (will also match other files with the same name):
+```
+gam report drive filter "doc_title==All files in Policies Shared Drive"
+```
+
+This example narrows the results down to just files with the ID _9gEtJNb85tK87Py2SJl8uwq78BxSMMR_ and can be used to identify the owner of a file when all you know is the ID:
+```
+gam report drive filter "doc_id==9gEtJNb85tK87Py2SJl8uwq78BxSMMR"
+```
+
+
+## Admin Actions Report
+### Syntax
+```
+gam report admin [todrive] [user <user email>] [ip <ip address>] [start <start time>] [end <end time>] [event <event name>]
+```
+Display or upload to Google Drive a CSV report of administrator activities for the G Suite domain. The optional todrive parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file. The optional user parameter narrows the results down to admin activities performed by the given user. The optional ip address parameter narrows results down to activities performed from the given IPv4 or IPv6 address. The optional start and end parameters narrow the results down to actions performed during the given period. The optional event parameter narrows the results down to the given admin event type.
+
+[Details.](https://developers.google.com/admin-sdk/reports/v1/reference/activity-ref-appendix-a/admin-event-names)
+
+### Example
+This example uploads all recent admin changes to Google Drive.
+```
+gam report admin todrive
+```
+
+This example shows the admin activities of joe@schmo.com for 6/9/13 through 6/12/13 (GMT).
+```
+gam report admin todrive user joe@schmo.com start 2013-06-09T00:00:00.000Z end 2013-06-12T11:59:59.999Z
+```
+
+## Calendar Actions Report
+### Syntax
+```
+gam report calendar [todrive] [user <user email>] [ip <ip address>] [start <start time>] [end <end time>] [event <event name>]
+```
+Display or upload to Google Drive a CSV report of calendar activities for the G Suite domain. The optional todrive parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file. The optional user parameter narrows the results down to admin activities performed by the given user. The optional ip address parameter narrows results down to activities performed from the given IPv4 or IPv6 address. The optional start and end parameters narrow the results down to actions performed during the given period. The optional event parameter narrows the results down to the given calendar event type.
+
+[Details.](https://developers.google.com/admin-sdk/reports/v1/reference/activity-ref-appendix-a/calendar-event-names)
+
+This example shows the calendar activities of joe@schmo.com for 6/9/13 through 6/12/13 (GMT).
+```
+gam report calendar user joe@schmo.com start 2013-06-09T00:00:00.000Z end 2013-06-12T11:59:59.999Z
+```
+
+## Group Actions Report
+### Syntax
+```
+gam report groups [todrive] [user <user email>] [ip <ip address>] [start <start time>] [end <end time>] [event <event name>]
+```
+Display or upload to Google Drive a CSV report of group actions for the G Suite domain. The optional todrive parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file. The optional user parameter narrows the results down to group actions performed by the given user. The optional ip address parameter narrows results down to activities performed from the given IPv4 or IPv6 address. The optional start and end parameters narrow the results down to actions performed during the given period. The optional event parameter narrows the results down to the given group event type.
+
+[Details.](https://developers.google.com/admin-sdk/reports/v1/reference/activity-ref-appendix-a/groups-event-names)
+
+### Example
+This example uploads all recent group changes to Google Drive.
+```
+gam report groups todrive
+```
+
+This example shows the group actions of joe@schmo.com for 6/9/13 through 6/12/13 (GMT).
+```
+gam report groups user joe@schmo.com start 2013-06-09T00:00:00.000Z end 2013-06-12T11:59:59.999Z
+```
+
+## Login Audit Report
+### Syntax
+```
+gam report login [todrive] [user <user email>] [ip <ip address>] [start YYYY-MM-DDThh:mm:ss.000Z] [end YYYY-MM-DDThh:mm:ss.000Z] [event <event name>]
+```
+Display or upload to Google Drive a CSV report of user login activities for the G Suite domain. The optional todrive parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file. The optional user parameter narrows the results down to login activities performed by the given user. The optional ip address parameter narrows results down to activities performed from the given IPv4 or IPv6 address. The optional start and end parameters narrow the results down to actions performed during the given period. The optional event parameter narrows the results down to the given login event type.
+
+[Details.](https://developers.google.com/admin-sdk/reports/v1/reference/activity-ref-appendix-a/login-event-names)
+
+### Example
+This example uploads all recent admin changes to Google Drive.
+```
+gam report login todrive
+```
+
+This example shows the login activities of joe@schmo.com.
+```
+gam report login todrive user joe@schmo.com
+```
+
+## Mobile Audit Report
+### Syntax
+```
+gam report mobile [todrive] [user <user email>] [ip <ip address>] [start YYYY-MM-DDThh:mm:ss.000Z] [end YYYY-MM-DDThh:mm:ss.000Z] [event <event name>]
+```
+Display or upload to Google Drive a CSV report of mobile device activities for the G Suite domain. The optional todrive parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file. The optional user parameter narrows the results down to mobile device activities associated with the given user. The optional ip address parameter narrows results down to activities performed from the given IPv4 or IPv6 address. The optional start and end parameters narrow the results down to actions performed during the given period. The optional event parameter narrows the results down to the given mobile event type.
+
+[Details.](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/mobile)
+
+### Example
+This example uploads all recent mobile device activities to Google Drive.
+```
+gam report mobile todrive
+```
+## OAuth Token Activities Report
+### Syntax
+```
+gam report token [todrive] [user <user email>] [ip <ip address>] [start YYYY-MM-DDThh:mm:ss.000Z] [end YYYY-MM-DDThh:mm:ss.000Z] [event <event name>]
+```
+Display or upload to Google Drive a CSV report of OAuth token activities for the G Suite domain. The optional todrive parameter specifies that the results should be uploaded to Google Drive rather than being displayed on screen or piped to a CSV text file. The optional user parameter narrows the results down to OAuth Token activities associated with the given user. The optional ip address parameter narrows results down to activities performed from the given IPv4 or IPv6 address. The optional start and end parameters narrow the results down to actions performed during the given period. The optional event parameter narrows the results down to the given token event type.
+
+[Details.](https://developers.google.com/admin-sdk/reports/v1/reference/activity-ref-appendix-a/token-event-names)
+
+### Example
+This example uploads all recent OAuth Token activities to Google Drive.
+```
+gam report token todrive
+```

docs/GAM7GroupSettings.md

@@ -0,0 +1,448 @@
+- [Enabling Google Groups for Business](#enabling-google-groups-for-business)
+- [Updating  Group Settings](#updating--group-settings)
+  - [Allow External Members](#allow-external-members)
+  - [Message Moderation Level](#message-moderation-level)
+  - [Primary Language](#primary-language)
+  - [Reply To](#reply-to)
+  - [Send Message Deny Notification](#send-message-deny-notification)
+  - [Show In Groups Directory](#show-in-groups-directory)
+  - [Who Can Invite](#who-can-invite)
+  - [Who Can Join](#who-can-join)
+  - [Who Can Post Message](#who-can-post-message)
+  - [Who Can View Group](#who-can-view-group)
+  - [Who Can View Membership](#who-can-view-membership)
+  - [Allow Google Communication](#allow-google-communication)
+  - [Allow Web Posting](#allow-web-posting)
+  - [Archive Only](#archive-only)
+  - [Custom Reply To](#custom-reply-to)
+  - [Is Archived](#is-archived)
+  - [Max Message Bytes](#max-message-bytes)
+  - [Members Can Post As The Group](#members-can-post-as-the-group)
+  - [Message Display Font](#message-display-font)
+  - [Description](#description)
+  - [Group Name](#group-name)
+  - [Spam Moderation Level](#spam-moderation-level)
+  - [Include in Global Address List (GAL)](#include-in-global-address-list-gal)
+  - [Who Can Leave Group](#who-can-leave-group)
+  - [Who Can Contact Owner](#who-can-contact-owner)
+
+# Enabling Google Groups for Business
+In order to make use of the advanced Group Settings for your Google Apps domain, you need to have the Google Groups for Business service enabled for your domain. Please verify that you've enabled the service by [following Google's instructions](http://www.google.com/support/a/bin/answer.py?hl=en&answer=167096).
+
+# Updating  Group Settings
+You can update all of the group settings listed by the
+```
+gam update group <group>
+```
+command. You can also specify any of these group settings during group creation. For example:
+```
+gam create group sales@acme.org max_message_size 25M
+```
+
+The commands below are broken up below to only discuss one group setting for each area but they can easily be combined. For example you could change both the archive status, group name and description with a command like:
+```
+gam update group employees@example.com is_archived true name "Example Employees" description "list of example employees"
+```
+
+## Allow External Members
+### Syntax
+```
+gam update group <group> allow_external_members true|false
+```
+Whether or not **group owners** are allowed to add users outside the Google Apps domain to the group. Google Apps admins should always be able to add external email addresses to the group.
+### Example
+This example prevents group owners from adding users outside the Google Apps domain to the employees group
+```
+gam update group employees@example.com allow_external_members false
+```
+
+---
+
+
+## Message Moderation Level
+### Syntax
+```
+gam update group <group> message_moderation_level moderate_all_messages|moderate_new_members|moderate_none|moderate_non_members
+```
+The level of moderation that the group should have. moderate\_all\_messages will require a owner/manager to approve all messages sent to the group before they are emailed or viewable by group members. moderate\_new\_members places only new group members under moderation. moderate\_none disables group moderation completely. moderate\_non\_members will moderate only messages sent to the group from email addresses that are not a member of the group.
+
+### Example
+This example sets the group to moderate new members
+```
+gam update group coffeetalk@example.com message_moderation_level moderate_new_members
+```
+
+---
+
+
+## Primary Language
+### Syntax
+```
+gam update group <group> primary_language <language>
+```
+Update the primary language used by the group. For a list of valid languages see [here](https://developers.google.com/admin-sdk/email-settings/?csw=1#language_tags).
+
+### Example
+This command sets the primary language for the english majors group to US English.
+```
+gam update group english-majors@acme.edu primary_language en-US
+```
+
+---
+
+
+## Reply To
+### Syntax
+```
+gam update group <group> reply_to reply_to_custom|reply_to_ignore|reply_to_list|reply_to_managers|reply_to_owner|reply_to_sender
+```
+Determine who, by default replies to group messages will be directed to.  reply\_to\_custom will use the email address set with the custom\_reply\_to command (suggest you combine these commands, see example). reply\_to\_ignore allows the group users to decide individually where the reply will go to. reply\_to\_list directs the reply back to the list address. reply\_to\_managers will direct replies to the group's managers/owners. reply\_to\_owner will direct replies to the group's owners. reply\_to\_sender directs replies at the sender of the original message.
+
+### Example
+This command sets the reply to a custom address, the custom address is also set to doodads@acme.com by the custom\_reply\_to command.
+```
+gam update group widgets@acme.com reply_to reply_to_custom custom_reply_to doodads@acme.com
+```
+This command sets the reply to go back to the list
+```
+gam update group widgets@acme.com reply_to reply_to_list
+```
+
+---
+
+
+## Send Message Deny Notification
+### Syntax
+```
+gam update group <group> send_message_deny_notification true|false
+```
+Determine whether or not the text of message\_deny\_notification\_text is sent to the sender of rejected messages. If this setting is true, message\_deny\_notification\_text should also be set to something.
+
+### Example
+This example turns message deny notification off for sales@acme.com.
+```
+gam update group sales@acme.com send_message_deny_notification false
+```
+
+---
+
+
+## Show In Groups Directory
+### Syntax
+```
+gam update group <group> show_in_group_directory true|false
+```
+Should the group be listed in the master list of all groups shown to users.
+
+**Note:** If you have "Group owners can hide groups from the groups directory" unchecked under Settings, Google Groups for Business within the Google Apps Control Panel, this setting will remain true for all groups and attempts to make it false will have no effect.
+
+### Example
+This example removes the secretlabs@acme.com group from the group directory listing.
+```
+gam update group <group> show_in_group_directory false
+```
+
+---
+
+
+## Who Can Invite
+### Syntax
+```
+gam update group <group> who_can_invite ALL_MEMBERS_CAN_INVITE|ALL_MANAGERS_CAN_INVITE|NONE_CAN_INVITE
+```
+Determine who is allowed to invite new members to the group.  ALL\_MEMBERS\_CAN\_INVITE allows anyone who is already a member of the group to invite others to join. ALL\_MANAGERS\_CAN\_INVITE allows only group managers and owners to invite others. NONE\_CAN\_INVITE prevents anyone from inviting new members to the group via the web UI, requiring all members to be added via the API (or GAM).
+
+### Example
+This example allows any existing member of engineers@acme.com to invite others to join the group.
+```
+gam update group engineers@acme.com who_can_invite all_members_can_invite
+```
+
+---
+
+
+## Who Can Join
+### Syntax
+```
+gam update group <group> who_can_join all_in_domain_can_join|anyone_can_join|can_request_to_join|invited_can_join
+```
+Determines who is allowed to become a member of the group. all\_in\_domain\_can\_join allows any domain members to directly join the group. anyone\_can\_join allows any logged in Google Account to join the group. can\_request\_to\_join allows anyone to request membership to join. invited\_can\_join allows only those members who have received invitations to join the group (disable request to join). invited\_can\_join can be used with setting [Who Can Invite](#who-can-invite) to NONE_CAN_INVITE to prevent the addition of new members via the Web UI.
+
+### Example
+This example allows anyone on the Internet to potentially join the deals@acme.com group.
+```
+gam update group deals@acme.com  who_can_join anyone_can_join
+```
+
+---
+
+
+## Who Can Post Message
+### Syntax
+```
+gam update group <group> who_can_post_message all_in_domain_can_post|all_managers_can_post|all_members_can_post|anyone_can_post|none_can_post
+```
+Determine who is allowed to send messages to the group. all\_in\_domain\_can\_post allows any Google Apps user in the domain to send messages (even if they're not a group member). all\_managers\_can\_post limits sending rights to owners and managers. all\_members\_can\_post allows anyone who has joined the group to send messages. anyone\_can\_post allows anyone on the Internet to send email to the group address. none\_can\_post is not normally directly set on a group, it will show as the return value for who\_can\_post if archive\_only is true.
+
+### Example
+This example locks the announcements@acme.com group down to only accept posts from managers and owners.
+```
+gam update group announcements@acme.com who_can_post_message all_managers_can_post
+```
+
+---
+
+
+## Who Can View Group
+### Syntax
+```
+gam update group <group> who_can_view_group all_in_domain_can_view|all_managers_can_view|all_members_can_view|anyone_can_view
+```
+Determine who can view this group including past messages sent to the group if is\_archived is enabled. all\_in\_domain\_can\_view allows any Google Apps users in the domain to view the group. all\_managers\_can\_view limits viewing the group to owners and managers only. all\_members\_can\_view allows anyone who is a member of the group to view it. anyone\_can\_view allows anyone on the Internet to view the group.
+
+### Example
+This example sets membersonly@acme.com to only be viewable by members.
+```
+gam update group membersonly@acme.com who_can_view_group all_members_can_view
+```
+
+---
+
+
+## Who Can View Membership
+### Syntax
+```
+gam update group <group>  who_can_view_membership all_in_domain_can_view|all_managers_can_view|all_members_can_view
+```
+Determine who can view the list of group members. all\_in\_domain\_can\_view opens group membership lists to all Google Apps users in the domain. all\_managers\_can\_view limits group membership lists to group managers and owners. all\_members\_can\_view allows anyone who is a member of the group to see the member list.
+
+### Example
+This example locks down probation@acme.com so that only group managers can see who is a member of the group via the groups interface.
+```
+gam update group probation@acme.com who_can_view_membership all_managers_can_view
+```
+
+---
+
+
+## Allow Google Communication
+### Syntax
+```
+gam update group <group> allow_google_communication true|false
+```
+Determine if Google is allowed to send communications to group managers and owners. Occasionally Google may send updates on the latest features, ask for input on new features, or ask for permission to highlight your group. true allows this communication. false will prevent Google from ever sending these communications to the group.
+
+### Example
+This example prevents Google from directly contacting hr@acme.com managers and owners.
+```
+gam update group hr@acme.com allow_google_communication false
+```
+
+---
+
+
+## Allow Web Posting
+### Syntax
+```
+gam update group <group> allow_web_posting true|false
+```
+Determine if users are allowed to post to the group from the Google Groups web interface or via email only.
+
+### Example
+This example turns off web-based posting for the reports@acme.com group.
+```
+gam update group reports@acme.com allow_web_posting false
+```
+
+---
+
+
+## Archive Only
+### Syntax
+```
+gam update group <group> archive_only true|false
+```
+Determine if the group is limited to archival of old messages or if it is active. Setting archive only prevents new messages from going to the group.
+
+### Example
+This example puts legacy@acme.com into archive only mode.
+```
+gam update group legacy@acme.com archive_only true
+```
+
+---
+
+
+## Custom Reply To
+### Syntax
+```
+gam update group <group> custom_reply_to <email>
+```
+Sets the email address that will be used when reply\_to is set to reply\_to\_custom. When both settings are in place, this address will be the default reply to for messages sent to the group.
+
+### Example
+This example enables reply\_to\_custom for fanclub@acme.com and sets the custom\_reply\_to address to manager@acme.com
+```
+gam update group fanclub@acme.com reply_to reply_to_custom custom_reply_to manager@acme.com
+```
+
+---
+
+
+## Is Archived
+### Syntax
+```
+gam update group <group> is_archived true|false
+```
+Determines whether or not messages sent to the group should be archived and viewable in the Google Groups interface.
+
+### Example
+This example turns archiving off for the hr@acme.com group.
+```
+gam update group hr@acme.com is_archived false
+```
+
+---
+
+
+## Max Message Bytes
+### Syntax
+```
+gam update group <group> max_message_bytes <integer>
+```
+Determines the maximum size of a message sent to the group. Instead of entering a large number, K or M can be used to specify kilobytes or megabytes. For example, 512K or 1M would both be valid values.
+
+### Example
+This example sets Twitter-like size limits for the twitter@acme.com group. We bump it to 4 kilobytes instead of 160 bytes to account for message headers.
+```
+gam update group twitter@acme.com max_message_bytes 4K
+```
+
+---
+
+
+## Members Can Post As The Group
+### Syntax
+```
+gam update group <group> members_can_post_as_the_group true|false
+```
+Determines if members are allowed to send to the group using the group's email address as the From.
+
+### Example
+This example will allow sales@acme.com group members to send out messages to the group as sales@acme.com.
+```
+gam update group sales@acme.com members_can_post_as_the_group true
+```
+
+## Message Display Font
+### Syntax
+```
+gam update group <group> message_display_font default_font|fixed_width_font
+```
+Sets the font that will be used in display group messages from the Google Groups UI. default\_font is the normal. fixed\_width\_font uses a special fixed-width font in the display.
+
+### Example
+This example turns on the fixed\_width\_font for the ascii-fun@acme.com group
+```
+gam update group ascii-fun@acme.com message_display_font fixed_width_font
+```
+
+---
+
+
+## Description
+### Syntax
+```
+gam update group <group> description <group description>
+```
+Change the group description. This is the same group description set by the [group provisioning GAM command](ExamplesProvisioning#Update_Group_Settings). This command exists only to allow changing the group description with the same API call while performing other Group Settings operations.
+
+### Example
+This example changes the party@acme.com group description to be "messages regarding upcoming parties"
+```
+gam update group party@acme.com description "messages regarding upcoming parties"
+```
+
+---
+
+
+## Group Name
+### Syntax
+```
+gam update group <group> name <new name>
+```
+Change the group name. This is the same group name set by the [group provisioning GAM command](ExamplesProvisioning#Update_Group_Settings). This command exists only to allow changing the group name with the same API call while performing other Group Settings operations.
+
+### Example
+This example changes the group name to "Acme Employees"
+```
+gam update group employees@acme.com name "Acme Employees"
+```
+
+---
+
+
+## Spam Moderation Level
+### Syntax
+```
+gam update group <group> spam_moderation_level allow|moderate|silently_moderate|reject
+```
+Change the spam moderation settings for the group. Allow will disable the spam filter and allow all mail from persons allowed to post to the group. moderate will place suspected spam messages in a moderation queue and notify group owners. silenty\_moderate will place suspected spam message in a moderation queue WITHOUT notifying group owners. reject will fail message delivery for messages suspected of being spam.
+
+### Example
+This example turns off spam filtering for the info@acmewidgets.com group
+```
+gam update group info@acmewidgets.com spam_moderation_level allow
+```
+
+---
+
+
+## Include in Global Address List (GAL)
+### Syntax
+```
+gam update group <group> include_in_global_address_list true|false
+```
+Include or remove this group's address from the Google Apps Global Address List (GAL). This setting is the group equivalent of the [Hide/Unhide user profile setting](ExamplesEmailSettings#Changing_a_users_profile_to_hidden/unhidden).  If a group is included (true), they'll show up in autocomplete and contact searches for addresses. If a group is not included (false), users will not be able to discover the groups's address and detailed contact info via autocomplete or contacts search.
+
+**Note:** this setting and the [Show in Groups Directory](GAM3GroupSettings#show-in-groups-directory) setting are not the same. To hide a group completely you should set both to false.
+
+### Example
+This example hides the group topsecret@newwidgets.com from the Global Address List.
+```
+gam update group topsecret@newwidgets.com include_in_global_address_list false
+```
+
+---
+
+
+## Who Can Leave Group
+### Syntax
+```
+gam update group <group> who_can_leave_group NONE_CAN_LEAVE|ALL_MEMBERS_CAN_LEAVE|ALL_MANAGERS_CAN_LEAVE
+```
+Determines if regular users are allowed to leave a group. Setting this to ALL\_MANAGERS\_CAN\_LEAVE prevents regular members from unsubscribing to the group via the Web UI or email. Setting this to NONE\_CAN\_LEAVE prevents all members, including managers and owners, from unsubscribing to the group via the Web UI or email. Note that forcing a user to remain in a group increases the odds that they'll report your group mail as spam so it's strongly recommended to only use this setting for groups containing internal users only.
+
+### Example
+This example prevents regular users from leaving the everyone@acme.com group.
+```
+gam update group everyone@acme.com who_can_leave_group ALL_MANAGERS_CAN_LEAVE
+```
+
+---
+
+
+## Who Can Contact Owner
+### Syntax
+```
+gam update group <group> who_can_contact_owner ANYONE_CAN_CONTACT|ALL_IN_DOMAIN_CAN_CONTACT|ALL_MEMBERS_CAN_CONTACT|ALL_MANAGERS_CAN_CONTACT
+```
+Determines who is allowed to email the special group+owners@domain.com address in order to contact group owners.
+
+### Example
+This example prevents external email addresses from spamming helpdesk+owners@acme.com.
+```
+gam update group helpdesk@acme.com who_can_contact_owner ALL_IN_DOMAIN_CAN_CONTACT
+```
+
+---

docs/Google-Data-Transfers.md

@@ -1,4 +1,4 @@
-# Google Data Transfers
+!# Google Data Transfers
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
 - [Display transfer apps](#display-transfer-apps)
@@ -15,7 +15,7 @@
 <DataTransferService> ::=
         calendar|
         currents|
-        datastudio|"google data studio"|
+        datastudio|lookerstudio|"google data studio"|
         drive|gdrive|googledrive|"drive and docs"
 <DataTransferServiceList> ::= "<DataTransferService>(,<DataTransferService>)*"
 
