actions: disable create contact command that may be actual issue

This reverts commit 38375b1710.

.github/actions/entitlements.plist

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+        <!-- These are required for binaries built by PyInstaller -->
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+        <true/>
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+</dict>
+</plist>

.github/actions/package_exclusions.txt

@@ -2,6 +2,5 @@ oauth2.txt
 nobrowser.txt
 enabledasa.txt
 lastupdatecheck.txt
-*.json
 *.lck
 *.csv

.github/workflows/codeql-analysis.yml

@@ -38,11 +38,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

README.md

@@ -1,6 +1,6 @@
 GAM is a command line tool for Google Workspace admins to manage domain and user settings quickly and easily.
 
-![Build Status](https://github.com/GAM-team/GAM/workflows/Build%20and%20test%20GAM/badge.svg)
+[![Build StatusM](https://github.com/GAM-team/GAM/actions/workflows/build.yml/badge.svg)](https://github.com/GAM-team/GAM/actions/workflows/build.yml)
 
 # Quick Start
 
@@ -32,7 +32,7 @@ There is a public chat room hosted in Google Chat. [Instructions to join](https:
 
 # Author
 
-GAM is maintained by [Jay Lee](mailto:jay0lee@gmail.com). Please direct "how do I?" questions to [Google Groups].
+GAM is maintained by [Jay (James) Lee](mailto:jay0lee@gmail.com) and [Ross Scroggs](mailto:ross.scroggs@gmail.com). Please direct "how do I?" questions to [Google Groups].
 
 [GAM release]: https://github.com/GAM-team/GAM/releases
 [GitHub Releases]: https://github.com/GAM-team/GAM/releases

docs/Administrators.md

@@ -851,11 +851,15 @@ gam delete adminrole <RoleItem>
 ## Display administrative roles
 ```
 gam info adminrole <RoleItem> [privileges]
-gam print adminroles|roles [todrive <ToDriveAttribute>*] [privileges]
+gam print adminroles|roles [todrive <ToDriveAttribute>*]
+        [privileges] [oneitemperrow]
 gam show adminroles|roles [todrive <ToDriveAttribute>*] [privileges]
 ```
 * `privileges` - Display privileges associated with each role
 
+By default, all privileges for a role are shown on one row as a repeating item.
+When `oneitemperrow` is specified, each privilege is output on a separate row/line with the other role fields.
+
 ## Create an administrator
 Add an administrator role to an administrator.
 ```
@@ -877,7 +881,8 @@ gam delete admin <RoleAssignmentId>
 ## Display administrators
 ```
 gam print admins [todrive <ToDriveAttribute>*]
-        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition] [privileges]
+        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition]
+        [privileges] [oneitemperrow]
 gam show admins
         [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition] [privileges]
 ```
@@ -889,6 +894,9 @@ options to limit the display:
 * `condition` - Display any conditions associated with a role assignment
 * `privileges` - Display privileges associated with each role assignment
 
+By default, all role privileges for an admin are shown on one row as a repeating item.
+When `oneitemperrow` is specified, each role privilege is output on a separate row/line with the other admin fields.
+
 In versions prior to 6.07.01, specification of both `user <UserItem>`
 and `role <RoleItem>` generated no output due to an undocumented API rule that disallows both.
 

docs/Aliases.md

@@ -85,7 +85,7 @@ gam <UserTypeEntity> delete aliases
 ```
 
 ## Display aliases
-Display a specific alise.
+Display a specific alias.
 ```
 gam info alias|aliases <EmailAddressEntity>
 ```

docs/Authorization.md

@@ -7,6 +7,7 @@
 - [Definitions](#definitions)
 - [Manage Projects](#manage-projects)
   - [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
+  - [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
   - [Authorize GAM to create projects](#authorize-gam-to-create-projects)
   - [Create a new GCP project folder](#create-a-new-gcp-project-folder)
   - [Create a new project for GAM authorization](#create-a-new-project-for-gam-authorization)
@@ -30,6 +31,7 @@
   - [Update an existing Service Account key](#update-an-existing-service-account-key)
   - [Replace all existing Service Account keys](#replace-all-existing-service-account-keys)
   - [Delete Service Account keys](#delete-service-account-keys)
+  - [Upload a Service Account key to a service account with no keys](#upload-a-service-account-key-to-a-service-account-with-no-keys)
   - [Display Service Account keys](#display-service-account-keys)
 - [Manage Service Account access](#manage-service-account-access)
   - [Full Service Account access](#full-service-account-access)
@@ -89,15 +91,6 @@ If you run a Google Workspace Education SKU, verify that the super admin you'll
 * Choose "All users are 18 or older"
 * Click "SAVE"
 
-Verify whether the super admin you'll be using is in an OU where reauthentication is required.
-* Access the admin console and go to Security -> Overview
-* Scroll down and open Google Cloud session control section
-* Select the OU containing the super admin
-* If Require reauthentication is selected and Exempt Trusted apps is not checked, you'll have to do `gam oauth create` at whatever frequency is specified
-* If that sounds unappealing, check Exempt Trusted apps
-* Click "OVERRIDE"
-* Follow the steps below to mark GAM as a trusted app
-
 Based on your domain policies, you may have to mark GAM as a trusted app. These steps are performed after a project is created.
 * Access the admin console and go to Security -> Access and data control -> API controls
 * Check Trust internal, domain-owned apps
@@ -114,6 +107,20 @@ Based on your domain policies, you may have to mark GAM as a trusted app. These
 * Click Next/Continue
 * Click Finish
 
+Verify whether the super admin you'll be using is in an OU where reauthentication is required.
+* Access the admin console and go to Security -> Overview
+* Scroll down and open Google Cloud session control section
+* Select the OU containing the super admin
+* If Require reauthentication is selected and Exempt Trusted apps is not checked, you'll have to do `gam oauth create` at whatever frequency is specified
+* If that sounds unappealing, check Exempt Trusted apps
+* Click "OVERRIDE"
+* Follow the steps below to mark GAM as a trusted app
+
+Additional steps may be required if errors are encountered.
+* [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
+* [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
+* [Authorize GAM to create projects](#authorize-gam-to-create-projects)
+
 ## Headless computers and Cloud Shells
 With many thanks to Jay, `gam oauth create` now uses a new client access authentication flow
 as required by Google for headless computers/cloud shells; this is required as of February 28, 2022.
@@ -199,8 +206,51 @@ perform these steps and then retry the create project command.
 * Click in the Select a role box
 * Type project creator in the Filter box
 * Click Project Creator
+* Click + Add Another Role
+* Type organization policy administrator in the Filter box
+* Click Orgainzation Policy Administrator
 * Click Save
 
+## Authorize Service Account Key Uploads
+
+If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload violated for service account projects/gam-project-xxx`,
+perform these steps and then you should be able to authorize and use your project.
+
+* Login as an existing super admin at console.cloud.google.com
+* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
+* Under IAM & Admin select IAM
+* Click the down arrow in the box to the right of Google Cloud
+* Click the three dots at the right and select IAM/Permissions
+* Now you should be at "Permissions for organization ..."
+* Click on Grant Access
+* Enter the new admin address in Principals
+* Click in the Select a role box
+* Type organization policy administrator in the Filter box
+* Click Organization Policy Administrator
+* Click Save
+* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
+* Under IAM & Admin select IAM
+* Click the down arrow in the box to the right of Google Cloud
+* Click the three dots at the right and select Manage Resources
+* Click the three dots at the end of the line for the GAM project just created
+* Click Settings
+* Click Organization Policies in the left column
+* Now you should be at "Policies for Gam Project"
+* Click in the Filter box
+* Enter iam.disableServiceAccountKeyUpload
+* Click the three dots at the end of the Disable Service Account Key Upload
+* Choose Edit policy
+* Click Override parent's policy
+* Click Add A Rule
+* Select Enforcement/Off
+* Click Done
+* Click Set Policy
+
+Wait a couple of minutes for the policy updates to complete and then do the following to upload the service account key:
+```
+gam upload sakey [admin <EmailAddress>]
+```
+
 ## Authorize GAM to create projects
 If you try to create a project and get an error saying "This app has been blocked on your domain for either being
 insecure or non-edutational"; you'll have to mark the GAM Project Creation app as trusted.
@@ -265,6 +315,10 @@ gam create project [admin <EmailAddress>] [project <ProjectID>]
         [projectname <ProjectName>] [parent <String>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
+        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+         (localkeysize 1024|2048|4096 [validityhours <Number>])|
+         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)|
+         nokey}
 ```
 * `admin <EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 * `appname <String>` - Application name, defaults to `GAM`
@@ -276,6 +330,10 @@ gam create project [admin <EmailAddress>] [project <ProjectID>]
 * `sadisplayname <ServiceAccountDisplayName>` - Service account display name
 * `sadescription <ServiceAccountDescription>` - Service account description
 
+You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`: [Manage Service Account keys](#manage-service-account-keys)
+
+Use `nokey` if you do not want a service account key created for the project.
+
 ## Use an existing project for GAM authorization
 Use an existing project to create and download two files: `client_secrets.json` for the Client and `oauth2service.json` for the Service Account.
 
@@ -285,8 +343,11 @@ Use an existing project to create and download two files: `client_secrets.json`
 * `<ServiceAccountDescription>` - `<ServiceAccountDisplayName>`
 
 ### Basic
-Use an existing project with default values for the service account. This is typically used when
-the system administrators have created a basic project and you now want to configure it as a GAM project.
+Use an existing uninitialized/uncredentialed project and configure it to be a GAM project; this typically used when
+the GCP  administrators have created a basic project because project creation is not available for most users.
+
+See Jay's notes about how to do this: https://github.com/GAM-team/GAM/wiki/GAM-with--minimal-GCP-rights
+
 ```
 gam use project [<EmailAddress>] [project <ProjectID>]
 ```
@@ -301,6 +362,9 @@ can not be re-downloaded.
 gam use project [admin <EmailAddress>] [project <ProjectID>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
+        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+         (localkeysize 1024|2048|4096 [validityhours <Number>])|
+         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]
 ```
 * `admin <EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 * `project <ProjectID>` - An existing Google project ID; if omitted, you will be prompted for the ID
@@ -308,6 +372,8 @@ gam use project [admin <EmailAddress>] [project <ProjectID>]
 * `sadisplayname <ServiceAccountDisplayName>` - Service account display name
 * `sadescription <ServiceAccountDescription>` - Service account description
 
+You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`: [Manage Service Account keys](#manage-service-account-keys)
+
 ## Update an existing project for GAM authorization
 This command is used when GAM has added new capabilities that require additional APIs to be added to your project.
 ```
@@ -404,60 +470,70 @@ writes the credentials into the file oauth2.txt.
 ```
 gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - Telemetry read only
-[*]  3)  Chrome Management API - read only
-[*]  4)  Chrome Policy API (supports readonly)
-[*]  5)  Chrome Printer Management API (supports readonly)
-[*]  6)  Chrome Version History API
-[*]  7)  Classroom API - Course Announcements (supports readonly)
-[*]  8)  Classroom API - Course Topics (supports readonly)
-[*]  9)  Classroom API - Course Work/Materials (supports readonly)
-[*] 10)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 11)  Classroom API - Courses (supports readonly)
-[*] 12)  Classroom API - Profile Emails
-[*] 13)  Classroom API - Profile Photos
-[*] 14)  Classroom API - Rosters (supports readonly)
-[*] 15)  Classroom API - Student Guardians (supports readonly)
-[*] 16)  Cloud Identity Groups API (supports readonly)
-[*] 17)  Cloud Storage (Vault Export - read only)
-[*] 18)  Contact Delegation API (supports readonly)
-[*] 19)  Contacts API - Domain Shared and Users and GAL
-[*] 20)  Data Transfer API (supports readonly)
-[*] 21)  Directory API - Chrome OS Devices (supports readonly)
-[*] 22)  Directory API - Customers (supports readonly)
-[*] 23)  Directory API - Domains (supports readonly)
-[*] 24)  Directory API - Groups (supports readonly)
-[*] 25)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 26)  Directory API - Organizational Units (supports readonly)
-[*] 27)  Directory API - Resource Calendars (supports readonly)
-[*] 28)  Directory API - Roles (supports readonly)
-[*] 29)  Directory API - User Schemas (supports readonly)
-[*] 30)  Directory API - User Security
-[*] 31)  Directory API - Users (supports readonly)
-[*] 32)  Email Audit API
-[*] 33)  Groups Migration API
-[*] 34)  Groups Settings API
-[*] 35)  License Manager API
-[*] 36)  People API (supports readonly)
-[*] 37)  People Directory API - read only
-[ ] 38)  Pub / Sub API
-[*] 39)  Reports API - Audit Reports
-[*] 40)  Reports API - Usage Reports
-[ ] 41)  Reseller API
-[*] 42)  Site Verification API
-[*] 43)  Sites API
-[*] 44)  Vault API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
-Please enter 0-42[a|r] or s|u|e|c: 
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
 
@@ -487,60 +563,70 @@ writes the credentials into the file `oauth2.txt`.
 ```
 gam oauth update
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - Telemetry read only
-[*]  3)  Chrome Management API - read only
-[*]  4)  Chrome Policy API (supports readonly)
-[*]  5)  Chrome Printer Management API (supports readonly)
-[*]  6)  Chrome Version History API
-[*]  7)  Classroom API - Course Announcements (supports readonly)
-[*]  8)  Classroom API - Course Topics (supports readonly)
-[*]  9)  Classroom API - Course Work/Materials (supports readonly)
-[*] 10)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 11)  Classroom API - Courses (supports readonly)
-[*] 12)  Classroom API - Profile Emails
-[*] 13)  Classroom API - Profile Photos
-[*] 14)  Classroom API - Rosters (supports readonly)
-[*] 15)  Classroom API - Student Guardians (supports readonly)
-[*] 16)  Cloud Identity Groups API (supports readonly)
-[*] 17)  Cloud Storage (Vault Export - read only)
-[*] 18)  Contact Delegation API (supports readonly)
-[*] 19)  Contacts API - Domain Shared and Users and GAL
-[*] 20)  Data Transfer API (supports readonly)
-[*] 21)  Directory API - Chrome OS Devices (supports readonly)
-[*] 22)  Directory API - Customers (supports readonly)
-[*] 23)  Directory API - Domains (supports readonly)
-[*] 24)  Directory API - Groups (supports readonly)
-[*] 25)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 26)  Directory API - Organizational Units (supports readonly)
-[*] 27)  Directory API - Resource Calendars (supports readonly)
-[*] 28)  Directory API - Roles (supports readonly)
-[*] 29)  Directory API - User Schemas (supports readonly)
-[*] 30)  Directory API - User Security
-[*] 31)  Directory API - Users (supports readonly)
-[*] 32)  Email Audit API
-[*] 33)  Groups Migration API
-[*] 34)  Groups Settings API
-[*] 35)  License Manager API
-[*] 36)  People API (supports readonly)
-[*] 37)  People Directory API - read only
-[ ] 38)  Pub / Sub API
-[*] 39)  Reports API - Audit Reports
-[*] 40)  Reports API - Usage Reports
-[ ] 41)  Reseller API
-[*] 42)  Site Verification API
-[*] 43)  Sites API
-[*] 44)  Vault API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
-Please enter 0-42[a|r] or s|u|e|c: 
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
 
@@ -625,6 +711,9 @@ file or define a new section in `gam.cfg` that references a different `oauth2ser
 gam create|add svcacct [[admin] <EmailAddress>] [<ProjectIDEntity>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
+        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+         (localkeysize 1024|2048|4096 [validityhours <Number>])|
+         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]
 ```
 * `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 
@@ -639,6 +728,8 @@ Use these options to select user-specified values..
 * `sadisplayname <ServiceAccountDisplayName>` - Service account display name
 * `sadescription <ServiceAccountDescription>` - Service account description
 
+You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`: [Manage Service Account keys](#manage-service-account-keys)
+
 After adding an additional service account, you can select specific access APIs for it.
 [Selective Service Account access](#selective-service-account-access)
 
@@ -695,6 +786,7 @@ There are several methods for generating private keys:
 * `localkeysize 1024` - Gam generates a 1024 bit key; this is not recommended
 * `localkeysize 2048` - Gam generates a 2048 bit key; this is the default
 * `localkeysize 4096` - Gam generates a 4096 bit key
+* `yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]` - [Using GAM7 with a YubiKey](Using-GAM7-with-a-YubiKey)
 
 When `localkeysize` is specified, the optional argument `validityhours <Number>` sets the length of time during which the key will be valid and should be used when the [GCP constraints/iam.serviceAccountKeyExpiryHours organization policy](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#limit_key_expiry) is in use. Note that in order to account for system clock skew, GAM sets the key to be valid two minutes earlier than the current system time and thus it will also expire two minutes earlier.
 
@@ -720,16 +812,12 @@ The two forms of the command are equivalent; the second form is used by Basic Ga
 ```
 gam create sakey
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 gam rotate sakey retain_existing
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 ```
 To distribute `oauth2service.json` files with unique private keys perform the following steps:
 ```
@@ -750,16 +838,12 @@ The two forms of the command are equivalent; the second form is used by Basic Ga
 ```
 gam update sakey
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
-gam rotate sakey replace_existing
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
+gam rotate sakey replace_current
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 ```
 ## Replace all existing Service Account keys
 Create a new Service Account private key; all existing private keys are revoked.
@@ -773,16 +857,12 @@ The two forms of the command are equivalent; the second form is used by Basic Ga
 ```
 gam replace sakeys
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 gam rotate sakeys retain_none
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 ```
 ## Delete Service Account keys
 You can delete Service Accounts keys thus revoking access for that key. Generally, you will
@@ -790,10 +870,24 @@ delete a service account key for a distributed copy of an `oauth2service.json` f
 that user's service account access.
 
 You can disable your current Service Account key if you specify the `doit` argument. This is your
-acknowledgement that you will have to manually create a new Service Account key in the Developer's Console.
+acknowledgement that you will have to manually create a new Service Account key in the Developer's Console
+or upload a new key with the `gam upload sakey` command.
 ```
 gam delete sakeys <ServiceAccountKeyList>+ [doit]
 ```
+## Upload a Service Account key to a service account with no keys
+There are two cases where you will use this command:
+* Your workspace is configured to disable service account private key uploads and you are creating a project.
+* All of your service account keys have been deleted, either manually or with the `gam delete sakeys` command.
+
+The `oauth2service.json` file is updated with the new private key. If you had previously distributed
+any `oauth2service.json` file to other users, you must redistribute the updated file with the new key.
+```
+gam upload sakey [admin <EmailAddress>]
+        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
+```
 ## Display Service Account keys
 There are system keys and user keys; user keys are what Gam uses; GCP uses system keys.
 