@@ -37,6 +37,7 @@ gam create|add datatransfer|transfer <OldOwnerID> <DataTransferServiceList> <New
         [private|shared|all] [privacy_level private|shared|private,shared]
         [releaseresources [<Boolean>]]
         (<ParameterKey> <ParameterValue>)*
+        [wait <Integer> <Integer>]
 ```
 For`datastudio` and `drive`, there are options to control the privacy level of the files to be transferred.
 * `private` or `privacy_level private` - Transfer files that are not shared with anyone
@@ -54,6 +55,10 @@ As of 2020-06-10, background transfers only transfer future non-private events w
 
 The option `<ParameterKey> <ParameterValue>` is for future expansion.
 
+By default, GAM does not wait for the transfer to complete. The option `wait <Integer> <Integer>` causes GAM to wait
+for the transfer to complete. The first `<Integer>` must be in the range 5-60 and is the number
+of seconds between checks to see if the transfer has completed. The second `<Integer>` is the maximum number of checks to perform.
+
 ## Display transfers
 ```
 gam info datatransfer|transfer <TransferID>
@@ -63,6 +68,7 @@ gam show datatransfers|transfers
 gam print datatransfers|transfers [todrive <ToDriveAttribute>*]
         [olduser|oldowner <UserItem>] [newuser|newowner <UserItem>]
         [status completed|failed|inprogress|<String>] [delimiter <Character>]
+        (addcsvdata <FieldName> <String>)*
 ```
 By default, all data transfer operations are printed, use these options to select specific transfers.
 * `olduser|oldowner <UserItem>`
@@ -72,3 +78,5 @@ By default, all data transfer operations are printed, use these options to selec
 By default, the entries in lists of items are separated by the `csv_output_field_delimiter` from `gam.cfg`.
 * `delimiter <Character>` - Separate list items with `<Character>`
 
+Add additional columns of data from the command line to the output
+* `addcsvdata <FieldName> <String>`

docs/Google-Network-Addresses.md

@@ -1,4 +1,4 @@
-# Google Network Addresses
+!# Google Network Addresses
 
 All GAM calls are made on port 443 (HTTPS) to the following addresses:
 ```

docs/GoogleDriveManagement.md

@@ -0,0 +1,389 @@
+- [Managing Google Drive Files and Folders for users](#managing-google-drive-files-and-folders-for-users)
+  - [Printing User Drive Files to a CSV](#printing-user-drive-files-to-a-csv)
+  - [Creating and Uploading Drive Files for Users](#creating-and-uploading-drive-files-for-users)
+  - [Updating Drive Files for Users](#updating-drive-files-for-users)
+  - [Downloading Drive Files For Users](#downloading-drive-files-for-users)
+  - [Deleting Google Drive Files for Users](#deleting-google-drive-files-for-users)
+  - [Show Drive File Info for Users](#show-drive-file-info-for-users)
+  - [Show Drive File Revisions for Users](#show-drive-file-revisions-for-users)
+  - [Empty Drive Trash for Users](#empty-drive-trash-for-users)
+- [Managing Google Drive Permissions for Users](#managing-google-drive-permissions-for-users)
+  - [Showing the Permissions of a File/Folder for a user](#showing-the-permissions-of-a-filefolder-for-a-user)
+  - [Adding permissions to a file/folder for a user](#adding-permissions-to-a-filefolder-for-a-user)
+  - [Updating permissions to a file/folder for a user](#updating-permissions-to-a-filefolder-for-a-user)
+  - [Removing permissions to a file/folder for a user](#removing-permissions-to-a-filefolder-for-a-user)
+- [Managing shared drives](#managing-shared-drives)
+  - [Creating shared drives](#creating-shared-drives)
+  - [Adding user permissions to shared drives](#adding-user-permissions-to-shared-drives)
+  - [Updating shared drives](#updating-shared-drives)
+  - [Deleting shared drives](#deleting-shared-drives)
+  - [Showing/Printing shared drives](#showingprinting-shared-drives)
+
+GAM now supports Google Drive Management with the ability to add, update, view and delete Drive files and folders for users as well as adding, updating, viewing and deleting file and folder permissions.
+
+# Managing Google Drive Files and Folders for users
+## Printing User Drive Files to a CSV
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users show filelist [todrive] [query|fullquery <query>] [allfields]
+  [createddate] [description] [fileextension] [filesize] [id] [name] [owners] [parents] [permissions] 
+  [restricted] [starred] [trashed] [viewed]
+  [lastmodifyingusername] [lastviewedbymedate] [modifieddate] [originalfilename] [quotaused] [shared] [writerscanshare]
+```
+Outputs a CSV file listing the Google Drive files/folders that the given user(s) own. By default, the output is sent to the screen and only the file owner, title and URL columns are shown. The optional `todrive` argument will upload the CSV data to a Google Docs Spreadsheet file in the Administrator's Google Drive rather than displaying it locally. The optional `query` argument allows the results to be narrowed to files/folders matching the given query. The optional `fullquery` argument is similar to query but omits the "'me' in owners" portion of the query. The query format is described in [Google's documentation](https://developers.google.com/drive/api/v2/search-files). The optional `allfields` arguments causes all possible columns to be included in the output. The optional `createddate`, `description`, `fileextension`, `filesize`, `id`, `name`, `restricted`, `starred`, `trashed`, `viewed`, `lastmodifyingusername`, `lastviewedbymedate`, `modifieddate`, `originalfilename`, `quotaused`, `shared` and `writerscanshare` arguments cause the given columns to be included in the output.
+
+### Example
+This example displays all of Joe Schmo's files
+```
+gam user jschmo@acme.com show filelist
+```
+
+This example displays all files for all users that contain the text "ProjectX". The results are uploaded to a Google spreadsheet for the admin user.
+```
+gam all users show filelist query "fullText contains 'ProjectX'" todrive
+```
+
+This example displays all PDF files that users under the Students OU own.
+
+```
+gam ou_and_children Students show filelist query "mimeType = 'application/pdf'"
+```
+
+---
+
+This example displays all of Joe Schmo's folders.
+
+```
+gam user jschmo@acme.com show filelist query "mimeType = 'application/vnd.google-apps.folder'"
+```
+
+---
+
+## Creating and Uploading Drive Files for Users
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users add drivefile [localfile <filepath>]
+  [drivefilename <filename>] [convert] [ocr] [ocrlanguage <language>] [restricted] [starred] [trashed] [viewed]
+  [lastviewedbyme <date>] [modifieddate <date>] [description <description>] [mimetype <type>] [parentid <folder id>]
+  [parentname <folder name>] [writerscantshare]
+```
+Create or upload a new file to Google Drive for the given user(s). By default, the command will create a new, empty file/folder. If the optional argument localfile is specified along with the full path to a document on the local computer, GAM will upload that file's contents to Drive. The optional argument drivefilename sets the name of the file/folder in Drive. The optional argument convert causes files to be converted into native Google Docs format where possible. The optional argument ocr causes OCR analysis of images and PDF files when they are converted to native Google Docs format. The optional argument ocrlanguage determines what language is used for ocr analysis. The optional argument restricted prevents users who have reader/commenter access to a file from downloading the file content. The optional arguments starred, trashed and viewed cause the respective action to take place on the new file. The optional arguments lastviewedbyme and modifieddate set the respective timestamps for the new file, the date should follow the format YYYY-MM-DDTHH:MM:SS.000Z. For example, 2013-04-20T12:33:47.166Z. The optional argument description gives a description for the new file. The optional argument mimetype forces the given MIME file type to be used for the new file. The optional argument parentid sets a parent folder for the uploaded/created file to show underneath. The optional argument parentname searches for the given folder name to put the file under. The optional argument writerscantshare prevents users who have writer/editor access to the file from adding additional permissions to the file (only owner can add permissions).
+
+### Examples
+This example uploads the file sillycat.mp4 to Google Drive for a user
+```
+gam user jsmith@acme.com add drivefile localfile sillycat.mp4
+```
+
+This example creates a new folder called TPS Reports for all users and then creates a new, empty Google Doc, Spreadsheet, Presentation and Drawing under each user's folder.
+```
+gam all users add drivefile drivefilename "TPS Reports" mimetype gfolder
+gam all users add drivefile drivefilename "TPS Doc" mimetype gdoc parentname 'TPS Reports'
+gam all users add drivefile drivefilename "TPS Sheet" mimetype gsheet parentname 'TPS Reports'
+gam all users add drivefile drivefilename "TPS Presentation" mimetype gpresentation parentname 'TPS Reports'
+gam all users add drivefile drivefilename "TPS Drawing" mimetype gdrawing parentname 'TPS Reports'
+```
+
+This example uploads the MyRamblings.docx file to Google Drive and converts it to Google Doc native format. It also renames the file to a nicer looking "My Ramblings".
+```
+gam user jjones@acme.com add drivefile localfile MyRamblings.docx convert drivefilename "My Ramblings"
+```
+
+---
+
+
+## Updating Drive Files for Users
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users update drivefile [id <drive file id> | drivefilename <filename>] [localfile <filename>] [newfilename <filename>] [convert] [ocr] [ocrlanguage <language>] [restricted true|false] [starred true|false] [trashed true|false] [viewed true|false] [lastviewedbyme <date>] [modifieddate <date>] [description <description>] [mimetype <MIME type>] [parentid <folder id>] [parentname <folder name>] [writerscantshare]
+```
+Update a Drive file's metadata and/or content. In order to determine which file(s) are updated, either the id or drivefilename arguments must be specified. id specifies the exact unique id of the file to be updated. drivefilename performs a search for files matching the given name. The optional argument localfile specifies a local file whose content will completely replace the content of the given drive file (file id, name, etc will remain unchanged). The optional arguments convert, ocr, ocrlanguage, restricted, starred, trashed, description, mimetype and viewed specify updates that should occur to a file's metadata. The optional lastviewedbyme and modifieddate arguments specify new timestamps that should be placed on the Drive file. The date should follow the format YYYY-MM-DDTHH:MM:SS.000Z. For example, 2013-04-20T12:33:47.166Z. The optional parentid and parentname arguments specify folders under which the drive file should be placed. The optional writerscantshare argument prevents file writers/editors from sharing the file with additional users.
+
+### Examples
+This example updates the "My Ramblings" file to be starred and placed under a folder called "Brilliant things I've said" (assumes a folder by that name already exists for the user)
+```
+gam user bsmith@acme.com update drivefile drivefilename "My Ramblings" starred true parentname 'Brilliant things I've said'
+```
+
+This example updates the Drive file DailyReport.pdf with the contents of the local file Report-3-28-2014.pdf.
+```
+gam user hgregg@acme.com update drivefile drivefilename DailyReport.pdf localfile Report-3-28-2014.pdf
+```
+
+---
+
+
+## Downloading Drive Files For Users
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users get drivefile [id <file id> | query <query> | drivefilename <filename>] [format <FileFormatList>] [targetfolder <local path>] [revision <Number>]
+
+<FileFormat> ::= csv|html|txt|tsv|jpeg|jpg|png|svg|pdf|rtf|pptx|xlsx|docx|odt|ods|openoffice|microsoft
+<FileFormatList> ::= '<FileFormat>(,<FileFormat)*'
+microsoft ::= docx,pptx,xlsx
+openoffice ::= ods,odt
+
+```
+Download the given Drive files to the local computer. One of the `id`, `query` or `drivefilename` parameters must be specified to determine which files should be downloaded. By default, Google Docs native format files are downloaded in openoffice format. The optional argument `format` allows you to download the files in other formats by specifying a comma separated list of formats; the first format in the list that is available will be used. The optional argument `targetfolder` allows you to specify where on the local computer the downloaded files should be placed. The optional argument `revision` allows you to specify a specific revision of a file to download.
+
+Note that drive folder hierarchy is NOT maintained when downloading files with this command.
+
+### Examples
+This example downloads the file with Drive ID adifd08 to the current path
+```
+gam user asmith@acme.com get drivefile id adifd08
+```
+
+This example downloads all of a user's files to c:\jsmith-files using Microsoft Office format for downloading native Google Docs.
+```
+gam user jsmith@acme.com get drivefile query "'me' in owners" format microsoft
+```
+
+---
+
+
+## Deleting Google Drive Files for Users
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users delete drivefile <file id> [purge]
+```
+Delete the given Drive files for user(s). The "file id" argument is the exact ID of a Google Drive file or a query to search the user's Drive for files in the format ` "query:<query>" `. By default, deleted folders are simply moved to the user's Trash folder which is purged after 30 days. The optional parameter purge causes the files to be immediately purged from the user's Google Drive so that they are no longer recoverable from Trash.
+
+### Examples
+This example moves the given Drive file to the user's Trash in Drive.
+```
+gam user jsmith@acme.com delete drivefile 8sidfddosa
+```
+
+This example completely purges all files from a user's Drive that are PDFs (danger Will Robinson!!!)
+```
+gam user jsmith@acme.com delete drivefile "query:mimeType = 'application/pdf'" purge
+```
+---
+
+## Show Drive File Info for Users
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users show fileinfo <file id> [allfields]
+  [createddate] [description] [fileextension] [filesize] [id] [name] [restricted] [starred] [trashed] [viewed]
+  [lastmodifyingusername] [lastviewedbymedate] [modifieddate] [originalfilename] [quotaused] [shared] [writerscanshare]
+```
+Outputs detailed information about a specific file. The optional `allfields` arguments causes all possible columns to be included in the output. The optional `createddate`, `description`, `fileextension`, `filesize`, `id`, `name`, `restricted`, `starred`, `trashed`, `viewed`, `lastmodifyingusername`, `lastviewedbymedate`, `modifieddate`, `originalfilename`, `quotaused`, `shared` and `writerscanshare` arguments cause the given fields to be shown.
+
+### Example
+This example shows the file information for Drive ID adifd08
+```
+gam user asmith@acme.com show fileinfo adifd08
+```
+
+---
+
+
+## Show Drive File Revisions for Users
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users show filerevisions <file id>
+```
+Show the revisions for a file. 
+
+### Examples
+This example shows the file revisions for Drive ID adifd08
+```
+gam user asmith@acme.com show filerevisions adifd08
+```
+
+## Empty Drive Trash for Users
+### Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users empty drivetrash
+```
+Empty users' Drive trash. 
+
+### Examples
+This example shows emptying the drive trash for users in the technology group.
+```
+gam group technology@acme.com empty drivetrash
+```
+
+---
+
+
+# Managing Google Drive Permissions for Users
+## Showing the Permissions of a File/Folder for a user
+### Syntax
+```
+gam user <email> show drivefileacl <file id> [asadmin]
+```
+shows the current permissions of a file or folder owned or shared with a given user. The optional asadmin argument specifies that the super admin should use special access to manage a shared drive which they do not normally have access to. This argument may not work on non shared drive resources.
+
+### Example
+This example shows the permissions of one of jsmith's files
+```
+gam user jsmith@acme.org show drivefileacl 0B8aCWH-xLi2NckxXOEp5REUtNEE
+
+John Smith
+ domain: acme.org
+ emailAddress: jsmith@acme.org
+ photoLink: https://lh5.googleusercontent.com/-AzWvbYordY/AAAAAAAAAAE/AAAAAAAAERg/nzagv0IV4yQ/s64/photo.jpg
+ role: owner
+ type: user
+ id: 17297927562723854745
+
+George Wilson
+ domain: gmail.com
+ emailAddress: gwilson@gmail.com
+ photoLink: https://lh5.googleusercontent.com/-woxYfVbgI4w/AAAAAAAAAaI/AAAAAAAAb
+SI/Y0RRW2LWX5U/s64/photo.jpg
+ role: writer
+ type: user
+ id: 00772439636938147216
+```
+
+---
+
+
+## Adding permissions to a file/folder for a user
+### Syntax
+```
+gam user <user email> add drivefileacl <file id> [user|group|domain|anyone <value>] [withlink] [role <reader|commenter|writer|owner|organizer>] [sendemail] [emailmessage <message text>]
+```
+Grants a user, group, domain or anyone permission to the given Drive file/folder. The role parameter determines the level of access the given user(s) have to the file and can be one of reader, commenter, writer, owner or organizer. Specifying owner will change ownership of the file/folder and only works when the source and target accounts are in the same G Suite instance. Organizer replaces and is the equivalent to the owner role for shared drives. The optional withlink parameter specifies that the file is not "discoverable" or indexed. It is only available if the accessing user knows the exact URL. The optional sendemail parameter will send an email to the user(s) who have been granted access to the file (no email sent by default). The optional emailmessage parameter allows you to specify a portion of the email message body sent to the user.
+
+### Examples
+This example silently gives Sally access to Tim's file
+```
+gam user tim@acme.org add drivefileacl 0B8aCWH-xLi2NckxXOEp5REUtNEE user sally@acme.org role writer withlink
+```
+
+This example gives the IT Google Group access to Tim's file and sends an email notification
+```
+gam user tim@acme.org add drivefileacl 0B8aCWH-xLi2NckxXOEp5REUtNEE group it@acme.org role reader sendemail
+```
+
+This example gives anyone in the Acme organization access to Tim's file if they know the URL
+```
+gam user tim@acme.org add drivefileacl 0B8aCWH-xLi2NckxXOEp5REUtNEE domain acme.org role commenter withlink
+```
+
+This example gives anyone on the Internet (logged in to Google or not) access to Tim's file and makes it searchable/discoverable via Google.com search and other search engines
+```
+gam user tim@acme.org add drivefileacl 0B8aCWH-xLi2NckxXOEp5REUtNEE anyone role reader
+```
+
+---
+
+
+## Updating permissions to a file/folder for a user
+### Syntax
+```
+gam user <user email> update drivefileacl <file id> <permission id> [withlink] [role <reader|commenter|writer|owner|organizer>] [asadmin]
+```
+Changes a user or groups permissions to the given Drive file/folder. The permisson id parameter can be an email address or a numeric id as shown when listing a file's permissions. If an email address is used, GAM must first look up the permission id of that email address before updating (2 API calls instead of 1). If using numeric id, you must prefix it with "id:". The role parameter determines the level of access the given user(s) have to the file and can be one of reader, commenter, writer, owner or organizer. Specifying owner will change ownership of the file/folder and only works when the source and target accounts are in the same G Suite instance. Organizer replaces and is the equivalent to the owner role for shared drives. The optional withlink parameter specifies that the file is not "discoverable" or indexed. It is only available if the accessing user knows the exact URL. The optional asadmin argument specifies that the super admin should use special access to manage a shared drive which they do not normally have access to. This argument may not work on non shared drive resources.
+
+### Example
+This example changes Sally from a reader to a writer for the file.
+```
+gam user tim@acme.org update drivefileacl 0B8aCWH-xLi2NckxXOEp5REUtNEE sally@acme.org role writer withlink
+```
+
+### Example
+This example changes Sally from a reader to a writer for the file using her numeric permission ID.
+```
+gam user tim@acme.org update drivefileacl 0B8aCWH-xLi2NckxXOEp5REUtNEE id:65337053707119961365 role writer withlink
+```
+### Example
+This example makes Sally the owner for the file and changes Tim from owner to writer for the file.
+```
+gam user tim@acme.org update drivefileacl 0B8aCWH-xLi2NckxXOEp5REUtNEE sally@acme.org role owner
+```
+
+---
+
+
+## Removing permissions to a file/folder for a user
+### Syntax
+```
+gam user <user email> delete drivefileacl <file id> <permission id> [asadmin]
+```
+Removes the given permission from the file. The permisson id parameter can be an email address or a numeric id as shown when listing a file's permissions. If an email address is used, GAM must first look up the permission id of that email address before updating (2 API calls instead of 1). If using numeric id, you must prefix it with "id:". The optional asadmin argument specifies that the super admin should use special access to manage a shared drive which they do not normally have access to. This argument may not work on non shared drive resources.
+
+### Example
+This example removes Sally's access to Tim's file
+```
+gam user tim@acme.org delete drivefileacl 0B8aCWH-xLi2NckxXOEp5REUtNEE sally@acme.org
+```
+# Managing shared drives
+GAM 4.2 and newer support shared drive management. You can create, update, delete and list shared drives for users. Shared drives can be shared in the same way [Google Drive Files/Folders are shared](#managing-google-drive-permissions-for-users).
+
+Note: Shared drives were previously known as Team Drives.
+
+## Creating shared drives
+### Syntax
+```
+gam user <email> add shareddrive <name>
+```
+Creates a new shared drive. The name argument specifies the name of the shared drive. The specified user will be the first organizer.
+
+### Example
+This example creates a "Sales Reports" shared drive and makes jsalesguy@acme.com the first organizer of the Drive.
+```
+gam user jsalesguy@acme.com add shareddrive "Sales Reports"
+```
+----
+## Adding user permissions to shared drives
+### Syntax
+```
+gam user <user a email> add drivefileacl <DriveFileEntity> user <user b email> role <DriveFileACLRole>) [withlink|(allowfilediscovery|discoverable [<Boolean>])] [expires|expiration <Time>] [sendemail] [emailmessage <String>] [showtitles]
+```
+adds a new "user b" to a shared drive owned by "user a". The specified "user b" will be the set role.
+
+### Example
+This example adds jsalesguy@acme.com to the shared drive owned by jbossguy@acme.com and makes jsalesguy@acme.com a content and permission manager of the Drive.
+```
+gam user jbossguy@acme.com add drivefileacl 0ABXXXXXXXXXX9PVA user jsalesguy@acme.com role contentmanager
+```
+----
+## Updating shared drives
+### Syntax
+```
+gam user <email> update shareddrive <id> [name <name>] [ou <orgunit>] [hidden <true|false>]
+```
+Updates the shared drive specified by the id argument. The name argument updates the shared drive name. The ou argument moves the shared drive to a new orgunit (THIS FEATURE IS CURRENTLY ALPHA). The hidden argument hides or unhides the given shared drive for the given user.
+
+### Example
+This example changes the name of shared drive ID dfdfaskfd23 to "2016 Sales Reports"
+```
+gam user jsalesguy@acme.com update shareddrive dfdfaskfd23 name "2016 Sales Reports"
+```
+
+This example moves a shared drive to the /Shared Drives OrgUnit
+```
+gam user admin@acme.com update shareddrive ou "/Shared Drives"
+```
+----
+## Deleting shared drives
+### Syntax
+```
+gam user <email> delete shareddrive <id> [allowitemdeletion]
+```
+Deletes the shared drive specified by the id argument. By default, if there are any files/folders on the shared drive then deleting it will fail. The optional argument `allowitemdeletion` will delete the shared drive AND all files/folders currently on it and must be performed by a super admin user.
+
+### Example
+This example deletes the dfdfaskfd23 shared drive even if there are files on it.
+```
+----
+gam user jsalesguy@acme.com delete shareddrive dfdfaskfd23 allowitemdeletion
+```
+----
+## Showing/Printing shared drives
+### Syntax
+```
+gam user <email> print|show shareddrives [todrive] [asadmin]
+```
+Prints to CSV or screen the shared drives the given user(s) can access. The print argument will output CSV format or, if todrive is specified, a Google Sheet. The show argument will output a user-legible list of shared drives to the screen. The optional asadmin argument specifies that the super admin should use special access to manage a shared drive which they do not normally have access to. This argument may not work on non shared drive resources.
+
+### Example
+This example creates a Google Sheet of the shared drives accessible to all users in the domain. It will require at least 1 API call per-user.
+```
+gam all users print shareddrives todrive
+```

docs/Groups-Membership.md

@@ -1,5 +1,6 @@
-# Groups - Membership
+ Groups - Membership
 - [API documentation](#api-documentation)
+- [Query documentation](#query-documentation)
 - [Python Regular Expressions](Python-Regular-Expressions) Match function
 - [Definitions](#definitions)
 - [Collections of Users](#collections-of-users)
@@ -18,7 +19,30 @@
 ## API documentation
 * https://developers.google.com/admin-sdk/directory/v1/reference/members
 
+## Query documentation
+* https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
+* https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery
+
 ## Definitions
+See [Collections of Items](Collections-of-Items)
+
+* [Command data from Google Docs/Sheets/Storage](Command-Data-From-Google-Docs-Sheets-Storage)
+```
+<StorageBucketName> ::= <String>
+<StorageObjectName> ::= <String>
+<StorageBucketObjectName> ::=
+        https://storage.cloud.google.com/<StorageBucketName>/<StorageObjectName>|
+        https://storage.googleapis.com/<StorageBucketName>/<StorageObjectName>|
+        gs://<StorageBucketName>/<StorageObjectName>|
+        <StorageBucketName>/<StorageObjectName>
+
+<UserGoogleDoc> ::=
+        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>)
+
+<SheetEntity> ::= <String>|id:<Number>
+<UserGoogleSheet> ::=
+        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>) <SheetEntity>
+```
 ```
 <DeliverySetting> ::=
         allmail|
@@ -27,18 +51,24 @@
         disabled|
         none|nomail
 <DomainName> ::= <String>(.<String>)+
+<DomainNameList> ::= "<DomainName>(,<DomainName>)*"
+<DomainNameEntity> ::=
+        <DomainNameList> | <FileSelector> | <CSVFileSelector>
 <EmailAddress> ::= <String>@<DomainName>
 <EmailItem> ::= <EmailAddress>|<UniqueID>|<String>
 <UniqueID> ::= id:<String>
 <GroupItem> ::= <EmailAddress>|<UniqueID>|<String>
 <GroupList> ::= "<GroupItem>(,<GroupItem>)*"
-<GroupEntity> ::= <GroupList>|<FileSelector>|<CSVkmdSelector>|<CSVDataSelector>
+<GroupEntity> ::=
+        <GroupList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <GroupRole> ::= owner|manager|member
 <GroupRoleList> ::= "<GroupRole>(,<GroupRole>)*"
 <GroupType> ::= customer|group|user
 <GroupTypeList> ::= "<GroupType>(,<GroupType>)*"
 <QueryGroup> ::= <String>
         See: https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
+<QueryGroupList> ::= "<QueryGroup>(,<QueryGroup>)*"
 
 <MembersFieldName> ::=
         delivery|deliverysettings|
@@ -106,7 +136,7 @@ users in a particular archived state. This option can be used with the following
         (query <QueryUser>)|
         (queries <QueryUserList>)
 ```
-Prior to bersion `6.20.05`, the `notarchived|archived` option could only be used with the following `<UserTypeEntity>`:
+Prior to version `6.20.05`, the `notarchived|archived` option could only be used with the following `<UserTypeEntity>`:
 ```
         (group|group_ns|group_susp <GroupItem>)|
         (groups|groups_ns|groups_susp <GroupList>)|
@@ -124,6 +154,11 @@ gam update group|groups <GroupEntity> create|add [<GroupRole>]
         [preview] [actioncsv]
         <UserItem>|<UserTypeEntity>
 ```
+To add a group as a memmber of another group, just specify its email address.
+```
+gam update group group1@domain.com add member group2@domain.com
+```
+
 When `<UserTypeEntity>` specifies a group or groups:
 * `usersonly` - Only the user members from the specified groups are added
 * `groupsonly` - Only the group members from the specified groups are added
@@ -175,6 +210,11 @@ gam update group|groups <GroupEntity> delete|remove [<GroupRole>]
 ```
 `<GroupRole>` is ignored, deletions take place regardless of role.
 
+To remove a group as a memmber of another group, just specify its email address.
+```
+gam update group group1@domain.com remove group2@domain.com
+```
+
 When `<UserTypeEntity>` specifies a group or groups:
 * `usersonly` - Only the user members from the specified groups are deleted
 * `groupsonly` - Only the group members from the specified groups are deleted
@@ -211,8 +251,9 @@ testgroup@domain.com,testuser4@domain.com,MEMBER,Remove Failed,Does not exist
 
 ## Synchronize members in a group
 A synchronize operation gets the current membership for a group and does adds and deletes as necessary to make it match `<UserTypeEntity>`.
+This is done by specific role except for a special case where role is ignored.
 ```
-gam update group|groups <GroupEntity> sync [<GroupRole>]
+gam update group|groups <GroupEntity> sync [<GroupRole>|ignorerole]
         [usersonly|groupsonly] [addonly|removeonly]
         [notsuspended|suspended] [notarchived|archived]
         [remove_domain_nostatus_members]
@@ -221,7 +262,10 @@ gam update group|groups <GroupEntity> sync [<GroupRole>]
         (additionalmembers [<GroupRole>] <EmailAddressEntity>)*
         <UserItem>|<UserTypeEntity>
 ```
-If `<GroupRole>` is not specified, `member` is assumed.
+If `ignorerole` is specified, GAM removes members regardless of role and adds new members with role MEMBER.
+This is a special purpose option, use with caution and ensure that `<UserTypeEntity>` specifies the full desired membership list of all roles.
+
+If neither `<GroupRole>` nor `ignorerole` is specified, `member` is assumed.
 
 When `<UserTypeEntity>` specifies a group or groups:
 * `usersonly` - Only the user members from the specified groups are added/deleted
@@ -263,6 +307,7 @@ If `actioncsv` is specified, a CSV file with columns `group,email,role,action,me
 that shows the actions performed when updating the group.
 
 The option `additionalmembers [<GroupRole>] <EmailAddressEntity>` can be used to specify members in addition to those specified with `<UserTypeEntity>`.
+If a <GroupRole> is specified, it must match the same role as the one used for the group sync.
 
 For example,
 ```
@@ -278,7 +323,7 @@ For example,
 gam config batch_size 20 inter_batch_wait 1 update group testgroup@domain.com sync members file users.lst
 ```
 ### Examples using CSV file and Google sheets:
-* https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Users#examples-using-csv-files-and-google-sheets-to-update-the-membership-of-a-group
+* https://github.com/GAM-team/GAM/wiki/Collections-of-Users#examples-using-csv-files-and-google-sheets-to-update-the-membership-of-a-group
 
 ### Example
 Assume that at your school there is a group for each grade level and the members come from an OU; here is a sample CSV file GradeOU.csv
@@ -288,10 +333,10 @@ seniors@domain.org,/Students/ClassOf2023
 juniors@domain.org,/Students/ClassOf2024
 ...
 ```
-This allows you to do: `gam csv GradeOU.csv gam update group ~Grade sync members ou ~OU`
+This allows you to do: `gam csv GradeOU.csv gam update group "~Grade" sync members ou "~OU"`
 But suppose that at each grade level there are additional group members that are groups of faculty/staff; e.g., senioradvisors@domain.org.
 In this scenario, you can't do the `update group sync` command as the members that are groups will be deleted; the `usersonly` option allows
-the `update group sync` command to work: `gam csv GradeOU.csv gam update group ~Grade sync members usersonly ou ~OU`
+the `update group sync` command to work: `gam csv GradeOU.csv gam update group "~Grade" sync members usersonly ou "~OU"`
 The users from the OU are matched against the user members of the group and adds/deletes are done as necessary to synchronize them;
 the group members of the group are unaffected.
 
@@ -557,7 +602,7 @@ gam info member|group-members <UserItem>|<UserTypeEntity> <GroupEntity>
 By default, delivery information is not displayed.
 ```
 gam print group-members [todrive <ToDriveAttribute>*]
-        [([domain <DomainName>] ([member|showownedby <EmailItem>]|[query <QueryGroup>]))|
+        [([domain|domains <DomainNameEntity>] ([member|showownedby <EmailItem>]|[(query <QueryGroup>)|(queries <QueryGroupList>)]))|
          (group|group_ns|group_susp <GroupItem>)|
          (select <GroupEntity>)]
         [emailmatchpattern [not] <RegularExpression>] [namematchpattern [not] <RegularExpression>]
@@ -570,15 +615,18 @@ gam print group-members [todrive <ToDriveAttribute>*]
         [types <GroupTypeList>]
         [memberemaildisplaypattern|memberemailskippattern <RegularExpression>]
         [userfields <UserFieldNameList>]
+        [allschemas|(schemas|custom|customschemas <SchemaNameList>)]
         [(recursive [noduplicates])|includederivedmembership] [nogroupemail]
         [peoplelookup|(peoplelookupuser <EmailAddress>)]
+        [unknownname <String>] [cachememberinfo [Boolean]]
         [formatjson [quotechar <Character>]]
 ```
 By default, the group membership of all groups in the account are displayed, these options allow selection of subsets of groups:
-* `domain <DomainName>` - Limit display to groups in the domain `<DomainName>`
+* `domain|domains <DomainNameEntity>` - Limit display to groups in the domains specified by `<DomainNameEntity>`
+  * You can predefine this list with the `print_agu_domains` variable in `gam.cfg`.
 * `member <EmailItem>` - Limit display to groups that contain `<EmailItem>` as a member; mutually exclusive with `query <QueryGroup>`
 * `showownedby <EmailItem>` - Limit display to groups that contain `<EmailItem>` as an owner; mutually exclusive with `query <QueryGroup>`
-* `query <QueryGroup>` - Limit display to groups that match `<QueryGroup>`, matching is done at Google; mutually exclusive with `member <UserItem>`
+* `(query <QueryGroup>)|(queries <QueryGroupList>)` - Limit groups to those that match a query; each query is run against each domain
 * `group <GroupItem>` - Limit display to the single group `<GroupItem>`
 * `group_ns <GroupItem>` - Limit display to the single group `<GroupItem>`, display non-suspended members
 * `group_susp <GroupItem>` - Limit display to the single group `<GroupItem>`, display suspended members
@@ -632,13 +680,22 @@ these options specify which fields to display:
 * `<MembersFieldName>*` - Individual field names
 * `fields <MembersFieldNameList>` - A comma separated list of field names
     * `delivery|deliverysettings` - Specify this field to get delivery information; an additional API call per member is required
-* `userfields <UserFieldNameList>` - For members that are users, display these user fields; an additional API call per member is required
+
+For members that are users, you can specify additional information to display; an additional API call per member is required
+* `userfields <UserFieldNameList>` - Display specific user fields
+* `allschemas|(schemas|custom|customschemas <SchemaNameList>)` - Display all or specific custom schema values
+
+The additional API calls can be reduced with the `cachememberinfo` option; a single API call is made for each user/group
+and the data is cached to eliminate to need to repeat the API call; this consumes more memory but dramatically reduces the number of API calls.
 
 If member names are requested, names are not available for users not in the domain; you can request that GAM use the People API to retrieve
 names for these users. Names are not retrieved in all cases and success is dependent on what user is used to perform the retrievals.
 * `peoplelookup` - Use the administrator named in oauth2.txt to perform the retrievals
 * `peoplelookupuser <EmailAddress>` - Use `<EmailAddress>` to perform the retrievals
 
+By default, when `membernames` is specified, GAM displays `Unknown` for members whose names can not be determined.
+Use `unknownname <String>` to specify an alternative value.
+
 By default, the group email address is always shown, you can suppress it with the `nogroupemail` option.
 
 By default, members that are groups are displayed as a single entry of type GROUP; this option recursively expands group members to display their user members.
@@ -673,7 +730,7 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ## Display group membership in hierarchical format
 ```
 gam show group-members
-        [([domain <DomainName>] ([member|showownedby <EmailItem>]|[query <QueryGroup>]))|
+        [([domain|domains <DomainNameEntity>] ([member|showownedby <EmailItem>]|[(query <QueryGroup>)|(queries <QueryGroupList>)]))|
          (group|group_ns|group_susp <GroupItem>)|
          (select <GroupEntity>)]
         [emailmatchpattern [not] <RegularExpression>] [namematchpattern [not] <RegularExpression>]
@@ -686,10 +743,11 @@ gam show group-members
         [includederivedmembership]
 ```
 By default, the group membership of all groups in the account are displayed, these options allow selection of subsets of groups:
-* `domain <DomainName>` - Limit display to groups in the domain `<DomainName>`
+* `domain|domains <DomainNameEntity>` - Limit display to groups in the domains specified by `<DomainNameEntity>`
+  * You can predefine this list with the `print_agu_domains` variable in `gam.cfg`.
 * `member <EmailItem>` - Limit display to groups that contain `<EmailItem>` as a member; mutually exclusive with `query <QueryGroup>`
 * `showownedby <EmailItem>` - Limit display to groups that contain `<EmailItem>` as an owner; mutually exclusive with `query <QueryGroup>`
-* `query <QueryGroup>` - Limit display to groups that match `<QueryGroup>`, matching is done at Google; mutually exclusive with `member <UserItem>`
+* `(query <QueryGroup>)|(queries <QueryGroupList>)` - Limit groups to those that match a query; each query is run against each domain
 * `group <GroupItem>` - Limit display to the single group `<GroupItem>`
 * `group_ns <GroupItem>` - Limit display to the single group `<GroupItem>`, display non-suspended members
 * `group_susp <GroupItem>` - Limit display to the single group `<GroupItem>`, display suspended members

docs/Groups.md

@@ -10,12 +10,14 @@
 - [Definitions](#definitions)
 - [GUI API Group settings mapping](#gui-api-group-settings-mapping)
 - [GUI API Group access type settings mapping](#gui-api-group-access-type-settings-mapping)
+- [whoCanViewMembership and whoCanDiscoverGroup interactions](#whocanviewmembership-and-whocandiscovergroup-interactions)
 - [Manage groups](#manage-groups)
-- [Update a group's settings with JSON data](#update-a-groups-settings-with-JSON-data)
+- [Update a group's settings with JSON data](#update-a-groups-settings-with-json-data)
 - [Display information about specific groups](#display-information-about-specific-groups)
 - [Display information about selected groups](#display-information-about-selected-groups)
 - [Display a group and its parents](#Display-a-group-and-its-parents)
 - [Examples](#Examples)
+- [Display group counts](#display-group-counts)
 
 ## API documentation
 * https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups
@@ -24,7 +26,7 @@
 * https://cloud.google.com/identity/docs/reference/rest/v1/groups
 
 ## Name guidelines
-* https://support.google.com/a/answer/9193374?hl=en
+* https://support.google.com/a/answer/9193374
 
 ## Query documentation
 * https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
@@ -44,20 +46,27 @@
 * https://support.google.com/a/answer/167430
 
 ## Definitions
+See [Collections of Items](Collections-of-Items)
 ```
 <DomainName> ::= <String>(.<String>)+
+<DomainNameList> ::= "<DomainName>(,<DomainName>)*"
+<DomainNameEntity> ::=
+        <DomainNameList> | <FileSelector> | <CSVFileSelector>
 <EmailAddress> ::= <String>@<DomainName>
 <UniqueID> ::= id:<String>
 <EmailItem> ::= <EmailAddress>|<UniqueID>|<String>
 <GroupItem> ::= <EmailAddress>|<UniqueID>|<String>
 <GroupList> ::= "<GroupItem>(,<GroupItem>)*"
-<GroupEntity> ::= <GroupList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+<GroupEntity> ::=
+        <GroupList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <GroupRole> ::= owner|manager|member
 <GroupRoleList> ::= "<GroupRole>(,<GroupRole>)*"
 <GroupType> ::= customer|group|user
 <GroupTypeList> ::= "<GroupType>(,<GroupType>)*"
 <QueryGroup> ::= <String>
         See: https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
+<QueryGroupList> ::= "<QueryGroup>(,<QueryGroup>)*"
 <QueryDynamicGroup> ::= <String>
         See: https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery
 
@@ -295,6 +304,46 @@ Restricted
   whoCanViewMembership ALL_MEMBERS_CAN_VIEW
 ```
 
+## whoCanViewMembership and whoCanDiscoverGroup interactions
+Some combinations of these two settings are not allowed:
+```
+gam update group group@domain.com whoCanViewMembership ALL_IN_DOMAIN_CAN_VIEW whoCanDiscoverGroup ANYONE_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_OWNERS_CAN_VIEW whoCanDiscoverGroup ANYONE_CAN_DISCOVER
+Group: group@domain.com, Update Failed: Failed request validation in update settings: DONT_USE_OR_ELSE_WHO_CAN_MANAGE_MEMBERS_CANNOT_BE_BROADER_THAN_WHO_CAN_VIEW_MEMBERSHIP
+
+gam update group group@domain.com whoCanViewMembership ALL_MANAGERS_CAN_VIEW whoCanDiscoverGroup ANYONE_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_MEMBERS_CAN_VIEW whoCanDiscoverGroup ANYONE_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_IN_DOMAIN_CAN_VIEW whoCanDiscoverGroup ALL_IN_DOMAIN_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_OWNERS_CAN_VIEW whoCanDiscoverGroup ALL_IN_DOMAIN_CAN_DISCOVER
+Group: group@domain.com, Update Failed: Failed request validation in update settings: DONT_USE_OR_ELSE_WHO_CAN_MANAGE_MEMBERS_CANNOT_BE_BROADER_THAN_WHO_CAN_VIEW_MEMBERSHIP
+
+gam update group group@domain.com whoCanViewMembership ALL_MANAGERS_CAN_VIEW whoCanDiscoverGroup ALL_IN_DOMAIN_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_MEMBERS_CAN_VIEW whoCanDiscoverGroup ALL_IN_DOMAIN_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_IN_DOMAIN_CAN_VIEW whoCanDiscoverGroup ALL_MEMBERS_CAN_DISCOVER
+Group: group@domain.com, Update Failed: Failed request validation in update settings: WHO_CAN_VIEW_MEMBERSHIP_CANNOT_BE_BROADER_THAN_WHO_CAN_SEE_GROUP
+
+gam update group group@domain.com whoCanViewMembership ALL_OWNERS_CAN_VIEW whoCanDiscoverGroup ALL_MEMBERS_CAN_DISCOVER
+Group: group@domain.com, Update Failed: Failed request validation in update settings: DONT_USE_OR_ELSE_WHO_CAN_MANAGE_MEMBERS_CANNOT_BE_BROADER_THAN_WHO_CAN_VIEW_MEMBERSHIP
+
+gam update group group@domain.com whoCanViewMembership ALL_MANAGERS_CAN_VIEW whoCanDiscoverGroup ALL_MEMBERS_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_MEMBERS_CAN_VIEW whoCanDiscoverGroup ALL_MEMBERS_CAN_DISCOVER
+Group: group@domain.com, Updated
+```
+
 ## Manage groups
 
 These commands allow you to create, update and delete groups.
@@ -335,7 +384,7 @@ Getting Group Settings for testgroup4@domain.com (4/4)
 ```
 Perform your experiments and then restore the original settings.
 ```
-$ gam csv ./groups.csv quotechar "'" gam update group ~email json ~JSON-settings
+$ gam csv ./groups.csv quotechar "'" gam update group "~email" json "~JSON-settings"
 Using 4 processes...
 Group: testgroup1@domain.com, Updated
 Group: testgroup2@domain.com, Updated
@@ -402,7 +451,7 @@ By default, Gam displays the information as an indented list of keys and values.
 This command displays information in CSV format.
 ```
 gam print groups [todrive <ToDriveAttribute>*]
-        [([domain <DomainName>] ([member|showownedby <EmailItem>]|[query <QueryGroup>]))|
+        [([domain|domains <DomainNameEntity>] ([member|showownedby <EmailItem>]|[(query <QueryGroup>)|(queries <QueryGroupList>)]))|
          (select <GroupEntity>)]
         [emailmatchpattern [not] <RegularExpression>] [namematchpattern [not] <RegularExpression>]
         [descriptionmatchpattern [not] <RegularExpression>] (matchsetting [not] <GroupAttribute>)*
@@ -421,12 +470,12 @@ gam print groups [todrive <ToDriveAttribute>*]
         [formatjson [quotechar <Character>]]
 ```
 By default, all groups in the account are displayed, these options allow selection of subsets of groups:
-* `domain <DomainName>` - Limit display to groups in the domain `<DomainName>`
+* `domain|domains <DomainNameEntity>` - Limit display to groups in the domains specified by `<DomainNameEntity>`
+  * You can predefine this list with the `print_agu_domains` variable in `gam.cfg`.
 * `member <EmailItem>` - Limit display to groups that contain `<EmailItem>` as a member; mutually exclusive with `query <QueryGroup>`
 * `showownedby <EmailItem>` - Limit display to groups that contain `<EmailItem>` as an owner; mutually exclusive with `query <QueryGroup>`
-* `query <QueryGroup>` - Limit display to groups that match <QueryGroup>, matching is done at Google; mutually exclusive with `member <UserItem>`
+* `(query <QueryGroup>)|(queries <QueryGroupList>)` - Limit groups to those that match a query; each query is run against each domain
 * `select <GroupEntity>` - Limit display to the groups specified in `<GroupEntity>`
-* `showownedby <UserItem>` - Limit display to groups owned by `<UserItem>`
 
 When using `query <QueryGroup>` with the `name:{PREFIX}*` query, `PREFIX` must contain at least three characters.
 
@@ -535,7 +584,7 @@ gam print grouptree <GroupEntity> [todrive <ToDriveAttribute>*]
 ```
 By default, the group parent emails and names are displayed in multiple indexed columns.
 Use options `showparentsaslist [<Boolean>]` and `delimiter <Character>` to display
-the group parent emails and names in two columns as delimited lists .
+the group parent emails and names in two columns as delimited lists.
 
 #### Examples
 ```
@@ -556,3 +605,31 @@ Group,Name,ParentsCount,Parents,ParentsName
 testgroup2@domain.com,Test - Group 2,2,testgroup1@domain.com|testgroup@domain.com,Test Group1|Test Group Org
 testgroup2@domain.com,Test - Group 2,1,testgroup@domain.net,Test Group Net
 ```
+## Display group counts
+Display the number of groups.
+```
+gam print groups
+        [([domain|domains <DomainNameEntity>] ([member|showownedby <EmailItem>]|[(query <QueryGroup>)|(queries <QueryGroupList>)]))|
+         (select <GroupEntity>)]
+        [emailmatchpattern [not] <RegularExpression>] [namematchpattern [not] <RegularExpression>]
+        [descriptionmatchpattern [not] <RegularExpression>] (matchsetting [not] <GroupAttribute>)*
+        [admincreatedmatch <Boolean>]
+        showitemcountonly
+```
+Example
+```
+$ gam print groups showitemcountonly
+Getting all Groups, may take some time on a large Google Workspace Account...
+Got 200 Groups: 1aparents@domain.com - students-genderfood@domain.com
+Got 238 Groups: students-worldculture@domain.com - xcarestaff@domain.com
+238
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print groups showitemcountonly)
+Windows PowerShell
+count = & gam print groups showitemcountonly
+```

docs/HTTPS-Proxy.md

@@ -1,4 +1,4 @@
-# HTTPS Proxy
+!# HTTPS Proxy
 
 GAM should be run on a server with direct access to talk to Google servers via the Internet.
 However, if you must push GAM traffic through an HTTPS proxy this can be done by setting the HTTPS_PROXY environment variable.

docs/Home.md

@@ -0,0 +1,61 @@
+- [Introduction](#introduction)
+- [Requirements](#requirements)
+- [Installation - First time GAM7 installation](#installation---first-time-gam7-installation)
+- [Installation - Upgrading from Legacy GAM](#installation---upgrading-from-legacy-gam)
+
+# Introduction
+GAM7 is a free, open source command line tool for Google Workspace Administrators to manage domain and user settings quickly and easily.
+
+This page provides simple instructions for downloading, installing and starting to use GAM7.
+
+GAM7 requires paid, or Education/Non-profit, editions of Google Workspace. G Suite Legacy Free Edition has limited API support and not all GAM commands work.
+
+GAM7 is a rewrite/extension of Jay Lee's [Legacy GAM], without his efforts, this version wouldn't exist.
+
+GAM7 is backwards compatible with [Legacy GAM], meaning that if your command works with Legacy GAM, it will also work with GAM7. There may be differences in output, but the syntax is compatible.
+
+# Documentation
+Documentation for GAM7 is hosted in the [GitHub GAM7 Wiki] and in Gam*.txt files.
+Legacy GAM documentation is hosted in the [GitHub Legacy Wiki].
+
+# Mailing List / Discussion group
+The GAM mailing list / discussion group is hosted on [Google Groups].  You can join the list and interact via email, or just post from the web itself.
+
+# Source Repository
+The official GAM7 source repository is on [GitHub] in the master branch.
+
+# Author
+GAM7 is maintained by <a href="mailto:ross.scroggs@gmail.com">Ross Scroggs</a>.
+
+# Requirements
+To run all commands properly, GAM7 requires three things:
+* An API project which identifies your install of GAM7 to Google and keeps track of API quotas.
+* Authorization to act as your Google Workspace Administrator in order to perform management functions like add users, modify group settings and membership and pull domain reports.
+* A special service account that is authorized to act on behalf of your users in order to modify user-specific settings and data such as Drive files, Calendars and Gmail messages and settings like signatures.
+
+# Installation - First time GAM7 installation
+Use these steps if you have never used any version of GAM in your domain. They will create a GAM project
+and all necessary authentications.
+
+* Download: [Downloads-Installs](Downloads-Installs)
+* Configuration: [GAM7 Configuration](gam.cfg)
+* Install: [How to Install Advanced GAM](How-to-Install-Advanced-GAM)
+
+# Installation - Upgrading from Legacy GAM
+Use these steps if you have used any version of Legacy GAM in your domain. They will update your GAM project
+and all necessary authentications.
+
+* Download: [Downloads-Installs](Downloads-Installs)
+* Configuration: [GAM7 Configuration](gam.cfg)
+* Upgrade: [How to Upgrade from Legacy GAM](How-to-Upgrade-from-Legacy-GAM)
+
+You can install multiple versions of GAM and GAM7 in different parallel directories.
+
+[Legacy GAM]: https://github.com/GAM-team/GAM/releases?q=6.58&expanded=true
+[GAM7]: https://github.com/GAM-team/GAM
+[GitHub Releases]: https://github.com/GAM-team/GAM/releases
+[GitHub]: https://github.com/GAM-team/GAM/tree/master
+[GitHub Legacy Wiki]: https://github.com/GAM-team/GAM/wiki/
+[GitHub GAM7 Wiki]: https://github.com/GAM-team/GAM/wiki/
+[Google Groups]: https://groups.google.com/group/google-apps-manager
+[GAM Updates]: https://github.com/GAM-team/GAM/wiki/GamUpdates

docs/How-to-Install-GAM7.md

@@ -1,11 +1,11 @@
-# Installing GAMADV-XTD3
+!# Installing GAM7
 Use these steps if you have never used any version of GAM in your domain. They will create your GAM project
 and all necessary authentications.
 
-- [Downloads](Downloads)
-- [GAM Configuration](gam.cfg)
+- [Downloads-Installs](Downloads-Installs)
 - [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
 - [Windows](#windows)
+- [GAM Configuration](gam.cfg)
 
 ## Linux and MacOS and Google Cloud Shell
 
@@ -15,8 +15,8 @@ actual email adddress.
 In these examples, the user home folder is shown as /Users/admin; adjust according to your
 specific situation; e.g., /home/administrator.
 
-This example assumes that GAMADV-XTD3 has been installed in /Users/admin/bin/gamadv-xtd3.
-If you've installed GAMADV-XTD3 in another directory, substitute that value in the directions.
+This example assumes that GAM7 has been installed in /Users/admin/bin/gam7.
+If you've installed GAM7 in another directory, substitute that value in the directions.
 
 ### Set a configuration directory
 
@@ -25,6 +25,11 @@ probably want to select a non-hidden location. This example assumes that the GAM
 configuration directory will be /Users/admin/GAMConfig; If you've chosen another directory,
 substitute that value in the directions.
 
+Make the directory:
+```
+mkdir -p /Users/admin/GAMConfig
+```
+
 Add the following line:
 ```
 export GAMCFGDIR="/Users/admin/GAMConfig"
@@ -37,14 +42,7 @@ to one of these files based on your shell:
 ~/.profile
 ```
 
-You need to enable this setting in the environment. The easiest way is probably to close your terminal and open a new session. This will load the environment variables, including the one you just added. Test this by issuing this command:
-```
-echo $GAMCFGDIR
-```
-
-This should print the name of the directory you used above.
-
-Alternatively, without starting a new session, load the new variable in this session directly: issue the following command replacing `<Filename>` with the name of the file you edited:
+Issue the following command replacing `<Filename>` with the name of the file you edited:
 ```
 source <Filename>
 ```
@@ -54,27 +52,26 @@ You need to make sure the GAM configuration directory actually exists. Test that
 ls -l $GAMCFGDIR
 ```
 
-If this gives you an error, make the directory:
-```
-mkdir -p $GAMCFGDIR
-```
-
 ### Set a working directory
 
 You should establish a GAM working directory; you will store your GAM related
 data in this folder and execute GAM commands from this folder. You should not use
-/Users/admin/bin/gamadv-xtd3 or /Users/admin/GAMConfig for this purpose.
+/Users/admin/bin/gam7 or /Users/admin/GAMConfig for this purpose.
 This example assumes that the GAM working directory will be /Users/admin/GAMWork; If you've chosen
 another directory, substitute that value in the directions.
-* Make the /Users/admin/GAMWork directory before proceeding.
+
+Make the directory:
+```
+mkdir -p /Users/admin/GAMWork
+```
 
 ### Set an alias
-You should set an alias to point to /Users/admin/bin/gamadv-xtd3/gam so you can operate from the /Users/admin/GAMWork directory.
+You should set an alias to point to /Users/admin/bin/gam7/gam so you can operate from the /Users/admin/GAMWork directory.
 Aliases aren't available in scripts, so you may want to set a symlink instead, see below.
 
 Add the following line:
 ```
-alias gam="/Users/admin/bin/gamadv-xtd3/gam"
+alias gam="/Users/admin/bin/gam7/gam"
 ```
 to one of these files based on your shell:
 ```
@@ -93,36 +90,38 @@ source <Filename>
 ### Set a symlink
 Set a symlink in `/usr/local/bin` (or some other location on $PATH) to point to GAM. 
 ```
-ln -s "/Users/admin/bin/gamadv-xtd3/gam" /usr/local/bin/gam
+ln -s "/Users/admin/bin/gam7/gam" /usr/local/bin/gam
 ```
 
-### Initialize GAMADV-XTD3; this should be the first GAMADV-XTD3 command executed.
+### Initialize GAM7; this should be the first GAM7 command executed.
 ```
-admin@server:~$ cd /Users/admin/bin/gamadv-xtd3
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam config drive_dir /Users/admin/GAMWork verify
+admin@server:/Users/admin$ gam config drive_dir /Users/admin/GAMWork verify
 Created: /Users/admin/GAMConfig
 Created: /Users/admin/GAMConfig/gamcache
 Config File: /Users/admin/GAMConfig/gam.cfg, Initialized
 Section: DEFAULT
-  activity_max_results = 100
   ...
-  [long list of all config settings that should match the directories you specified]
+  cache_dir = /Users/admin/GAMConfig/gamcache
+  ...
+  config_dir = /Users/admin/GAMConfig
+  ...
+  drive_dir = /Users/admin/GAMWork
   ...
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Verify initialization, this was a successful installation.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ls -l $GAMCFGDIR
+admin@server:/Users/admin$ ls -l $GAMCFGDIR
 total 48
 -rw-r-----+ 1 admin  staff  1069 Mar  3 09:23 gam.cfg
 drwxr-x---+ 2 admin  staff    68 Mar  3 09:23 gamcache
 -rw-rw-rw-+ 1 admin  staff     0 Mar  3 09:23 oauth2.txt.lock
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 ### Create your project with local browser
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam create project
+admin@server:/Users/admin$ gam create project
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: client_secrets_json, Value: /Users/admin/GAMConfig/client_secrets.json, Not Found
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: oauth2service_json, Value: /Users/admin/GAMConfig/oauth2service.json, Not Found
 
@@ -186,12 +185,12 @@ Enter your Client Secret: CLIENTSECRET
 6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
 That's it! Your GAM Project is created and ready to use.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 ### Create your project without local browser (Google Cloud Shell for instance)
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam config no_browser true save
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam create project
+admin@server:/Users/admin$ gam config no_browser true save
+admin@server:/Users/admin$ gam create project
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: client_secrets_json, Value: /Users/admin/GAMConfig/client_secrets.json, Not Found
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: oauth2service_json, Value: /Users/admin/GAMConfig/oauth2service.json, Not Found
 
@@ -254,70 +253,80 @@ Enter your Client Secret: CLIENTSECRET
 6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
 That's it! Your GAM Project is created and ready to use.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
-### Enable GAMADV-XTD3 client access
+### Enable GAM7 client access
 
 You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
 writes the credentials into the file oauth2.txt.
 