@@ -817,24 +911,38 @@ By default, the following scopes are verified:
 ```
 https://mail.google.com/
 https://sites.google.com/feeds
-https://www.google.com/m8/feeds
+https://www.googleapis.com/auth/analytics.readonly
 https://www.googleapis.com/auth/apps.alerts
 https://www.googleapis.com/auth/calendar
+https://www.googleapis.com/auth/chat.delete
+https://www.googleapis.com/auth/chat.memberships
+https://www.googleapis.com/auth/chat.messages
+https://www.googleapis.com/auth/chat.spaces
 https://www.googleapis.com/auth/classroom.announcements
 https://www.googleapis.com/auth/classroom.coursework.students
+https://www.googleapis.com/auth/classroom.courseworkmaterials
 https://www.googleapis.com/auth/classroom.profile.emails
+https://www.googleapis.com/auth/classroom.profile.photos
 https://www.googleapis.com/auth/classroom.rosters
 https://www.googleapis.com/auth/classroom.topics
 https://www.googleapis.com/auth/cloud-identity
 https://www.googleapis.com/auth/cloud-platform
-https://www.googleapis.com/auth/cloudprint
 https://www.googleapis.com/auth/contacts
+https://www.googleapis.com/auth/contacts.other.readonly
+https://www.googleapis.com/auth/datastudio
+https://www.googleapis.com/auth/directory.readonly
+https://www.googleapis.com/auth/documents
 https://www.googleapis.com/auth/drive
 https://www.googleapis.com/auth/drive.activity
+https://www.googleapis.com/auth/drive.admin.labels
+https://www.googleapis.com/auth/drive.labels
 https://www.googleapis.com/auth/gmail.modify
 https://www.googleapis.com/auth/gmail.settings.basic
 https://www.googleapis.com/auth/gmail.settings.sharing
+https://www.googleapis.com/auth/keep
 https://www.googleapis.com/auth/spreadsheets
+https://www.googleapis.com/auth/tasks
+https://www.googleapis.com/auth/userinfo.profile
 ```
 This scope is verified when `user_service_account_access_only = true` in `gam.cfg`.
 ```
@@ -862,12 +970,127 @@ gam <UserTypeEntity> update serviceaccount (scope|scopes <APIScopeURLList>)*
 * `<UserTypeEntity>` - Typically `user <EmailAddress>`, a non-Google Workspace administrator.
 * `scopes <APIScopeURLList>` - Verify/enable service account access for a set of specific scopes rather than selecting the scopes.
 
+```
+gam user user@domain.com update serviceaccount
+
+[*]  0)  AlertCenter API
+[*]  1)  Analytics API - read only
+[*]  2)  Analytics Admin API - read only
+[*]  3)  Calendar API (supports readonly)
+[*]  4)  Chat API - Memberships (supports readonly)
+[*]  5)  Chat API - Messages (supports readonly)
+[*]  6)  Chat API - Spaces (supports readonly)
+[*]  7)  Chat API - Spaces Delete
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Profile Emails
+[*] 13)  Classroom API - Profile Photos
+[*] 14)  Classroom API - Rosters (supports readonly)
+[*] 15)  Cloud Identity Devices API (supports readonly)
+[*] 16)  Cloud Resource Manager API v3
+[*] 17)  Docs API (supports readonly)
+[*] 18)  Drive API (supports readonly)
+[*] 19)  Drive API - todrive
+[*] 20)  Drive Activity API v2 - must pair with Drive API
+[*] 21)  Drive Labels API v2beta - Admin (supports readonly)
+[*] 22)  Drive Labels API v2beta - User (supports readonly)
+[*] 23)  Forms API
+[*] 24)  Gmail API - Basic Settings (Filters,IMAP, Language, POP, Vacation) - read/write, Sharing Settings (Delegates, Forwarding, SendAs) - read
+[*] 25)  Gmail API - Full Access (Labels, Messages)
+[*] 26)  Gmail API - Full Access (Labels, Messages) except delete message
+[ ] 27)  Gmail API - Full Access - read only
+[ ] 28)  Gmail API - Send Messages - including todrive
+[*] 29)  Gmail API - Sharing Settings (Delegates, Forwarding, SendAs) - write
+[*] 30)  Identity and Access Management API
+[*] 31)  Keep API (supports readonly)
+[*] 32)  Looker Studio API (supports readonly)
+[*] 33)  OAuth2 API
+[*] 34)  People API (supports readonly)
+[*] 35)  People API - Other Contacts - read only
+[*] 36)  People Directory API - read only
+[*] 37)  Sheets API (supports readonly)
+[*] 38)  Sheets API - todrive
+[*] 39)  Sites API
+[*] 40)  Tasks API (supports readonly)
+[ ] 41)  Youtube API - read only
+
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+
+Please enter 0-41[a|r] or s|u|e|c: c
+
+System time status
+  Your system time differs from admin.googleapis.com by less than 1 second  PASS
+Service Account Private Key Authentication
+  Authentication                                                            PASS
+Service Account Private Key age; Google recommends rotating keys on a routine basis
+  Service Account Private Key age: 364 days                                 WARN
+Domain-wide Delegation authentication:, User: user@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.profile.photos                  PASS (14/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (15/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (16/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (17/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (18/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (19/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (20/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (21/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (22/34)
+  https://www.googleapis.com/auth/documents                                 PASS (23/34)
+  https://www.googleapis.com/auth/drive                                     PASS (24/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (25/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (26/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (27/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (29/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (30/34)
+  https://www.googleapis.com/auth/keep                                      PASS (31/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (32/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (33/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (34/34)
+Some scopes Failed!
+To authorize them, please go to the following link in your browser:
+
+    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.google.com/,...
+
+You will be directed to the Google Workspace admin console Security > API Controls > Domain-wide Delegation page
+The "Add a new Client ID" box will open
+Make sure that "Overwrite existing client ID" is checked
+Click AUTHORIZE
+When the box closes you're done
+After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
+```
+
 ## Configure Limited access
 You can configure GAM to allow users limited access to your domain via GAM.
 You can limit both client and service account access.
 You can repeat these steps if you want to configure multiple limited users;
 substitute a unique value for `limited` in each of the steps.
 
+In the Admin console, define a new Admin role with the desired privileges,
+assign it to the limited user and indicate whether it is for all Org Units or a specific Org Unit.
+
 On your computer, perform these initial steps:
 
 Make a subdirectory `limited` under the directory specified in `gam.cfg config_dir`

docs/BNF-Syntax.md

@@ -1,7 +1,7 @@
 # Syntax
 
 ## BNF Syntax
-This Wiki describes the GAM command line syntax in modified BNF.
+This Wiki describes the GAM7 command line syntax in modified BNF.
 * https://en.wikipedia.org/wiki/Backus-Naur_Form
 
 Skip the History section and start reading at Introduction.

docs/Basic-Items.md

@@ -119,7 +119,7 @@
         #7a4706|#8a1c0a|#994a64|#ffffff
 <LanguageCode> ::=
         ach|af|ag|ak|am|ar|az|be|bem|bg|bn|br|bs|ca|chr|ckb|co|crs|cs|cy|da|de|
-        ee|el|en|en-gb|en-us|eo|es|es-419|et|eu|fa|fi|fil|fo|fr|fr-ca|fy|
+        ee|el|en|en-ca|en-gb|en-us|eo|es|es-419|et|eu|fa|fi|fil|fo|fr|fr-ca|fy|
         ga|gaa|gd|gl|gn|gu|ha|haw|he|hi|hr|ht|hu|hy|ia|id|ig|in|is|it|iw|ja|jw|
         ka|kg|kk|km|kn|ko|kri|ku|ky|la|lg|ln|lo|loz|lt|lua|lv|
         mfe|mg|mi|mk|ml|mn|mo|mr|ms|mt|my|ne|nl|nn|no|nso|ny|nyn|oc|om|or|
@@ -222,72 +222,6 @@
         shortcut
 <MimeTypeName> ::= application|audio|font|image|message|model|multipart|text|video
 <MimeType> ::= <MimeTypeShortcut>|(<MimeTypeName>/<String>)
-<ProductID> ::=
-        nv:<String> |
-        101001 |
-        101005 |
-        101031 |
-        101033 |
-        101034 |
-        101035 |
-        101036 |
-        101037 |
-        101039 |
-        101040 |
-        Google-Apps |
-        Google-Chrome-Device-Management |
-        Google-Drive-storage |
-        Google-Vault
-<SKUID> ::=
-        nv:<String>:<String> |
-        20gb | drive20gb | googledrivestorage20gb | Google-Drive-storage-20GB |
-        50gb | drive50gb | googledrivestorage50gb | Google-Drive-storage-50GB |
-        200gb | drive200gb | googledrivestorage200gb | Google-Drive-storage-200GB |
-        400gb | drive400gb | googledrivestorage400gb | Google-Drive-storage-400GB |
-        1tb | drive1tb | googledrivestorage1tb | Google-Drive-storage-1TB |
-        2tb | drive2tb | googledrivestorage2tb | Google-Drive-storage-2TB |
-        4tb | drive4tb | googledrivestorage4tb | Google-Drive-storage-4TB |
-        8tb | drive8tb | googledrivestorage8tb | Google-Drive-storage-8TB |
-        16tb | drive16tb | googledrivestorage16tb | Google-Drive-storage-16TB |
-        assuredcontrols | 1010390001 |
-        bce | beyondcorp | beyondcorpenterprise | 1010400001 |
-        cdm | chrome | googlechromedevicemanagement | Google-Chrome-Device-Management |
-        cloudidentity | identity | 1010010001 |
-        cloudidentitypremium | identitypremium | 1010050001 |
-        cloudsearch | 1010350001 |
-        gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
-        gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
-        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 |
-        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 |
-        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 |
-        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 |
-        gsuitegov | gafg | gsuitegovernment | Google-Apps-For-Government |
-        gsuitelite | gal | gsl | lite | Google-Apps-Lite |
-        gwep | workspaceeducationplus | 1010310008 |
-        gwepstaff | workspaceeducationplusstaff | 1010310009 |
-        gwepstudent | workspaceeducationplusstudent | 1010310010 |
-        gwes | workspaceeducationstandard | 1010310005 |
-        gwesstaff | workspaceeducationstandardstaff | 1010310006 |
-        gwesstudent | workspaceeducationstandardstudent | 1010310007 |
-        gwetlu | workspaceeducationupgrade | 1010370001 |
-        meetdialing | googlemeetglobaldialing | 1010360001 |
-        postini | gams | gsuitegams | gsuitepostini | gsuitemessagesecurity | Google-Apps-For-Postini |
-        standard | free | Google-Apps |
-        vault | googlevault | Google-Vault |
-        vfe | googlevaultformeremployee | Google-Vault-Former-Employee |
-        voicepremier | gvpremier | googlevoicepremier | 1010330002 |
-        voicestandard | gvstandard | googlevoicestandard | 1010330004 |
-        voicestarter | gvstarter | googlevoicestarter | 1010330003 |
-        wsbizplus | workspacebusinessplus | 1010020025 |
-        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 |
-        wsbizstan | workspacebusinessstandard | 1010020028 |
-        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 |
-        wsentess | workspaceenterpriseessentials | 1010060003 |
-        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 |
-        wsentstan | workspaceenterprisestandard | 1010020026 |
-        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 |
-        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 |
-        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030
 ```
 ## Items built from primitives
 ```
@@ -346,7 +280,7 @@
 <ChannelCustomerID> ::= <String>
 <ChatMember> ::= spaces/<String>/members/<String>
 <ChatMessage> ::= spaces/<String>/messages/<String>
-<ChatSpace> ::= spaces/<String> | <String>
+<ChatSpace> ::= spaces/<String> | space <String> | space spaces/<String>
 <ChatThread> ::= spaces/<String>/threads/<String>
 <ClassroomInvitationID> ::= <String>
 <ClientID> ::= <String>
@@ -421,6 +355,7 @@
 <DriveLabelFieldID> ::= <String>
 <DriveLabelSelectionID> ::= <String>
 <DriveLabelName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]
+<DriveLabelPermissionName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]/permissions/(audiences|groups|people)/<String>
 <EmailAddress> ::= <String>@<DomainName>
 <EmailItem> ::= <EmailAddress>|<UniqueID>|<String>
 <EmailReplacement> ::= <String>
@@ -456,6 +391,13 @@
 <Marker> ::= <String>
 <MatterItem> ::= <UniqueID>|<String>
 <MatterState> ::= open|closed|deleted
+<MeetConferenceName> ::= conferenceRecords/<String>
+<MeetSpaceName> ::= spaces/<String> | <String>
+<MessageContent> ::=
+        (message|textmessage|htmlmessage <String>)|
+        (file|textfile|htmlfile <FileName> [charset <Charset>])|
+        (gdoc|ghtml <UserGoogleDoc>)|
+        (gcsdoc|gcshtml <StorageBucketObjectName>)
 <MessageID> ::= <String>
 <Namespace> ::= <String>
 <NotesName> ::= notes/<String>
@@ -517,6 +459,7 @@
 <ResellerID> ::= <String>
 <ResourceID> ::= <String>
 <SchemaName> ::= <String>
+<SchemaNameField> ::= <SchemaName>.<FieldName>
 <Section> ::= <String>
 <SendAsContent> ::=
         (sig|signature|htmlsig <String>)|
@@ -529,7 +472,7 @@
 <ServiceAccountDisplayName> ::= <String>
         Maximum of 100 characters
 <ServiceAccountDescrition> ::= <String>
-       Maximumof 256 chcracters
+       Maximum of 256 chcracters
 <ServiceAccountEmail> ::= <ServiceAccountName>@<ProjectID>.iam.gserviceaccount.com
 <ServiceAccountUniqueID> ::= <Number>
 <ServiceAccountKey> ::= <String>
@@ -573,6 +516,7 @@
 <Title> ::= <String>
 <ToDriveAttribute> ::=
         (tdaddsheet [<Boolean>])|
+        (tdalert <EmailAddress>)*|
         (tdbackupsheet (id:<Number>)|<String>)|
         (tdcellnumberformat text|number)|
         (tdcellwrap clip|overflow|wrap)|
@@ -580,15 +524,20 @@
         (tdcopysheet (id:<Number>)|<String>)|
         (tddescription <String>)|
         (tdfileid <DriveFileID>)|
+        (tdfrom <EmailAddress>)|
         (tdlocalcopy [<Boolean>])|
         (tdlocale <Locale>)|
         (tdnobrowser [<Boolean>])|
         (tdnoemail [<Boolean>])|
+        (tdnoescapechar [<Boolean>])|
+        (tdnotify [<Boolean>])|
         (tdparent (id:<DriveFolderID>)|<DriveFolderName>)|
-        (tdshare <EmailAddress> commenter|reader|writer)|
+        (tdretaintitle [<Boolean>])|
+        (tdshare <EmailAddress> commenter|reader|writer)*|
         (tdsheet (id:<Number>)|<String>)|
         (tdsheettimestamp [<Boolean>] [tdsheettimeformat <String>])
         (tdsheettitle <String>)|
+        (tdsubject <String>)|
         ([tdsheetdaysoffset <Number>] [tdsheethoursoffset <Number>])|
         (tdtimestamp [<Boolean>] [tdtimeformat <String>]
             [tddaysoffset <Number>] [tdhoursoffset <Number>])|

docs/Bulk-Processing.md

@@ -8,6 +8,7 @@
 - [CSV files](#csv-files)
 - [CSV files with redirection and select](#csv-files-with-redirection-and-select)
 - [Automatic batch processing](#automatic-batch-processing)
+- [Process Google Sheet commands and save results](#process-google-sheet-commands-and-save-results)
 
 ## Introduction
 Batch and CSV file processing can improve performance by executing Gam commands in parallel.
@@ -41,6 +42,8 @@ Batch files can contain the following types of lines:
   * GAM waits for all running GAM commands to complete
   * GAM prints \<String\> and waits for the user to press any key
   * GAM continues
+* sleep \<Integer\> - Batch processing will suspend for \<Integer\> seconds before the next command line is processed
+  * To be effective, this should immediately follow commit-batch
 * print \<String\> - Print \<String\> on stderr
 * set \<KeywordString\> \<ValueString\>
   * Subsequent lines will have %\<KeywordString\>% replaced with \<ValueString\>
@@ -55,7 +58,7 @@ Tbatch files can also contain the following line:
 * You have a CSV file NewStudents.csv with columns: Email,First,Last,GradYear,Password
 * You have a batch file NewStudents.bat containing these commands:
 ```
-gam csv NewStudents.csv gam create user ~Email firstname ~First lastname ~Last org "/Students/~~GradYear~~" password ~Password
+gam csv NewStudents.csv gam create user "~Email" firstname "~First" lastname "~Last" org "/Students/~~GradYear~~" password "~Password"
 commit-batch
 gam update group seniors sync members ou /Students/2020
 gam update group juniors sync members ou /Students/2021
@@ -71,13 +74,13 @@ gam redirect stdout ./NewStudents.out redirect stderr ./NewStudents.err tbatch N
 gam csv <FileName>|-|(gsheet <UserGoogleSheet>)|(gdoc <UserGoogleDoc>) [charset <Charset>] [warnifnodata]
         [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>] [fields <FieldNameList>]
         (matchfield|skipfield <FieldName> <RegularExpression>)* [showcmds [<Boolean>]]
-        [maxrows <Integer>]
+        [skiprows <Integer>] [maxrows <Integer>]
         gam <GAMArgumentList>
 
 gam loop <FileName>|-|(gsheet <UserGoogleSheet>)|(gdoc <UserGoogleDoc>) [charset <Charset>] [warnifnodata]
         [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>] [fields <FieldNameList>]
         (matchfield|skipfield <FieldName> <RegularExpression>)* [showcmds [<Boolean>]]
-        [maxrows <Integer>]
+        [skiprows <Integer>] [maxrows <Integer>]
         gam <GAMArgumentList>
 ```
 * `gam csv` - Use parallel processing
@@ -92,7 +95,10 @@ gam loop <FileName>|-|(gsheet <UserGoogleSheet>)|(gdoc <UserGoogleDoc>) [charset
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings.
 * `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `showcmds` - Write `timestamp,command number/number of commands,command` to stderr when each command starts; write `timestamp, command number/numberof commands,complete` to stderr when command completes
-* `maxrows <Integer>` - Limit the number of filtered rows processed from the CSV file/Google Sheet.
+* `skiprows <Integer>` - Skip filtered rows from the CSV file/Google Sheet.
+  * `skiprows 0` - All rows are processed, this is the default
+  * `skiprows N` - The first N filtered rows are skipped
+* `maxrows <Integer>` - Limit the number of filtered rows processed from the CSV file/Google Sheet after any skipped rows.
   * `maxrows 0` - All rows are processed, this is the default
   * `maxrows N` - N filtered rows are processed
 
@@ -115,7 +121,7 @@ Put a space in front of the `~`: `targetfolder " ~/Documents/GamWork"` to avoid
 * You want a note field that shows their email address as name AT domain.com
 * You have a CSV file Users.csv with columns: primaryEmail,Street,City,State,ZIP
 ```
-gam csv Users.csv gam update user ~primaryEmail address type work unstructured "~~Street~~, ~~City~~, ~~State~~ ~~ZIP~~" primary note text_plain "~~primaryEmail~!~^(.+)@(.+)$~!~\1 AT \2~~"
+gam csv Users.csv gam update user "~primaryEmail" address type work unstructured "~~Street~~, ~~City~~, ~~State~~ ~~ZIP~~" primary note text_plain "~~primaryEmail~!~^(.+)@(.+)$~!~\1 AT \2~~"
 ```
 * You want to do the above using a Google Sheet
 ```
@@ -125,25 +131,44 @@ gam csv gsheet <user> <fileID> "<sheetName>" gam update user "~primaryEmail" add
 ## CSV files with redirection and select
 You should use the `multiprocess` option on any redirected files: `csv`, `stdout`, `stderr`.
 ```
-gam redirect csv ./filelistperms.csv multiprocess csv Users.csv gam user ~primaryEmail print filelist fields id,title,permissions,owners.emailaddress
+gam redirect csv ./filelistperms.csv multiprocess csv Users.csv gam user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
+gam redirect csv - multiprocess todrive csv Users.csv gam user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
 ```
 
 If you want to select a `gam.cfg` section for the command, you can select the section at the outer `gam` and save it
 or select the section at the inner `gam`.
 ```
-gam select <Section> save redirect csv ./filelistperms.csv multiprocess csv Users.csv gam user ~primaryEmail print filelist fields id,title,permissions,owners.emailaddress
-gam redirect csv ./filelistperms.csv multiprocess csv Users.csv gam select <Section> user ~primaryEmail print filelist fields id,title,permissions,owners.emailaddress
+gam select <Section> save redirect csv ./filelistperms.csv multiprocess csv Users.csv gam user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
+gam redirect csv ./filelistperms.csv multiprocess csv Users.csv gam select <Section> user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
+gam select <Section> save redirect csv - multiprocess todrive csv Users.csv gam user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
+gam redirect csv - multiprocess todrive csv Users.csv gam select <Section> user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
 ```
 
 ## Automatic batch processing
 You can enable automatic batch (parallel) processing when issuing commands of the form `gam <UserTypeEntity> ...`.
 In the following example, if the number of users in group sales@domain.com exceeds 1, then the `print filelist` command will be processed in parallel.
 ```
-gam config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess group sales@domain.com print filelist fields id,title,permissions,owners.emailaddress
+gam config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess group sales@domain.com print filelist fields id,name,mimetype,basicpermissions
+gam config auto_batch_min 1 redirect csv - multiprocess todrive group sales@domain.com print filelist fields id,name,mimetype,basicpermissions
 ```
 With automatic batch processing, you should use the `multiprocess` option on any redirected files: `csv`, `stdout`, `stderr`.
 