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth create
-
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
+admin@server:/Users/admin$ gam oauth create
 
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - Telemetry read only
-[*]  3)  Chrome Management API - read only
-[*]  4)  Chrome Policy API (supports readonly)
-[*]  5)  Chrome Printer Management API (supports readonly)
-[*]  6)  Chrome Version History API
-[*]  7)  Classroom API - Course Announcements (supports readonly)
-[*]  8)  Classroom API - Course Topics (supports readonly)
-[*]  9)  Classroom API - Course Work/Materials (supports readonly)
-[*] 10)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 11)  Classroom API - Courses (supports readonly)
-[*] 12)  Classroom API - Profile Emails
-[*] 13)  Classroom API - Profile Photos
-[*] 14)  Classroom API - Rosters (supports readonly)
-[*] 15)  Classroom API - Student Guardians (supports readonly)
-[*] 16)  Cloud Identity Groups API (supports readonly)
-[*] 17)  Cloud Storage (Vault Export - read only)
-[*] 18)  Contact Delegation API (supports readonly)
-[*] 19)  Contacts API - Domain Shared and Users and GAL
-[*] 20)  Data Transfer API (supports readonly)
-[*] 21)  Directory API - Chrome OS Devices (supports readonly)
-[*] 22)  Directory API - Customers (supports readonly)
-[*] 23)  Directory API - Domains (supports readonly)
-[*] 24)  Directory API - Groups (supports readonly)
-[*] 25)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 26)  Directory API - Organizational Units (supports readonly)
-[*] 27)  Directory API - Resource Calendars (supports readonly)
-[*] 28)  Directory API - Roles (supports readonly)
-[*] 29)  Directory API - User Schemas (supports readonly)
-[*] 30)  Directory API - User Security
-[*] 31)  Directory API - Users (supports readonly)
-[*] 32)  Email Audit API
-[*] 33)  Groups Migration API
-[*] 34)  Groups Settings API
-[*] 35)  License Manager API
-[*] 36)  People API (supports readonly)
-[*] 37)  People Directory API - read only
-[ ] 38)  Pub / Sub API
-[*] 39)  Reports API - Audit Reports
-[*] 40)  Reports API - Usage Reports
-[ ] 41)  Reseller API
-[*] 42)  Site Verification API
-[*] 43)  Sites API
-[*] 44)  Vault API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
-Please enter 0-44[a|r] or s|u|e|c: c
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
 
@@ -333,14 +342,14 @@ Enter verification code or paste "Unable to connect" URL from other computer (on
 The authentication flow has completed.
 Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 
 If clicking on the link in the instructions does not work (i.e. you get a 404 or 400 error message, instead of something about 'unable to connect') the URL in the link is too long. Most likely, you have selected all scopes. Try again with fewer scopes until it works. (there is no harm in repeatedly trying)
 
-### Enable GAMADV-XTD3 service account access.
+### Enable GAM7 service account access.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user admin@domain.com check serviceaccount
+admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
 $ gam user admin@domain.com check serviceaccount
 System time status
   Your system time differs from www.googleapis.com by less than 1 second    PASS
@@ -348,35 +357,41 @@ Service Account Private Key Authentication
   Authentication                                                            PASS
 Service Account Private Key age; Google recommends rotating keys on a routine basis
   Service Account Private Key age: 0 days                                   PASS
-Domain-Wide Delegation authentication:, User: admin@domain.com, Scopes: 28
-  https://mail.google.com/                                                  PASS (1/28)
-  https://sites.google.com/feeds                                            PASS (2/28)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (3/28)
-  https://www.googleapis.com/auth/calendar                                  PASS (4/28)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (5/28)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (6/28)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (7/28)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (8/28)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (9/28)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (10/28)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (11/28)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (12/28)
-  https://www.googleapis.com/auth/contacts                                  PASS (13/28)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (14/28)
-  https://www.googleapis.com/auth/datastudio                                PASS (15/28)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (16/28)
-  https://www.googleapis.com/auth/documents                                 PASS (17/28)
-  https://www.googleapis.com/auth/drive                                     PASS (18/28)
-  https://www.googleapis.com/auth/drive.activity                            PASS (19/28)
-  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (20/28)
-  https://www.googleapis.com/auth/drive.labels                              FAIL (21/28)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (22/28)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (23/28)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (24/28)
-  https://www.googleapis.com/auth/keep                                      PASS (25/28)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (26/28)
-  https://www.googleapis.com/auth/tasks                                     PASS (27/28)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (28/28)
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
 Some scopes FAILED!
 To authorize them, please go to:
 
@@ -389,62 +404,68 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 The link shown in the error message should take you directly to the authorization screen.
 If not, make sure that you are logged in as a domain admin, then re-enter the link.
 
-### Verify GAMADV-XTD3 service account access.
+### Verify GAM7 service account access.
 
 Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
 for the authorization to complete.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user admin@domain.com check serviceaccount
+admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
 System time status:
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication:
   Authentication                                                            PASS
-Domain-Wide Delegation authentication:, User: admin@domain.com, Scopes: 28
-  https://mail.google.com/                                                  PASS (1/28)
-  https://sites.google.com/feeds                                            PASS (2/28)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (3/28)
-  https://www.googleapis.com/auth/calendar                                  PASS (4/28)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (5/28)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (6/28)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (7/28)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (8/28)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (9/28)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (10/28)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (11/28)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (12/28)
-  https://www.googleapis.com/auth/contacts                                  PASS (13/28)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (14/28)
-  https://www.googleapis.com/auth/datastudio                                PASS (15/28)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (16/28)
-  https://www.googleapis.com/auth/documents                                 PASS (17/28)
-  https://www.googleapis.com/auth/drive                                     PASS (18/28)
-  https://www.googleapis.com/auth/drive.activity                            PASS (19/28)
-  https://www.googleapis.com/auth/drive.admin.labels                        PASS (20/28)
-  https://www.googleapis.com/auth/drive.labels                              PASS (21/28)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (22/28)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (23/28)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (24/28)
-  https://www.googleapis.com/auth/keep                                      PASS (25/28)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (26/28)
-  https://www.googleapis.com/auth/tasks                                     PASS (27/28)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (28/28)
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
+  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
 All scopes PASSED!
 
 Service Account Client name: SVCACCTID is fully authorized.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 ### Update gam.cfg with some basic values
 * `customer_id` - Having this data keeps Gam from having to make extra API calls
 * `domain` - This allows you to omit the domain portion of email addresses
 * `timezone local` - Gam will convert all UTC times to your local timezone
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam info domain
+admin@server:/Users/admin$ gam info domain
 Customer ID: C01234567
 Primary Domain: domain.com
 Customer Creation Time: 2007-06-06T15:47:55.444Z
@@ -452,15 +473,18 @@ Primary Domain Verified: True
 Default Language: en
 ...
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam config customer_id C01234567 domain domain.com timezone local save verify
+admin@server:/Users/admin$ gam config customer_id C01234567 domain domain.com timezone local save verify
 Config File: /Users/admin/GAMConfig/gam.cfg, Saved
 Section: DEFAULT
-  activity_max_results = 100
   ...
-  [long list of all config settings that should match the data you specified]
+  customer_id = C01234567
+  ...
+  domain = domain.com
+  ...
+  timezone = local
   ...
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 
 ## Windows
@@ -468,8 +492,8 @@ admin@server:/Users/admin/bin/gamadv-xtd3$
 In these examples, your Google Super admin is shown as admin@domain.com; replace with the
 actual email adddress.
 
-This example assumes that GAMADV-XTD3 has been installed in C:\GAMADV-XTD3; if you've installed
-GAMADV-XTD3 in another directory, substitute that value in the directions.
+This example assumes that GAM7 has been installed in C:\GAM7; if you've installed
+GAM7 in another directory, substitute that value in the directions.
 
 These steps assume Command Prompt, adjust if you're using PowerShell.
 
@@ -485,13 +509,13 @@ substitute that value in the directions.
 
 You should extablish a GAM working directory; you will store your GAM related
 data in this folder and execute GAM commands from this folder. You should not use
-C:\GAMADV-XTD3 or C:\GAMConfig for this purpose.
+C:\GAM7 or C:\GAMConfig for this purpose.
 This example assumes that the GAM working directory will be C:\GAMWork; If you've chosen
 another directory, substitute that value in the directions.
 * Make the C:\GAMWork directory before proceeding.
 
 ### Set system path and GAM configuration directory
-You should set the system path to point to C:\GAMADV-XTD3 so you can operate from the C:\GAMWork directory.
+You should set the system path to point to C:\GAM7 so you can operate from the C:\GAMWork directory.
 ```
 Start Control Panel
 Click System
@@ -499,9 +523,9 @@ Click Advanced system settings
 Click Environment Variables...
 Click Path under System variables
 Click Edit...
-If C:\GAMADV-XTD3 is already on the Path, skip the next three steps
+If C:\GAM7 is already on the Path, skip the next three steps
   Click New
-  Enter C:\GAMADV-XTD3
+  Enter C:\GAM7
   Click OK
 Click New
 Set Variable name: GAMCFGDIR
@@ -514,24 +538,26 @@ Exit Control Panel
 
 At this point, you should restart Command Prompt so that it has the updated path and environment variables.
 
-### Initialize GAMADV-XTD3; this should be the first GAMADV-XTD3 command executed.
+### Initialize GAM7; this should be the first GAM7 command executed.
 ```
-C:>cd C:\GAMADV-XTD3
-C:\GAMADV-XTD3>gam config drive_dir C:\GAMWork verify
+C:\>gam config drive_dir C:\GAMWork verify
 Created: C:\GAMConfig
 Created: C:\GAMConfig\gamcache
 Config File: C:\GAMConfig\gam.cfg, Initialized
 Section: DEFAULT
-  activity_max_results = 100
   ...
-  [long list of all config settings that should match the directories you specified]
+  cache_dir = C:\GAMConfig\gamcache
+  ...
+  config_dir = C:\GAMConfig
+  ...
+  drive_dir = C:\GAMWork
   ...
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Verify initialization, this was a successful installation.
 ```
-C:\GAMADV-XTD3>dir %GAMCFGDIR%
+C:\>dir %GAMCFGDIR%
  Volume in drive C has no label.
  Volume Serial Number is 663F-DA8B
 
@@ -544,12 +570,12 @@ C:\GAMADV-XTD3>dir %GAMCFGDIR%
 03/03/2017  10:15 AM                 0 oauth2.txt.lock
                2 File(s)         15,769 bytes
                3 Dir(s)  110,532,562,944 bytes free
-C:\GAMADV-XTD3>
+C:\>
 ```
 
 ### Create your project with local browser
 ```
-C:\GAMADV-XTD3>gam create project
+C:\>gam create project
 WARNING: Config File: C:\GAMConfig\gam.cfg, Item: client_secrets_json, Value: C:\GAMConfig\client_secrets.json, Not Found
 WARNING: Config File: C:\GAMConfig\gam.cfg, Item: oauth2service_json, Value: C:\GAMConfig\oauth2service.json, Not Found
 
@@ -613,12 +639,12 @@ Enter your Client Secret: CLIENTSECRET
 6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
 That's it! Your GAM Project is created and ready to use.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Create your project without local browser (headless server for instance)
 ```
-C:\GAMADV-XTD3>gam config no_browser true save
-C:\GAMADV-XTD3>gam create project
+C:\>gam config no_browser true save
+C:\>gam create project
 WARNING: Config File: C:\GAMConfig\gam.cfg, Item: client_secrets_json, Value: C:\GAMConfig\client_secrets.json, Not Found
 WARNING: Config File: C:\GAMConfig\gam.cfg, Item: oauth2service_json, Value: C:\GAMConfig\oauth2service.json, Not Found
 
@@ -681,70 +707,80 @@ Enter your Client Secret: CLIENTSECRET
 6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
 That's it! Your GAM Project is created and ready to use.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
-### Enable GAMADV-XTD3 client access
+### Enable GAM7 client access
 
 You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
 writes the credentials into the file oauth2.txt.
 
 ```
-C:\GAMADV-XTD3>gam oauth create
-
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
+C:\>gam oauth create
 
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - Telemetry read only
-[*]  3)  Chrome Management API - read only
-[*]  4)  Chrome Policy API (supports readonly)
-[*]  5)  Chrome Printer Management API (supports readonly)
-[*]  6)  Chrome Version History API
-[*]  7)  Classroom API - Course Announcements (supports readonly)
-[*]  8)  Classroom API - Course Topics (supports readonly)
-[*]  9)  Classroom API - Course Work/Materials (supports readonly)
-[*] 10)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 11)  Classroom API - Courses (supports readonly)
-[*] 12)  Classroom API - Profile Emails
-[*] 13)  Classroom API - Profile Photos
-[*] 14)  Classroom API - Rosters (supports readonly)
-[*] 15)  Classroom API - Student Guardians (supports readonly)
-[*] 16)  Cloud Identity Groups API (supports readonly)
-[*] 17)  Cloud Storage (Vault Export - read only)
-[*] 18)  Contact Delegation API (supports readonly)
-[*] 19)  Contacts API - Domain Shared and Users and GAL
-[*] 20)  Data Transfer API (supports readonly)
-[*] 21)  Directory API - Chrome OS Devices (supports readonly)
-[*] 22)  Directory API - Customers (supports readonly)
-[*] 23)  Directory API - Domains (supports readonly)
-[*] 24)  Directory API - Groups (supports readonly)
-[*] 25)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 26)  Directory API - Organizational Units (supports readonly)
-[*] 27)  Directory API - Resource Calendars (supports readonly)
-[*] 28)  Directory API - Roles (supports readonly)
-[*] 29)  Directory API - User Schemas (supports readonly)
-[*] 30)  Directory API - User Security
-[*] 31)  Directory API - Users (supports readonly)
-[*] 32)  Email Audit API
-[*] 33)  Groups Migration API
-[*] 34)  Groups Settings API
-[*] 35)  License Manager API
-[*] 36)  People API (supports readonly)
-[*] 37)  People Directory API - read only
-[ ] 38)  Pub / Sub API
-[*] 39)  Reports API - Audit Reports
-[*] 40)  Reports API - Usage Reports
-[ ] 41)  Reseller API
-[*] 42)  Site Verification API
-[*] 43)  Sites API
-[*] 44)  Vault API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
-Please enter 0-44[a|r] or s|u|e|c: c
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
 
@@ -760,46 +796,52 @@ Enter verification code or paste "Unable to connect" URL from other computer (on
 The authentication flow has completed.
 Client OAuth2 File: C:\GAMConfig\oauth2.txt, Created
 
-C:\GAMADV-XTD3>
+C:\>
 ```
-### Enable GAMADV-XTD3 service account access.
+### Enable GAM7 service account access.
 ```
-C:\GAMADV-XTD3>gam user admin@domain.com check serviceaccount
+C:\>gam user admin@domain.com check serviceaccount
 System time status
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication
   Authentication                                                            PASS
 Service Account Private Key age; Google recommends rotating keys on a routine basis
   Service Account Private Key age: 0 days                                   PASS
-Domain-Wide Delegation authentication:, User: admin@domain.com, Scopes: 28
-  https://mail.google.com/                                                  PASS (1/28)
-  https://sites.google.com/feeds                                            PASS (2/28)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (3/28)
-  https://www.googleapis.com/auth/calendar                                  PASS (4/28)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (5/28)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (6/28)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (7/28)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (8/28)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (9/28)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (10/28)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (11/28)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (12/28)
-  https://www.googleapis.com/auth/contacts                                  PASS (13/28)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (14/28)
-  https://www.googleapis.com/auth/datastudio                                PASS (15/28)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (16/28)
-  https://www.googleapis.com/auth/documents                                 PASS (17/28)
-  https://www.googleapis.com/auth/drive                                     PASS (18/28)
-  https://www.googleapis.com/auth/drive.activity                            PASS (19/28)
-  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (20/28)
-  https://www.googleapis.com/auth/drive.labels                              FAIL (21/28)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (22/28)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (23/28)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (24/28)
-  https://www.googleapis.com/auth/keep                                      PASS (25/28)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (26/28)
-  https://www.googleapis.com/auth/tasks                                     PASS (27/28)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (28/28)
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
 Some scopes FAILED!
 To authorize them, please go to:
 
@@ -812,62 +854,68 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 The link shown in the error message should take you directly to the authorization screen.
 If not, make sure that you are logged in as a domain admin, then re-enter the link.
 
-### Verify GAMADV-XTD3 service account access.
+### Verify GAM7 service account access.
 
 Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
 for the authorization to complete.
 ```
-C:\GAMADV-XTD3>gam user admin@domain.com check serviceaccount
+C:\>gam user admin@domain.com check serviceaccount
 System time status:
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication:
   Authentication                                                            PASS
-Domain-Wide Delegation authentication:, User: admin@domain.com, Scopes: 28
-  https://mail.google.com/                                                  PASS (1/28)
-  https://sites.google.com/feeds                                            PASS (2/28)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (3/28)
-  https://www.googleapis.com/auth/calendar                                  PASS (4/28)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (5/28)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (6/28)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (7/28)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (8/28)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (9/28)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (10/28)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (11/28)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (12/28)
-  https://www.googleapis.com/auth/contacts                                  PASS (13/28)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (14/28)
-  https://www.googleapis.com/auth/datastudio                                PASS (15/28)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (16/28)
-  https://www.googleapis.com/auth/documents                                 PASS (17/28)
-  https://www.googleapis.com/auth/drive                                     PASS (18/28)
-  https://www.googleapis.com/auth/drive.activity                            PASS (19/28)
-  https://www.googleapis.com/auth/drive.admin.labels                        PASS (20/28)
-  https://www.googleapis.com/auth/drive.labels                              PASS (21/28)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (22/28)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (23/28)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (24/28)
-  https://www.googleapis.com/auth/keep                                      PASS (25/28)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (26/28)
-  https://www.googleapis.com/auth/tasks                                     PASS (27/28)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (28/28)
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
+  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
 All scopes PASSED!
 
 Service Account Client name: SVCACCTID is fully authorized.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Update gam.cfg with some basic values
 * `customer_id` - Having this data keeps Gam from having to make extra API calls
 * `domain` - This allows you to omit the domain portion of email addresses
 * `timezone local` - Gam will convert all UTC times to your local timezone
 ```
-C:\GAMADV-XTD3>gam info domain
+C:\>gam info domain
 Customer ID: C01234567
 Primary Domain: domain.com
 Customer Creation Time: 2007-06-06T15:47:55.444Z
@@ -875,13 +923,16 @@ Primary Domain Verified: True
 Default Language: en
 ...
 
-C:\GAMADV-XTD3>gam config customer_id C01234567 domain domain.com timezone local save verify
+C:\>gam config customer_id C01234567 domain domain.com timezone local save verify
 Config File: C:\GAMConfig\gam.cfg, Saved
 Section: DEFAULT
-  activity_max_results = 100
   ...
-  [long list of all config settings that should match the directories you specified]
+  customer_id = C01234567
+  ...
+  domain = domain.com
+  ...
+  timezone = local
   ...
 
-C:\GAMADV-XTD3>
+C:\>
 ```

docs/How-to-Uninstall-GAM7.md

@@ -1,4 +1,4 @@
-# Uninstalling GAMADV-XTD3
+!# Uninstalling GAM7
 
 - [Get Project Info](#get-project-info)
 - [Remove Client API access](#remove-client-api-access)
@@ -38,13 +38,13 @@ In the box that pops up, put the `project_id` value in ther `Project ID*` field
 In these examples, the user home folder is shown as /Users/admin; adjust according to your
 specific situation; e.g., /home/administrator.
 
-This example assumes that GAMADV-XTD3 has been installed in /Users/admin/bin/gamadv-xtd3.
-If you've installed GAMADV-XTD3 in another directory, substitute that value in the directions.
+This example assumes that GAM7 has been installed in /Users/admin/bin/gam7.
+If you've installed GAM7 in another directory, substitute that value in the directions.
 
 ### Delete executable directory
 
 ```
-rm -fr /Users/admin/bin/gamadv-xtd3
+rm -fr /Users/admin/bin/gam7
 ```
 
 ### Delete configuration directory
@@ -69,7 +69,7 @@ rm -fr /Users/admin/GAMConfig
 
 Remove the following line:
 ```
-alias gam="/Users/admin/bin/gamadv-xtd3/gam"
+alias gam="/Users/admin/bin/gam7/gam"
 export GAMCFGDIR="/Users/admin/GAMConfig"
 ```
 from these files based on your shell:
@@ -82,12 +82,12 @@ from these files based on your shell:
 
 ## Windows
 
-This example assumes that GAMADV-XTD3 has been installed in C:\GAMADV-XTD3; if you've installed
-GAMADV-XTD3 in another directory, substitute that value in the directions.
+This example assumes that GAM7 has been installed in C:\GAM7; if you've installed
+GAM7 in another directory, substitute that value in the directions.
 
 ### Delete executable directory
 
-In File Explorer, delete the `C:\GAMADV-XTD3` folder.
+In File Explorer, delete the `C:\GAM7` folder.
 
 ### Delete configuration directory
 
@@ -113,8 +113,8 @@ Click Advanced system settings
 Click Environment Variables...
 Click Path under System variables
 Click Edit...
-If C:\GAMADV-XTD3 is not on the Path, click Cancel and skip the next three steps
-  Click C:\GAMADV-XTD3
+If C:\GAM7 is not on the Path, click Cancel and skip the next three steps
+  Click C:\GAM7
   Click Delete
   Click OK
 If GAMCFGDIR is not in System variables, skip the next two steps

docs/How-to-Update-GAM7.md

@@ -1,19 +1,19 @@
-# Updating GAMADV-XTD3
-Use these steps to update your version of GAMADV-XTD3.
+!# Updating GAM7
+Use these steps to update your version of GAM7.
 
-- [Downloads](Downloads)
-- [GAM Configuration](gam.cfg)
+- [Downloads-Installs](Downloads-Installs)
 - [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
 - [Windows](#windows)
+- [GAM Configuration](gam.cfg)
 
 ## Linux and MacOS and Google Cloud Shell
 
 ### Download the latest version
 
-This example assumes that GAMADV-XTD3 has been installed in /Users/admin/bin/gamadv-xtd3.
-If you've installed GAMADV-XTD3 in another directory, substitute that value in the directions when downloading.
+This example assumes that GAM7 has been installed in /Users/admin/bin/gam7.
+If you've installed GAM7 in another directory, substitute that value in the directions when downloading.
 
-See: [Downloads](Downloads)
+See: [Downloads-Installs](Downloads-Installs)
 
 In these examples, your Google Super admin is shown as admin@domain.com; replace with the
 actual email adddress.
@@ -21,10 +21,10 @@ actual email adddress.
 In these examples, the user home folder is shown as /Users/admin; adjust according to your
 specific situation; e.g., /home/administrator.
 
-### Update your project with local browser to include the additional APIs that GAMADV-XTD3 uses.
+### Update your project with local browser to include the additional APIs that GAM7 uses.
 This step may be omitted if you are updating from a recent version.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam update project
+admin@server:/Users/admin/bin/gam7 gam update project
 
 Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s): gam-project-abc-123-xyz? admin@domain.com
 
@@ -54,13 +54,13 @@ Enable 3 APIs
   API: groupsmigration.googleapis.com, Enabled (2/3)
   API: sheets.googleapis.com, Enabled (3/3)
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin/bin/gam7
 ```
-### Update your project without local browser (Google Cloud Shell for instance) to include the additional APIs that GAMADV-XTD3 uses
+### Update your project without local browser (Google Cloud Shell for instance) to include the additional APIs that GAM7 uses
 This step may be omitted if you are updating from a recent version.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam config no_browser true save
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam update project
+admin@server:/Users/admin/bin/gam7 gam config no_browser true save
+admin@server:/Users/admin/bin/gam7 gam update project
 
 Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s): gam-project-abc-123-xyz? admin@domain.com
 
@@ -89,70 +89,80 @@ Enable 3 APIs
   API: groupsmigration.googleapis.com, Enabled (2/3)
   API: sheets.googleapis.com, Enabled (3/3)
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin/bin/ga7
 ```
-### Update GAMADV-XTD3 client access
+### Update GAM7 client access
 
-You select a list of scopes, GAMADV-XTD3 uses a browser to get final authorization from Google for these scopes and
+You select a list of scopes, GAM7 uses a browser to get final authorization from Google for these scopes and
 writes the credentials into the file oauth2.txt.
 
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth create
-
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
+admin@server:/Users/admin/bin/gam7 ./gam oauth create
 
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - Telemetry read only
-[*]  3)  Chrome Management API - read only
-[*]  4)  Chrome Policy API (supports readonly)
-[*]  5)  Chrome Printer Management API (supports readonly)
-[*]  6)  Chrome Version History API
-[*]  7)  Classroom API - Course Announcements (supports readonly)
-[*]  8)  Classroom API - Course Topics (supports readonly)
-[*]  9)  Classroom API - Course Work/Materials (supports readonly)
-[*] 10)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 11)  Classroom API - Courses (supports readonly)
-[*] 12)  Classroom API - Profile Emails
-[*] 13)  Classroom API - Profile Photos
-[*] 14)  Classroom API - Rosters (supports readonly)
-[*] 15)  Classroom API - Student Guardians (supports readonly)
-[*] 16)  Cloud Identity Groups API (supports readonly)
-[*] 17)  Cloud Storage (Vault Export - read only)
-[*] 18)  Contact Delegation API (supports readonly)
-[*] 19)  Contacts API - Domain Shared and Users and GAL
-[*] 20)  Data Transfer API (supports readonly)
-[*] 21)  Directory API - Chrome OS Devices (supports readonly)
-[*] 22)  Directory API - Customers (supports readonly)
-[*] 23)  Directory API - Domains (supports readonly)
-[*] 24)  Directory API - Groups (supports readonly)
-[*] 25)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 26)  Directory API - Organizational Units (supports readonly)
-[*] 27)  Directory API - Resource Calendars (supports readonly)
-[*] 28)  Directory API - Roles (supports readonly)
-[*] 29)  Directory API - User Schemas (supports readonly)
-[*] 30)  Directory API - User Security
-[*] 31)  Directory API - Users (supports readonly)
-[*] 32)  Email Audit API
-[*] 33)  Groups Migration API
-[*] 34)  Groups Settings API
-[*] 35)  License Manager API
-[*] 36)  People API (supports readonly)
-[*] 37)  People Directory API - read only
-[ ] 38)  Pub / Sub API
-[*] 39)  Reports API - Audit Reports
-[*] 40)  Reports API - Usage Reports
-[ ] 41)  Reseller API
-[*] 42)  Site Verification API
-[*] 43)  Sites API
-[*] 44)  Vault API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
-Please enter 0-44[a|r] or s|u|e|c: c
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
 
@@ -168,11 +178,11 @@ Enter verification code or paste "Unable to connect" URL from other computer (on
 The authentication flow has completed.
 Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin/bin/gam7 
 ```
-### Update GAMADV-XTD3 service account access.
+### Update GAM7 service account access.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user admin@domain.com check serviceaccount
+admin@server:/Users/admin/bin/gam7 ./gam user admin@domain.com check serviceaccount
 $ gam user admin@domain.com check serviceaccount
 System time status
   Your system time differs from www.googleapis.com by less than 1 second    PASS
@@ -180,35 +190,41 @@ Service Account Private Key Authentication
   Authentication                                                            PASS
 Service Account Private Key age; Google recommends rotating keys on a routine basis
   Service Account Private Key age: 0 days                                   PASS
-Domain-Wide Delegation authentication:, User: admin@domain.com, Scopes: 28
-  https://mail.google.com/                                                  PASS (1/28)
-  https://sites.google.com/feeds                                            PASS (2/28)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (3/28)
-  https://www.googleapis.com/auth/calendar                                  PASS (4/28)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (5/28)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (6/28)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (7/28)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (8/28)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (9/28)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (10/28)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (11/28)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (12/28)
-  https://www.googleapis.com/auth/contacts                                  PASS (13/28)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (14/28)
-  https://www.googleapis.com/auth/datastudio                                PASS (15/28)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (16/28)
-  https://www.googleapis.com/auth/documents                                 PASS (17/28)
-  https://www.googleapis.com/auth/drive                                     PASS (18/28)
-  https://www.googleapis.com/auth/drive.activity                            PASS (19/28)
-  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (20/28)
-  https://www.googleapis.com/auth/drive.labels                              FAIL (21/28)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (22/28)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (23/28)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (24/28)
-  https://www.googleapis.com/auth/keep                                      PASS (25/28)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (26/28)
-  https://www.googleapis.com/auth/tasks                                     PASS (27/28)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (28/28)
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
 Some scopes FAILED!
 To authorize them, please go to:
 
@@ -221,78 +237,84 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin/bin/gam7
 ```
 The link shown in the error message should take you directly to the authorization screen.
 If not, make sure that you are logged in as a domain admin, then re-enter the link.
 
-### Verify GAMADV-XTD3 service account access.
+### Verify GAM7 service account access.
 
 Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
 for the authorization to complete.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user admin@domain.com check serviceaccount
+admin@server:/Users/admin/bin/gam7 ./gam user admin@domain.com check serviceaccount
 System time status:
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication:
   Authentication                                                            PASS
-Domain-Wide Delegation authentication:, User: admin@domain.com, Scopes: 28
-  https://mail.google.com/                                                  PASS (1/28)
-  https://sites.google.com/feeds                                            PASS (2/28)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (3/28)
-  https://www.googleapis.com/auth/calendar                                  PASS (4/28)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (5/28)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (6/28)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (7/28)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (8/28)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (9/28)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (10/28)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (11/28)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (12/28)
-  https://www.googleapis.com/auth/contacts                                  PASS (13/28)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (14/28)
-  https://www.googleapis.com/auth/datastudio                                PASS (15/28)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (16/28)
-  https://www.googleapis.com/auth/documents                                 PASS (17/28)
-  https://www.googleapis.com/auth/drive                                     PASS (18/28)
-  https://www.googleapis.com/auth/drive.activity                            PASS (19/28)
-  https://www.googleapis.com/auth/drive.admin.labels                        PASS (20/28)
-  https://www.googleapis.com/auth/drive.labels                              PASS (21/28)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (22/28)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (23/28)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (24/28)
-  https://www.googleapis.com/auth/keep                                      PASS (25/28)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (26/28)
-  https://www.googleapis.com/auth/tasks                                     PASS (27/28)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (28/28)
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
+  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
 All scopes PASSED!
 
 Service Account Client name: SVCACCTID is fully authorized.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin/bin/gam7 
 ```
 
 ## Windows
 
 ### Download the latest version
 
-This example assumes that GAMADV-XTD3 has been installed in C:\GAMADV-XTD3.
-If you've installed GAMADV-XTD3 in another directory, substitute that value in the directions when downloading.
+This example assumes that GAM7 has been installed in C:\GAM7.
+If you've installed GAM7 in another directory, substitute that value in the directions when downloading.
 
-See: [Downloads](Downloads)
+See: [Downloads-Installs](Downloads-Installs)
 
 In these examples, your Google Super admin is shown as admin@domain.com; replace with the
 actual email adddress.
 
-This example assumes that GAMADV-XTD3 has been installed in C:\GAMADV-XTD3; if you've installed
-GAMADV-XTD3 in another directory, substitute that value in the directions.
+This example assumes that GAM7 has been installed in C:\GAM7; if you've installed
+GAM7 in another directory, substitute that value in the directions.
 
 These steps assume Command Prompt, adjust if you're using PowerShell.
 
-### Update your project with local browser to include the additional APIs that GAMADV-XTD3 uses.
+### Update your project with local browser to include the additional APIs that GAM7 uses.
 This step may be omitted if you are updating from a recent version.
 ```
-C:\GAMADV-XTD3>gam update project
+C:\GAM7>gam update project
 
 Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
 
@@ -319,13 +341,13 @@ Enable 3 APIs
   API: groupsmigration.googleapis.com, Enabled (2/3)
   API: sheets.googleapis.com, Enabled (3/3)
 
-C:\GAMADV-XTD3>
+C:\GAM7>
 ```
-### Update your project without local browser (headless server for instance) to include the additional APIs that GAMADV-XTD3 uses
+### Update your project without local browser (headless server for instance) to include the additional APIs that GAM7 uses
 This step may be omitted if you are updating from a recent version.
 ```
-C:\GAMADV-XTD3>gam config no_browser true save
-C:\GAMADV-XTD3>gam update project
+C:\GAM7>gam config no_browser true save
+C:\GAM7>gam update project
 
 Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
 
@@ -354,70 +376,80 @@ Enable 3 APIs
   API: groupsmigration.googleapis.com, Enabled (2/3)
   API: sheets.googleapis.com, Enabled (3/3)
 
-C:\GAMADV-XTD3>
+C:\GAM7>
 ```
-### Update GAMADV-XTD3 client access
+### Update GAM7 client access
 
 You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
 writes the credentials into the file oauth2.txt.
 
 ```
-C:\GAMADV-XTD3>gam oauth create
-
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
+C:\GAM7>gam oauth create
 
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - Telemetry read only
-[*]  3)  Chrome Management API - read only
-[*]  4)  Chrome Policy API (supports readonly)
-[*]  5)  Chrome Printer Management API (supports readonly)
-[*]  6)  Chrome Version History API
-[*]  7)  Classroom API - Course Announcements (supports readonly)
-[*]  8)  Classroom API - Course Topics (supports readonly)
-[*]  9)  Classroom API - Course Work/Materials (supports readonly)
-[*] 10)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 11)  Classroom API - Courses (supports readonly)
-[*] 12)  Classroom API - Profile Emails
-[*] 13)  Classroom API - Profile Photos
-[*] 14)  Classroom API - Rosters (supports readonly)
-[*] 15)  Classroom API - Student Guardians (supports readonly)
-[*] 16)  Cloud Identity Groups API (supports readonly)
-[*] 17)  Cloud Storage (Vault Export - read only)
-[*] 18)  Contact Delegation API (supports readonly)
-[*] 19)  Contacts API - Domain Shared and Users and GAL
-[*] 20)  Data Transfer API (supports readonly)
-[*] 21)  Directory API - Chrome OS Devices (supports readonly)
-[*] 22)  Directory API - Customers (supports readonly)
-[*] 23)  Directory API - Domains (supports readonly)
-[*] 24)  Directory API - Groups (supports readonly)
-[*] 25)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 26)  Directory API - Organizational Units (supports readonly)
-[*] 27)  Directory API - Resource Calendars (supports readonly)
-[*] 28)  Directory API - Roles (supports readonly)
-[*] 29)  Directory API - User Schemas (supports readonly)
-[*] 30)  Directory API - User Security
-[*] 31)  Directory API - Users (supports readonly)
-[*] 32)  Email Audit API
-[*] 33)  Groups Migration API
-[*] 34)  Groups Settings API
-[*] 35)  License Manager API
-[*] 36)  People API (supports readonly)
-[*] 37)  People Directory API - read only
-[ ] 38)  Pub / Sub API
-[*] 39)  Reports API - Audit Reports
-[*] 40)  Reports API - Usage Reports
-[ ] 41)  Reseller API
-[*] 42)  Site Verification API
-[*] 43)  Sites API
-[*] 44)  Vault API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
-Please enter 0-44[a|r] or s|u|e|c: c
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
 
@@ -433,46 +465,52 @@ Enter verification code or paste "Unable to connect" URL from other computer (on
 The authentication flow has completed.
 Client OAuth2 File: C:\GAMConfig\oauth2.txt, Created
 
-C:\GAMADV-XTD3>
+C:\GAM7>
 ```
-### Update GAMADV-XTD3 service account access.
+### Update GAM7 service account access.
 ```
-C:\GAMADV-XTD3>gam user admin@domain.com check serviceaccount
+C:\GAM7>gam user admin@domain.com check serviceaccount
 System time status
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication
   Authentication                                                            PASS
 Service Account Private Key age; Google recommends rotating keys on a routine basis
   Service Account Private Key age: 0 days                                   PASS
-Domain-Wide Delegation authentication:, User: admin@domain.com, Scopes: 28
-  https://mail.google.com/                                                  PASS (1/28)
-  https://sites.google.com/feeds                                            PASS (2/28)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (3/28)
-  https://www.googleapis.com/auth/calendar                                  PASS (4/28)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (5/28)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (6/28)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (7/28)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (8/28)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (9/28)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (10/28)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (11/28)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (12/28)
-  https://www.googleapis.com/auth/contacts                                  PASS (13/28)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (14/28)
-  https://www.googleapis.com/auth/datastudio                                PASS (15/28)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (16/28)
-  https://www.googleapis.com/auth/documents                                 PASS (17/28)
-  https://www.googleapis.com/auth/drive                                     PASS (18/28)
-  https://www.googleapis.com/auth/drive.activity                            PASS (19/28)
-  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (20/28)
-  https://www.googleapis.com/auth/drive.labels                              FAIL (21/28)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (22/28)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (23/28)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (24/28)
-  https://www.googleapis.com/auth/keep                                      PASS (25/28)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (26/28)
-  https://www.googleapis.com/auth/tasks                                     PASS (27/28)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (28/28)
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
 Some scopes FAILED!
 To authorize them, please go to:
 
@@ -485,53 +523,59 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 
-C:\GAMADV-XTD3>
+C:\GAM7>
 ```
 The link shown in the error message should take you directly to the authorization screen.
 If not, make sure that you are logged in as a domain admin, then re-enter the link.
 
-### Verify GAMADV-XTD3 service account access.
+### Verify GAM7 service account access.
 
 Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
 for the authorization to complete.
 ```
-C:\GAMADV-XTD3>gam user admin@domain.com check serviceaccount
+C:\GAM7>gam user admin@domain.com check serviceaccount
 System time status:
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication:
   Authentication                                                            PASS
-Domain-Wide Delegation authentication:, User: admin@domain.com, Scopes: 28
-  https://mail.google.com/                                                  PASS (1/28)
-  https://sites.google.com/feeds                                            PASS (2/28)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (3/28)
-  https://www.googleapis.com/auth/calendar                                  PASS (4/28)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (5/28)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (6/28)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (7/28)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (8/28)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (9/28)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (10/28)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (11/28)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (12/28)
-  https://www.googleapis.com/auth/contacts                                  PASS (13/28)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (14/28)
-  https://www.googleapis.com/auth/datastudio                                PASS (15/28)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (16/28)
-  https://www.googleapis.com/auth/documents                                 PASS (17/28)
-  https://www.googleapis.com/auth/drive                                     PASS (18/28)
-  https://www.googleapis.com/auth/drive.activity                            PASS (19/28)
-  https://www.googleapis.com/auth/drive.admin.labels                        PASS (20/28)
-  https://www.googleapis.com/auth/drive.labels                              PASS (21/28)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (22/28)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (23/28)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (24/28)
-  https://www.googleapis.com/auth/keep                                      PASS (25/28)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (26/28)
-  https://www.googleapis.com/auth/tasks                                     PASS (27/28)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (28/28)
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
+  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
 All scopes PASSED!
 
 Service Account Client name: SVCACCTID is fully authorized.
 