 If you want to select a `gam.cfg` section for the command, you must select and save it for it to be processed correctly.
 ```
-gam select <Section> save config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess group sales@domain.com print filelist fields id,title,permissions,owners.emailaddress
+gam select <Section> save config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess group sales@domain.com print filelist fields id,name,mimetype,basicpermissions
+```
+
+## Process Google Sheet commands and save results
+You want to process data from a Google Sheet tab and save the results to another tab in the same sheet.
+Make a Google sheet with two tabs: Commands, Results; get the File ID and the two tab IDs.
+Put your command data in the Commands tab.
+
+Run your command, write the results to Results.txt
+```
+gam redirect stdout ./Results.txt multiprocess redirect stderr stdout csv gsheet user@domain.com <FileID> id:<CommandsTabID> gam ... Command
+```
+
+Upload Results.txt to the Results tab of the sheet.
+```
+gam user user@domain.com update drivefile <FileID> localfile Results.txt retainname gsheet id:<ResultsTabID>
 ```

docs/CSV-Input-Filtering.md

@@ -3,6 +3,10 @@
 - [Definitions](#definitions)
 - [Quoting rules](#quoting-rules)
 - [Column row filtering](#column-row-filtering)
+  - [Field names](#field-names)
+  - [Inclusive filters](#inclusive-filters)
+  - [Exclusive filters](#exclusive-filters)
+  - [Matches](#matches)
 - [Column row limiting](#column-row-limiting)
 - [Saving filters in gam.cfg](#saving-filters-in-gamcfg)
 - [Validate filters](#validate-filters)
@@ -39,28 +43,30 @@ These filters can be used alone or in conjunction with the `matchfield|skipfield
 
 <FieldNameFilter> :: = <RegularExpression>
 <RowValueFilter> ::=
-        [(any|all):]count<Operator><Number>|
-        [(any|all):]countrange=<Number>/<Number>|
-        [(any|all):]countrange!=<Number>/<Number>|
-        [(any|all):]date<Operator><Date>|
-        [(any|all):]daterange=<Date>/<Date>|
-        [(any|all):]daterange!=<Date>/<Date>|
-        [(any|all):]length<Operator><Number>|
-        [(any|all):]lengthrange=<Number>/<Number>|
-        [(any|all):]lengthrange!=<Number>/<Number>|
-        [(any|all):]text<Operator><String>|
-        [(any|all):]textrange=<String>/<String>|
-        [(any|all):]textrange!=<String>/<String>|
-        [(any|all):]time<Operator><Time>|
-        [(any|all):]timerange=<Time>/<Time>|
-        [(any|all):]timerange!=<Time>/<Time>|
         [(any|all):]boolean:<Boolean>|
-        [(any|all):]regex:<RegularExpression>|
-        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]count<Operator><Number>|
+        [(any|all):]countrange!=<Number>/<Number>|
+        [(any|all):]countrange=<Number>/<Number>|
+        [(any|all):]data:<DataSelector>|
+        [(any|all):]date<Operator><Date>|
+        [(any|all):]daterange!=<Date>/<Date>|
+        [(any|all):]daterange=<Date>/<Date>|
+        [(any|all):]length<Operator><Number>|
+        [(any|all):]lengthrange!=<Number>/<Number>|
+        [(any|all):]lengthrange=<Number>/<Number>|
+        [(any|all):]notdata:<DataSelector>|
         [(any|all):]notregex:<RegularExpression>|
         [(any|all):]notregexcs:<RegularExpression>|
-        [(any|all):]data:<DataSelector>|
-        [(any|all):]notdata:<DataSelector>|
+        [(any|all):]regex:<RegularExpression>|
+        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]text<Operator><String>|
+        [(any|all):]textrange!=<String>/<String>|
+        [(any|all):]textrange=<String>/<String>|
+        [(any|all):]time<Operator><Time>|
+        [(any|all):]timeofdayrange!=<Hour>:<Minute>/<Hour>:<Minute>|
+        [(any|all):]timeofdayrange=<Hour>:<Minute>/<Hour>:<Minute>|
+        [(any|all):]timerange!=<Time>/<Time>|
+        [(any|all):]timerange=<Time>/<Time>|
 <RowValueFilterList> ::=
         "'<FieldNameFilter>:<RowValueFilter>'(,'<FieldNameFilter>:<RowValueFilter>')*"
 <RowValueFilterJSONList> ::=
@@ -77,11 +83,17 @@ Name:value form.
 * Each `<FieldNameFilter>:<RowValueFilter>` pair should be enclosed in `'`.
 * If `<FieldNameFilter>` contains a `:` or a space, it should be enclosed in `\"`.
 * If `<RegularExpression>` or `<DataSelector>` in `<RowValueFilter>` contain a space, it should be enclosed in `\"`.
+* If `<FieldNameFilter>` or `<RegularExpression>` in `<RowValueFilter>` contain a `\` to escape a special character
+or enter a special sequence, enter `\\\` on Linux and Mac OS, `\\` on Windows,
 
-Example:
+Examples:
 ```
 csv_input_row_filter "'\"accounts:used_quota_in_mb\":count>15000'"
 csv_input_row_filter "'email:data:\"csvfile gsheet:email user@domain.com FileID Sheet1\"'"
+Linux and Mac OS
+csv_input_row_filter "'phones.\\\d+.value:regex:(?:^\\\(510\\\) )|(?:^510[- ])\\\d{3}-\\\d{4}'"
+Windows
+csv_input_row_filter "'phones.\\d+.value:regex:(?:^\\(510\\) )|(?:^510[- ])\\d{3}-\\d{4}'"
 ```
 JSON form.
 ```
@@ -156,11 +168,13 @@ In the case of `notregex|notregexcs|notdata`, the filter matches if some (not al
 If neither `any` or `all` is explicitly specified, `any` is the default.
 
 These are the row value filter types:
+* `boolean:<Boolean>` - Used on fields with Boolean values; a blank field is considered False
 * `count<Operator><Number>` - Used on fields with numbers; a blank field will not match
 * `countrange=<Number>/<Number>` - Used on fields with numbers; a blank field will not match
   * The field value must be `>=` the left `<Number>` and `<=` the right `<Number>`
 * `countrange!=<Number>/<Number>` - Used on fields with numbers; a blank field will not match
   * The field value must be `<` the left `<Number>` or `>` the right `<Number>`
+* `data:<DataSelector>` - Used on fields with text; field value must match some value in `<DataSelector>`; case sensitive
 * `date<Operator><Date>` - Used on fields with dates or times; only the date portion of a time field is compared; a blank field will not match
 * `daterange=<Date>/<Date>` - Used on fields with dates or times; only the date portion of a time field is compared; a blank field will not match
   * The field value must be `>=` the left `<Date>` and `<=` the right `<Date>`
@@ -171,23 +185,25 @@ These are the row value filter types:
   * The field length must be `>=` the left `<Number>` and `<=` the right `<Number>`
 * `lengthrange!=<Number>/<Number>` - Used on fields with strings; non string fields will not match
   * The field length must be `<` the left `<Number>` or `>` the right `<Number>`
+* `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
+* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
+* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
+* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
+* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
 * `text<Operator><String>` - Used on fields with text
 * `textrange=<String>/<String>` - Used on fields with strings
   * The field value must be `>=` the left `<String>` and `<=` the right `<String>`
 * `textrange!=<String>/<String>` - Used on fields with strings
   * The field value must be `<` the left `<String>` or `>` the right `<String>`
 * `time<Operator><Time>` - Used on fields with times; a blank field will not match
+* `timeofdayrange=<Hour>:<Minute>/<Hour>:<Minute>` - Used on fields with times; a blank field will not match
+  * The field value must be `>=` the left `<Hour>:<Minute>` and `<=` the right `<Hour>:<Minute>`
+* `timeofdayrange!=<Hour>:<Minute>/<Hour>:<Minute>` - Used on fields with times; a blank field will not match
+  * The field value must be `<` the left `<Hour>:<Minute>` or `>` the right `<Hour>:<Minute>`
 * `timerange=<Time>/<Time>` - Used on fields with times; a blank field will not match
   * The field value must be `>=` the left `<Time>` and `<=` the right `<Time>`
 * `timerange!=<Time>/<Time>` - Used on fields with times; a blank field will not match
   * The field value must be `<` the left `<Time>` or `>` the right `<Time>`
-* `boolean:<Boolean>` - Used on fields with Boolean values; a blank field is considered False
-* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
-* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
-* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
-* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
-* `data:<DataSelector>` - Used on fields with text; field value must match some value in `<DataSelector>`; case sensitive
-* `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
 
 ### **Change in behavior.**
 In versions prior to `5.12.00`, `regex:<RegularExpression>` and `notregex:<RegularExpression>` were processed in a case sensitive manner;

docs/CSV-Output-Filtering.md

@@ -4,6 +4,10 @@
 - [Quoting rules](#quoting-rules)
 - [Column header filtering](#column-header-filtering)
 - [Column row filtering](#column-row-filtering)
+  - [Field names](#field-names)
+  - [Inclusive filters](#inclusive-filters)
+  - [Exclusive filters](#exclusive-filters)
+  - [Matches](#matches)
 - [Column row limiting](#column-row-limiting)
 - [Saving filters in gam.cfg](#saving-filters-in-gamcfg)
 
@@ -44,28 +48,30 @@ on all platforms.
 <FieldNameFilter> :: = <RegularExpression>
 <ColumnFieldNameFilterList> ::= "<FieldNameFilter>(,<FieldNameFilter>)*"
 <RowValueFilter> ::=
-        [(any|all):]count<Operator><Number>|
-        [(any|all):]countrange=<Number>/<Number>|
-        [(any|all):]countrange!=<Number>/<Number>|
-        [(any|all):]date<Operator><Date>|
-        [(any|all):]textrange=<String>/<String>|
-        [(any|all):]textrange!=<String>/<String>|
-        [(any|all):]daterange=<Date>/<Date>|
-        [(any|all):]daterange!=<Date>/<Date>|
-        [(any|all):]length<Operator><Number>|
-        [(any|all):]lengthrange=<Number>/<Number>|
-        [(any|all):]lengthrange!=<Number>/<Number>|
-        [(any|all):]text<Operator><String>|
-        [(any|all):]time<Operator><Time>|
-        [(any|all):]timerange=<Time>/<Time>|
-        [(any|all):]timerange!=<Time>/<Time>|
         [(any|all):]boolean:<Boolean>|
-        [(any|all):]regex:<RegularExpression>|
-        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]count<Operator><Number>|
+        [(any|all):]countrange!=<Number>/<Number>|
+        [(any|all):]countrange=<Number>/<Number>|
+        [(any|all):]data:<DataSelector>|
+        [(any|all):]date<Operator><Date>|
+        [(any|all):]daterange!=<Date>/<Date>|
+        [(any|all):]daterange=<Date>/<Date>|
+        [(any|all):]length<Operator><Number>|
+        [(any|all):]lengthrange!=<Number>/<Number>|
+        [(any|all):]lengthrange=<Number>/<Number>|
+        [(any|all):]notdata:<DataSelector>
         [(any|all):]notregex:<RegularExpression>|
         [(any|all):]notregexcs:<RegularExpression>|
-        [(any|all):]data:<DataSelector>|
-        [(any|all):]notdata:<DataSelector>
+        [(any|all):]regex:<RegularExpression>|
+        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]text<Operator><String>|
+        [(any|all):]textrange!=<String>/<String>|
+        [(any|all):]textrange=<String>/<String>|
+        [(any|all):]time<Operator><Time>|
+        [(any|all):]timeofdayrange!=<Hour>:<Minute>/<Hour>:<Minute>|
+        [(any|all):]timeofdayrange=<Hour>:<Minute>/<Hour>:<Minute>|
+        [(any|all):]timerange!=<Time>/<Time>|
+        [(any|all):]timerange=<Time>/<Time>|
 <RowValueFilterList> ::=
         "'<FieldNameFilter>:<RowValueFilter>'(,'<FieldNameFilter>:<RowValueFilter>')*"
 <RowValueFilterJSONList> ::=
@@ -83,13 +89,16 @@ Name:value form.
 * If `<FieldNameFilter>` contains a `:` or a space, it should be enclosed in `\"`.
 * If `<RegularExpression>` or `<DataSelector>` in `<RowValueFilter>` contain a space, it should be enclosed in `\"`.
 * If `<FieldNameFilter>` or `<RegularExpression>` in `<RowValueFilter>` contain a `\` to escape a special character
-or enter a special sequence, enter `\\\`.
+or enter a special sequence, enter `\\\` on Linux and Mac OS, `\\` on Windows,
 
-Example:
+Examples:
 ```
 csv_output_row_filter "'\"accounts:used_quota_in_mb\":count>15000'"
 csv_output_row_filter "'email:data:\"csvfile gsheet:email user@domain.com FileID Sheet1\"'"
+Linux and Mac OS
 csv_output_row_filter "'phones.\\\d+.value:regex:(?:^\\\(510\\\) )|(?:^510[- ])\\\d{3}-\\\d{4}'"
+Windows
+csv_output_row_filter "'phones.\\d+.value:regex:(?:^\\(510\\) )|(?:^510[- ])\\d{3}-\\d{4}'"
 ```
 JSON form.
 ```
@@ -113,7 +122,7 @@ where you get more columns than is desirable.
 * `csv_output_header_filter` - Used to select the column headers to include in the output
 * `csv_output_header_drop_filter` - Used to select the column headers to exclude from the output
 
-Typically, you would use the option that involes typing the fewest column names but both options can be used.
+Typically, you would use the option that involves typing the fewest column names but both options can be used.
 When both options are used, `csv_output_header_drop_filter` is processed first, then `csv_output_header_filter`.
 
 Field names are specified by regular expressions; at its simplest, you specify a complete field name.
@@ -214,11 +223,13 @@ In the case of `notregex|notregexcs|notdata`, the filter matches if some (not al
 If neither `any` or `all` is explicitly specified, `any` is the default.
 
 These are the row value filter types:
+* `boolean:<Boolean>` - Used on fields with Boolean values; a blank field is considered False
 * `count<Operator><Number>` - Used on fields with numbers; a blank field will not match
 * `countrange=<Number>/<Number>` - Used on fields with numbers; a blank field will not match
   * The field value must be `>=` the left `<Number>` and `<=` the right `<Number>`
 * `countrange!=<Number>/<Number>` - Used on fields with numbers; a blank field will not match
   * The field value must be `<` the left `<Number>` or `>` the right `<Number>`
+* `data:<DataSelector>` - Used on fields with text; field value must match some value in `<DataSelector>`; case sensitive
 * `date<Operator><Date>` - Used on fields with dates or times; only the date portion of a time field is compared; a blank field will not match
 * `daterange=<Date>/<Date>` - Used on fields with dates or times; only the date portion of a time field is compared; a blank field will not match
   * The field value must be `>=` the left `<Date>` and `<=` the right `<Date>`
@@ -229,23 +240,25 @@ These are the row value filter types:
   * The field length must be `>=` the left `<Number>` and `<=` the right `<Number>`
 * `lengthrange!=<Number>/<Number>` - Used on fields with strings; non string fields will not match
   * The field length must be `<` the left `<Number>` or `>` the right `<Number>`
+* `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
+* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
+* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
+* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
+* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
 * `text<Operator><String>` - Used on fields with text
 * `textrange=<String>/<String>` - Used on fields with strings
   * The field value must be `>=` the left `<String>` and `<=` the right `<String>`
 * `textrange!=<String>/<String>` - Used on fields with strings
   * The field value must be `<` the left `<String>` or `>` the right `<String>`
 * `time<Operator><Time>` - Used on fields with times; a blank field will not match
+* `timeofdayrange=<Hour>:<Minute>/<Hour>:<Minute>` - Used on fields with times; a blank field will not match
+  * The field value must be `>=` the left `<Hour>:<Minute>` and `<=` the right `<Hour>:<Minute>`
+* `timeofdayrange!=<Hour>:<Minute>/<Hour>:<Minute>` - Used on fields with times; a blank field will not match
+  * The field value must be `<` the left `<Hour>:<Minute>` or `>` the right `<Hour>:<Minute>`
 * `timerange=<Time>/<Time>` - Used on fields with times; a blank field will not match
   * The field value must be `>=` the left `<Time>` and `<=` the right `<Time>`
 * `timerange!=<Time>/<Time>` - Used on fields with times; a blank field will not match
   * The field value must be `<` the left `<Time>` or `>` the right `<Time>`
-* `boolean:<Boolean>` - Used on fields with Boolean values; a blank field is considered False
-* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
-* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
-* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
-* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
-* `data:<DataSelector>` - Used on fields with text; field value must match some value in `<DataSelector>`; case sensitive
-* `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
 
 ### **Change in behavior.**
 In versions prior to `5.12.00`, `regex:<RegularExpression>` and `notregex:<RegularExpression>` were processed in a case sensitive manner;

docs/Calendars-Events.md

@@ -176,8 +176,10 @@ Client access works when accessing Resource calendars.
 <AttendeeStatus> ::= accepted|declined|needsaction|tentative
 
 <EventType> ::=
+        birthday|
         default|
         focustime|
+        fromgmail|
         outofoffice|
         workinglocation
 <EventTypeList> ::= "<EventType>(,<EventType>)*"
@@ -196,6 +198,9 @@ Client access works when accessing Resource calendars.
 
 <EventMatchProperty> ::=
         (matchfield attendees <EmailAddressEntity>)|
+        (matchfield attendeesonlydomainlist <DomainNameList>)|
+        (matchfield attendeesdomainlist <DomainNameList>)|
+        (matchfield attendeesnotdomainlist <DomainNameList>)|
         (matchfield attendeespattern <RegularExpression>)|
         (matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>)|
         (matchfield creatoremail <RegularExpression>)|
@@ -216,7 +221,6 @@ Client access works when accessing Resource calendars.
         (event|events <EventIdList> |
         <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVSubkeySelector> | <CSVDataSelector>)
         See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
-
 <EventSelectEntity> ::=
         (<EventSelectProperty>+ <EventMatchProperty>*)
 
@@ -229,6 +233,7 @@ Client access works when accessing Resource calendars.
         lavender|peacock|sage|tangerine|tomato
 <PropertyKey> ::= <String>
 <PropertyValue> ::= <String>
+<TimeZone> ::= <String>
 
 <EventAttribute> ::=
         (allday <Date>)|
@@ -237,6 +242,7 @@ Client access works when accessing Resource calendars.
         (attendee <EmailAddress>)|
         (attendeestatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddress>)|
         available|
+        (birthday <Date>)|
         (color <EventColorName>)|
         (colorindex|colorid <EventColorIndex>)|
         (description <String>)|
@@ -257,7 +263,7 @@ Client access works when accessing Resource calendars.
         (privateproperty <PropertyKey> <PropertyValue>)|
         (range <Date> <Date>)|
         (recurrence <RRULE, EXRULE, RDATE and EXDATE line>)|
-        (reminder <Number> email|popup))|
+        (reminder <Number> email|popup)|
         (selectattendees [<AttendeeAttendance>] [<AttendeeStatus>] <UserTypeEntity>)|
         (sequence <Integer>)|
         (sharedproperty <PropertyKey> <PropertyValue>)|
@@ -343,7 +349,7 @@ If none of the following options are selected, all events are selected.
 * `<EventSelectProperty>* <EventMatchProperty>*` - Properties used to select events
 
 The Google Calendar API processes `<EventSelectProperty>*`; you may specify none or multiple properties.
-* `after|starttime|timemin <Time>` - Lower bound (inclusive) for an event's end time to filter by. If timeMax is set, timeMin must be smaller than timeMax.
+* `after|starttime|timemin <Time>` - Lower bound (exclusive) for an event's end time to filter by. If timeMax is set, timeMin must be smaller than timeMax.
 * `before|endtime|timemax <Time>` - Upper bound (exclusive) for an event's start time to filter by. If timeMin is set, timeMax must be greater than timeMin.
 * `eventtypes <EventTypeList>` - Select events based on their type.
 * `query <QueryCalendar>` - Free text search terms to find events that match these terms in any field, except for extended properties
@@ -356,7 +362,15 @@ The Google Calendar API processes `<EventSelectProperty>*`; you may specify none
 
 GAM processes `<EventMatchProperty>*`; you may specify none or multiple properties.
 * `matchfield attendees <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
-* `matchfield attendeespattern <RegularExpression>` - Some attendee must match `<RegularExpression>`
+* `matchfield attendeesonlydomainlist <DomainNameList>` - All attendee's email addresses must be in a domain in `<DomainNameList>`
+  * For example, this lets you look for events with all attendees in your internal domains. You should include `resource.calendar.google.com`
+    in `<DomainNameList>` if the events use resources.
+* `matchfield attendeesdomainlist <DomainNameList>` - Some attendee's email address must be in a domain in `<DomainNameList>`
+  * For example, this lets you look for events with attendees in specific external domains
+* `matchfield attendeesnotdomainlist <DomainNameList>` - Some attendee's email address must be in a domain not in `<DomainNameList>`
+  * For example, this lets you look for events with attendees not in your internal domains. You should include `resource.calendar.google.com`
+    in `<DomainNameList>` if the events use resources.
+* `matchfield attendeespattern <RegularExpression>` - Some attendee's email address must match `<RegularExpression>`
 * `matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
 and must have the specified values.
     * `<AttendeeAttendance>` - Default is `required`

docs/Chat-Bot.md

@@ -47,6 +47,64 @@ This Wiki page was built directly from Jay Lee's Wiki page; my sincere thanks fo
 <ChatMessageID> ::= client-<String>
         <String> must contain only lowercase letters, numbers, and hyphens up to 56 characters in length.
 ```
+```
+<ChatSpaceFieldName> ::=
+        accesssettings|
+        admininstalled|
+        createtime|
+        displayname|
+        externaluserallowed|
+        importmode|
+        lastactivetime|
+        membershipcount|
+        name|
+        singleuserbotdm|
+        spacedetails|
+        spacehistorystate|
+        spacethreadingstate|threaded|
+        spacetype|type|
+        spaceuri
+<ChatSpaceFieldNameList> ::= "<ChatSpaceFieldName>(,<ChatSpaceFieldName>)*"
+
+<ChatMemberFieldName> ::=
+        createtime|
+        deletetime|
+        groupmember|
+        member|
+        name|
+        role|
+        state|
+<ChatMemberFieldNameList> ::= "<ChatMemberFieldName>(,<ChatMemberFieldName>)*"
+
+<ChatMessageFieldName> ::=
+        accessorywidgets|
+        actionresponse|
+        annotations|
+        argumenttext|
+        attachedgifs|
+        attachment|
+        cards|
+        cardsv2|
+        clientassignedmessageid|
+        createtime|
+        deletetime|
+        deletionmetadata|
+        emojireactionsummaries|
+        fallbacktext|
+        formattedtext|
+        lastupdatetime|
+        matchedurl|
+        name|
+        privatemessageviewer|
+        quotedmessagemetadata|
+        sender|
+        slashcommand|
+        space|
+        text|
+        thread|
+        threadreply
+<ChatMessageFieldNameList> ::= "<ChatMessageFieldName>(,<ChatMessageFieldName>)*"
+```
 
 ## Set up a Chat Bot
 Since GAM 6.04.00, GAM is capable of acting as a Chat Bot and sending messages to Chat Rooms or direct messages to users. You first need to configure your Chat Bot.
@@ -69,6 +127,7 @@ At first you'll have no spaces listed. Try [finding your bot and chatting it](ht
 ### Display information about a specific chat space
 ```
 gam info chatspace space <ChatSpace>
+        [fields <ChatSpaceFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -77,6 +136,7 @@ By default, Gam displays the information as an indented list of keys and values.
 ### Display information about all chat spaces
 ```
 gam show chatspaces
+        [fields <ChatSpaceFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -84,11 +144,12 @@ By default, Gam displays the information as an indented list of keys and values.
 
 ```
 gam print chatspaces [todrive <ToDriveAttribute>*]
+        [fields <ChatSpaceFieldNameList>]
         [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
-
+`
 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
 the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
 When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
@@ -101,6 +162,7 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ### Display information about a specific chat member
 ```
 gam info chatmember member <ChatMember>
+        [fields <ChatMemberFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -110,6 +172,7 @@ By default, Gam displays the information as an indented list of keys and values.
 ```
 gam show chatmembers space <ChatSpace>
         [showinvited [<Boolean>]] [showgroups [<Boolean>]] [filter <String>]
+        [fields <ChatMemberFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -118,6 +181,7 @@ By default, Gam displays the information as an indented list of keys and values.
 ```
 gam print chatmembers [todrive <ToDriveAttribute>*] space <ChatSpace>
         [showinvited [<Boolean>]] [showgroups [<Boolean>]] [filter <String>]
+        [fields <ChatMemberFieldNameList>]
         [formatjson [quotechar <Character>]]
 ```
 
@@ -238,6 +302,7 @@ Display the given Chat message.
 
 ```
 gam info chatmessage name <ChatMessage>
+        [fields <ChatMessageFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.

docs/Chrome-Browser-Cloud-Management.md

@@ -130,7 +130,7 @@ If you have a CSV file, UpdateBrowsers.csv with two columns: deviceId,notes
 this command will add a new line of notes to the front of the existing notes:
 
 ```
-gam csv UpdateBrowsers.csv gam update browser ~deviceId updatenotes "~~notes~~\n#notes#"
+gam csv UpdateBrowsers.csv gam update browser "~deviceId" updatenotes "~~notes~~\n#notes#"
 ```
 
 ## Move Chrome browsers from one OU to another
@@ -193,7 +193,8 @@ Select the fields to be displayed:
 * `annotated` - Display these fields: deviceId,annotatedAssetId,annotatedLocation,annotatedNotes,annotatedUser
 * `basic` - Display all fields except: browsers, lastDeviceUsers, lastStatusReportTime, machinePloicies; this is the default
 * `allfields/full` - Display all fields
-* `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Displaya selected list of fields
+* `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Display a selected list of fields
+  * Note that `ou, org and orgunit` are both command line options and field names; use `fields` to include them in the selected list of fields
 
 By default, Gam displays the information as an indented list of keys and values:
 - `formatjson` - Display the fields in JSON format.
@@ -232,7 +233,8 @@ Select the fields to be displayed:
 * `annotated` - Display these fields: deviceId,annotatedAssetId,annotatedLocation,annotatedNotes,annotatedUser
 * `basic` - Display all fields except: browsers, lastDeviceUsers, lastStatusReportTime, machinePloicies; this is the default
 * `allfields/full` - Display all fields
-* `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Displaya selected list of fields
+* `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Display a selected list of fields
+  * Note that `ou, org and orgunit` are both command line options and field names; use `fields` to include them in the selected list of fields
 
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
 * `formatjson` - Display the fields in JSON format.

docs/Chrome-Installed-Apps.md

@@ -1,12 +1,11 @@
 # Chrome Installed Apps Counts
 
-- [Chrome Policies](#chrome-policies)
-  - [API documentation](#api-documentation)
-  - [Definitions](#definitions)
-  - [Quoting rules](#quoting-rules)
-  - [Display Chrome installed app details](#display-chrome-installed-app-details)
-  - [Display Chrome installed apps counts](#display-chrome-installed-apps-counts)
-  - [Display Chrome devices with a specific installed application](#display-chrome-devices-with-a-specific-installed-application)
+- [API documentation](#api-documentation)
+- [Definitions](#definitions)
+- [Quoting rules](#quoting-rules)
+- [Display Chrome installed app details](#display-chrome-installed-app-details)
+- [Display Chrome installed apps counts](#display-chrome-installed-apps-counts)
+- [Display Chrome devices with a specific installed application](#display-chrome-devices-with-a-specific-installed-application)
 
 ## API documentation
 

docs/ChromeOS-Devices.md

@@ -71,7 +71,7 @@ gam <Command> cros <CrOSEntity> ...
 ```
 The first form allows more powerful selection of devices with `<CrOSTypeEntity>`.
 
-The second form is backwards compatible with Standard GAM and selection with `<CrOSEntity>` is limited.
+The second form is backwards compatible with Legacy GAM and selection with `<CrOSEntity>` is limited.
 
 ## Definitions
 * [`<CrOSTypeEntity>`](Collections-of-ChromeOS-Devices)
@@ -105,7 +105,10 @@ The second form is backwards compatible with Standard GAM and selection with `<C
         annotatedlocation|location|
         annotateduser|user|
         autoupdateexpiration|
+        autoupdatethrough|
+        backlightinfo|
         bootmode|
+        cpuinfo|
         cpustatusreports|
         deprovisionreason|
         devicefiles|
@@ -115,6 +118,9 @@ The second form is backwards compatible with Standard GAM and selection with `<C
         dockmacaddress|
         ethernetmacaddress|
         ethernetmacaddress0|
+        extendedsupporteligible|
+        extendedsupportstart|
+        extendedsupportenabled|
         firmwareversion|
         firstenrollmenttime|
         lastdeprovisiontimestamp|
@@ -247,6 +253,9 @@ Enter `id:` as the operator. For example, if you are searching for the serial nu
 
 Partial serial number searches are supported, as long as you enter at least three characters in the serial number.
 
+All serial number searches are partial, be careful that you don't enter a partial serial number by mistake
+when actioning/modifying devices as you will affect multiple devices rather than the single desired device.
+
 ### Status
 To view all provisioned or deprovisioned devices, select the status from the left drop-down, and all of the devices that fit this criterion will appear in the view. Alternatively, you can do the following searches from the All devices view:
 
@@ -358,7 +367,7 @@ If you have a CSV file, UpdateCrOS.csv with two columns: deviceId,notes
 this command will add a new line of notes to the front of the existing notes:
 
 ```
-gam csv UpdateCrOS.csv gam update cros ~deviceId updatenotes "~~notes~~\n#notes#"
+gam csv UpdateCrOS.csv gam update cros "~deviceId" updatenotes "~~notes~~\n#notes#"
 ```
 
 ## Add ChromeOS devices to an organizational unit
@@ -385,7 +394,7 @@ given if invalid CrOS deviceIds are specified.
 ### Example: Add ChromeOS devices to a single OU
 Suppose you have a CSV file cros.csv with a single column: deviceId
 ```
-gam update ou /Students/2022 add cros_csvfile cros.csv:deviceId quickcrosmove
+gam update ou /Students/2022 add croscsvfile cros.csv:deviceId quickcrosmove
 ```
 
 ### Example: Add ChromeOS devices to multiple OUs
@@ -459,7 +468,7 @@ gam getcommand cros <CrOSEntity> commandid <CommandID> [times_to_check_status <I
 ### Action Examples
 Remove user profile data from the device; the device will remain enrolled and connected.
 User data not synced to the Cloud including Downloads, Android app data and Crostini Linux VMs will be permanently lost.
-Commands with issuecommand directly after gam will work with standard GAM & GAMADV-XTD3, whereas commands where the issuecommand is after the cros <CrOSTypeEntity> will work only with GAMADV-XTD3. 
+Commands with issuecommand directly after gam will work with Legacy GAM & GAM7, whereas commands where the issuecommand is after the cros <CrOSTypeEntity> will work only with GAM7. 
 ```
 gam issuecommand cros dd1d659a-0ea4-4e94-905e-4726c7a5f1e9 command wipe_users doit
 ```
@@ -551,6 +560,7 @@ gam print cros [todrive <ToDriveAttribute>*]
         [start <Date>] [end <Date>] [listlimit <Number>]
         [reverselists <CrOSListFieldNameList>]
         [timerangeorder ascending|descending] [showdvrsfp]
+        (addcsvdata <FieldName> <String>)*
         [sortheaders]
         [formatjson [quotechar <Character>]]
 ```
@@ -593,6 +603,9 @@ otherwise, the remaining field names will appear in the order specified.
 - `timerangeorder descending` - Change the `activetimeranges` order from ascending (oldest to newest) to descending (newest to oldest); this makes it easy to get the `N` most recent values with `timeranges listlimit N timerangeorder descending`.
 - `showdvrsfp` - Display a field `diskVolumeReports.volumeInfo.storageFreePercentage` which is calculated as: `(diskVolumeReports.volumeInfo.storageFree/diskVolumeReports.volumeInfo.storageTotal)*100`
 
+Add additional columns of data from the command line to the output
+* `addcsvdata <FieldName> <String>`
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
 
 - `formatjson` - Display the fields in JSON format.
@@ -615,6 +628,7 @@ gam <CrOSTypeEntity> print cros [todrive <ToDriveAttribute>*]
         [start <Date>] [end <Date>] [listlimit <Number>]
         [reverselists <CrOSListFieldNameList>]
         [timerangeorder ascending|descending] [showdvrsfp]
+        (addcsvdata <FieldName> <String>)*
         [sortheaders]
         [formatjson [quotechar <Character>]]
 
@@ -643,6 +657,9 @@ otherwise, the remaining field names will appear in the order specified.
 - `timerangeorder descending` - Change the `activetimeranges` order from ascending (oldest to newest) to descending (newest to oldest); this makes it easy to get the `N` most recent values with `timeranges listlimit N timerangeorder descending`.
 - `showdvrsfp` - Display a field `diskVolumeReports.volumeInfo.storageFreePercentage` which is calculated as: `(diskVolumeReports.volumeInfo.storageFree/diskVolumeReports.volumeInfo.storageTotal)*100`
 
+Add additional columns of data from the command line to the output
+* `addcsvdata <FieldName> <String>`
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
 
 - `formatjson` - Display the fields in JSON format.
@@ -695,6 +712,23 @@ gam print cros
           (cros_ous <OrgUnitList>)|(cros_ous_and_children <OrgUnitList>)]]
         showitemcountonly
 ```
+Example
+```
+$ gam print cros query "sync:..2020-01-01" showitemcountonly
+Getting all CrOS Devices that match query (sync:..2020-01-01) for /, may take some time on a large Organizational Unit...
+Got 77 CrOS Devices that matched query (sync:..2020-01-01) for /...
+Got 77 CrOS Devices that matched query (sync:..2020-01-01)
+77
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print cros query "sync:..2020-01-01" showitemcountonly)
+Windows PowerShell
+count = & gam print cros query "sync:..2020-01-01" showitemcountonly
+```
 
 ## Print ChromeOS device activity
 
@@ -825,7 +859,7 @@ gam redirect stdout ./CrOSDeviceFiles.out redirect stderr stdout csvkmd cros ./C
 Download the device files in parallel.
 
 ```
-gam redirect stdout ./CrOSDeviceFiles.out multiprocess redirect stderr stdout csv ./CrOSDeviceFiles.csv matchfield deviceFiles.type LOG_FILE gam cros ~deviceId get devicefile select ~deviceFiles.createTime
+gam redirect stdout ./CrOSDeviceFiles.out multiprocess redirect stderr stdout csv ./CrOSDeviceFiles.csv matchfield deviceFiles.type LOG_FILE gam cros "~deviceId" get devicefile select "~deviceFiles".createTime
 ```
 
 Suppose you want only the last device file for each Chromebook.

docs/Classroom-Courses.md

@@ -134,6 +134,7 @@ gam user user@domain.com check|update serviceaccount
         creationtime|
         creator|creatoruserid|
         id|
+        individualstudentsoptions|
         materials|
         scheduledtime|
         state|
@@ -154,6 +155,7 @@ gam user user@domain.com check|update serviceaccount
         creator|creatoruserid|
         description|
         id|
+        individualstudentsoptions|
         materials|
         scheduledtime|
         state|
@@ -179,6 +181,7 @@ gam user user@domain.com check|update serviceaccount
         duedate|
         duetime|
         id|
+        individualstudentsoptions|
         materials|
         maxpoints|
         scheduledtime|
@@ -187,6 +190,7 @@ gam user user@domain.com check|update serviceaccount
         title|
         topicid|
         updatetime|
+        workid|
         worktype
 <CourseWorkFieldNameList> ::= "<CourseWorkFieldName>(,<CourseWorkFieldName>)*"
 