-C:\GAMADV-XTD3>
+C:\GAM7>
 ```

docs/How-to-Upgrade-Advanced-GAM-to-GAM7.md

@@ -0,0 +1,120 @@
+# Installation - Update Advanced GAM to GAM7
+
+- [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
+- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
+- [Windows](#windows)
+
+## Linux and MacOS and Google Cloud Shell
+
+This example assumes that GAMADV-XTD3 was installed in /Users/admin/bin/gamadv-xtd3.
+If GAMADV-XTD3 was installed in another directory, substitute that value in the directions.
+
+Rename install directory.
+```
+mv /Users/admin/bin/gamadv-xtd3 /Users/admin/bin/gam7
+```
+
+See: [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
+
+You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page. Choose one of the following:
+
+* Executable Archive, Automatic, Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS
+  - Start a terminal session and execute one of the following commands:
+  - Update to latest version, do not create project or authorizations, default path `$HOME/bin`
+    - `bash <(curl -s -S -L https://git.io/gam-install) -l`
+  - Update to latest version, do not create project or authorizations, specify a path
+    - `bash <(curl -s -S -L https://git.io/gam-install) -l -d <Path>`
+
+In these examples, the user home folder is shown as /Users/admin; adjust according to your
+specific situation; e.g., /home/administrator.
+
+### Update gam  alias
+You should set an alias to point to /Users/admin/bin/gam/gam so you can operate from the /Users/admin/GAMWork directory.
+Aliases aren't available in scripts, so you may want to set a symlink instead, see below.
+
+Change the following line:
+```
+alias gam="/Users/admin/bin/gamadv-xtd3/gam"
+```
+to
+```
+alias gam="/Users/admin/bin/gam7/gam"
+```
+in one of these files based on your shell:
+```
+~/.bash_aliases
+~/.bash_profile
+~/.bashrc
+~/.zshrc
+~/.profile
+```
+
+Issue the following command replacing `<Filename>` with the name of the file you edited:
+```
+source <Filename>
+```
+
+### Set a symlink if desired
+Set a symlink in `/usr/local/bin` (or some other location on $PATH) to point to GAM. 
+```
+ln -s "/Users/admin/bin/gam7/gam" /usr/local/bin/gam
+```
+
+### Test
+```
+gam version
+```
+
+## Windows
+
+You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page.
+
+This example assumes that GAMADV-XTD3 was installed in C:\GAMADV-XTD3.
+If GAMADV-XTD3 was installed in another directory, substitute that value in the directions.
+
+These steps assume Command Prompt, adjust if you're using PowerShell.
+
+Rename install directory.
+```
+ren C:\GAMADV-STD3 C:\GAM7
+```
+
+See: [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
+
+* Executable Archive, Manual, Windows 64 bit
+  - `gam-7.wx.yz-windows-x86_64.zip`
+  - Download the archive, extract the contents into C:\GAM7.
+  - Start a Command Prompt/PowerShell session.
+
+* Executable Installer, Manual, Windows 64 bit
+  - `gam-7.wx.yz-windows-x86_64.msi`
+  - Download the installer and run it.
+  - Start a Command Prompt/PowerShell session.
+
+### Update system path
+You should set the system path to point to C:\GAM7 so you can operate from the C:\GAMWork directory.
+```
+Start Control Panel
+Click System
+Click Advanced system settings
+Click Environment Variables...
+Click Path under System variables
+Click Edit...
+If you have an existing entry referencing GAMADV-XTD3:
+  Click that entry
+  Click Delete
+If C:\GAM7 is already on the Path, skip the next three steps
+  Click New
+  Enter C:\GAM7
+  Click OK
+Click OK
+Click OK
+Exit Control Panel
+```
+
+At this point, you should restart Command Prompt so that it has the updated path and environment variables.
+
+### Test
+```
+gam version
+```

docs/How-to-Upgrade-from-GAMADV-X-or-GAMADV-XTD.md

@@ -1,510 +0,0 @@
-# Installation - Upgrading from a prior version of GAMADV-X or GAMADV-XTD
-Use these steps if you have used any version of GAMADV-X or GAMADV-XTD in your domain.
-They will update your GAM project and all necessary authentications.
-
-- [Downloads](Downloads)
-- [GAM Configuration](gam.cfg)
-- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
-- [Windows](#windows)
-
-## Linux and MacOS and Google Cloud Shell
-
-In these examples, your Google Super admin is shown as admin@domain.com; replace with the
-actual email adddress.
-
-In these examples, the user home folder is shown as /Users/admin; adjust according to your
-specific situation; e.g., /home/administrator.
-
-This example assumes that GAMADV-XTD3 has been installed in /Users/admin/bin/gamadv-xtd3.
-If you've installed GAMADV-XTD3 in another directory, substitute that value in the directions.
-
-GAMADV-XTD3 uses the same configuration directory and gam.cfg file as GAMADV-X and GAMADV-XTD.
-
-### Update your alias
-You should update your alias to point to /Users/admin/bin/gamadv-xtd3/gam.
-
-Add the following line:
-```
-alias gam="/Users/admin/bin/gamadv-xtd3/gam"
-```
-to one of these files if you're running bash or an equivalent file if you're running some other shell:
-```
-~/.bash_aliases
-~/.bash_profile
-~/.bashrc
-```
-
-If you already have a gam alias for standard GAM and want to run it and GAMADV-XTD3, give your new alias a different name:
-```
-alias gam3="/Users/admin/bin/gamadv-xtd3/gam"
-```
-### Do you have a browser?
-If your computer doesn't support a browser, Google Cloud Shell for instance, execute this command:
-```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam config no_browser true save
-```
-### Update your project to include the additional APIs that GAMADV-XTD3 uses.
-```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam update project
-
-Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
-
-Your browser has been opened to visit:
-
-    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
-
-If your browser is on a different machine then press CTRL+C,
-set no_browser = true in gam.cfg and re-run this command.
-
-Authentication successful.
-API: admin.googleapis.com, already enabled...
-API: appsactivity.googleapis.com, already enabled...
-API: calendar-json.googleapis.com, already enabled...
-API: classroom.googleapis.com, already enabled...
-API: contacts.googleapis.com, already enabled...
-API: drive.googleapis.com, already enabled...
-API: gmail.googleapis.com, already enabled...
-API: groupssettings.googleapis.com, already enabled...
-API: licensing.googleapis.com, already enabled...
-API: plus.googleapis.com, already enabled...
-API: reseller.googleapis.com, already enabled...
-API: siteverification.googleapis.com, already enabled...
-API: vault.googleapis.com, already enabled...
-Enable 3 APIs
-  API: audit.googleapis.com, Enabled (1/3)
-  API: groupsmigration.googleapis.com, Enabled (2/3)
-  API: sheets.googleapis.com, Enabled (3/3)
-
-admin@server:/Users/admin/bin/gamadv-xtd3$
-```
-### Update GAMADV-XTD3 client access.
-
-Update oauth2.txt; it must be updated to reflect the additional capabilites of GAMADV-XTD3.
-
-You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
-writes the credentials into the file oauth2.txt.
-
-If the computer on which you are running GAM does not have access to a browser, issue this command:
-```
-gam config no_browser true oauth update
-```
-You will be given instructions on how to get the authorization on another computer and apply it locally.
-```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth update
-
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
-[*]  0)  Calendar API (supports readonly)
-[*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - Telemetry read only
-[*]  3)  Chrome Management API - read only
-[*]  4)  Chrome Policy API (supports readonly)
-[*]  5)  Chrome Printer Management API (supports readonly)
-[*]  6)  Chrome Version History API
-[*]  7)  Classroom API - Course Announcements (supports readonly)
-[*]  8)  Classroom API - Course Topics (supports readonly)
-[*]  9)  Classroom API - Course Work/Materials (supports readonly)
-[*] 10)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 11)  Classroom API - Courses (supports readonly)
-[*] 12)  Classroom API - Profile Emails
-[*] 13)  Classroom API - Profile Photos
-[*] 14)  Classroom API - Rosters (supports readonly)
-[*] 15)  Classroom API - Student Guardians (supports readonly)
-[*] 16)  Cloud Identity Groups API (supports readonly)
-[*] 17)  Cloud Storage (Vault Export - read only)
-[*] 18)  Contact Delegation API (supports readonly)
-[*] 19)  Contacts API - Domain Shared and Users and GAL
-[*] 20)  Data Transfer API (supports readonly)
-[*] 21)  Directory API - Chrome OS Devices (supports readonly)
-[*] 22)  Directory API - Customers (supports readonly)
-[*] 23)  Directory API - Domains (supports readonly)
-[*] 24)  Directory API - Groups (supports readonly)
-[*] 25)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 26)  Directory API - Organizational Units (supports readonly)
-[*] 27)  Directory API - Resource Calendars (supports readonly)
-[*] 28)  Directory API - Roles (supports readonly)
-[*] 29)  Directory API - User Schemas (supports readonly)
-[*] 30)  Directory API - User Security
-[*] 31)  Directory API - Users (supports readonly)
-[*] 32)  Email Audit API
-[*] 33)  Groups Migration API
-[*] 34)  Groups Settings API
-[*] 35)  License Manager API
-[*] 36)  People API (supports readonly)
-[*] 37)  People Directory API - read only
-[ ] 38)  Pub / Sub API
-[*] 39)  Reports API - Audit Reports
-[*] 40)  Reports API - Usage Reports
-[ ] 41)  Reseller API
-[*] 42)  Site Verification API
-[*] 43)  Sites API
-[*] 44)  Vault API (supports readonly)
-
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
-Please enter 0-44[a|r] or s|u|e|c: c
-
-Enter your Google Workspace admin email address?admin@domain.com
-
-Your browser has been opened to visit:
-
-    https://accounts.google.com/o/oauth2/v2/auth?client_id=CLIENTID&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.courses+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.announcements+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.coursework.students+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.guardianlinks.students+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.profile.emails+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.profile.photos+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.rosters+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloudprint+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdevstorage.read_only+https%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.datatransfer+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.device.chromeos+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.customer+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.domain+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.group+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.device.mobile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.orgunit+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.resource.calendar+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.rolemanagement+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.userschema+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.user.security+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.user+https%3A%2F%2Fapps-apis.google.com%2Fa%2Ffeeds%2Fcompliance%2Faudit%2F+https%3A%2F%2Fapps-apis.google.com%2Fa%2Ffeeds%2Femailsettings%2F2.0%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fapps.groups.migration+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fapps.groups.settings+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fapps.licensing+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.reports.audit.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.reports.usage.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fapps.order+https%3A%2F%2Fsites.google.com%2Ffeeds+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fediscovery&login_hint=admin%40domain.com&access_type=offline&response_type=code
-
-If your browser is on a different machine then press CTRL+C,
-set no_browser = true in gam.cfg and re-run this command.
-
-Authentication successful.
-Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Updated
-
-admin@server:/Users/admin/bin/gamadv-xtd3$
-```
-### Update GAMADV-XTD3 service account access.
-```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user user@domain.com check serviceaccount
-System time status:
-  Your system time differs by less than 1 second from Google                PASS
-Service Account Private Key Authentication:
-  Authentication                                                            PASS
-Domain-Wide Delegation authentication:, User: user@domain.com, Scopes: 28
-  https://mail.google.com/                                                  PASS (1/28)
-  https://sites.google.com/feeds                                            PASS (2/28)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (3/28)
-  https://www.googleapis.com/auth/calendar                                  PASS (4/28)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (5/28)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (6/28)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (7/28)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (8/28)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (9/28)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (10/28)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (11/28)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (12/28)
-  https://www.googleapis.com/auth/contacts                                  PASS (13/28)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (14/28)
-  https://www.googleapis.com/auth/datastudio                                PASS (15/28)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (16/28)
-  https://www.googleapis.com/auth/documents                                 PASS (17/28)
-  https://www.googleapis.com/auth/drive                                     PASS (18/28)
-  https://www.googleapis.com/auth/drive.activity                            PASS (19/28)
-  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (20/28)
-  https://www.googleapis.com/auth/drive.labels                              FAIL (21/28)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (22/28)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (23/28)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (24/28)
-  https://www.googleapis.com/auth/keep                                      PASS (25/28)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (26/28)
-  https://www.googleapis.com/auth/tasks                                     PASS (27/28)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (28/28)
-Some scopes FAILED! Please go to:
-
-https://admin.google.com/domain.com/ManageOauthClients?clientScopeToAdd=https://mail.google.com/,https://sites.google.com/feeds,https://www.google.com/m8/feeds,https://www.googleapis.com/auth/activity,https://www.googleapis.com/auth/apps.alerts,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/classroom.announcements,https://www.googleapis.com/auth/classroom.coursework.students,https://www.googleapis.com/auth/classroom.rosters,https://www.googleapis.com/auth/classroom.topics,https://www.googleapis.com/auth/cloudprint,https://www.googleapis.com/auth/contacts,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.activity,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/gmail.settings.basic,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/iam,https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/userinfo.email&clientNameToAdd=SVCACCTID
-
-You will be directed to the Google Workspace admin console. The Client Name and API
-Scopes fields will be pre-populated. Please click Authorize to allow these
-scopes access. After authorizing it may take some time for this test to pass so
-wait a few moments and then try this command again.
-
-admin@server:/Users/admin/bin/gamadv-xtd3$
-```
-The link shown in the error message should take you directly to the authorization screen.
-If not, make sure that you are logged in as a domain admin, then re-enter the link.
-
-### Verify GAMADV-XTD3 service account access.
-
-Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
-for the authorization to complete.
-```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user user@domain.com check serviceaccount
-System time status:
-  Your system time differs by less than 1 second from Google                PASS
-Service Account Private Key Authentication:
-  Authentication                                                            PASS
-Domain-Wide Delegation authentication:, User: user@domain.com, Scopes: 28
-  https://mail.google.com/                                                  PASS (1/28)
-  https://sites.google.com/feeds                                            PASS (2/28)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (3/28)
-  https://www.googleapis.com/auth/calendar                                  PASS (4/28)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (5/28)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (6/28)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (7/28)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (8/28)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (9/28)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (10/28)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (11/28)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (12/28)
-  https://www.googleapis.com/auth/contacts                                  PASS (13/28)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (14/28)
-  https://www.googleapis.com/auth/datastudio                                PASS (15/28)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (16/28)
-  https://www.googleapis.com/auth/documents                                 PASS (17/28)
-  https://www.googleapis.com/auth/drive                                     PASS (18/28)
-  https://www.googleapis.com/auth/drive.activity                            PASS (19/28)
-  https://www.googleapis.com/auth/drive.admin.labels                        PASS (20/28)
-  https://www.googleapis.com/auth/drive.labels                              PASS (21/28)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (22/28)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (23/28)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (24/28)
-  https://www.googleapis.com/auth/keep                                      PASS (25/28)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (26/28)
-  https://www.googleapis.com/auth/tasks                                     PASS (27/28)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (28/28)
-All scopes PASSED!
-Service Account Client name: SVCACCTID is fully authorized.
-
-admin@server:/Users/admin/bin/gamadv-xtd3$
-```
-
-## Windows
-
-In these examples, your Google Super admin is shown as admin@domain.com; replace with the
-actual email adddress.
-
-This example assumes that GAMADV-XTD3 has been installed in C:\GAMADV-XTD3; if you've installed
-GAMADV-XTD3 in another directory, substitute that value in the directions.
-
-GAMADV-XTD3 uses the same configuration directory and gam.cfg file as GAMADV-X and GAMADV-XTD.
-
-### Update system path
-You should update the system path to point to C:\GAMADV-XTD3.
-```
-Start Control Panel
-Click System
-Click Advanced system settings
-Click Environment Variables...
-Click Path under System variables
-Click Edit...
-If you have an existing entry referencing GAMADV-X or GAMADV-XTD:
-  Click that entry
-  Click Delete
-If C:\GAMADV-XTD3 is already on the Path, skip the next three steps
-  Click New
-  Enter C:\GAMADV-XTD3
-  Click OK
-Click OK
-Click OK
-Exit Control Panel
-```
-
-### Do you have a compatible browser?
-If the computer on which you are running GAM does not have access to a browser or
-your default browser is Internet Explorer or Edge, issue this command:
-```
-C:\GAMADV-X>gam config no_browser true save
-```
-### Update your project to include the additional APIs that GAMADV-XTD3 uses.
-```
-C:\GAMADV-XTD3>gam update project
-
-Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
-
-Your browser has been opened to visit:
-
-    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
-
-If your browser is on a different machine then press CTRL+C,
-set no_browser = true in gam.cfg and re-run this command.
-
-Authentication successful.
-API: admin.googleapis.com, already enabled...
-API: appsactivity.googleapis.com, already enabled...
-API: calendar-json.googleapis.com, already enabled...
-API: classroom.googleapis.com, already enabled...
-API: contacts.googleapis.com, already enabled...
-API: drive.googleapis.com, already enabled...
-API: gmail.googleapis.com, already enabled...
-API: groupssettings.googleapis.com, already enabled...
-API: licensing.googleapis.com, already enabled...
-API: plus.googleapis.com, already enabled...
-API: reseller.googleapis.com, already enabled...
-API: siteverification.googleapis.com, already enabled...
-API: vault.googleapis.com, already enabled...
-Enable 3 APIs
-  API: audit.googleapis.com, Enabled (1/3)
-  API: groupsmigration.googleapis.com, Enabled (2/3)
-  API: sheets.googleapis.com, Enabled (3/3)
-
-C:\GAMADV-XTD3>
-```
-### Update GAMADV-XTD3 client access.
-
-Update oauth2.txt; it must be updated to reflect the additional capabilites of GAMADV-XTD3.
-
-If the PC on which you are running GAM does not have access to a browser or if
-your default browser is Internet Explorer or Edge, issue this command:
-```
-gam config no_browser true oauth update
-```
-You will be given instructions on how to get the authorization; this involves a long URL that must be copied/pasted.
-Older versions of Command Prompt and PowerShell (Windows 7/8, Server 2008) can't properly copy/paste multi line strings;
-GAM writes the long URL into the file `gamoauthurl.txt` in the folder with the GAM executable.
-You can open the file with Notepad/Wordpad, do a control-A to select the text, control-C to copy the text,
-start a browser and paste the URL (control-V) into the address bar. Authenticate and copy the Verification code
-back to your Command Prompt/PowerShell window.
-```
-C:\GAMADV-XTD3>gam oauth update
-
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
-[*]  0)  Calendar API (supports readonly)
-[*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - Telemetry read only
-[*]  3)  Chrome Management API - read only
-[*]  4)  Chrome Policy API (supports readonly)
-[*]  5)  Chrome Printer Management API (supports readonly)
-[*]  6)  Chrome Version History API
-[*]  7)  Classroom API - Course Announcements (supports readonly)
-[*]  8)  Classroom API - Course Topics (supports readonly)
-[*]  9)  Classroom API - Course Work/Materials (supports readonly)
-[*] 10)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 11)  Classroom API - Courses (supports readonly)
-[*] 12)  Classroom API - Profile Emails
-[*] 13)  Classroom API - Profile Photos
-[*] 14)  Classroom API - Rosters (supports readonly)
-[*] 15)  Classroom API - Student Guardians (supports readonly)
-[*] 16)  Cloud Identity Groups API (supports readonly)
-[*] 17)  Cloud Storage (Vault Export - read only)
-[*] 18)  Contact Delegation API (supports readonly)
-[*] 19)  Contacts API - Domain Shared and Users and GAL
-[*] 20)  Data Transfer API (supports readonly)
-[*] 21)  Directory API - Chrome OS Devices (supports readonly)
-[*] 22)  Directory API - Customers (supports readonly)
-[*] 23)  Directory API - Domains (supports readonly)
-[*] 24)  Directory API - Groups (supports readonly)
-[*] 25)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 26)  Directory API - Organizational Units (supports readonly)
-[*] 27)  Directory API - Resource Calendars (supports readonly)
-[*] 28)  Directory API - Roles (supports readonly)
-[*] 29)  Directory API - User Schemas (supports readonly)
-[*] 30)  Directory API - User Security
-[*] 31)  Directory API - Users (supports readonly)
-[*] 32)  Email Audit API
-[*] 33)  Groups Migration API
-[*] 34)  Groups Settings API
-[*] 35)  License Manager API
-[*] 36)  People API (supports readonly)
-[*] 37)  People Directory API - read only
-[ ] 38)  Pub / Sub API
-[*] 39)  Reports API - Audit Reports
-[*] 40)  Reports API - Usage Reports
-[ ] 41)  Reseller API
-[*] 42)  Site Verification API
-[*] 43)  Sites API
-[*] 44)  Vault API (supports readonly)
-
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
-Please enter 0-44[a|r] or s|u|e|c: c
-
-Enter your Google Workspace admin email address? admin@domain.com
-
-Your browser has been opened to visit:
-
-    https://accounts.google.com/o/oauth2/v2/auth?client_id=CLIENTID&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.courses+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.announcements+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.coursework.students+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.guardianlinks.students+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.profile.emails+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.profile.photos+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.rosters+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloudprint+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdevstorage.read_only+https%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.datatransfer+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.device.chromeos+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.customer+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.domain+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.group+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.device.mobile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.orgunit+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.resource.calendar+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.rolemanagement+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.userschema+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.user.security+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.user+https%3A%2F%2Fapps-apis.google.com%2Fa%2Ffeeds%2Fcompliance%2Faudit%2F+https%3A%2F%2Fapps-apis.google.com%2Fa%2Ffeeds%2Femailsettings%2F2.0%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fapps.groups.migration+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fapps.groups.settings+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fapps.licensing+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.reports.audit.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.reports.usage.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fapps.order+https%3A%2F%2Fsites.google.com%2Ffeeds+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fediscovery&login_hint=admin%40domain.com&access_type=offline&response_type=code
-
-If your browser is on a different machine then press CTRL+C,
-set no_browser = true in gam.cfg and re-run this command.
-
-Authentication successful.
-Client OAuth2 File: C:\GAMConfig\oauth2.txt, Updated
-
-C:\GAMADV-XTD3>
-```
-### Enable GAMADV-XTD3 service account access.
-```
-C:\GAMADV-XTD3>gam user user@domain.com check serviceaccount
-System time status:
-  Your system time differs by less than 1 second from Google                PASS
-Service Account Private Key Authentication:
-  Authentication                                                            PASS
-Domain-Wide Delegation authentication:, User: user@domain.com, Scopes: 28
-  https://mail.google.com/                                                  PASS (1/28)
-  https://sites.google.com/feeds                                            PASS (2/28)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (3/28)
-  https://www.googleapis.com/auth/calendar                                  PASS (4/28)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (5/28)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (6/28)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (7/28)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (8/28)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (9/28)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (10/28)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (11/28)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (12/28)
-  https://www.googleapis.com/auth/contacts                                  PASS (13/28)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (14/28)
-  https://www.googleapis.com/auth/datastudio                                PASS (15/28)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (16/28)
-  https://www.googleapis.com/auth/documents                                 PASS (17/28)
-  https://www.googleapis.com/auth/drive                                     PASS (18/28)
-  https://www.googleapis.com/auth/drive.activity                            PASS (19/28)
-  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (20/28)
-  https://www.googleapis.com/auth/drive.labels                              FAIL (21/28)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (22/28)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (23/28)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (24/28)
-  https://www.googleapis.com/auth/keep                                      PASS (25/28)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (26/28)
-  https://www.googleapis.com/auth/tasks                                     PASS (27/28)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (28/28)
-Some scopes FAILED! Please go to:
-
-https://admin.google.com/domain.com/ManageOauthClients?clientScopeToAdd=https://mail.google.com/,https://sites.google.com/feeds,https://www.google.com/m8/feeds,https://www.googleapis.com/auth/activity,https://www.googleapis.com/auth/apps.alerts,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/classroom.announcements,https://www.googleapis.com/auth/classroom.coursework.students,https://www.googleapis.com/auth/classroom.rosters,https://www.googleapis.com/auth/classroom.topics,https://www.googleapis.com/auth/cloudprint,https://www.googleapis.com/auth/contacts,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.activity,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/gmail.settings.basic,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/iam,https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/userinfo.email&clientNameToAdd=SVCACCTID
-
-You will be directed to the Google Workspace admin console. The Client Name and API
-Scopes fields will be pre-populated. Please click Authorize to allow these
-scopes access. After authorizing it may take some time for this test to pass so
-wait a few moments and then try this command again.
-
-C:\GAMADV-XTD3>
-```
-The link shown in the error message should take you directly to the authorization screen.
-If not, make sure that you are logged in as a domain admin, then re-enter the link.
-
-### Verify GAMADV-XTD3 service account access.
-
-Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
-for the authorization to complete.
-```
-C:\GAMADV-XTD3>gam user user@domain.com check serviceaccount
-System time status:
-  Your system time differs by less than 1 second from Google                PASS
-Service Account Private Key Authentication:
-  Authentication                                                            PASS
-Domain-Wide Delegation authentication:, User: user@domain.com, Scopes: 28
-  https://mail.google.com/                                                  PASS (1/28)
-  https://sites.google.com/feeds                                            PASS (2/28)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (3/28)
-  https://www.googleapis.com/auth/calendar                                  PASS (4/28)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (5/28)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (6/28)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (7/28)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (8/28)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (9/28)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (10/28)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (11/28)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (12/28)
-  https://www.googleapis.com/auth/contacts                                  PASS (13/28)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (14/28)
-  https://www.googleapis.com/auth/datastudio                                PASS (15/28)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (16/28)
-  https://www.googleapis.com/auth/documents                                 PASS (17/28)
-  https://www.googleapis.com/auth/drive                                     PASS (18/28)
-  https://www.googleapis.com/auth/drive.activity                            PASS (19/28)
-  https://www.googleapis.com/auth/drive.admin.labels                        PASS (20/28)
-  https://www.googleapis.com/auth/drive.labels                              PASS (21/28)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (22/28)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (23/28)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (24/28)
-  https://www.googleapis.com/auth/keep                                      PASS (25/28)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (26/28)
-  https://www.googleapis.com/auth/tasks                                     PASS (27/28)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (28/28)
-All scopes PASSED!
-Service Account Client name: SVCACCTID is fully authorized.
-
-C:\GAMADV-XTD3>
-```

docs/Inbound-SSO-Settings.md

@@ -0,0 +1,192 @@
+Beginning with GAM 6.31, you can now manage Workspace / Cloud Identity Inbound SSO settings. You can add SAML SSO profiles, upload certificates for those profiles and assign the profiles to OrgUnits or Groups.
+
+- [Create an Inbound SSO Profile](#create-an-inbound-sso-profile)
+- [Update an Inbound SSO Profile](#update-an-inbound-sso-profile)
+- [Get Info About an Inbound SSO Profile](#get-info-about-an-inbound-sso-profile)
+- [Delete an Inbound SSO Profile](#delete-an-inbound-sso-profile)
+- [Print/show Inbound SSO Profiles](#printshow-inbound-sso-profiles)
+- [Create or Replace Credentials](#create-or-replace-credentials)
+- [Delete Credentials](#delete-credentials)
+- [Print/show Credentials](#printshow-credentials)
+- [Create an Inbound SSO Assignment](#create-an-inbound-sso-assignment)
+- [Update an Inbound SSO Assignment](#update-an-inbound-sso-assignment)
+- [Get Info About an Inbound SSO Assignment](#get-info-about-an-inbound-sso-assignment)
+- [Print/show Inbound SSO Assignments](#printshow-inbound-sso-assignments)
+
+# Create an Inbound SSO Profile
+## Syntax
+```
+gam create inboundssoprofile [name <name>] [entityid <entityid>] [loginurl <url>] [logouturl <url>] [changepasswordurl <url>]
+```
+Creates a new Inbound SSO profile with details about the remote SAML IDP. All fields are optional on create but must be set in order for the profile to be considered complete and assignable to groups/orgunits. Name and entityid specify the name and entity ID for the profile. loginurl, logouturl and changepasswordurl specify the IDP URLs for the respective actions.
+
+## Example
+This example creates a profile for your SimpleSAMLPHP IDP
+```
+gam create inboundssoprofile name "SimpleSAMLPHP" entityid simplesamlphp loginurl "https://dev2.andreas.feide.no/simplesaml/saml2/idp/SSOService.php" logouturl "https://www.google.com" changepasswordurl "https://www.google.com"
+```
+----
+
+# Update an Inbound SSO Profile
+## Syntax
+```
+gam update inboundssoprofile <profile name or id:profile_id> [name <newname>] [entityid <newentityid>] [loginurl <url>] [logouturl <url>] [changepasswordurl <url>]
+```
+Update an existing Inbound SSO Profile. The profile to update can be specified using the profile name like "SimpleSAMLPHP" or the unique ID Of the profile prefixed with "id:". The name, entityid, loginurl, logouturl and changepasswordurl parameters can optionally be entered in order to update those respective fields for the profile.
+
+## Example
+This example updates the logout URL for our profile.
+```
+gam update inboundssoprofile "SimpleSAMLPHP" logouturl "https://dev2.andreas.feide.no/logout.html"
+```
+----
+
+# Get Info About an Inbound SSO Profile
+## Syntax
+```
+gam info inboundssoprofile <profile name or id:profile>
+```
+Show information about an existing profile. The profile can be referenced by name or unique ID prefixed with id:
+
+## Example
+Shows information about a profile
+```
+gam info inboundssoprofile SimpleSAMLPHP
+```
+----
+
+# Delete an Inbound SSO Profile
+## Syntax
+```
+gam delete inboundssoprofile <profile name or id:profile>
+```
+Deletes an existing inboundssoprofile. The profile can be referenced by name or unique ID prefixed with id:
+
+## Example
+Deletes a profile
+```
+gam delete inboundssoprofile SimpleSAMLPHP
+```
+----
+
+# Print/show Inbound SSO Profiles
+## Syntax
+```
+gam print|show inboundssoprofiles [todrive]
+```
+Prints (CSV output) or shows (human readable output) all current Inbound SSO Profiles. On print only, the optional argument todrive causes GAM to generate a Google Sheet of the CSV results rather than printing them to the console.
+
+## Example
+This example shows all current profiles.
+```
+gam show inboundssoprofiles
+```
+----
+
+# Create or Replace Credentials
+## Syntax
+```
+gam create inboundssocredential [profile <profile name or id:profile_id>] [pemfile <filename>] [generate_key] [key_size] [replace_oldest]
+```
+Creates a new key for the given Inbound SSO profile or replaces the oldest one (Google allows 2 credentials per profile). The profile argument is mandatory and specifies which Inbound SSO profile the credentials should be associated with. pemfile "filename" or generate_key must be specified in order to upload a RSA/DSA PEM file's contents or generate a new RSA private key and public certificate and upload the generated certificate. The generated filenames will show on the console. key_size specifies the size of the RSA key GAM should generate. Allowed values are 1024, 2048 and 4096. replace_oldest specifies that if there are already two credentials for the profile (and only if there are two), the oldest credentials should be deleted to make room for the new credential you are creating.
+
+**IMPORTANT** Google ignores any expiration date on public certificates. As long as the public certificate credential exists in the profile Google will allow logins which are signed by the corresponding private key. You should ALWAYS delete old certificates once they should no longer be in use.
+
+## Example
+This example uploads an existing public certificate contained in a PEM file
+```
+gam create inboundssocredential profile SimpleSAMLPHP pemfile new_pub_cert.pem
+```
+This example generates a new 4k key and replaces the oldest key if there are already two.
+```
+gam create inboundssocredential profile SimpleSAMLPHP generate_key key_size 4096 replace_oldest
+```
+----
+
+# Delete Credentials
+## Syntax
+```
+gam delete inboundssocredential <name>
+```
+Deletes an existing Inbound SSO credential. The name is the unique ID Google assigns to a credential.
+
+## Example
+This example deletes an existing credential by name.
+```
+gam delete inboundssocredential inboundSamlSsoProfiles/03h0nwgl1qms6ww/idpCredentials/K8748028
+```
+----
+ 
+# Print/show Credentials
+## Syntax
+```
+gam print|show inboundssocredentials [profiles <name or id:profile>,<another name>] [todrive]
+```
+Print (CSV output) or show (human readable output) the current Inbound SSO credentials. The optional argument profiles specifies the name or ID of Inbound SSO profiles (comma separated) whose credentials should be output. On print, the optional argument todrive causes a Google Sheet to be generated with the CSV output rather than printing it to the console.
+
+## Example
+This example print all credentials to a Google Sheet.
+```
+gam print inboundssocredentials todrive
+```
+This example shows the credentials for a single profile.
+```
+gam show inboundssocredentials profile SimpleSAMLPHP
+```
+----
+
+# Create an Inbound SSO Assignment
+## Syntax
+```
+gam create inboundssoassignment [profile <name or id:profile_id>] [group groupemail@domain.com] [orgunit /OrgUnit/Path] [mode SAML_SSO|SSO_OFF|DOMAIN_WIDE_SAML_IF_ENABLED] [rank <number>] [never_redirect]
+```
+Assigns a given Inbound SSO profile to a group or orgunit. You must specify one of group or orgunit. mode is also a mandatory argument and specifies the SSO behavior of the assignment. Use one of SAML_SSO, SSO_OFF or DOMAIN_WIDE_SAML_IF_ENABLED. If mode is SAML_SSO you must specify the profile to assign with profile. rank is optional for group assignments and specifies the numeric ranking of the assignment for priority. The rank for orgunit assignments is always zero (0). The optional argument never_redirect causes Google to never redirect to the IDP (SP initiated login disabled, IDP initiated login will work).
+
+## Example
+This example assigns a profile to the Sales group
+```
+gam create inboundssoassignment profile SimpleSAMLPHP group sales@acme.com mode SAML_SSO
+```
+----
+
+# Update an Inbound SSO Assignment
+## Syntax
+```
+gam update inboundssoassignment group|orgunit [profile <name or id:profile_id>] [mode SAML_SSO|SSO_OFF|DOMAIN_WIDE_SAML_IF_ENABLED] [rank <number>] [never_redirect]
+```
+Updates an existing Inbound SSO assignment based on the group or orgunit. mode specifies the assigned SSO mode and should be one of SAML_SSO, SSO_OFF or DOMAIN_WIDE_SAML_IF_ENABLED. If mode is SAML_SSO, profile can be specified to update the SSO profile assigned. rank is optional for group assignments and specifies the numeric ranking which sets priority of the assignment, rank for OrgUnits is always 0. never_redirect is optional and disables Google redirecting users to the IDP, IDP-initiated login is still allowed.
+
+## Example
+This example turns SSO on for the root OU
+```
+gam update inboundssoassignment ou:/ mode SAML_SSO profile "SimpleSAMLPHP"
+```
+----
+
+# Get Info About an Inbound SSO Assignment
+## Syntax
+```
+gam info inboundssoassignment group|orgunit
+```
+Displays information about an existing Inbound SSO assignment.
+
+## Example
+These examples shows the assignment status of the root OU and the sales@acme.com group.
+```
+gam info inboundssoassignment ou:/
+gam info inboundssoassignment group:sales@acme.com
+```
+----
+
+# Print/show Inbound SSO Assignments
+## Syntax
+```
+gam print|show inboundssoassignments [todrive]
+```
+Prints (CSV format) or shows (human readable format) all current Inbound SSO assignments. On print, if todrive is specified a Google Sheet of the CSV results is created rather than outputting it to the console.
+
+## Example
+This example shows all current assignments
+```
+gam show inboundssoassignments
+```

docs/Inbound-SSO.md

@@ -1,4 +1,4 @@
-# Inbound SSO
+!# Inbound SSO
 - [Admin Console](#admin-console)
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
@@ -53,6 +53,9 @@ use the `returnnameonly` option to have GAM display just the profile name of the
 This will be useful in scripts that create|update a profile and then want to perform subsequent GAM commands that
 reference the profile.
 
+If `returnnameonly is specified, `inProgress` is returned if the API does not return a complete result.
+
+```
 gam delete inboundssoprofile <SSOProfileItem>
 ```
 

docs/Install-GAM-as-Python-Library.md

@@ -9,12 +9,12 @@ Scroll down to Install Git
 
 You can install GAM as a Python library with pip.
 ```
-pip install git+https://github.com/taers232c/GAMADV-XTD3.git#subdirectory=src --use-pep517
+pip install git+https://github.com/GAM-team/GAM.git#subdirectory=src
 ```
 
 Or as a PEP 508 Requirement Specifier, e.g. in requirements.txt file:
 ```
-advanced-gam-for-google-workspace @ git+https://github.com/taers232c/GAMADV-XTD3.git#subdirectory=src
+advanced-gam-for-google-workspace @ git+https://github.com/GAM-team/GAM.git#subdirectory=src
 ```
 