@@ -270,10 +274,14 @@ The options `name <String>` and `teacher <UserItem>` are required when creating
 gam create|add course [id|alias <CourseAlias>] <CourseAttribute>*
         [copyfrom <CourseID>
             [announcementstates <CourseAnnouncementStateList>]
+                [individualstudentannouncements copy|delete|maptoall]
             [materialstates <CourseMaterialStateList>]
+                [individualstudentmaterials copy|delete|maptoall]
             [workstates <CourseWorkStateList>]
+                [individualstudentcoursework copy|delete|maptoall]
                 [removeduedate [<Boolean>]]
                 [mapsharemodestudentcopy edit|none|view]
+            [individualstudentassignments copy|delete|maptoall]
             [copymaterialsfiles [<Boolean>]]
             [copytopics [<Boolean>]]
             [markdraftaspublished [<Boolean>]]
@@ -284,10 +292,14 @@ gam create|add course [id|alias <CourseAlias>] <CourseAttribute>*
 gam update course <CourseID> <CourseAttribute>+
         [copyfrom <CourseID>
             [announcementstates <CourseAnnouncementStateList>]
+                [individualstudentannouncements copy|delete|maptoall]
             [materialstates <CourseMaterialStateList>]
+                [individualstudentmaterials copy|delete|maptoall]
             [workstates <CourseWorkStateList>]
+                [individualstudentcoursework copy|delete|maptoall]
                 [removeduedate [<Boolean>]]
                 [mapsharemodestudentcopy edit|none|view]
+            [individualstudentassignments copy|delete|maptoall]
             [copymaterialsfiles [<Boolean>]]
             [copytopics [<Boolean>]]
             [markdraftaspublished [<Boolean>]]
@@ -297,10 +309,14 @@ gam update course <CourseID> <CourseAttribute>+
 gam update courses <CourseEntity> <CourseAttribute>+
         [copyfrom <CourseID>
             [announcementstates <CourseAnnouncementStateList>]
+                [individualstudentannouncements copy|delete|maptoall]
             [materialstates <CourseMaterialStateList>]
+                [individualstudentmaterials copy|delete|maptoall]
             [workstates <CourseWorkStateList>]
+                [individualstudentcoursework copy|delete|maptoall]
                 [removeduedate [<Boolean>]]
                 [mapsharemodestudentcopy edit|none|view]
+            [individualstudentassignments copy|delete|maptoall]
             [copymaterialsfiles [<Boolean>]]
             [copytopics [<Boolean>]]
             [markdraftaspublished [<Boolean>]]
@@ -311,12 +327,25 @@ gam update courses <CourseEntity> <CourseAttribute>+
 `copyfrom <CourseID>` allows copying of course announcements, work, topics and members from one course to another.
 * Accouncements - By default, no course announcements are copied
     * `announcementstates <CourseAnnouncementStateList>` - Copy class announcements with the specified states
+        * `individualstudentannouncements copy` - Copy individual student announcements; this is the default. You will get an error if a student is not a member of the course
+        * `individualstudentannouncements delete` - Delete individual student announcements
+        * `individualstudentannouncements maptoall` - Map individual student announcements to all student announcements
 * Materials - By default, no course materials are copied
     * `materialstates <CourseMaterialsStateList>` - Copy class materials with the specified states
+        * `individualstudentmaterials copy` - Copy individual student materials; this is the default. You will get an error if a student is not a member of the course
+        * `individualstudentmaterials delete` - Delete individual student materials
+        * `individualstudentmaterials maptoall` - Map individual student materials to all student materials
 * Work - By default, no course work is copied
     * `workstates <CourseWorkStateList>` - Copy class work with the specified states
+        * `individualstudentcoursework copy` - Copy individual student coursework; this is the default. You will get an error if the student is not a member of the course
+        * `individualstudentcoursework delete` - Delete individual student coursework
+        * `individualstudentcoursework maptoall` - Map individual student coursework to all student coursework
         * `removeduedate false` - Remove due dates before the current time; this is the default
         * `removeduedate|removeduedate true` - Remove all due dates
+* For convenience, setting `individualstudentassignments` sets all the following to the same value:
+    * `individualstudentannouncements`
+    * `individualstudentmaterials`
+    * `individualstudentcoursework`
 * Announcements, Materials and Work Materials files
     * `copymaterialsfiles false` - Copy links to files referenced by materials in the `copyfrom` course; this is the default
     * `copymaterialsfiles|copymaterialsfiles true` - Copy files referenced by materials in the `copyfrom` course
@@ -348,7 +377,7 @@ Drive files with `shareMode` `Each student will get a copy` don't seem to be abl
 
 ## Delete courses
 Classes can only be deleted when they are in the ARCHIVED state; to delete a class, you can update its state to ARCHIVED
-and then delete it or you can specify that it be archived as part of the delete command.
+and then delete it or you can specify that it be archived as parot of the delete command.
 ```
 gam delete course <CourseID> [archived]
 gam delete courses <CourseEntity> [archived]
@@ -441,6 +470,24 @@ gam print courses
         [owneremailmatchpattern <RegularExpression>]
         showitemcountonly
 ```
+Example
+```
+$ gam print courses states active showitemcountonly
+Getting all Courses that match query (Course State: ACTIVE), may take some time on a large Google Workspace Account...
+Got 268 Courses...
+Got 272 Courses...
+Got 272 Courses...
+272
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print courses states active showitemcountonly)
+Windows PowerShell
+count = & gam print courses states active showitemcountonly
+```
 
 ## Display course announcements
 ```
@@ -448,8 +495,9 @@ gam print course-announcements [todrive <ToDriveAttribute>*]
         (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
         (courseannouncementids <CourseAnnouncementIDEntity>)|(announcementstates <CourseAnnouncementStateList>)*
         (orderby <CourseAnnouncementOrderByFieldName> [ascending|descending])*)
-        [creatoremail] [fields <CourseAnnouncementFieldNameList>] [formatjson [quotechar <Character>]]
+        [creatoremail] [fields <CourseAnnouncementFieldNameList>]
         [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-announcements` command displays course announcement information for all courses.
 
@@ -478,6 +526,8 @@ By default, all course announcement fields are displayed; use the following opti
 * `creatoremail` - Display course announcement creator email; requires an additional API call per course announcement.
 * `fields <CourseAnnouncementFieldNameList>` - Select specific fields to display.
 
+Use the `countsonly` option to display the number of announcements in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -493,8 +543,9 @@ gam print course-materials [todrive <ToDriveAttribute>*]
         (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
         (materialids <CourseMaterialIDEntity>)|(materialstates <CourseMaterialStateList>)*
         (orderby <CourseMaterialOrderByFieldName> [ascending|descending])*)
-        [showcreatoremails|creatoremail] [showtopicnames] [fields <CourseMaterialFieldNameList>] [formatjson [quotechar <Character>]]
+        [showcreatoremails|creatoremail] [showtopicnames] [fields <CourseMaterialFieldNameList>]
         [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-materials` command displays course materials information for all courses.
 
@@ -524,6 +575,8 @@ By default, all course materials fields are displayed; use the following options
 * `showtopicnames` - Display topic names; requires and additional API call per course.
 * `fields <CourseMaterialsFieldNameList>` - Select specific fields to display.
 
+Use the `countsonly` option to display the number of course materials in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -538,8 +591,8 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 gam print course-topics [todrive <ToDriveAttribute>*]
         (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
         (coursetopicids <CourseTopicIDEntity>)
-        [formatjson [quotechar <Character>]]
         [timefilter updatetime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-topics` command displays course topic information for all courses.
 
@@ -564,6 +617,8 @@ To get information about course topics updated within a particular time frame, u
 * `end|endtime <Date>|<Time>` - specify the end of the time frame; if not specified, the time frame will be open ended at the end
 For the filter to apply, `timefilter` and at least one of `start|starttime` and `end|endtime` must be specified.
 
+Use the `countsonly` option to display the number of topics in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -579,8 +634,10 @@ gam print course-work [todrive <ToDriveAttribute>*]
         (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
         (workids <CourseWorkIDEntity>)|(workstates <CourseWorkStateList>)*
         (orderby <CourseWorkOrderByFieldName> [ascending|descending])*)
-        [showcreatoremails] [showtopicnames] [fields <CourseWorkFieldNameList>] [formatjson [quotechar <Character>]]
+        [showcreatoremails] [showtopicnames] [fields <CourseWorkFieldNameList>]
+        [showstudentsaslist [<Boolean>]] [delimiter <Character>]
         [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-work` command displays course work information for all courses.
 
@@ -601,7 +658,7 @@ To get information about course work created/updated/scheduled within a particul
 * `end|endtime <Date>|<Time>` - specify the end of the time frame; if not specified, the time frame will be open ended at the end
 For the filter to apply, `timefilter` and at least one of `start|starttime` and `end|endtime` must be specified.
 
-By default, all pub`lished course work for a course is displayed; use the following options to select specific course work.
+By default, all published course work for a course is displayed; use the following options to select specific course work.
 * `workids <CourseWorkIDEntity>` - Display course work with the IDs specified in `<CourseWorkIDEntity>`.
 * `workstates <CourseWorkStateList>` - Display course work with any of the specified states.
 
@@ -610,6 +667,11 @@ By default, all course work fields are displayed; use the following options to m
 * `showtopicnames` - Display topic names; requires and additional API call per course.
 * `fields <CourseWorkFieldNameList>` - Select specific fields to display.
 
+By default, when course work is assigned to individual students, the student IDs are displayed in multiple indexed columns.
+Use options `showstudentsaslist [<Boolean>]` and `delimiter <Character>` to display the student IDs is a single column as a delimited list.
+
+Use the `countsonly` option to display the number of course works in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -626,8 +688,9 @@ gam print course-submissions [todrive <ToDriveAttribute>*]
         (workids <CourseWorkIDEntity>)|(workstates <CourseWorkStateList>)*
         (orderby <CourseWorkOrderByFieldName> [ascending|descending])*)
         (submissionids <CourseSubmissionIDEntity>)|(submissionstates <CourseSubmissionStateList>)*) [late|notlate]
-        [fields <CourseSubmissionFieldNameList>] [showuserprofile] [formatjson [quotechar <Character>]]
+        [fields <CourseSubmissionFieldNameList>] [showuserprofile]
         [timefilter creationtime|updatetime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-submissions` command displays course submission information for all course work for all courses.
 
@@ -652,7 +715,7 @@ By default, all course submissions for a course work is displayed; use the follo
 * `late` - Display course submissions marked late.
 * `notlate` - Display course submissions not marked late.
 
-To get information about course submissionss created/updated within a particular time frame, use the following options.
+To get information about course submissions created/updated within a particular time frame, use the following options.
 * `timefilter creationtime|updatetime` - select which event to filter
 * `start|starttime <Date>|<Time>` - specify the start of the time frame; if not specified, the time frame will be open ended at the start
 * `end|endtime <Date>|<Time>` - specify the end of the time frame; if not specified, the time frame will be open ended at the end
@@ -665,6 +728,8 @@ By default, only the numeric userId is displayed; use the `showuserprofile` opti
 You can only get profile information if the scope `https://www.googleapis.com/auth/classroom.profile.emails` is enabled
 for service account access; verify with `gam <UserTypeEntity> update serviceaccount`.
 
+Use the `countsonly` option to display the number of submissions in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 

docs/Classroom-Invitations.md

@@ -3,9 +3,10 @@
 - [Notes](#notes)
 - [Definitions](#definitions)
 - [Create classroom invitations](#create-classroom-invitations)
-- [Accept classroom invitations](#accept-classroom-invitations)
-- [Delete classroom invitations](#delete-classroom-invitations)
+- [Accept classroom invitations by user](#accept-classroom-invitations-by-user)
+- [Delete classroom invitations by user](#delete-classroom-invitations-by-user)
 - [Display classroom invitations by user](#display-classroom-invitations-by-user)
+- [Delete classroom invitations by course](#delete-classroom-invitations-by-course)
 - [Display classroom invitations by course](#display-classroom-invitations-by-course)
 
 ## API documentation
@@ -24,8 +25,6 @@ Scope: https://www.googleapis.com/auth/classroom.rosters           , Checked: FA
 ```
 Follow the directions to authorize the Service Account scopes.
 
-The Classroom API does not support inviting users from outside your domain.
-
 ## Definitions
 ```
 <DomainName> ::= <String>(.<String>)+
@@ -49,12 +48,18 @@ The Classroom API does not support inviting users from outside your domain.
 Invite users to classes.
 ```
 gam <UserTypeEntity> create classroominvitation courses <CourseEntity> [role owner|student|teacher]
-        [adminaccess|asadmin] [csvformat] [todrive <ToDriveAttributes>*] [formatjson [quotechar <Character>]]
+        [adminaccess|asadmin]
+        [csv|csvformat] [todrive <ToDriveAttributes>*] [formatjson [quotechar <Character>]]
 ```
 If `role` is not specified, `student` will be used.
 
+You can only invite a co-teacher to be an owner of a course.
+
 By default, classroom invitations are issued by the owner of the course, the `adminaccess` option causes the invitations to be issued by the admin named in `oauth2.txt`.
 
+By default, when an invitation is created, GAM outputs details of the invitation as indented keywords and values.
+* `csv|csvformat [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]` - Output the details in CSV format.
+
 ### Example
 
 Suppose you have a CSV file CourseStudent.csv  with two columns: Course,Student.
@@ -64,13 +69,15 @@ gam redirect stdout ./Invites.out redirect stderr stdout csvkmd users CourseStud
 ```
 This command will invite all students to their courses in parallel
 ```
-gam redirect stdout ./Invites.out multiprocess redirect stderr stdout multiprocess csv CourseStudent.csv gam user ~Student create classroominvitation role student course ~Course
+gam redirect stdout ./Invites.out multiprocess redirect stderr stdout multiprocess csv CourseStudent.csv gam user "~Student" create classroominvitation role student course "~Course"
 ```
-## Accept classroom invitations
-Accept classroom invitations for users. You can only invite a co-teacher to be an owner of a course.
+## Accept classroom invitations by user
+Accept classroom invitations for users.
 ```
 gam <UserTypeEntity> accept classroominvitation (ids <ClassroomInvitationIDEntity>)|([courses <CourseEntity>] [role all|owner|student|teacher])
 ```
+`<UserTypeEntity>` must specify users in your domain.
+
 By default, all invitations for the specified users will be accepted.
 
 Select specific invitations to accept:
@@ -81,11 +88,13 @@ Select courses and accept invitations for those courses.
 
 By default, invitations for all roles will be accepted; you can limit the acceptances to invitations of a specific role.
 
-## Delete classroom invitations
+## Delete classroom invitations by user
 Delete classroom invitations for users.
 ```
 gam <UserTypeEntity> delete classroominvitation (ids <ClassroomInvitationIDEntity>)|([courses <CourseEntity>] [role all|owner|student|teacher])
 ```
+`<UserTypeEntity>` must specify users in your domain.
+
 By default, all invitations for the specified users will be deleted.
 
 Select specific invitations to delete:
@@ -104,8 +113,23 @@ gam <UserTypeEntity> show classroominvitations [role all|owner|student|teacher]
 gam <UserTypeEntity> print classroominvitations [todrive <ToDriveAttributes>*] [role all|owner|student|teacher]
         [formatjson [quotechar <Character>]]
 ```
+`<UserTypeEntity>` must specify users in your domain.
+
 By default, invitations for all roles will be displayed; you can limit the display to invitations of a specific role.
 
+## Delete classroom invitations by course
+Delete classroom invitations for courses. This command must be used to delete non-domain member invitations.
+```
+gam delete classroominvitation courses <CourseEntity> (ids <ClassroomInvitationIDEntity>)|(role all|owner|student|teacher)
+```
+Select courses and delete invitations for those courses.
+* `courses <CourseEntity>` - Specify courses
+
+Select specific invitations to delete:
+* `ids <ClassroomInvitationIDEntity>` - Specify invitation IDs
+
+Select invitations to delete by role. By default, invitations for all roles will be deleted; you can limit the deletions to invitations of a specific role.
+
 ## Display classroom invitations by course
 ```
 gam show classroominvitations (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])

docs/Classroom-Membership.md

@@ -141,3 +141,26 @@ gam print course-participants
         [show all|students|teachers]
         showitemcountonly
 ```
+Example
+```
+$ gam print course-participants teacher asmith states active show students showitemcountonly
+Getting all Courses that match query (Teacher: asmith@domain.com, Course State: ACTIVE), may take some time on a large Google Workspace Account...
+Got 3 Courses...
+Getting Students for Course: 636981507234 (1/3)
+Got 30 Students...
+Got 43 Students...
+Getting Students for Course: 589346784341 (2/3)
+Got 22 Students...
+Getting Students for Course: 589345535881 (3/3)
+Got 23 Students...
+88
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print course-participants teacher asmith states active show students showitemcountonly)
+Windows PowerShell
+count = & gam print course-participants teacher asmith states active show students showitemcountonly
+```

docs/Cloud-Identity-Devices.md

@@ -235,6 +235,28 @@ gam print devices
         [all|company|personal|nocompanydevices|nopersonaldevices]
         showitemcountonly
 ```
+Example
+```
+$ gam print devices queries "'model:Mac'" showitemcountonly
+Getting all Devices that match query (model:Mac), may take some time on a large Google Workspace Account...
+Got 100 Devices...
+Got 200 Devices...
+Got 300 Devices...
+...
+Got 900 Devices...
+Got 995 Devices...
+Got 995 Devices...
+995
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print devices queries "'model:Mac'" showitemcountonly)
+Windows PowerShell
+count = & gam print devices queries "'model:Mac'" showitemcountonly
+```
 
 ## Approve or block device users
 Approve or block user profiles on a device.
@@ -304,6 +326,29 @@ gam print deviceusers [todrive <ToDriveAttribute>*]
         [(query <QueryDevice>)|(queries <QueryDeviceList>) (querytime<String> <Time>)*]
         showitemcountonly
 ```
+Example
+```
+$ gam print deviceusers queries "'model:Mac'" showitemcountonly
+Getting all Device Users that match query (model:Mac), may take some time on a large Google Workspace Account...
+Got 20 Device Users...
+Got 40 Device Users...
+Got 60 Device Users...
+...
+Got 980 Device Users...
+Got 995 Device Users...
+Got 995 Device Users...
+995
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print deviceusers queries "'model:Mac'" showitemcountonly)
+Windows PowerShell
+count = & gam print deviceusers queries "'model:Mac'" showitemcountonly
+```
+
 
 ## Display device user client state
 ```

docs/Cloud-Identity-Groups-Membership.md

@@ -237,10 +237,10 @@ seniors@domain.org,/Students/ClassOf2018
 juniors@domain.org,/Students/ClassOf2019
 ...
 ```
-This allows you to do: `gam csv GradeOU.csv gam update cigroup ~Grade sync members ou ~OU`
+This allows you to do: `gam csv GradeOU.csv gam update cigroup "~Grade" sync members ou "~OU"`
 But suppose that at each grade level there are additional group members that are groups of faculty/staff; e.g., senioradvisors@domain.org.
 In this scenario, you can't do the `update cigroup sync` command as the members that are groups will be deleted; the `usersonly` option allows
-the `update cigroup sync` command to work: `gam csv GradeOU.csv gam update cigroup ~Grade sync members usersonly ou ~OU`
+the `update cigroup sync` command to work: `gam csv GradeOU.csv gam update cigroup "~Grade" sync members usersonly ou "~OU"`
 The users from the OU are matched against the user members of the group and adds/deletes are done as necessary to synchronize them;
 the group members of the group are unaffected.
 

docs/Cloud-Identity-Groups.md

@@ -387,4 +387,19 @@ gam print cigroups
         [descriptionmatchpattern [not] <RegularExpression>]
         showitemcountonly
 ```
+Example
+```
+$ gam print cigroups showitemcountonly
+Getting all Cloud Identity Groups, may take some time on a large Google Workspace Account...
+Got 242 Cloud Identity Groups: td.current@domain.com - postmaster@domain.com
+242
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
 