 Or a pyproject.toml file:
@@ -23,13 +23,13 @@ Or a pyproject.toml file:
 name = "your-project"
 # ...
 dependencies = [
-    "advanced-gam-for-google-workspace @ git+https://github.com/taers232c/GAMADV-XTD3.git#subdirectory=src"
+    "advanced-gam-for-google-workspace @ git+https://github.com/GAM-team/GAM.git#subdirectory=src"
 ]
 ```
 
 Target a specific revision or tag:
 ```
-advanced-gam-for-google-workspace @ git+https://github.com/taers232c/GAMADV-XTD3.git@v6.58.00#subdirectory=src
+advanced-gam-for-google-workspace @ git+https://github.com/GAM-team/GAM.git@v6.76.01#subdirectory=src
 ```
 
 ## Using the library

docs/LicenseExamples.md

@@ -0,0 +1,121 @@
+- [License Types](#license-types)
+- [Adding a License for Users](#adding-a-license-for-users)
+- [Updating a License for Users](#updating-a-license-for-users)
+- [Deleting a License for Users](#deleting-a-license-for-users)
+- [Sync a License for Users](#sync-a-license-for-users)
+
+# License Types
+GAM supports the licenses listed in the "Product SKU ID" column of [Google's Documentation](https://developers.google.com/admin-sdk/licensing/v1/how-tos/products). Additionally, GAM supports abbreviations for some of the SKU names:
+
+| License SKU              | Abbreviation  |
+|--------------------------|---------------|
+| AppSheet Core | appsheetcore |
+| AppSheet Enterprise Standard | appsheetstandard |
+| AppSheet Enterprise Plus | appsheetplus |
+| Assured Controls | assuredcontrols |
+| Beyond Corp Enterprise | bce |
+| Cloud Identity Free | cloudidentity |
+| Cloud Identity Premium | cloudidentitypremium |
+| Cloud Search | cloudsearch |
+| G Suite Basic |  gsuitebasic |
+| G Suite Business | gsuitebusiness |
+| G Suite Business Archived | gsuitebusinessarchived |
+| G Suite Enterprise Archived | gsuiteenterprisearchived |
+| G Suite Enterprise for Education | gsuiteenterpriseeducation |
+| G Suite Enterprise for Education (Student) | gsuiteenterpriseeducationstudent |
+| G Suite Free/Standard | standard |
+| G Suite Government | gsuitegov |
+| G Suite Lite | gsuitelite |
+| G Suite Message Security | postini |
+| Google Chrome Device Management | cdm |
+| Google Drive Storage 20gb | 20gb |
+| Google Drive Storage 50gb | 50gb |
+| Google Drive Storage 200gb | 200gb |
+| Google Drive Storage 400gb | 400gb |
+| Google Drive Storage 1tb | 1tb |
+| Google Drive Storage 2tb | 2tb |
+| Google Drive Storage 4tb | 4tb |
+| Google Drive Storage 8tb | 8tb |
+| Google Drive Storage 16tb | 16tb |
+| Google Meet Global Dialing | meetdialing |
+| Google Vault | vault |
+| Google Vault Former Employee | vfe |
+| Google Voice Starter | voicestarter |
+| Google Voice Standard | voicestandard |
+| Google Voice Premier | voicepremier |
+| Google Workspace Business Starter | wsbizstart |
+| Google Workspace Business Standard | wsbizstan |
+| Google Workspace Business Plus | wsbizplus |
+| Google Workspace Enterprise Essentials | wsentess |
+| Google Workspace Enterprise Standard | wsentstan |
+| Google Workspace Enterprise Plus | wsentplus |
+| Google Workspace Essentials | wsess |
+
+# Adding a License for Users
+## Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users add license <sku>
+```
+Assign a license for the given SKU to a user or number of users.
+## Example
+This example gives members of the sales team a Vault license
+```
+gam group sales add license vault
+```
+
+This example gives users in the "Google Coordinate" OU a license for Google Coordinate
+```
+gam ou "Google Coordinate" add license Google-Coordinate
+```
+
+---
+
+
+# Updating a License for Users
+## Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users update license <sku> from <oldsku>
+```
+Update the license for the given users.
+
+## Example
+This example switches a user from Google Apps Message Security to Google Apps for Work licensing.
+```
+gam user heavydriveuser@acme.org update license gafw from gams
+```
+
+---
+
+
+# Deleting a License for Users
+## Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users delete license <sku>
+```
+Deletes the given SKU license for the users.
+
+## Example
+This example will remove the Coordinate license for all users.
+```
+gam all users delete license coordinate
+```
+
+---
+
+# Sync a License for Users
+## Syntax
+```
+gam user <username>|group <groupname>|ou <ouname>|all users sync license <sku>
+```
+Adds and removes licenses from users based on their inclusion in the specified user list. The inclusion list could be a Google Group, OrgUnit or local text file. Users who are not included in the user list and who have the license applied will have the given license type removed from their account. Users included in the user list and who do not have the license will have it added to their account.
+
+## Example
+This example will create two Google Groups named e4e and e4es, add currently licensed users to the groups and finally sync the license to the group. Because we use group_ns (group no suspended) in the last step, suspended users will have the license removed. Rerunning the final two commands on a recurring basis will keep the licenses aligned with the non-suspended group members.
+
+```
+gam create group e4e "G Suite Enterprise for EDU users"
+gam create group e4es "G Suite Enterprise for EDU Student users"
+gam update group e4e add members license gsuiteenterpriseeducation
+gam update group e4es add members license gsuiteenterpriseeducationstudent
+gam group_ns e4e sync license gsuiteenterpriseforeducation
+gam group_ns e4es sync license gsuiteenterpriseforeducationstudent

docs/Licenses.md

@@ -1,4 +1,4 @@
-# Licenses
+!# Licenses
 - [API documentation](#api-documentation)
 - [License Products and SKUs](#license-products-and-skus)
 - [Definitions](#definitions)
@@ -20,15 +20,19 @@
 |--------------|------------|
 | AppSheet | 101038 |
 | Assured Controls | 101039 |
-| Beyond Corp Enterprise | 101040 |
+| Chrome Enterprise | 101040 |
 | Cloud Identity Free | 101001 |
 | Cloud Identity Premium | 101005 |
 | Cloud Search | 101035 |
+| Colab | 101050 |
+| Education Endpoint Management | 101049 |
+| Gemini | 101047 |
 | Google Chrome Device Management | Google-Chrome-Device-Management |
 | Google Drive Storage | Google-Drive-storage |
 | Google Meet Global Dialing | 101036 |
 | Google Vault |Google-Vault |
 | Google Voice | 101033 |
+| Google Workspace Additional Storage | 101043 |
 | Google Workspace Archived User | 101034 |
 | Google Workspace for Education | 101031 |
 | Google Workspace for Education | 101037 |
@@ -36,18 +40,27 @@
 
 | License Name | License SKU | Abbreviation  |
 |--------------|-------------|---------------|
+| AI Meetings and Messaging | 1010470007 | aimeetingsandmessaging | 
+| AI Security | 1010470006 |  aisecurity |
 | AppSheet Core | 1010380001 | appsheetcore |
 | AppSheet Enterprise Standard | 1010380002 | appsheetstandard |
 | AppSheet Enterprise Plus | 1010380003 | appsheetplus |
 | Assured Controls | 1010390001 | assuredcontrols |
-| Beyond Corp Enterprise | 1010400001 | bce |
+| Chrome Enterprise Premium | 1010400001 | cep | chromeenterprisepremium |
 | Cloud Identity Free | 1010010001 | cloudidentity |
 | Cloud Identity Premium | 1010050001 | cloudidentitypremium |
 | Cloud Search | 1010350001 | cloudsearch |
+| Colab Pro | 1010500001 | colabpro |
+| Colab Pro+ | 1010500002 | colabpro+ | colabproplus |
+| Endpoint Education Upgrade | 1010490001 | eeu |
 | G Suite Basic | Google-Apps-For-Business | gsuitebasic |
 | G Suite Business | Google-Apps-Unlimited | gsuitebusiness |
 | G Suite Legacy | Google-Apps | standard |
 | G Suite Lite | Google-Apps-Lite | gsuitelite |
+| Gemini Business | 1010470003 | geminibiz
+| Gemini Education | 1010470004 | geminiedu |
+| Gemini Education Premium | 1010470005 | geminiedupremium |
+| Gemini Enterprise | 1010470001 | geminient | duetai |
 | Google Apps Message Security | Google-Apps-For-Postini | postini |
 | Google Chrome Device Management | Google-Chrome-Device-Management | cdm |
 | Google Drive Storage 16TB | Google-Drive-storage-16TB | 16tb |
@@ -65,18 +78,22 @@
 | Google Voice Premier | 1010330002 | voicepremier |
 | Google Voice Standard | 1010330004 | voicestandard |
 | Google Voice Starter | 1010330003 | voicestarter |
+| Google Workspace Additional Storage | 1010430001 | gwas |
 | Google Workspace Business - Archived User | 1010340002 | gsuitebusinessarchived |
-| Google Workspace Business Plus - Archived User | 1010340003 | wsbizplusarchived |
 | Google Workspace Business Plus | 1010020025 | wsbizplus |
+| Google Workspace Business Plus - Archived User | 1010340003 | wsbizplusarchived |
 | Google Workspace Business Standard | 1010020028 | wsbizstan |
+| Google Workspace Business Standard - Archived User | 1010340006 | wsbizstanarchived |
 | Google Workspace Business Starter | 1010020027 | wsbizstarter |
+| Google Workspace Business Starter - Archived User | 1010340005 | wsbizstarterarchived |
 | Google Workspace Enterprise Essentials | 1010060003 | wsentess |
-| Google Workspace Enterprise Plus - Archived User | 1010340001 | gsuiteenterprisearchived |
 | Google Workspace Enterprise Plus | 1010020020 | wsentplus |
-| Google Workspace Enterprise Standard - Archived User | 1010340004 | wsentstanarchived |
+| Google Workspace Enterprise Plus - Archived User | 1010340001 | gsuiteenterprisearchived |
 | Google Workspace Enterprise Standard | 1010020026 | wsentstan |
+| Google Workspace Enterprise Standard - Archived User | 1010340004 | wsentstanarchived |
 | Google Workspace Enterprise Starter | 1010020029 | wsentstarter |
 | Google Workspace Essentials | 1010060001 | wsess |
+| Google Workspace Essentials Plus | 1010060005 | wsessplus |
 | Google Workspace Government | Google-Apps-For-Government | gsuitegov |
 | Google Workspace for Education Plus (Extra Student) | 1010310010 | gwepstudent |
 | Google Workspace for Education Plus (Staff) | 1010310009 | gwepstaff |
@@ -87,7 +104,9 @@
 | Google Workspace for Education Standard (Staff) | 1010310006 | gwesstaff |
 | Google Workspace for Education Standard | 1010310005 | gwes |
 | Google Workspace for Education: Teaching and Learning Upgrade | 1010370001 | gwetlu |
-| Google Workspace Frontline | 1010020030 | wsflw,workspacefrontline,workspacefrontlineworker |
+| Google Workspace Frontline Starter | 1010020030 | wsflw |
+| Google Workspace Frontline Standard | 1010020031 | wsflwstan |
+| Google Workspace Labs | 1010470002 | gwlabs | workspacelabs |
 
 ## Definitions
 ```
@@ -104,6 +123,10 @@
         101038 |
         101039 |
         101040 |
+        101043 |
+        101047 |
+        101049 |
+        101050 |
         Google-Apps |
         Google-Chrome-Device-Management |
         Google-Drive-storage |
@@ -121,49 +144,64 @@
         4tb | drive4tb | googledrivestorage4tb | Google-Drive-storage-4TB |
         8tb | drive8tb | googledrivestorage8tb | Google-Drive-storage-8TB |
         16tb | drive16tb | googledrivestorage16tb | Google-Drive-storage-16TB |
-        appsheetcore | 1010380001 |
-        appsheetstandard | appsheetenterprisestandard | 1010380002 |
-        appsheetplus | appsheetenterpriseplus | 1010380003 |
-        assuredcontrols | 1010390001 |
-        bce | beyondcorp | beyondcorpenterprise | 1010400001 |
+        aimeetingsandmessaging | 1010470007 | AI Meetings and Messaging |
+        aisecurity | 1010470006 | AI Security |
+        appsheetcore | 1010380001 | AppSheet Core |
+        appsheetstandard | appsheetenterprisestandard | 1010380002 | AppSheet Enterprise Standard |
+        appsheetplus | appsheetenterpriseplus | 1010380003 | AppSheet Enterprise Plus |
+        assuredcontrols | 1010390001 | Assured Controls |
+        bce | beyondcorp | beyondcorpenterprise | cep | chromeenterprisepremium | 1010400001 | Chrome Enterprise Premium |
         cdm | chrome | googlechromedevicemanagement | Google-Chrome-Device-Management |
-        cloudidentity | identity | 1010010001 |
-        cloudidentitypremium | identitypremium | 1010050001 |
-        cloudsearch | 1010350001 |
+        cloudidentity | identity | 1010010001 | Cloud Identity |
+        cloudidentitypremium | identitypremium | 1010050001 | Cloud Identity Premium |
+        cloudsearch | 1010350001 | Cloud Search |
+        colabpro | 1010500001 | Colab Pro |
+        colabpro+ | colabproplus | 1010500002 | Colab Pro+ |
+        eeu | 1010490001 | SKU Endpoint Education Upgrade |
+        geminibiz | 1010470003 | Gemini Business |
+        geminiedu | 1010470004 | Gemini Education |
+        geminiedupremium| 1010470005 | Gemini Education Premium |
+        geminient| duetai | 1010470001 | Gemini Enterprise |
         gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
         gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
-        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 |
-        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 |
-        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 |
-        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 |
+        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 | Google Workspace Business - Archived User |
+        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 | Google Workspace Enterprise Plus - Archived User |
+        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 | Google Workspace for Education Plus - Legacy |
+        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 | Google Workspace for Education Plus - Legacy (Student) |
         gsuitegov | gafg | gsuitegovernment | Google-Apps-For-Government |
         gsuitelite | gal | gsl | lite | Google-Apps-Lite |
-        gwep | workspaceeducationplus | 1010310008 |
-        gwepstaff | workspaceeducationplusstaff | 1010310009 |
-        gwepstudent | workspaceeducationplusstudent | 1010310010 |
-        gwes | workspaceeducationstandard | 1010310005 |
-        gwesstaff | workspaceeducationstandardstaff | 1010310006 |
-        gwesstudent | workspaceeducationstandardstudent | 1010310007 |
-        gwetlu | workspaceeducationupgrade | 1010370001 |
-        meetdialing | googlemeetglobaldialing | 1010360001 |
+        gwep | workspaceeducationplus | 1010310008 | Google Workspace for Education Plus |
+        gwepstaff | workspaceeducationplusstaff | 1010310009 | Google Workspace for Education Plus (Staff) |
+        gwepstudent | workspaceeducationplusstudent | 1010310010 | Google Workspace for Education Plus (Extra Student)|
+        gwes | workspaceeducationstandard | 1010310005 | Google Workspace for Education Standard |
+        gwesstaff | workspaceeducationstandardstaff | 1010310006 | Google Workspace for Education Standard (Staff) |
+        gwesstudent | workspaceeducationstandardstudent | 1010310007 | Google Workspace for Education Standard (Extra Student)
+        gwetlu | workspaceeducationupgrade | 1010370001 | Google Workspace for Education: Teaching and Learning Upgrade |
+        gwlabs | workspacelabs | 1010470002 | Google Workspace Labs |
+        meetdialing | googlemeetglobaldialing | 1010360001 |  Google Meet Global Dialing |
         postini | gams | gsuitegams | gsuitepostini | gsuitemessagesecurity | Google-Apps-For-Postini |
         standard | free | Google-Apps |
         vault | googlevault | Google-Vault |
         vfe | googlevaultformeremployee | Google-Vault-Former-Employee |
-        voicepremier | gvpremier | googlevoicepremier | 1010330002 |
-        voicestandard | gvstandard | googlevoicestandard | 1010330004 |
-        voicestarter | gvstarter | googlevoicestarter | 1010330003 |
-        wsbizplus | workspacebusinessplus | 1010020025 |
-        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 |
-        wsbizstan | workspacebusinessstandard | 1010020028 |
-        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 |
-        wsentess | workspaceenterpriseessentials | 1010060003 |
-        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 |
-        wsentstan | workspaceenterprisestandard | 1010020026 |
-        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 |
-        wsentstarter | workspaceenterprisestarter | 1010020029 | wes |
-        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 |
-        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030
+        voicepremier | gvpremier | googlevoicepremier | 1010330002 | Google Voice Premier 
+        voicestandard | gvstandard | googlevoicestandard | 1010330004 | Google Voice Standard |
+        voicestarter | gvstarter | googlevoicestarter | 1010330003 | Google Voice Starter |
+        wsas | plusstorage | 1010430001 | Google Workspace Additional Storage |
+        wsbizplus | workspacebusinessplus | 1010020025 | Google Workspace Business Plus |
+        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 | Google Workspace Business Plus - Archived User |
+        wsbizstan | workspacebusinessstandard | 1010020028 | Google Workspace Business Standard }
+        wsbizstanarchived | workspacebusinessstandardarchived | 1010340006 | Google Workspace Business Standard - Archived User |
+        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 | Google Workspace Business Starter |
+        wsbizstarterarchived | workspacebusinessstarterarchived | 1010340005 | Google Workspace Business Starter - Archived User |
+        wsentess | workspaceenterpriseessentials | 1010060003 | Google Workspace Enterprise Essentials |
+        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 | Google Workspace Enterprise Plus |
+        wsentstan | workspaceenterprisestandard | 1010020026 | Google Workspace Enterprise Standard |
+        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 | Google Workspace Enterprise Standard - Archived User |
+        wsentstarter | workspaceenterprisestarter | wes | 1010020029 | Workspace Enterprise Starter |
+        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 | Google Workspace Essentials |
+        wsessplus | workspaceessentialsplus | 1010060005 | Google Workspace Essentials Plus |
+        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030 | Google Workspace Frontline Starter |
+        wsflwstan | workspacefrontlinestan | workspacefrontlineworkerstan | 1010020031 | Google Workspace Frontline Standard
 <SKUIDList> ::= "<SKUID>(,<SKUID>)*"
 ```
 ## Notes

docs/List-Items.md

@@ -1,4 +1,4 @@
-# List Items
+!# List Items
 - [Lists of basic items](#lists-of-basic-items)
 - [List quoting rules](#list-quoting-rules)
 - [Basic Items](Basic-Items)
@@ -30,12 +30,11 @@
 <CourseWorkIDList> ::= "<CourseWorkID>(,<CourseWorkID>)*"
 <CourseWorkStateList> ::= all|"<CourseWorkState>(,<CourseWorkState>)*"
 <CrOSIDList> ::= "<CrOSID>(,<CrOSID>)*"
-<DataStudioAssetIDList> ::= "<DataStudioAssetID>(,<DataStudioAssetID>)*"
-<DataStudioPermissionList> ::= "<DataStudioPermission>(,<DataStudioPermission>)*"
 <DeviceIDList> ::= "<DeviceID>(,<DeviceID>)*"
 <DeviceUserList> ::= "<DeviceUserID>(,<DeviceUserID>)*"
 <DomainNameList> ::= "<DomainName>(,<DomainName>)*"
 <DriveFileACLRoleList> ::= "<DriveFileACLRole>(,<DriveFileACLRole>)*"
+<DriveFileACLTypeList> ::= "<DriveFileACLType>(,<DriveFileACLType>)*"
 <DriveFileList> ::= "<DriveFileItem>(,<DriveFileItem>)*"
 <DriveFilePermissionList> ::= "<DriveFilePermission>(,<DriveFilePermission>)*"
 <DriveFilePermissionIDList> ::= "<DriveFilePermissionID>(,<DriveFilePermissionID>)*"
@@ -44,6 +43,7 @@
 <DriveFolderNameList> ::= "<DriveFolderName>(,<DriveFolderName>)*"
 <DriveLabelIDList> ::= "<DriveLabelID>(,<DriveLabelID>)*"
 <DriveLabelNameList> ::= "<DriveLabelName>(,<DriveLabelName>)*"
+<DriveLabelPermissionNameList> ::= "<DriveLabelPermissionName>(,<DriveLabelPermissionName>)*"
 <DriveLabelFieldIDList> ::= "<DriveLabelFieldID>(,<DriveLabelFieldID>)*"
 <DriveLabelSelectionIDList> ::= "<DriveLabelSelectionID>(,<DriveLabelSelectionID>)*"
 <EmailAddressList> ::= "<EmailAddress>(,<EmailAddress>)*"
@@ -63,10 +63,13 @@
 <LabelIDList> ::= "<LabelID>(,<LabelID>)*"
 <LabelNameList> ::= "'<LabelName>'(,'<LabelName>')*"
 <LanguageList> ::= "<Language>(,<Language>)*"
+<LookerStudioAssetIDList> ::= "<LookerStudioAssetID>(,<LookerStudioAssetID>)*"
+<LookerStudioPermissionList> ::= "<LookerStudioPermission>(,<LookerStudioPermission>)*"
 <MatterItemList> ::= "<MatterItem>(,<MatterItem>)*"
 <MatterStateList> ::= "<MatterState>(,<MatterState>)*"
 <MessageIDList> ::= "<MessageID>(,<MessageID>)*"
 <MimeTypeList> ::= "<MimeType>(,<MimeType>)*"
+<MimeTypeNameList> ::= "<MimeTypeName>(,<MimeTypeName>)*"
 <NamespaceList> ::= "<Namespace>(,<Namespace>)*"
 <NotesNameList> ::= "<NotesName>(,<NotesName>)*"
 <OrgUnitList> ::= "<OrgUnitItem>(,<OrgUnitItem>)*"
@@ -78,10 +81,11 @@
 <QueryBrowserList> ::= "<QueryBrowser>(,<QueryBrowser>)*"
 <QueryCrOSList> ::= "<QueryCrOS>(,<QueryCrOS>)*"
 <QueryDeviceList> ::= "<QueryDevice>(,<QueryDevice>)*"
+<QueryGroupList> ::= "<QueryGroup>(,<QueryGroup>)*"
 <QueryMobileList> ::= "<QueryMobile>(,<QueryMobile>)*"
 <QueryUserList> ::= "<QueryUser>(,<QueryUser>)*"
 <ResourceIDList> ::= "<ResourceID>(,<ResourceID>)*"
-<SchemaNameList> ::= "<SchemaName>(,<SchemaName>)*"
+<SchemaNameList> ::= "<SchemaName>|<SchemaFieldName>(,<SchemaName>|<SchemaFieldName>)*"
 <SerialNumberList> ::= "<SerialNumber>(,<SerialNumber>)*"
 <ServiceAccountKeyList> ::= "<ServiceAccountKey>(,<ServiceAccountKey>)*"
 <SiteACLScopeList> ::= "<SiteACLScope>(,<SiteACLScope>)*"
@@ -92,10 +96,13 @@
 <SharedDriveIDList> ::= "<SharedDriveID>(,<SharedDriveID>)*"
 <StringList> ::= "<String>(,<String>)*"
 <TasklistIDList> ::= "<TasklistID>(,<TasklistID>)*"
+<TasklistTitleList> ::= "'<TasklistTitle>'(,'<TasklistTitle>')*"
 <TasklistIDTaskIDList> ::= "<TasklistIDTaskID>(,<TasklistIDTaskID>)*"
 <ThreadIDList> ::= "<ThreadID>(,<ThreadID>)*"
 <TimeList> ::= "<Time>(,<Time>)*"
+<URLList> ::= "<URL>(,<URL>)*"
 <UserList> ::= "<UserItem>(,<UserItem>)*"
+<YouTubeChannelIDList> ::= "<YouTubeChannelID>(,<YouTubeChannelID>)*"
 ```
 ## List quoting rules
 Items in a list can be separated by commas or spaces; if an item itself contains a comma, a space or a single quote, special quoting must be used.

docs/List.md

@@ -1,6 +1,6 @@
-# List
+!# List
 
-The list command is used to verify collections of objects. See GamDataSelection.txt/
+The list command is used to verify collections of objects.
 
 ## Commands
 ```
@@ -8,3 +8,42 @@ gam list [todrive <ToDriveAttribute>*] <EntityList> [data <CrOSTypeEntity>|<User
 gam <CrOSTypeEntity>|<UserTypeEntity> list [todrive <ToDriveAttribute>*] [data <EntityList> [delimiter <Character>]]
 ```
 
+Allow mapping of keyfield value in csvkmd selectors.
+    <CSVkmdSelector> ::= csvkmd <FileName> [charset <Charset>]
+        keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <String>]
+        (matchfield <FieldName> <RegularExpression>)*
+        [datafield <FieldName>(:<FieldName)* [delimiter <String>]]
+
+You want to update the membership of a collection of parent groups at your school, the data is coming from a database in a fixed format.
+Example 1, CSV File GroupP1P2.csv, exactly the data you want, keypattern and keyvalue are not required
+Group,P1Email,P2Email
+2017-parents@domain.com,g1member11@domain.com,g1member12@domain.com
+2017-parents@domain.com,g1member21@domain.com,g1member22@domain.com
+2018-parents@domain.com,g2member11@domain.com,g2member11@domain.com
+2018-parents@domain.com,g2member21@domain.com,g2member22@domain.com
+...
+For each row, the value from the Group column is used as the group name.
+Verify data selection: gam list csvkmd GroupP1P2.csv keyfield Group datafield P1Email:P2Email data csvdata P1Email:P2Email
+Execute: gam update groups csvkmd GroupP1P2.csv keyfield Group datafield P1Email:P2Email sync member csvdata P1Email:P2Email
+
+Example 2, CSV File GradYearP1P2.csv, you have to convert GradYear to group name GradYear-parents@domain.com, keyvalue is required
+GradYear,P1Email,P2Email
+2017,g1member11@domain.com,g1member12@domain.com
+2017,g1member21@domain.com,g1member22@domain.com
+2018,g2member11@domain.com,g2member11@domain.com
+2018,g2member21@domain.com,g2member22@domain.com
+...
+For each row, the value from the GradYear column replaces the keyField name in the keyvalue argument and that value is used as the group name.
+Verify data selection: gam list csvkmd GradYearP1P2.csv keyfield GradYear keyvalue GradYear-parents@domain.com datafield P1Email:P2Email data csvdata P1Email:P2Email
+Execute: gam update groups csvkmd GradYearP1P2.csv keyfield GradYear keyvalue GradYear-parents@domain.com datafield P1Email:P2Email sync member csvdata P1Email:P2Email
+
+Example 3, CSV File GradYearP1P2.csv, you have to convert GradYear to group name 'LastTwoDigitsOfGradYear-parents@domain.com', keypattern and keyvalue are required.
+GradYear,P1Email,P2Email
+2017,g1member11@domain.com,g1member12@domain.com
+2017,g1member21@domain.com,g1member22@domain.com
+2018,g2member11@domain.com,g2member11@domain.com
+2018,g2member21@domain.com,g2member22@domain.com
+...
+For each row, the value from the GradYear column is matched against the keypattern, the matched segments are substituted into the keyvalue argument and that value is used as the group name.
+Verify data selection: gam list csvkmd GradYearP1P2.csv keyfield GradYear keypattern '20(..)' keyvalue '\1-parents@domain.com' datafield P1Email:P2Email data csvdata P1Email:P2Email
+Execute: gam update groups csvkmd GradYearP1P2.csv keyfield GradYear keypattern '20(..)' keyvalue '\1-parents@domain.com' datafield P1Email:P2Email sync member csvdata P1Email:P2Email

docs/Managing-Admins.md

@@ -0,0 +1,92 @@
+- [Grant a User an Admin Role](#grant-a-user-an-admin-role)
+- [Delete a User's Admin Role](#delete-a-users-admin-role)
+- [Print All Admin Role Assignments](#print-all-admins)
+- [Print All Admin Roles](#print-all-admin-roles)
+
+# Grant a User an Admin Role
+## Syntax
+```
+gam create admin <user> <role> customer|org_unit <OU> [condition securitygroup|nonsecuritygroup]
+```
+Grants the given user account rights as the given admin role. The command must specify whether the rights are to be granted to the entire customer G Suite domain or to a certain org_unit and it's children org unit's. Note that some roles cannot be granted to org units, they must specify customer. The optional argument condition limits the conditions for delegate admin access. This currently only works with the `_GROUPS_EDITOR_ROLE` and `_GROUPS_READER_ROLE` roles. Condition can be to limit the delegated admin to managing security groups (`securitygroup`) or to non-security groups (`nonsecuritygroup`).
+
+## Examples
+This example makes admin@acme.com a super admin
+```
+gam create admin admin@acme.com _SEED_ADMIN_ROLE customer
+```
+
+This example makes ny-helpdesk@acme.com a helpdesk admin for the /NY Org Unit.
+```
+gam create admin ny-helpdesk@acme.com _HELP_DESK_ADMIN_ROLE org_unit "NY"
+```
+This example allows sfo-helpdesk@acme.com to manage only groups that are NOT marked as security groups:
+```
+gam create admin sfo-helpdesk@acme.com _GROUPS_EDITOR_ROLE customer condition nonsecuritygroup
+```
+----
+
+# Delete a User's Admin Role
+## Syntax
+```
+gam delete admin <role assignment id>
+```
+Removes an admin role assignment. Use [Print All Admins](#print-all-admins) to see existing assignments, you're looking for the roleAssignmentId column. You can also use CSV commands to revoke all rights for a given user.
+
+## Examples
+This example revokes the given user's admin role.
+```
+gam delete admin 8771356963373081
+```
+
+This example revokes ALL admin role assignments for the oldadmin@acme.com user account.
+```
+gam print admins user oldadmin@acme.com | gam csv - gam delete admin ~roleAssignmentId
+```
+----
+
+# Print All Admins
+## Syntax
+```
+gam print admins [user <user>] [role <role>] [condition] [todrive]
+```
+Prints all admin role assignments in the G Suite instance. Note that one user account can be assigned multiple roles and can be assigned one role on multiple orgs so a single user may be returned in multiple rows. 
+
+The optional user argument limits returned role assignments to those granted to the given user.
+
+The optional role argument limits returned role assignments to those of the given role.
+
+The optional condition argument displays any conditions associated with a role assignment.
+
+The optional todrive argument tells GAM to create a Google Docs Spreadsheet instead of outputting the results to CSV.
+
+## Examples
+This example prints out all admin role assignments
+```
+gam print admins
+```
+
+This example prints out all admin role assignments for admin@acme.com
+```
+gam print admins user admin@acme.com
+```
+
+This example prints out all super admin role assignments
+```
+gam print admins role _SEED_ADMIN_ROLE
+```
+----
+
+# Print All Admin Roles
+## Syntax
+```
+gam print roles [todrive]
+```
+Prints all admin roles created within the G Suite Instance. The optional argument todrive causes GAM to create a Google Docs Spreadsheet of results instead of outputting CSV.
+
+## Examples
+This example creates a spreadsheet of all admin roles for a domain.
+```
+gam print roles todrive
+```
+----