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print cigroups showitemcountonly)
+Windows PowerShell
+count = & gam print cidgroups showitemcountonly
+```

docs/Collections-of-ChromeOS-Devices.md

@@ -50,6 +50,8 @@
 
 <UserGoogleDoc> ::=
         <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>)
+
+<SheetEntity> ::= <String>|id:<Number>
 <UserGoogleSheet> ::=
         <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>) <SheetEntity>
 

docs/Collections-of-Items.md

@@ -200,12 +200,17 @@ Data fields identified in a `csvkmd` argument.
         all_shortcuts |
         all_3p_shortcuts |
         all_items |
+        my_docs |
         my_files |
         my_folders |
         my_forms |
         my_google_files |
         my_non_google_files |
+        my_presentations |
+        my_publishable_items |
+        my_sheets |
         my_shortcuts |
+        my_slides |
         my_3p_shortcuts |
         my_items |
         my_top_files |
@@ -262,6 +267,8 @@ Data fields identified in a `csvkmd` argument.
         <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <DriveLabelNameEntity> ::=
         <DriveLabelNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
+<DriveLabelPermissionNameEntity> ::=
+        <DriveLabelPermissionNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
 <EmailAddressEntity> ::=
         <EmailAddressList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <FilterIDEntity> ::=

docs/Collections-of-Users.md

@@ -55,6 +55,8 @@
 
 <UserGoogleDoc> ::=
         <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>)
+
+<SheetEntity> ::= <String>|id:<Number>
 <UserGoogleSheet> ::=
         <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>) <SheetEntity>
 ```
@@ -88,8 +90,6 @@
         <SharedDriveIDEntity> |
         <SharedDriveNameEntity>
 
-<SheetEntity> ::= <String>|id:<Number>
-
 <UserTypeEntity> ::=
         (all users|users_ns|users_susp|users_ns_susp)|
         (user <UserItem>)|

docs/Command-Logging-Progress.md

@@ -35,7 +35,7 @@ The log file being written to is always `gam.log`. When this log file is filled,
 
 Commands are logged at completion with a timestamp, return code and the command line
 ```
-2021-08-01T19:350:30.777-07:00,0,/Users/admin/bin/gamadv-xtd3/gam info domain
+2021-08-01T19:350:30.777-07:00,0,/Users/admin/bin/gam7/gam info domain
 ```
 
 Commands that generate sub-commands, `gam batch|tbatch|csv|loop`, log the initial command with a return code of `*`,
@@ -44,14 +44,14 @@ the sub-command lines and the initial command with a numeric return code.
 $ gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv gam info user "~primaryEmail" quick name
 2021-08-01T19:50:38.151-07:00,0/6,Using 6 processes...
 $ more ~/.gam/gam.log
-2021-08-01T19:50:38.120-07:00,*,/Users/admin/bin/gamadv-xtd3/gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv showcmds false gam info user ~primaryEmail quick name
+2021-08-01T19:50:38.120-07:00,*,/Users/admin/bin/gam7/gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv showcmds false gam info user "~primaryEmail" quick name
 2021-08-01T19:50:39.144-07:00,0,gam info user testuser2 quick name
 2021-08-01T19:50:39.358-07:00,0,gam info user testuser3 quick name
 2021-08-01T19:50:39.358-07:00,0,gam info user testuser1 quick name
 2021-08-01T19:50:39.401-07:00,0,gam info user testuser5 quick name
 2021-08-01T19:50:39.459-07:00,56,gam info user testuserx quick name
 2021-08-01T19:50:39.470-07:00,0,gam info user testuser4 quick name
-2021-08-01T19:50:39.483-07:00,0,/Users/admin/bin/gamadv-xtd3/gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv showcmds false gam info user ~primaryEmail quick name
+2021-08-01T19:50:39.483-07:00,0,/Users/admin/bin/gam7/gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv showcmds false gam info user "~primaryEmail" quick name
 ```
 
 ## Command Progress

docs/Context-Aware-Access-Levels.md

@@ -23,7 +23,7 @@ gam update project
 ```
 
 ## API documentation
-* https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies/list
+* https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies
 
 ## Grant Service Account Rights to Manage CAA
 In order for GAM to manage CAA access levels, you need to grant your service account a special role for your GCP organization.

docs/Domain-People-Contacts-Profiles.md

@@ -133,7 +133,7 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ## Display Domain Profiles
 ### Display as an indented list of keys and values.
 ```
-gam info people|domainprofiles <PeopleResourceNameEntity>
+gam info domainprofiles|people|peopleprofiles <PeopleResourceNameEntity>
         [allfields|(fields <PeopleFieldNameList>)]
         [formatjson]
 ```
@@ -143,7 +143,7 @@ By default, Gam displays the fields `names,emailaddresses`.
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam show people|domainprofiles
+gam show domainprofiles|people|peopleprofiles
         [query <String>]
         [mergesources <PeopleMergeSourceName>]
         [allfields|(fields <PeopleFieldNameList>)]
@@ -163,7 +163,7 @@ By default, Gam displays the information as an indented list of keys and values.
 
 ### Display as a CSV file.
 ```
-gam print people|domainprofiles [todrive <ToDriveAttribute>*]
+gam print domainprofiles|people|peopleprofiles [todrive <ToDriveAttribute>*]
         [query <String>]
         [mergesources <PeopleMergeSourceName>]
         [allfields|(fields <PeopleFieldNameList>)]

docs/Domains.md

@@ -5,8 +5,10 @@
 - [Promote a domain to be primary](#promote-a-domain-to-be-primary)
 - [Delete a domain](#delete-a-domain)
 - [Display domains](#display-domains)
+- [Display domains count](#display-domains-count)
 - [Create and delete domain aliases](#create-and-delete-domain-aliases)
 - [Display domain aliases](#display-domain-aliases)
+- [Display domain aliases count](#display-domain-aliases-count)
 
 ## API documentation
 * https://developers.google.com/admin-sdk/directory/reference/rest/v1/domains
@@ -30,15 +32,18 @@ gam delete domain <DomainName>
 ```
 ## Display domains
 ```
-gam info domain [<DomainName>] [formatjson]
-gam show domains [formatjson]
+gam info domain [<DomainName>]
+        [formatjson]
+gam show domains
+        [formatjson]
 ```
 For `info`, if `<DomainName>` is omitted, information about the primary domain will be displayed.
 
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam print domains [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]
+gam print domains [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays the information as columns of fields.
 * `formatjson` - Display the fields in JSON format.
@@ -49,6 +54,13 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
+## Display domains count
+Display the number of domains.
+```
+gam print|show domains
+        showitemcountonly
+```
+
 ## Create and delete domain aliases
 ```
 gam create domainalias|aliasdomain <DomainAlias> <DomainName>
@@ -56,13 +68,16 @@ gam delete domainalias|aliasdomain <DomainAlias>
 ```
 ## Display domain aliases
 ```
-gam info domainalias|aliasdomain <DomainAlias> [formatjson]
-gam show domainaliases|aliasdomains [formatjson] [formatjson [quotechar <Character>]]
+gam info domainalias|aliasdomain <DomainAlias>
+        [formatjson]
+gam show domainaliases|aliasdomains
+        [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam print domainaliases|aliasdomains [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]
+gam print domainaliases|aliasdomains [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays the information as columns of fields.
 * `formatjson` - Display the fields in JSON format.
@@ -73,3 +88,9 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
+## Display domain aliases count
+Display the number of domain aliases.
+```
+gam print|show domainaliases|aliasdomains
+        showitemcountonly
+```

docs/Downloads-Installs-GAM7.md

@@ -0,0 +1,56 @@
+# Downloads-Installs-GAM7
+You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page.
+Choose one of the following:
+
+* Executable Archive, Automatic, Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS
+  - Start a terminal session and execute one of the following commands:
+  - New install, default path `$HOME/bin`
+    - `bash <(curl -s -S -L https://git.io/gam-install)`
+  - New install, specify a path
+    - `bash <(curl -s -S -L https://git.io/gam-install) -d <Path>`
+  - Update to latest version, do not create project or authorizations, default path `$HOME/bin`
+    - `bash <(curl -s -S -L https://git.io/gam-install) -l`
+  - Update to latest version, do not create project or authorizations, specify a path
+    - `bash <(curl -s -S -L https://git.io/gam-install) -l -d <Path>`
+
+By default, a folder, `gam7`, is created in the default or specified path and the files are downloaded into that folder.
+Add the `-s` option to the end of the above commands to suppress creating the `gam7` folder; the files are downloaded directly into the default or specified path.
+
+* Executable Archive, Manual, Linux/Google Cloud Shell
+  - `gam-7.wx.yz-linux-x86_64-glibc2.35.tar.xz`
+  - `gam-7.wx.yz-linux-x86_64-glibc2.31.tar.xz`
+  - `gam-7.wx.yz-linux-x86_64-legacy.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Raspberry Pi/ChromeOS ARM devices
+  - `gam-7.wx.yz-linux-aarch-glibc2.31.tar.xz`
+  - `gam-7.wx.yz-linux-aarch-legacy.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Mac OS versions Big Sur, Monterey, Ventura - M1/M2
+  - `gam-7.wx.yz-macos-aarch.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Mac OS, versions Big Sur, Monterey, Ventura - Intel
+  - `gam-7.wx.yz-macos-x86_64.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Windows 64 bit
+  - `gam-7.wx.yz-windows-x86_64.zip`
+  - Download the archive, extract the contents into some directory.
+  - Start a Command Prompt/PowerShell session.
+
+* Executable Installer, Manual, Windows 64 bit
+  - `gam-7.wx.yz-windows-x86_64.msi`
+  - Download the installer and run it.
+  - Start a Command Prompt/PowerShell session.
+
+* Source, all platforms
+  - `Source code(zip)`
+  - `Source code(tar.gz)`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal/Command Prompt/PowerShell session.

docs/Downloads-Installs.md

@@ -1,5 +1,5 @@
-# Downloads
-You can download the current GAMADV-XTD3 release from the [GitHub Releases](https://github.com/taers232c/GAMADV-XTD3/releases) page. Choose one of the following:
+# Downloads-Installs
+You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/taers232c/GAMADV-XTD3/releases) page. Choose one of the following:
 
 * Executable Archive, Automatic, Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS
   - Start a terminal session and execute one of the following commands:
@@ -23,52 +23,42 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
   - `gamadv-xtd3-6.wx.yz-linux-x86_64-glibc2.19.tar.xz`
   - `gamadv-xtd3-6.wx.yz-linux-x86_64-legacy.tar.xz`
   - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
+  - Start a terminal session.
 
 * Executable Archive, Manual, Raspberry Pi/ChromeOS ARM devices
   - `gamadv-xtd3-6.wx.yz-linux-arm64-glibc2.31.tar.xz`
   - `gamadv-xtd3-6.wx.yz-linux-arm64-glibc2.27.tar.xz`
   - `gamadv-xtd3-6.wx.yz-linux-arm64-glibc2.23.tar.xz`
   - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
+  - Start a terminal session.
 
 * Executable Archive, Manual, Mac OS versions Big Sur, Monterey, Ventura - M1/M2
   - `gamadv-xtd3-6.wx.yz-macos-arm64.tar.xz`
   - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
+  - Start a terminal session.
 
 * Executable Archive, Manual, Mac OS, versions Big Sur, Monterey, Ventura - Intel
   - `gamadv-xtd3-6.wx.yz-macos-x86_64.tar.xz`
   - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
-
-* Executable Archive, Manual, Mac OS, versions prior to Big Sur
-  - `gamadv-xtd3-6.wx.yz-macos-x86_64-legacy.tar`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
+  - Start a terminal session.
 
 * Executable Archive, Manual, Windows 64 bit
   - `gamadv-xtd3-6.wx.yz-windows-x86_64.zip`
   - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
+  - Start a Command Prompt/PowerShell session.
 
 * Executable Installer, Manual, Windows 64 bit
   - `gamadv-xtd3-6.wx.yz-windows-x86_64.msi`
   - Download the installer and run it.
-  - Start a Command Prompt/PowerShell session and cd to the install directory.
-
-* Executable Archive, Manual, Windows 32 bit
-  - `gamadv-xtd3-6.wx.yz-windows-x86.zip`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
-
-* Executable Installer, Manual, Windows 32 bit
-  - `gamadv-xtd3-6.wx.yz-windows-x86.msi`
-  - Download the installer and run it.
-  - Start a Command Prompt/PowerShell session and cd to the install directory.
+  - Start a Command Prompt/PowerShell session.
 
+* Winget
+  - `winget install taers232c.GAMADV-XTD3 --location C:\GAMADV-XTD3`
+  - Specify an alternate location if desired
+  - Start a Command Prompt/PowerShell session.
+  
 * Source, all platforms
   - `Source code(zip)`
   - `Source code(tar.gz)`
   - Download the archive, extract the contents into some directory.
-  - Start a terminal/Command Prompt/PowerShell session and cd to the install directory.
+  - Start a terminal/Command Prompt/PowerShell session.

docs/Drive-File-Selection.md

@@ -55,12 +55,17 @@
         all_shortcuts |
         all_3p_shortcuts |
         all_items |
+        my_docs |
         my_files |
         my_folders |
         my_forms |
         my_google_files |
         my_non_google_files |
+        my_presentations |
+        my_publishable_items |
+        my_sheets |
         my_shortcuts |
+        my_slides |
         my_3p_shortcuts |
         my_items |
         my_top_files |
@@ -78,7 +83,7 @@
 
 <SharedDriveID> ::= <String>
 <SharedDriveName> ::= <String>
-<SharedDriveIDEntity> ::= (teamdriveid <DriveFileItem>) | (teamdriveid:<DriveFileItem>)
+<SharedDriveIDEntity> ::= (teamdriveid <SharedDriveID>) | (teamdriveid:<SharedDriveID>)
 <SharedDriveNameEntity> ::= (teamdrive <SharedDriveName>) | (teamdrive:<SharedDriveName>)
 <SharedDriveFileNameEntity> ::= (teamdrivefilename <DriveFileName>) | (teamdrivefilename:<DriveFileName>)
 
@@ -182,7 +187,7 @@ gam user testuser show fileinfo anydrivefilename "Test File"
 gam user testuser show fileinfo anydrivefilename:"Test File"
 ```
 ## Select file ownership
-By default, files the user owns are sisplayed; you can select the ownership characteristic.
+By default, files the user owns are displayed; you can select the ownership characteristic.
 ```
 anyowner|(showownedby any|me|others)
 ```
@@ -214,7 +219,7 @@ By default, all types of files and folders are displayed; you can specify a list
 <MimeTypeList> ::= "<MimeType>(,<MimeType>)*"
 ```
 This is the mapping from `<MimeTypeShortcut>` to MIME type.
-* `gdoc|gdocument` - 'application/vnd.google-apps.document
+* `gdoc|gdocument` - application/vnd.google-apps.document
 * `gdrawing` - application/vnd.google-apps.drawing
 * `gfile` - application/vnd.google-apps.file
 * `gfolder|gdirectory` - application/vnd.google-apps.folder
@@ -246,30 +251,37 @@ The options combine ownership and broad MIME type selections.
 ```
 <DriveFileQueryShortcut> ::=
         all_files | all_folders | all_google_files | all_non_google_files | all_items |
-        my_files | my_folders | my_google_files | my_non_google_files | my_items |
+        my_docs | my_files | my_folders | my_forms | my_google_files | my_non_google_files | my_items |
+        my_presentations | my_publishable_items | my_sheets | my_slides |
         my_top_files | my_top_folders | my_top_items |
         others_files | others_folders | others_google_files | others_non_google_files | others_items |
         writable_files
 ```
-* all_files - "mimeType != application/vnd.google-apps.folder"
-* all_folders - "mimeType = application/vnd.google-apps.folder"
-* all_google_files - "mimeType != application/vnd.google-apps.folder and mimeType contains 'vnd.google'"
+* all_files - "mimeType != 'application/vnd.google-apps.folder'"
+* all_folders - "mimeType = 'application/vnd.google-apps.folder'"
+* all_google_files - "mimeType != 'application/vnd.google-apps.folder' and mimeType contains 'vnd.google'"
 * all_non_google_files - "not mimeType contains 'vnd.google'"
 * all_items - "" (An empty query specifies all files and folders)
-* my_files - "'me' in owners and mimeType != application/vnd.google-apps.folder"
-* my_folders - "'me' in owners and mimeType = application/vnd.google-apps.folder"
-* my_google_files - "'me' in owners and mimeType != application/vnd.google-apps.folder and mimeType contains 'vnd.google'"
+* my_docs - "'me' in owners and mimeType = 'application/vnd.google-apps.document'"
+* my_files - "'me' in owners and mimeType != 'application/vnd.google-apps.folder'"
+* my_folders - "'me' in owners and mimeType = 'application/vnd.google-apps.folder'"
+* my_forms - "'me' in owners and mimeType = 'application/vnd.google-apps.form'"
+* my_google_files - "'me' in owners and mimeType != 'application/vnd.google-apps.folder' and mimeType contains 'vnd.google'"
 * my_non_google_files - "'me' in owners and not mimeType contains 'vnd.google'"
+* my_presentations - "'me' in owners and mimeType = 'application/vnd.google-apps.presentation'"
+* my_publishable_items - "'me' in owners and (mimeType = 'application/vnd.google-apps.document' or mimeType = 'application/vnd.google-apps.form' or mimeType = 'application/vnd.google-apps.presentation' or mimeType = 'application/vnd.google-apps.spreadsheet')"
+* my_sheets - "'me' in owners and mimeType = 'application/vnd.google-apps.spreadsheet'"
+* my_slides - "'me' in owners and mimeType = 'application/vnd.google-apps.presentation'"
 * my_items - "'me' in owners"
-* my_top_files - "'me' in owners and mimeType != application/vnd.google-apps.folder and 'root' in parents"
-* my_top_folders - "'me' in owners and mimeType = application/vnd.google-apps.folder and 'root' in parents"
+* my_top_files - "'me' in owners and mimeType != 'application/vnd.google-apps.folder' and 'root' in parents"
+* my_top_folders - "'me' in owners and mimeType = 'application/vnd.google-apps.folder' and 'root' in parents"
 * my_top_items - "'me' in owners and 'root' in parents"
-* others_files - "not 'me' in owners and mimeType != application/vnd.google-apps.folder"
-* others_folders - "not 'me' in owners and mimeType = application/vnd.google-apps.folder"
-* others_google_files - "not 'me' in owners and mimeType != application/vnd.google-apps.folder and mimeType contains 'vnd.google'"
+* others_files - "not 'me' in owners and mimeType != 'application/vnd.google-apps.folder'"
+* others_folders - "not 'me' in owners and mimeType = 'application/vnd.google-apps.folder'"
+* others_google_files - "not 'me' in owners and mimeType != 'application/vnd.google-apps.folder' and mimeType contains 'vnd.google'"
 * others_non_google_files - "not 'me' in owners and not mimeType contains 'vnd.google'"
 * others_items - "not 'me' in owners"
-* writable_files - "'me' in writers and mimeType != application/vnd.google-apps.folder"
+* writable_files - "'me' in writers and mimeType != 'application/vnd.google-apps.folder'"
 
 ## Select based on file size
 For these filters, GAM processes then after the list of files is downloaded. You can combine these
@@ -291,7 +303,7 @@ Use [Permission matches](#permission-matches) to limit the display to files with
 ### Examples
 ```
 gam user testuser show fileinfo query "name='Test File'"
-gam user testuser show fileinfo query:"name='Test Folder' and mimeType=application/vnd.google-apps.folder"
+gam user testuser show fileinfo query:"name='Test Folder' and mimeType='application/vnd.google-apps.folder'"
 gam user testuser print filelist my_non_google_files
 ```
 ## Select root folder
@@ -353,9 +365,9 @@ See: [Drive Query](https://developers.google.com/drive/api/v3/search-files)
         all_files | all_folders | all_google_files | all_non_google_files | all_items
 ```
 Keyword to query mappings for `<DriveFileQueryShortcut>`:
-* all_files - "mimeType != application/vnd.google-apps.folder"
-* all_folders - "mimeType = application/vnd.google-apps.folder"
-* all_google_files - "mimeType != application/vnd.google-apps.folder and mimeType contains 'vnd.google'"
+* all_files - "mimeType != 'application/vnd.google-apps.folder'"
+* all_folders - "mimeType = 'application/vnd.google-apps.folder'"
+* all_google_files - "mimeType != 'application/vnd.google-apps.folder' and mimeType contains 'vnd.google'"
 * all_non_google_files - "not mimeType contains 'vnd.google'"
 * all_items - "" (An empty query specifies all files and folders)
 

docs/Drive-REST-API-v3.md

@@ -4,7 +4,7 @@ Many of the changes are internal to Gam and have no visible effect. Google has m
 A variable, `drive_v3_native_names` (default value is True), has been added to `gam.cfg` to control the field names on output: when True, the v3 native field names are used; when False, the v3 native field names are mapped to the v2 field names.
 
 If you have scripts that process the output from these print commands, you may have to make modifications to your scripts.
-Run your print/show commands with a version of Standard Gam and save the output.
+Run your print/show commands with a version of Legacy Gam and save the output.
 With drive_v3_native_names = False, run your print/show commands with this version of Gam and compare the output to that saved in the previous run;
 modify your scripts that process the output as appropriate.
 

docs/Find-File-Owner.md

@@ -47,11 +47,8 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 
 ## Display File Ownership for Old files
 If the above commands fail, you can try to loop through all accounts, however this might take a long time if you are on a large Google Workspace Account.
-
-```
-gam config auto_batch_min 1 redirect csv - multiprocess redirect stderr null multiprocess all users print filelist select id <DriveFileID> fields id,name,owners.emailaddress norecursion showownedby any
-```
-Starting with version 6.07.26, this can be made more efficient by terminating processing after the owner is identified.
+If any lines are displayed, the file owner is in the `owners.0.emailAddress` column.
 ```
 gam config auto_batch_min 1 multiprocessexit rc=0 redirect csv - multiprocess redirect stderr null multiprocess all users print filelist select id <DriveFileID> fields id,name,owners.emailaddress norecursion showownedby any
+gam config auto_batch_min 1 multiprocessexit rc=0 redirect csv - multiprocess redirect stderr null multiprocess all users print filelist select name <DriveFileName> fields id,name,owners.emailaddress norecursion showownedby any
 ```

docs/GAM-Return-Codes.md

@@ -1,6 +1,6 @@
 # GAM Return Codes
 
-These are the return codes used by GAMADV-XTD3.
+These are the return codes used by GAM7.
 