docs/Managing-Devices.md

@@ -0,0 +1,94 @@
+- [Printing devices](#printing-devices)
+- [Sync devices with a CSV file](#sync-devices-with-a-csv-file)
+- [Get information about a device](#get-information-about-a-device)
+- [Create a corporate device](#create-a-corporate-device)
+- [Action a device (delete, wipe or cancel wipe)](#action-a-device-delete-wipe-or-cancel-wipe)
+- [Action a device user (delete, wipe, cancel wipe, approve or block)](#action-a-device-user-delete-wipe-cancel-wipe-approve-or-block)
+
+GAM 5.20 adds support for the new [Cloud Identity Devices API calls](https://cloud.google.com/identity/docs/reference/rest/v1/devices). The new API allows management of mobile and desktop devices and also allows managing your [company-owned device inventory](https://support.google.com/a/answer/9090870?hl=en).
+
+# Printing devices
+## Syntax
+```
+gam print devices [filter <filter>] [no_company_devices] [no_personal_devices]
+    [no_users] [to_drive] [sort_headers]
+```
+Prints CSV output of devices registered in your domain. The optional filter parameter limits which devices are returned based on [Google's filter syntax](https://support.google.com/a/answer/7549103). By default, both company-owned and personal/BYOD devices are retrieved. The optional arguments no_company_devices and no_personal_devices reduce which devices are retrieved. By default, information on associated user profiles is also retrieved. The optional argument no_users disables user profile retrieval. The optional argument to_drive creates a Google Sheet with the CSV data rather than outputing it to the screen. The optional argument sort_headers will sort the output columns alphabetically by header.
+
+## Example
+This example prints all devices in the domain.
+```
+gam print devices
+```
+This example prints only company-owned devices
+```
+gam print devices no_personal_devices
+```
+---
+
+# Sync devices with a CSV file
+## Syntax
+```
+gam sync devices [filter <filter>] [csv_file <csv file>] [serial_number_column <column>]
+    [device_type_column <column>] [asset_id_column <column>] [static_device_type <type>]
+    [unassigned_missing_action <delete|wipe|donothing>]
+    [assigned_missing_action <delete|wipe|donothing>]
+```
+Syncs the company-owned inventory of devices with a local CSV file. The optional filter parameter limits which devices are returned based on [Google's filter syntax](https://support.google.com/a/answer/7549103). The filter can be used to only sync the file against one portion of the company-owned inventory such as Windows or Android devices. csv_file is a required argument and specifies the CSV file GAM should read for the sync. By default, GAM looks for columns named serialNumber and deviceType, asset_id is not used. The optional arguments serial_number_column, device_type_column and asset_id_column specify other columns to use if your headers are different. If you know all devices in your CSV are of the same type you can specify static_device_type to use that type for all created devices. By default, GAM will delete any devices that are registered in Google admin company-owned inventory but are not present in (missing from) the CSV file AND have not been assigned to a user yet. Missing devices that are registered to a user will be left alone. The optional arguments unassigned_missing_action and assigned_missing_action specify what action GAM should perform on these devices.
+
+## Example
+This example reads devices.csv which has only the header serialNumber and will create any that are in the file but not in Google as well as delete any that are in Google but not the file and are not yet assigned to a user. The filter ensures that GAM is only comparing against Android devices in the Google inventory.
+```
+gam sync devices csv_file android-devices.csv filter type:android static_device_type android
+```
+----
+
+# Create a corporate device
+## Syntax
+```
+gam create device [serial_number <serial>] [device_type <type>]
+```
+Adds a new device to the Google company-owned inventory. Once a user is assigned and enrolled on the device the device will be considered company-owned for management purposes. The device will also register as company-owned with Google services like [Context-Aware Access (CAA)](https://support.google.com/a/answer/9275380?hl=en). Arguments serial_number and device_type are both required and specify the serial and device type respectively. Device type can be one of ANDROID, IOS, GOOGLE_SYNC, WINDOWS, MAC_OS, LINUX or CHROME_OS.
+
+## Example
+This example creates an Android phone so it is ready to be user-enrolled as a company-owned device
+```
+gam create device serial_number abc123 device_type android
+```
+----
+
+# Action a device (delete, wipe or cancel wipe)
+## Syntax
+```
+gam delete|wipe|cancel_wipe id <device id> [remove_reset_lock]
+```
+deletes, wipes all device data or cancels a pending wipe respectively. id is a required argument and specifies the name/ID of the device to be acted upon. On wipe, the optional argument `remove_reset_lock` will remove [the account lock on the Android or iOS device](https://support.google.com/android/answer/9459346?hl=en). This lock is enabled by default and requires the existing device user to log in after the wipe in order to unlock the device.
+
+## Example
+This example deletes a device so that it will no longer show in the Google admin console. Sync will also break for the user but no user data on device should be removed.
+```
+gam delete device id devices/CiRkMzk4N2RjYS1hODhmLTQwYTAtOTQ1Zi1mZDMwOTY2MmNjNGY%3D
+```
+This example wipes a device (factory reset). All data on the device will be lost.
+```
+gam wipe device id devices/CiRkMzk4N2RjYS1hODhmLTQwYTAtOTQ1Zi1mZDMwOTY2MmNjNGY%3D
+```
+----
+
+# Action a device user (delete, wipe, cancel wipe, approve or block)
+## Syntax
+```
+gam delete|wipe|cancelwipe|approve|block deviceuser id <device id>
+```
+deletes, wipes all device data, cancels a pending wipe respectively, approves or blocks a user profile on a device. id is a required argument and specifies the name/ID of the device user profile to be acted upon.
+
+## Example
+This example deletes a device user so that it will no longer show in the Google admin console. Sync will also break for the user but no user data on device should be removed.
+```
+gam delete deviceuser id devices/CiRjY2RiZjk5Yy01Y2EwLTQyMTUtODY4Yi0zZjI5ZGRkODc2M2M%3D/deviceUsers/0af7153a-f661-4baa-a666-e3868340290e
+```
+This example wipes a device user profile from a device. In the case of Android for Work, the work profile will be removed but the personal profile left alone.
+```
+gam wipe deviceuser id devices/CiRjY2RiZjk5Yy01Y2EwLTQyMTUtODY4Yi0zZjI5ZGRkODc2M2M%3D/deviceUsers/0af7153a-f661-4baa-a666-e3868340290e
+```
+----

docs/Managing-Google-Classroom.md

@@ -0,0 +1,298 @@
+- [Managing Courses](#managing-courses)
+  - [Creating A Course](#creating-a-course)
+  - [Updating A Course](#updating-a-course)
+  - [Getting Course Info](#getting-course-info)
+  - [Deleting A Course](#deleting-a-course)
+- [Managing Course Aliases](#managing-course-aliases)
+  - [Creating An Alias](#creating-an-alias)
+  - [Deleting An Alias](#deleting-an-alias)
+- [Managing Course Participants](#managing-course-participants)
+  - [Adding Students And Teachers To A Course](#adding-students-and-teachers-to-a-course)
+  - [Syncing Students And Teachers To A Course](#syncing-students-and-teachers-to-a-course)
+  - [Removing Students And Teachers From A Course](#removing-students-and-teachers-from-a-course)
+- [Managing Guardians](#managing-guardians)
+  - [Inviting a guardian](#inviting-a-guardian)
+  - [Deleting a guardian](#deleting-a-guardian)
+  - [Printing Guardians](#printing-guardians)
+- [Course And Course Participant Reports](#course-and-course-participant-reports)
+  - [Printing Courses](#printing-courses)
+  - [Printing Course Participants](#printing-course-participants)
+- [Troubleshooting](#troubleshooting)
+  - [403 Error](#403-error)
+
+# Managing Courses
+## Creating A Course
+### Syntax
+```
+gam create course [alias <alias>] [name <name>] [section <section>] [heading <heading>] [description <description>] [room <room>] [teacher <teacher email>] [status <PROVISIONED|ACTIVE|ARCHIVED|DECLINED>]
+```
+Provision a new course. The optional alias parameter provides a unique id which can be used to reference the course. If a course already exists with this alias, an error will be thrown. If no alias is supplied, the course must be managed by the id that is assigned to it by Google when created. The optional name, section, heading, description and room parameters provide additional details for the course. The optional teacher parameter provides the email address of the owner / primary teacher of the course. If no teacher is provided then the admin user running GAM will be the owner / primary teacher of the course. The optional status parameter provides the initial status of the course when created. If no status is provided, courses default to PROVISIONED status.
+
+### Example
+This example creates a course.
+```
+gam create course alias the-republic-s01 name "The Republic" section s01 heading "The definition of justice (δικαιοσύνη), the order and character of the just city-state and the just man" room academy-01 teacher plato@athens.edu
+```
+----
+
+## Updating A Course
+### Syntax
+```
+gam update course <id or alias> [name <name>] [section <section>]
+  [heading <heading>] [description <description>] [room <room>]
+  [status <PROVISIONED|ACTIVE|ARCHIVED|DECLINED>]
+  [owner <teacher email>]
+```
+Updates an existing course. The id or alias of the course is needed to identify the exact course to be updated. The optional name, section, heading, description and room parameters provide additional details for the course. The optional status parameter sets the status of the course. The optional owner argument sets a new owner teacher for the course. The owner email address must already be a teacher of the course and the old owner will remain a teacher of the course.
+
+### Example
+This example updates an existing course to make it active
+```
+gam update course the-republic-s01 status ACTIVE
+```
+
+This example sets a new owner for the course.
+```
+gam update course the-republic-s01 owner aristotle@athens.edu
+```
+----
+## Getting Course Info
+### Syntax
+```
+gam info course <id or alias>
+```
+Prints detailed information about a course.
+
+### Example
+This example prints information about the course
+```
+gam info course the-republic-s01
+updateTime: 2015-07-01T13:47:20.000Z
+room: academy-01
+alternateLink: http://classroom.google.com/c/MtM0NzcxNDY5
+enrollmentCode: 46rvtp
+section: s01
+creationTime: 2015-07-01T13:47:20.000Z
+courseState: ACTIVE
+ownerId: 102043113942954782808
+id: 134781269
+descriptionHeading: The definition of justice (δικαιοσύνη), the order and character of the just city-state and the just man
+name: The Republic
+Aliases:
+  the-republic-s01
+Participants:
+ Teachers:
+  Plato Plato - plato@athens.edu
+ Students:
+```
+----
+
+## Deleting A Course
+### Syntax
+```
+gam delete course <id or alias>
+```
+Deletes the given course.
+
+### Example
+This example deletes the course
+```
+gam delete course the-republic-s01
+```
+----
+
+# Managing Course Aliases
+## Creating An Alias
+### Syntax
+```
+gam course <id or alias> add alias <alias>
+```
+Create a new alias for an existing course.
+
+### Example
+This example creates an alias for a course which already has one alias.
+```
+gam course this-is-an-alias add alias this-is-another-alias
+```
+----
+
+## Deleting An Alias
+### Syntax
+```
+gam course <id or alias> delete alias <alias>
+```
+Delete an alias from an existing course.
+
+### Example
+This example deletes the alias from the add alias example above.
+```
+gam course this-is-an-alias delete alias this-is-another-alias
+```
+----
+
+# Managing Course Participants
+## Adding Students And Teachers To A Course
+### Syntax
+```
+gam course <id or alias> add student|teacher <email address>
+```
+Add the given user email address to the course as a student or teacher.
+
+### Example
+This example adds Aristotle as a student in the course
+```
+gam course the-republic-s01 add student aristotle@athens.edu
+```
+----
+
+## Syncing Students And Teachers To A Course
+### Syntax
+```
+gam course <id or alias> sync students|teachers group <group email> | ou <orgunit> | file <filename> | query <users query> | course <id or alias>
+```
+Syncs the students or teachers for the given course against another list of users. Students/Teachers not in the other list will be removed from the given course. Students/Teachers in the other list but not the course will be added.
+
+### Examples
+This example adds all users in the Google Org Unit /schools/sunnybrook/K-1 into the course. If there are students in the course that are not in this OU, they will be removed.
+```
+gam course sunnybrook-k-1 sync students ou /schools/sunnybrook/K-1
+```
+This example syncs the course teachers against members of the biology-101-teachers@sunnybrook.edu group.
+```
+gam course biology-101-s01 sync teachers group biology-101-teachers@sunnybrook.edu
+```
+This example syncs course students against a CSV file
+```
+gam course history-200-s02 sync students file history-200-s02-students.csv
+```
+----
+
+## Removing Students And Teachers From A Course
+### Syntax
+```
+gam course <id or alias> remove student|teacher <email address>
+```
+removes the given email address from the course as a student or teacher.
+
+### Example
+This example removes John from the course.
+```
+gam course the-republic-s01 remove student john@athens.edu
+```
+----
+
+# Managing Guardians
+## Inviting a Guardian
+### Syntax
+```
+gam create guardianinvite <guardian email> <student email>
+```
+Sends an email to the specified guardian email address inviting them to receive notifications for Classroom activities of given student email. The guardian email address can be any valid recipient but in order to accept the invitation the guardian must login or create a Google account. The guardian Google account does not need to be directly associated to the guardian email address.
+
+Because this command sends out email notifications externally, it is recommended that plenty of internal testing is done with guardian invites before bulk inviting real guardians.
+
+### Examples
+This example invites moma.smith@hotmail.com as a guardian of johnny.smith@acme.edu
+```
+gam create guardianinvite moma.smith@hotmail.com johnny.smith@acme.edu
+```
+Assuming you have a csv file named parents.csv that looks like:
+```
+student-email,parent-email
+johnny.smith@acme.edu,jonathan.t.smith@widgets.com
+jane.smith@acme.edu,jonathan.t.smith@widgets.com
+johnny.smith@acme.edu,judy.r.smith@gizmos.com
+jane.smith@acme.edu,judy.r.smith@gizmos.com
+george.johnson@acme.edu,johnson.fam.5@yahoo.com
+```
+this example bulk invites parents as guardians for their students.
+```
+gam csv parents.csv gam create guardianinvite ~parent-email ~student-email
+```
+----
+
+## Delete a Guardian
+### Syntax
+```
+gam delete guardian <guardian email> <student email>
+```
+Removes the given guardian as a guardian of the given student if guardian has accepted invitation and also cancels any pending invitations. The guardian will receive email notification that they have been removed as a guardian of the student.
+
+### Examples
+This example removes legal.guardian@yahoo.com as a guardian of johnny.smith@acme.edu or cancels any PENDING invitations
+```
+gam delete guardian legal.guardian@yahoo.com johnny.smith@acme.edu
+```
+----
+
+## Printing Guardians
+### Syntax
+```
+gam print guardians [invitations] [student <email>] [invitedguardian <email>] [user <username>|group <email>|ou <ouname>|all users] [states <COMPLETE,PENDING,GUARDIAN_INVITATION_STATE_UNSPECIFIED>] [todrive] [nocsv]
+```
+Prints a report of guardians. Currently you must specify a student or list of users for which to pull guardians. The optional argument invitations pulls information on guardian invitations instead of actual guardians who have been invited and accepted. Guardian invitations with a state of COMPLETE are no longer valid either because they've been accepted or rejected by the guardian, an admin has cancelled the invitation or the invitation has expired. The optional parameter student specifies the email address of a single student whose guardians or guardian invites should be pulled. The optional parameters user <email>, group <email>, ou <ouname> and all users specify a grouping of users whose guardians or guardian invites should be pulled. The optional argument states specifies a comma separated list of guardian invites that should be pulled based on their current state. The optional parameter todrive outputs the results to a Google Sheet instead of CSV. The optional parameter nocsv prints the guardians to the screen in a format that's human-eye friendly.
+
+### Examples
+This example creates a Google Sheet for all existing guardians. It makes one API call per user in the domain so may be very slow for large domains.
+```
+gam print guardians all users todrive
+```
+This example prints all guardian invitations that are still in a pending state for the /Students OU.
+```
+gam print guardians invitations states PENDING ou "/Students"
+```
+This example shows all of johnny.smith@acme.edu's current guardians.
+```
+gam print guardians student johnny.smith@acme.edu
+```
+----
+
+# Course And Course Participant Reports
+## Printing Courses
+### Syntax
+```
+gam print courses [teacher <email>] [student <email>] [state <states>] [todrive] [aliases] [delimiter <String>]
+```
+Output CSV format details of courses. By default, all courses in the organization will be returned. The optional `teacher` and `student` parameters limit the results to courses where the given user is a participant in the course of the given type. The optional state parameter specifies a comma separated list of states (active, archived, provisioned, declined, suspended). Only courses in those states will be included in the results. The optional `todrive` argument creates a Google Drive spreadsheet of the results rather than outputting the information to the console. The optional `aliases` argument uses an additional API call per course to get the course aliases. By default, multiple aliases are delimited by spaces, if you would like a different delimiter, e.g., comma, use the `delimiter <String>` argument.
+
+### Examples
+This example creates a CSV file of all courses
+```
+gam print courses
+```
+this example creates a Google Spreadsheet of all the courses Mr. Smith is teaching
+```
+gam print courses teacher mrsmith@acme.edu todrive
+```
+
+this example limits the CSV output to provisioned and active courses
+```
+gam print courses state active,provisioned
+```
+----
+
+## Printing Course Participants
+### Syntax
+```
+gam print course-participants [course <id or alias>] [student <email>] [teacher <email>] [show teachers|students|all] [todrive]
+```
+Output CSV format details of course participants. The optional course parameter limits results to the given course. Multiple course parameters can be included to pull participants for a subset of courses. If no course parameter is specified then participants will be retrieved for all courses. The optional student and teacher parameters limit the courses returned to those where the given user is a teacher or student. The optional state parameter specifies a comma separated list of states (active, archived, provisioned, declined, suspended). Only courses in those states will be included in the results. The optional show parameter limits the participants to teachers or students, and defaults to all participants. The optional todrive argument creates a Google Drive spreadsheet of the results rather than outputting the information to the console.
+
+### Examples
+This example prints all course participants in all courses.
+```
+gam print course-participants
+```
+this example creates a spreadsheet of the course participants in all three sections of Chemistry.
+```
+gam print course-participants course chemistry-101-s01 course chemistry-101-s02 course chemistry-101-s03 todrive
+```
+this example creates a spreadsheet of only the course teachers in all three sections of Chemistry.
+```
+gam print course-participants course chemistry-101-s01 course chemistry-101-s02 course chemistry-101-s03 show teachers todrive
+```
+----
+# Troubleshooting
+## 403 Error
+If you're using the default Super Admin account _(the very first account in your G Suite organization, that has all the permissions by default)_ you can get a `403: The caller does not have permission - 403 error`. In this case you have to create a new account, and assign Super Admin Role to it, and use that with gam. 
+In addition, with the default Super Admin account, the `gam print courses` will not list all the courses in the organization.

docs/Meta-Commands-and-File-Redirection.md

@@ -1,4 +1,4 @@
-# Meta Commands and File Redirection
+!# Meta Commands and File Redirection
 
 - [GAM Configuration](gam.cfg)
 - [Todrive](Todrive)
@@ -51,11 +51,13 @@ The only `<VariableNames>` recognized in this `<Section>` are:
 * `csv_output_header_filter`
 * `csv_output_header_drop_filter`
 * `csv_output_header_force`
+* `csv_output_header_order`
 * `csv_output_row_filter`
 * `csv_output_row_filter_mode`
 * `csv_output_row_drop_filter`
 * `csv_output_row_drop_filter_mode`
 * `csv_output_row_limit`
+* `csv_output_sort_headers`
 
 ### Select input filter section
 Select an input filter section from gam.cfg and process a GAM command using values from that section.
@@ -112,8 +114,8 @@ You can redirect stdout and stderr to null and stderr can be redirected to stdou
 ```
 <Redirect> ::=
         redirect csv <FileName> [multiprocess] [append] [noheader] [charset <Charset>]
-                     [columndelimiter <Character>] [quotechar <Character>]
-                     [timestampcolumn <String>]
+                     [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
+                     [sortheaders <StringList>] [timestampcolumn <String>]
                      [todrive <ToDriveAttribute>*] |
         redirect stdout <FileName> [multiprocess] [append] |
         redirect stdout null [multiprocess] |
@@ -141,13 +143,19 @@ subsequent GAM commands specify `append noheader`.
 The `charset <Charset>` subargument sets the character set of the CSV file; the default is the value of `charset`
 in `gam.cfg` which defaults to UTF-8.
 
-The `columndelimiter <Character>` sets the intercolumn delimiter of the CSV file; the default value
-is the value of csv_output_column_delimiter` in `gam.cfg` which defaults to comma.
+The `columndelimiter <Character>` subargument sets the intercolumn delimiter of the CSV file; the default value
+is the value of `csv_output_column_delimiter` in `gam.cfg` which defaults to comma.
+
+The `noescapechar <Boolean>` subargument controls whether `\` is used as an escape character when writing the CSV file; the default value
+is the value of `csv_output_no_escape_char` in `gam.cfg` which defaults to False.
 
 The `quotechar <Character>` subargument sets the character used to quote fields in the CSV file
 that contaim special charactere; the default value is the value of `csv_output_quote_char` in `gam.cfg`
 which defaults to double quote.
 
+The `sortheaders <StringList>` argument causes GAM to sort CSV output rows by the column headers specified in `<StringList>`.
+The column headers are case insensitive and if column header does not appear in the CSV output, it is ignored.
+
 The `timestampcolumn <String>` adds a column named `<String>` to the CSV file; the value is the
 timestamp of when the GAM command started.
 
@@ -164,9 +172,9 @@ If the pattern `{{Section}}` appears in `<FileName>`, it will be replaced with t
 ### Examples - redirect CSV
 Suppose that you have a CSV file CourseList.csv with a column labeled CourseId that contains course Ids. You want a single CSV file with participant information for these courses.
 ```
-gam redirect csv ./CourseInfo.csv multiprocess csv CourseList.csv gam print course-participants course ~CourseId
+gam redirect csv ./CourseInfo.csv multiprocess csv CourseList.csv gam print course-participants course "~CourseId"
 ```
-`redirect csv ./CourseInfo.csv multiprocess` causes gam to collect output from all of the processes started by `csv CourseList.csv gam print course-participants course ~CourseId` and produces a single CSV file CourseInfo.csv.
+`redirect csv ./CourseInfo.csv multiprocess` causes gam to collect output from all of the processes started by `csv CourseList.csv gam print course-participants course "~CourseId"` and produces a single CSV file CourseInfo.csv.
 
 Generate a list of CrOS devices and update an existing sheet in a Google spreadsheet. The file ID and sheet IDs are preserved so other appplications can access the data using the file ID and sheet ID.
 By setting 'tdtimestamp true`, the file name will the updated to reflect the time of execution, but the file ID will not change.
@@ -176,23 +184,23 @@ gam redirect csv - todrive tdtitle "CrOS" tdtimestamp true tdfileid 12345-mizZ6Q
 
 For a collection of users, generate a list of files shared with anyone; combine the output for all users into a single file.
 ```
-gam redirect csv - multiprocess todrive tdtitle AnyoneShares-All csv Users.csv gam user ~primaryEmail print filelist fields id,name,permissions pm type anyone em
+gam redirect csv - multiprocess todrive tdtitle AnyoneShares-All csv Users.csv gam user "~primaryEmail" print filelist fields id,name,permissions pm type anyone em
 ```
 
 For a collection of users, generate a list of files shared with anyone; generate a separate file for each user.
 The two forms of the command are equivalent.
 ```
-gam csv Users.csv gam redirect csv - todrive tdtitle "AnyoneShares-~~primaryEmail~~" user ~primaryEmail print filelist fields id,name,permissions pm type anyone em
+gam csv Users.csv gam redirect csv - todrive tdtitle "AnyoneShares-~~primaryEmail~~" user "~primaryEmail" print filelist fields id,name,permissions pm type anyone em
 
-gam csv Users.csv gam user ~primaryEmail print filelist fields id,name,permissions pm type anyone em todrive tdtitle "AnyoneShares-~~primaryEmail~~" 
+gam csv Users.csv gam user "~primaryEmail" print filelist fields id,name,permissions pm type anyone em todrive tdtitle "AnyoneShares-~~primaryEmail~~" 
 ```
 
 ### Examples - Redirect stdout
-The output from each of the `gam info user ~primaryEmail` commands will be combined into the single file Users.txt.
+The output from each of the `gam info user "~primaryEmail"` commands will be combined into the single file Users.txt.
 The value of `show_multiprocess_info` from `gam.cfg` controls whether information identifying the processes is also shown.
 
 ```
-$ gam config show_multiprocess_info false redirect stdout ./Users.txt multiprocess csv Users.csv gam info user ~primaryEmail
+$ gam config show_multiprocess_info false redirect stdout ./Users.txt multiprocess csv Users.csv gam info user "~primaryEmail"
 $ more Users.txt
 User: testuser1@domain.com (1/1)
   Settings:
@@ -207,9 +215,9 @@ User: testuser2@domain.com@ (1/1)
     Full Name: Test User2
 ...
 
-$ gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user ~primaryEmail
+$ gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user "~primaryEmail"
 $ more Users.txt
-stdout:      0, Start: 2017-01-26T11:35:00.897773-08:00, RC:   0, Cmd: /Users/admin/gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user ~primaryEmail
+stdout:      0, Start: 2017-01-26T11:35:00.897773-08:00, RC:   0, Cmd: /Users/admin/gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user "~primaryEmail"
 stdout:      1, Start: 2017-01-26T11:35:00.902709-08:00, RC:   0, Cmd: gam info user testuser1@domain.com
 User: testuser1@domain.com (1/1)
   Settings:
@@ -226,5 +234,5 @@ User: testuser2@domain.com@ (1/1)
     Full Name: Test User2
 ...
 stdout:      2,   End: 2017-01-26T11:35:02.849646-08:00, RC:   0, Cmd: gam info user testuser2@domain.com
-stdout:      0,   End: 2017-01-26T11:35:02.907141-08:00, RC:   0, Cmd: /Users/admin/gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user ~primaryEmail
+stdout:      0,   End: 2017-01-26T11:35:02.907141-08:00, RC:   0, Cmd: /Users/admin/gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user "~primaryEmail"
 ```