 ```
 SUCCESS_RC = 0
@@ -32,6 +32,7 @@ ENTITY_IS_A_USER_ALIAS_RC = 21
 ENTITY_IS_A_GROUP_RC = 22
 ENTITY_IS_A_GROUP_ALIAS_RC = 23
 ENTITY_IS_AN_UNMANAGED_ACCOUNT_RC = 24
+ORGUNIT_NOT_EMPTY_RC = 25
 CHECK_USER_GROUPS_ERROR_RC = 29
 ORPHANS_COLLECTED_RC = 30
 # Warnings/Errors
@@ -61,4 +62,14 @@ TARGET_DRIVE_SPACE_ERROR_RC = 74
 USER_REQUIRED_TO_CHANGE_PASSWORD_ERROR_RC = 75
 USER_SUSPENDED_ERROR_RC = 76
 NO_CSV_DATA_TO_UPLOAD_RC = 77
+NO_SA_ACCESS_CONTEXT_MANAGER_EDITOR_ROLE_RC = 78
+ACCESS_POLICY_ERROR_RC = 79
+YUBIKEY_CONNECTION_ERROR_RC = 80
+YUBIKEY_INVALID_KEY_TYPE_RC = 81
+YUBIKEY_INVALID_SLOT_RC = 82
+YUBIKEY_INVALID_PIN_RC = 83
+YUBIKEY_APDU_ERROR_RC = 84
+YUBIKEY_VALUE_ERROR_RC = 85
+YUBIKEY_MULTIPLE_CONNECTED_RC = 86
+YUBIKEY_NOT_FOUND_RC = 87
 ```

docs/GAM7-on-Android-Devices.md

@@ -0,0 +1,16 @@
+# GAM7 on Android Devices
+GAM7 now runs on 64-bit Android devices such as Google's Pixel phones. The installation requires an app that adds the Linux environment to Android such as [UserLAnd](https://play.google.com/store/apps/details?id=tech.ula&hl=en_US).
+
+_Note: Chromebooks / Chrome OS devices should install GAM7 using [these instructions](GAM7-on-Chrome-OS-Devices)._
+
+1. Install the [UserLAnd](https://play.google.com/store/apps/details?id=tech.ula&hl=en_US) app.
+2. Click Debian to install a Debian environment.
+3. Set a username and password.
+4. Choose SSH for connection type.
+5. Once setup, login with the password to get to a Linux shell.
+6. Run the following commands to install prerequisites:
+```
+    sudo apt update
+    sudo apt install curl python3
+```
+7. [How to Install Advanced GAM](How-to-Install-Advanced-GAM)

docs/GAM7-on-Chrome-OS-Devices.md

@@ -0,0 +1,14 @@
+# GAM7 on Chrome OS Devices
+Chrome OS devices that [support Linux apps](https://support.google.com/chromebook/answer/9145439?hl=en) can run GAM7. This includes Intel/AMD x86_64 Chromebooks as well as ARM-based Chromebooks with Mediatek or Rockchip 64-bit CPUs.
+
+1. [Set up Linux on your Chromebook](https://support.google.com/chromebook/answer/9145439?hl=en).
+1. From the Terminal app, run the following commands:
+```
+    sudo apt update
+    sudo apt install xz-utils
+```
+3. [How to Install Advanced GAM](How-to-Install-Advanced-GAM)
+
+# Google cloud shell
+
+Note that from a Chrome OS device, it might be just as easy to use [Google Cloud Shell](https://cloud.google.com/shell). Especially if you are concerned about network connectivity and/or bandwidth, using a shell instance within Google's server infrastructure is always going to be less resource intensive than sending data back and forth between a Google API and your local machine on your local network.

docs/Google-Data-Transfers.md

@@ -15,7 +15,7 @@
 <DataTransferService> ::=
         calendar|
         currents|
-        datastudio|"google data studio"|
+        datastudio|lookerstudio|"google data studio"|
         drive|gdrive|googledrive|"drive and docs"
 <DataTransferServiceList> ::= "<DataTransferService>(,<DataTransferService>)*"
 
@@ -37,6 +37,7 @@ gam create|add datatransfer|transfer <OldOwnerID> <DataTransferServiceList> <New
         [private|shared|all] [privacy_level private|shared|private,shared]
         [releaseresources [<Boolean>]]
         (<ParameterKey> <ParameterValue>)*
+        [wait <Integer> <Integer>]
 ```
 For`datastudio` and `drive`, there are options to control the privacy level of the files to be transferred.
 * `private` or `privacy_level private` - Transfer files that are not shared with anyone
@@ -54,6 +55,10 @@ As of 2020-06-10, background transfers only transfer future non-private events w
 
 The option `<ParameterKey> <ParameterValue>` is for future expansion.
 
+By default, GAM does not wait for the transfer to complete. The option `wait <Integer> <Integer>` causes GAM to wait
+for the transfer to complete. The first `<Integer>` must be in the range 5-60 and is the number
+of seconds between checks to see if the transfer has completed. The second `<Integer>` is the maximum number of checks to perform.
+
 ## Display transfers
 ```
 gam info datatransfer|transfer <TransferID>

docs/Groups-Membership.md

@@ -1,5 +1,6 @@
  Groups - Membership
 - [API documentation](#api-documentation)
+- [Query documentation](#query-documentation)
 - [Python Regular Expressions](Python-Regular-Expressions) Match function
 - [Definitions](#definitions)
 - [Collections of Users](#collections-of-users)
@@ -18,8 +19,30 @@
 ## API documentation
 * https://developers.google.com/admin-sdk/directory/v1/reference/members
 
+## Query documentation
+* https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
+* https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery
+
 ## Definitions
 See [Collections of Items](Collections-of-Items)
+
+* [Command data from Google Docs/Sheets/Storage](Command-Data-From-Google-Docs-Sheets-Storage)
+```
+<StorageBucketName> ::= <String>
+<StorageObjectName> ::= <String>
+<StorageBucketObjectName> ::=
+        https://storage.cloud.google.com/<StorageBucketName>/<StorageObjectName>|
+        https://storage.googleapis.com/<StorageBucketName>/<StorageObjectName>|
+        gs://<StorageBucketName>/<StorageObjectName>|
+        <StorageBucketName>/<StorageObjectName>
+
+<UserGoogleDoc> ::=
+        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>)
+
+<SheetEntity> ::= <String>|id:<Number>
+<UserGoogleSheet> ::=
+        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>) <SheetEntity>
+```
 ```
 <DeliverySetting> ::=
         allmail|
@@ -131,6 +154,11 @@ gam update group|groups <GroupEntity> create|add [<GroupRole>]
         [preview] [actioncsv]
         <UserItem>|<UserTypeEntity>
 ```
+To add a group as a memmber of another group, just specify its email address.
+```
+gam update group group1@domain.com add member group2@domain.com
+```
+
 When `<UserTypeEntity>` specifies a group or groups:
 * `usersonly` - Only the user members from the specified groups are added
 * `groupsonly` - Only the group members from the specified groups are added
@@ -182,6 +210,11 @@ gam update group|groups <GroupEntity> delete|remove [<GroupRole>]
 ```
 `<GroupRole>` is ignored, deletions take place regardless of role.
 
+To remove a group as a memmber of another group, just specify its email address.
+```
+gam update group group1@domain.com remove group2@domain.com
+```
+
 When `<UserTypeEntity>` specifies a group or groups:
 * `usersonly` - Only the user members from the specified groups are deleted
 * `groupsonly` - Only the group members from the specified groups are deleted
@@ -274,6 +307,7 @@ If `actioncsv` is specified, a CSV file with columns `group,email,role,action,me
 that shows the actions performed when updating the group.
 
 The option `additionalmembers [<GroupRole>] <EmailAddressEntity>` can be used to specify members in addition to those specified with `<UserTypeEntity>`.
+If a <GroupRole> is specified, it must match the same role as the one used for the group sync.
 
 For example,
 ```
@@ -299,10 +333,10 @@ seniors@domain.org,/Students/ClassOf2023
 juniors@domain.org,/Students/ClassOf2024
 ...
 ```
-This allows you to do: `gam csv GradeOU.csv gam update group ~Grade sync members ou ~OU`
+This allows you to do: `gam csv GradeOU.csv gam update group "~Grade" sync members ou "~OU"`
 But suppose that at each grade level there are additional group members that are groups of faculty/staff; e.g., senioradvisors@domain.org.
 In this scenario, you can't do the `update group sync` command as the members that are groups will be deleted; the `usersonly` option allows
-the `update group sync` command to work: `gam csv GradeOU.csv gam update group ~Grade sync members usersonly ou ~OU`
+the `update group sync` command to work: `gam csv GradeOU.csv gam update group "~Grade" sync members usersonly ou "~OU"`
 The users from the OU are matched against the user members of the group and adds/deletes are done as necessary to synchronize them;
 the group members of the group are unaffected.
 
@@ -581,6 +615,7 @@ gam print group-members [todrive <ToDriveAttribute>*]
         [types <GroupTypeList>]
         [memberemaildisplaypattern|memberemailskippattern <RegularExpression>]
         [userfields <UserFieldNameList>]
+        [allschemas|(schemas|custom|customschemas <SchemaNameList>)]
         [(recursive [noduplicates])|includederivedmembership] [nogroupemail]
         [peoplelookup|(peoplelookupuser <EmailAddress>)]
         [unknownname <String>] [cachememberinfo [Boolean]]
@@ -645,7 +680,10 @@ these options specify which fields to display:
 * `<MembersFieldName>*` - Individual field names
 * `fields <MembersFieldNameList>` - A comma separated list of field names
     * `delivery|deliverysettings` - Specify this field to get delivery information; an additional API call per member is required
-* `userfields <UserFieldNameList>` - For members that are users, display these user fields; an additional API call per member is required
+
+For members that are users, you can specify additional information to display; an additional API call per member is required
+* `userfields <UserFieldNameList>` - Display specific user fields
+* `allschemas|(schemas|custom|customschemas <SchemaNameList>)` - Display all or specific custom schema values
 
 The additional API calls can be reduced with the `cachememberinfo` option; a single API call is made for each user/group
 and the data is cached to eliminate to need to repeat the API call; this consumes more memory but dramatically reduces the number of API calls.

docs/Groups.md

@@ -10,6 +10,7 @@
 - [Definitions](#definitions)
 - [GUI API Group settings mapping](#gui-api-group-settings-mapping)
 - [GUI API Group access type settings mapping](#gui-api-group-access-type-settings-mapping)
+- [whoCanViewMembership and whoCanDiscoverGroup interactions](#whocanviewmembership-and-whocandiscovergroup-interactions)
 - [Manage groups](#manage-groups)
 - [Update a group's settings with JSON data](#update-a-groups-settings-with-json-data)
 - [Display information about specific groups](#display-information-about-specific-groups)
@@ -25,7 +26,7 @@
 * https://cloud.google.com/identity/docs/reference/rest/v1/groups
 
 ## Name guidelines
-* https://support.google.com/a/answer/9193374?hl=en
+* https://support.google.com/a/answer/9193374
 
 ## Query documentation
 * https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
@@ -303,6 +304,46 @@ Restricted
   whoCanViewMembership ALL_MEMBERS_CAN_VIEW
 ```
 
+## whoCanViewMembership and whoCanDiscoverGroup interactions
+Some combinations of these two settings are not allowed:
+```
+gam update group group@domain.com whoCanViewMembership ALL_IN_DOMAIN_CAN_VIEW whoCanDiscoverGroup ANYONE_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_OWNERS_CAN_VIEW whoCanDiscoverGroup ANYONE_CAN_DISCOVER
+Group: group@domain.com, Update Failed: Failed request validation in update settings: DONT_USE_OR_ELSE_WHO_CAN_MANAGE_MEMBERS_CANNOT_BE_BROADER_THAN_WHO_CAN_VIEW_MEMBERSHIP
+
+gam update group group@domain.com whoCanViewMembership ALL_MANAGERS_CAN_VIEW whoCanDiscoverGroup ANYONE_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_MEMBERS_CAN_VIEW whoCanDiscoverGroup ANYONE_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_IN_DOMAIN_CAN_VIEW whoCanDiscoverGroup ALL_IN_DOMAIN_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_OWNERS_CAN_VIEW whoCanDiscoverGroup ALL_IN_DOMAIN_CAN_DISCOVER
+Group: group@domain.com, Update Failed: Failed request validation in update settings: DONT_USE_OR_ELSE_WHO_CAN_MANAGE_MEMBERS_CANNOT_BE_BROADER_THAN_WHO_CAN_VIEW_MEMBERSHIP
+
+gam update group group@domain.com whoCanViewMembership ALL_MANAGERS_CAN_VIEW whoCanDiscoverGroup ALL_IN_DOMAIN_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_MEMBERS_CAN_VIEW whoCanDiscoverGroup ALL_IN_DOMAIN_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_IN_DOMAIN_CAN_VIEW whoCanDiscoverGroup ALL_MEMBERS_CAN_DISCOVER
+Group: group@domain.com, Update Failed: Failed request validation in update settings: WHO_CAN_VIEW_MEMBERSHIP_CANNOT_BE_BROADER_THAN_WHO_CAN_SEE_GROUP
+
+gam update group group@domain.com whoCanViewMembership ALL_OWNERS_CAN_VIEW whoCanDiscoverGroup ALL_MEMBERS_CAN_DISCOVER
+Group: group@domain.com, Update Failed: Failed request validation in update settings: DONT_USE_OR_ELSE_WHO_CAN_MANAGE_MEMBERS_CANNOT_BE_BROADER_THAN_WHO_CAN_VIEW_MEMBERSHIP
+
+gam update group group@domain.com whoCanViewMembership ALL_MANAGERS_CAN_VIEW whoCanDiscoverGroup ALL_MEMBERS_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_MEMBERS_CAN_VIEW whoCanDiscoverGroup ALL_MEMBERS_CAN_DISCOVER
+Group: group@domain.com, Updated
+```
+
 ## Manage groups
 
 These commands allow you to create, update and delete groups.
@@ -343,7 +384,7 @@ Getting Group Settings for testgroup4@domain.com (4/4)
 ```
 Perform your experiments and then restore the original settings.
 ```
-$ gam csv ./groups.csv quotechar "'" gam update group ~email json ~JSON-settings
+$ gam csv ./groups.csv quotechar "'" gam update group "~email" json "~JSON-settings"
 Using 4 processes...
 Group: testgroup1@domain.com, Updated
 Group: testgroup2@domain.com, Updated
@@ -543,7 +584,7 @@ gam print grouptree <GroupEntity> [todrive <ToDriveAttribute>*]
 ```
 By default, the group parent emails and names are displayed in multiple indexed columns.
 Use options `showparentsaslist [<Boolean>]` and `delimiter <Character>` to display
-the group parent emails and names in two columns as delimited lists .
+the group parent emails and names in two columns as delimited lists.
 
 #### Examples
 ```
@@ -575,3 +616,20 @@ gam print groups
         [admincreatedmatch <Boolean>]
         showitemcountonly
 ```
+Example
+```
+$ gam print groups showitemcountonly
+Getting all Groups, may take some time on a large Google Workspace Account...
+Got 200 Groups: 1aparents@domain.com - students-genderfood@domain.com
+Got 238 Groups: students-worldculture@domain.com - xcarestaff@domain.com
+238
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print groups showitemcountonly)
+Windows PowerShell
+count = & gam print groups showitemcountonly
+```

docs/Home.md

@@ -1,70 +1,61 @@
 - [Introduction](#introduction)
 - [Requirements](#requirements)
-- [Installation - First time GAM installation](#installation---first-time-gam-installation)
-- [Installation - Upgrading from a GAM version other than a prior version of GAMADV-X or GAMADV-XTD or GAMADV-XTD3](#installation---upgrading-from-a-gam-version-other-than-a-prior-version-of-gamadv-x-or-gamadv-xtd-or-gamadv-xtd3)
-- [Installation - Upgrading from a prior version of GAMADV-X or GAMADV-XTD or GAMADV-XTD3](#installation---upgrading-from-a-prior-version-of-gamadv-x-or-gamadv-xtd-or-gamadv-xtd3)
+- [Installation - First time GAM7 installation](#installation---first-time-gam7-installation)
+- [Installation - Upgrading from Legacy GAM](#installation---upgrading-from-legacy-gam)
 
 # Introduction
-GAMADV-XTD3 is a free, open source command line tool for Google Workspace Administrators to manage domain and user settings quickly and easily.
+GAM7 is a free, open source command line tool for Google Workspace Administrators to manage domain and user settings quickly and easily.
 
-GAMADV-XTD3 is built with Python 3; as Python 2 support ends on 2020-01-01, this is the version of Advanced GAM that new/existing users should install.
+This page provides simple instructions for downloading, installing and starting to use GAM7.
 
-This page provides simple instructions for downloading, installing and starting to use GAMADV-XTD3.
+GAM7 requires paid, or Education/Non-profit, editions of Google Workspace. G Suite Legacy Free Edition has limited API support and not all GAM commands work.
 
-GAMADV-XTD3 requires paid, or Education/Non-profit, editions of Google Workspace. G Suite Legacy Free Edition has limited API support and not all GAM commands work.
+GAM7 is a rewrite/extension of Jay Lee's [Legacy GAM], without his efforts, this version wouldn't exist.
 
-GAMADV-XTD3 is a rewrite/extension of Jay Lee's [GAM], without his efforts, this version wouldn't exist.
-
-GAMADV-XTD3 is backwards compatible with [GAM], meaning that if your command works with regular GAM, it will also work with GAMADV-XTD3. There may be differences in output, but the syntax is compatible.
+GAM7 is backwards compatible with [Legacy GAM], meaning that if your command works with Legacy GAM, it will also work with GAM7. There may be differences in output, but the syntax is compatible.
 
 # Documentation
-Basic GAM documentation is hosted in the [GitHub Wiki]. Documentation specifically for GAMADV-XTD3 is hosted in the [GitHub GAMADV-XTD3 Wiki] and in Gam*.txt files.
+Documentation for GAM7 is hosted in the [GitHub GAM7 Wiki] and in Gam*.txt files.
+Legacy GAM documentation is hosted in the [GitHub Legacy Wiki].
 
 # Mailing List / Discussion group
 The GAM mailing list / discussion group is hosted on [Google Groups].  You can join the list and interact via email, or just post from the web itself.
 
 # Source Repository
-The official GAMADV-XTD3 source repository is on [GitHub] in the master branch.
+The official GAM7 source repository is on [GitHub] in the master branch.
 
 # Author
-GAMADV-XTD3 is maintained by <a href="mailto:ross.scroggs@gmail.com">Ross Scroggs</a>.
+GAM7 is maintained by <a href="mailto:ross.scroggs@gmail.com">Ross Scroggs</a>.
 
 # Requirements
-To run all commands properly, GAMADV-XTD3 requires three things:
-* An API project which identifies your install of GAMADV-XTD3 to Google and keeps track of API quotas.
+To run all commands properly, GAM7 requires three things:
+* An API project which identifies your install of GAM7 to Google and keeps track of API quotas.
 * Authorization to act as your Google Workspace Administrator in order to perform management functions like add users, modify group settings and membership and pull domain reports.
 * A special service account that is authorized to act on behalf of your users in order to modify user-specific settings and data such as Drive files, Calendars and Gmail messages and settings like signatures.
 
-# Installation - First time GAM installation
+# Installation - First time GAM7 installation
 Use these steps if you have never used any version of GAM in your domain. They will create a GAM project
 and all necessary authentications.
 
-* Download: [Downloads](Downloads)
-* Configuration: [GAM Configuration](gam.cfg)
+* Download: [Downloads-Installs](Downloads-Installs)
+* Configuration: [GAM7 Configuration](gam.cfg)
 * Install: [How to Install Advanced GAM](How-to-Install-Advanced-GAM)
 
-# Installation - Upgrading from a GAM version other than a prior version of GAMADV-X or GAMADV-XTD or GAMADV-XTD3
-Use these steps if you have used any version of GAM in your domain. They will update your GAM project
+# Installation - Upgrading from Legacy GAM
+Use these steps if you have used any version of Legacy GAM in your domain. They will update your GAM project
 and all necessary authentications.
 
-* Download: [Downloads](Downloads)
-* Configuration: [GAM Configuration](gam.cfg)
-* Upgrade: [How to Upgrade from Standard GAM](How-to-Upgrade-from-Standard-GAM)
+* Download: [Downloads-Installs](Downloads-Installs)
+* Configuration: [GAM7 Configuration](gam.cfg)
+* Upgrade: [How to Upgrade from Legacy GAM](How-to-Upgrade-from-Legacy-GAM)
 
-# Installation - Upgrading from a prior version of GAMADV-X or GAMADV-XTD or GAMADV-XTD3
-Use these steps if you already use GAMADV-X or GAMADV-XTD or GAMADV-XTD3. The updates may tell you to update your GAM project
-or authentications because new features have been included.
+You can install multiple versions of GAM and GAM7 in different parallel directories.
 
-* Updates: [GAM Updates]
-* Download: [Downloads](Downloads)
-
-You can install multiple versions of GAM and GAMADV-XTD3 in different parallel directories.
-
-[GAM]: https://github.com/GAM-team/GAM
-[GitHub Releases]: https://github.com/taers232c/GAMADV-XTD3/releases
-[GitHub]: https://github.com/taers232c/GAMADV-XTD3/tree/master
-[GitHub Wiki]: https://github.com/GAM-team/GAM/wiki/
-[GitHub GAMADV-XTD3 Wiki]: https://github.com/taers232c/GAMADV-XTD3/wiki/
+[Legacy GAM]: https://github.com/GAM-team/GAM/releases?q=6.58&expanded=true
+[GAM7]: https://github.com/GAM-team/GAM
+[GitHub Releases]: https://github.com/GAM-team/GAM/releases
+[GitHub]: https://github.com/GAM-team/GAM/tree/master
+[GitHub Legacy Wiki]: https://github.com/GAM-team/GAM/wiki/
+[GitHub GAM7 Wiki]: https://github.com/taers232c/GAMADV-XTD3/wiki/
 [Google Groups]: https://groups.google.com/group/google-apps-manager
 [GAM Updates]: https://github.com/taers232c/GAMADV-XTD3/wiki/GamUpdates
-

docs/How-to-Install-Advanced-Gam.md

@@ -2,10 +2,10 @@
 Use these steps if you have never used any version of GAM in your domain. They will create your GAM project
 and all necessary authentications.
 
-- [Downloads](Downloads)
-- [GAM Configuration](gam.cfg)
+- [Downloads-Installs](Downloads-Installs)
 - [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
 - [Windows](#windows)
+- [GAM Configuration](gam.cfg)
 
 ## Linux and MacOS and Google Cloud Shell
 
@@ -25,6 +25,11 @@ probably want to select a non-hidden location. This example assumes that the GAM
 configuration directory will be /Users/admin/GAMConfig; If you've chosen another directory,
 substitute that value in the directions.
 
+Make the directory:
+```
+mkdir -p /Users/admin/GAMConfig
+```
+
 Add the following line:
 ```
 export GAMCFGDIR="/Users/admin/GAMConfig"
@@ -37,14 +42,7 @@ to one of these files based on your shell:
 ~/.profile
 ```
 
-You need to enable this setting in the environment. The easiest way is probably to close your terminal and open a new session. This will load the environment variables, including the one you just added. Test this by issuing this command:
-```
-echo $GAMCFGDIR
-```
-
-This should print the name of the directory you used above.
-
-Alternatively, without starting a new session, load the new variable in this session directly: issue the following command replacing `<Filename>` with the name of the file you edited:
+Issue the following command replacing `<Filename>` with the name of the file you edited:
 ```
 source <Filename>
 ```
@@ -54,11 +52,6 @@ You need to make sure the GAM configuration directory actually exists. Test that
 ls -l $GAMCFGDIR
 ```
 
-If this gives you an error, make the directory:
-```
-mkdir -p $GAMCFGDIR
-```
-
 ### Set a working directory
 
 You should establish a GAM working directory; you will store your GAM related
@@ -66,7 +59,11 @@ data in this folder and execute GAM commands from this folder. You should not us
 /Users/admin/bin/gamadv-xtd3 or /Users/admin/GAMConfig for this purpose.
 This example assumes that the GAM working directory will be /Users/admin/GAMWork; If you've chosen
 another directory, substitute that value in the directions.
-* Make the /Users/admin/GAMWork directory before proceeding.
+
+Make the directory:
+```
+mkdir -p /Users/admin/GAMWork
+```
 
 ### Set an alias
 You should set an alias to point to /Users/admin/bin/gamadv-xtd3/gam so you can operate from the /Users/admin/GAMWork directory.
@@ -98,31 +95,33 @@ ln -s "/Users/admin/bin/gamadv-xtd3/gam" /usr/local/bin/gam
 
 ### Initialize GAMADV-XTD3; this should be the first GAMADV-XTD3 command executed.
 ```
-admin@server:~$ cd /Users/admin/bin/gamadv-xtd3
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam config drive_dir /Users/admin/GAMWork verify
+admin@server:/Users/admin$ gam config drive_dir /Users/admin/GAMWork verify
 Created: /Users/admin/GAMConfig
 Created: /Users/admin/GAMConfig/gamcache
 Config File: /Users/admin/GAMConfig/gam.cfg, Initialized
 Section: DEFAULT
-  activity_max_results = 100
   ...
-  [long list of all config settings that should match the directories you specified]
+  cache_dir = /Users/admin/GAMConfig/gamcache
+  ...
+  config_dir = /Users/admin/GAMConfig
+  ...
+  drive_dir = /Users/admin/GAMWork
   ...
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Verify initialization, this was a successful installation.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ls -l $GAMCFGDIR
+admin@server:/Users/admin$ ls -l $GAMCFGDIR
 total 48
 -rw-r-----+ 1 admin  staff  1069 Mar  3 09:23 gam.cfg
 drwxr-x---+ 2 admin  staff    68 Mar  3 09:23 gamcache
 -rw-rw-rw-+ 1 admin  staff     0 Mar  3 09:23 oauth2.txt.lock
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 ### Create your project with local browser
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam create project
+admin@server:/Users/admin$ gam create project
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: client_secrets_json, Value: /Users/admin/GAMConfig/client_secrets.json, Not Found
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: oauth2service_json, Value: /Users/admin/GAMConfig/oauth2service.json, Not Found
 
@@ -186,12 +185,12 @@ Enter your Client Secret: CLIENTSECRET
 6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
 That's it! Your GAM Project is created and ready to use.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 ### Create your project without local browser (Google Cloud Shell for instance)
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam config no_browser true save
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam create project
+admin@server:/Users/admin$ gam config no_browser true save
+admin@server:/Users/admin$ gam create project
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: client_secrets_json, Value: /Users/admin/GAMConfig/client_secrets.json, Not Found
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: oauth2service_json, Value: /Users/admin/GAMConfig/oauth2service.json, Not Found
 
@@ -254,7 +253,7 @@ Enter your Client Secret: CLIENTSECRET
 6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
 That's it! Your GAM Project is created and ready to use.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 ### Enable GAMADV-XTD3 client access
 
@@ -262,10 +261,7 @@ You select a list of scopes, GAM uses a browser to get final authorization from
 writes the credentials into the file oauth2.txt.
 
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth create
-
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
+admin@server:/Users/admin$ gam oauth create
 
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
@@ -274,7 +270,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -284,7 +280,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -314,15 +310,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
@@ -339,14 +342,14 @@ Enter verification code or paste "Unable to connect" URL from other computer (on
 The authentication flow has completed.
 Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 
 If clicking on the link in the instructions does not work (i.e. you get a 404 or 400 error message, instead of something about 'unable to connect') the URL in the link is too long. Most likely, you have selected all scopes. Try again with fewer scopes until it works. (there is no harm in repeatedly trying)
 
 ### Enable GAMADV-XTD3 service account access.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user admin@domain.com check serviceaccount
+admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
 $ gam user admin@domain.com check serviceaccount
 System time status
   Your system time differs from www.googleapis.com by less than 1 second    PASS
@@ -401,7 +404,7 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 The link shown in the error message should take you directly to the authorization screen.
 If not, make sure that you are logged in as a domain admin, then re-enter the link.
@@ -411,7 +414,7 @@ If not, make sure that you are logged in as a domain admin, then re-enter the li
 Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
 for the authorization to complete.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user admin@domain.com check serviceaccount
+admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
 System time status:
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication:
@@ -455,14 +458,14 @@ All scopes PASSED!
 
 Service Account Client name: SVCACCTID is fully authorized.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 ### Update gam.cfg with some basic values
 * `customer_id` - Having this data keeps Gam from having to make extra API calls
 * `domain` - This allows you to omit the domain portion of email addresses
 * `timezone local` - Gam will convert all UTC times to your local timezone
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam info domain
+admin@server:/Users/admin$ gam info domain
 Customer ID: C01234567
 Primary Domain: domain.com
 Customer Creation Time: 2007-06-06T15:47:55.444Z
@@ -470,15 +473,18 @@ Primary Domain Verified: True
 Default Language: en
 ...
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam config customer_id C01234567 domain domain.com timezone local save verify
+admin@server:/Users/admin$ gam config customer_id C01234567 domain domain.com timezone local save verify
 Config File: /Users/admin/GAMConfig/gam.cfg, Saved
 Section: DEFAULT
-  activity_max_results = 100
   ...
-  [long list of all config settings that should match the data you specified]
+  customer_id = C01234567
+  ...
+  domain = domain.com
+  ...
+  timezone = local
   ...
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 
 ## Windows
@@ -534,22 +540,24 @@ At this point, you should restart Command Prompt so that it has the updated path
 
 ### Initialize GAMADV-XTD3; this should be the first GAMADV-XTD3 command executed.
 ```
-C:>cd C:\GAMADV-XTD3
-C:\GAMADV-XTD3>gam config drive_dir C:\GAMWork verify
+C:\>gam config drive_dir C:\GAMWork verify
 Created: C:\GAMConfig
 Created: C:\GAMConfig\gamcache
 Config File: C:\GAMConfig\gam.cfg, Initialized
 Section: DEFAULT
-  activity_max_results = 100
   ...
-  [long list of all config settings that should match the directories you specified]
+  cache_dir = C:\GAMConfig\gamcache
+  ...
+  config_dir = C:\GAMConfig
+  ...
+  drive_dir = C:\GAMWork
   ...
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Verify initialization, this was a successful installation.
 ```
-C:\GAMADV-XTD3>dir %GAMCFGDIR%
+C:\>dir %GAMCFGDIR%
  Volume in drive C has no label.
  Volume Serial Number is 663F-DA8B
 
@@ -562,12 +570,12 @@ C:\GAMADV-XTD3>dir %GAMCFGDIR%
 03/03/2017  10:15 AM                 0 oauth2.txt.lock
                2 File(s)         15,769 bytes
                3 Dir(s)  110,532,562,944 bytes free
-C:\GAMADV-XTD3>
+C:\>
 ```
 
 ### Create your project with local browser
 ```
-C:\GAMADV-XTD3>gam create project
+C:\>gam create project
 WARNING: Config File: C:\GAMConfig\gam.cfg, Item: client_secrets_json, Value: C:\GAMConfig\client_secrets.json, Not Found
 WARNING: Config File: C:\GAMConfig\gam.cfg, Item: oauth2service_json, Value: C:\GAMConfig\oauth2service.json, Not Found
 
@@ -631,12 +639,12 @@ Enter your Client Secret: CLIENTSECRET
 6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
 That's it! Your GAM Project is created and ready to use.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Create your project without local browser (headless server for instance)
 ```
-C:\GAMADV-XTD3>gam config no_browser true save
-C:\GAMADV-XTD3>gam create project
+C:\>gam config no_browser true save
+C:\>gam create project
 WARNING: Config File: C:\GAMConfig\gam.cfg, Item: client_secrets_json, Value: C:\GAMConfig\client_secrets.json, Not Found
 WARNING: Config File: C:\GAMConfig\gam.cfg, Item: oauth2service_json, Value: C:\GAMConfig\oauth2service.json, Not Found
 
@@ -699,7 +707,7 @@ Enter your Client Secret: CLIENTSECRET
 6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
 That's it! Your GAM Project is created and ready to use.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Enable GAMADV-XTD3 client access
 
@@ -707,10 +715,7 @@ You select a list of scopes, GAM uses a browser to get final authorization from
 writes the credentials into the file oauth2.txt.
 
 ```
-C:\GAMADV-XTD3>gam oauth create
-
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
+C:\>gam oauth create
 
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
@@ -719,7 +724,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -729,7 +734,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -759,15 +764,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
@@ -784,11 +796,11 @@ Enter verification code or paste "Unable to connect" URL from other computer (on
 The authentication flow has completed.
 Client OAuth2 File: C:\GAMConfig\oauth2.txt, Created
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Enable GAMADV-XTD3 service account access.
 ```
-C:\GAMADV-XTD3>gam user admin@domain.com check serviceaccount
+C:\>gam user admin@domain.com check serviceaccount
 System time status
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication
@@ -842,7 +854,7 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 The link shown in the error message should take you directly to the authorization screen.
 If not, make sure that you are logged in as a domain admin, then re-enter the link.
@@ -852,7 +864,7 @@ If not, make sure that you are logged in as a domain admin, then re-enter the li
 Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
 for the authorization to complete.
 ```
-C:\GAMADV-XTD3>gam user admin@domain.com check serviceaccount
+C:\>gam user admin@domain.com check serviceaccount
 System time status:
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication:
@@ -896,14 +908,14 @@ All scopes PASSED!
 
 Service Account Client name: SVCACCTID is fully authorized.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Update gam.cfg with some basic values
 * `customer_id` - Having this data keeps Gam from having to make extra API calls
 * `domain` - This allows you to omit the domain portion of email addresses
 * `timezone local` - Gam will convert all UTC times to your local timezone
 ```
-C:\GAMADV-XTD3>gam info domain
+C:\>gam info domain
 Customer ID: C01234567
 Primary Domain: domain.com
 Customer Creation Time: 2007-06-06T15:47:55.444Z
@@ -911,13 +923,16 @@ Primary Domain Verified: True
 Default Language: en
 ...
 
-C:\GAMADV-XTD3>gam config customer_id C01234567 domain domain.com timezone local save verify
+C:\>gam config customer_id C01234567 domain domain.com timezone local save verify
 Config File: C:\GAMConfig\gam.cfg, Saved
 Section: DEFAULT
-  activity_max_results = 100
   ...
-  [long list of all config settings that should match the directories you specified]
+  customer_id = C01234567
+  ...
+  domain = domain.com
+  ...
+  timezone = local
   ...
 
-C:\GAMADV-XTD3>
+C:\>
 ```

docs/How-to-Install-GAM7.md

@@ -0,0 +1,938 @@
+# Installing GAM7
+Use these steps if you have never used any version of GAM in your domain. They will create your GAM project
+and all necessary authentications.
+
+- [Downloads-Installs](Downloads-Installs)
+- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
+- [Windows](#windows)
+- [GAM Configuration](gam.cfg)
+
+## Linux and MacOS and Google Cloud Shell
+
+In these examples, your Google Super admin is shown as admin@domain.com; replace with the
+actual email adddress.
+
+In these examples, the user home folder is shown as /Users/admin; adjust according to your
+specific situation; e.g., /home/administrator.
+
+This example assumes that GAM7 has been installed in /Users/admin/bin/gam7.
+If you've installed GAM7 in another directory, substitute that value in the directions.
+
+### Set a configuration directory
+
+The default GAM configuration directory is /Users/admin/.gam; for more flexibility you
+probably want to select a non-hidden location. This example assumes that the GAM
+configuration directory will be /Users/admin/GAMConfig; If you've chosen another directory,
+substitute that value in the directions.
+
+Make the directory:
+```
+mkdir -p /Users/admin/GAMConfig
+```
+
+Add the following line:
+```
+export GAMCFGDIR="/Users/admin/GAMConfig"
+```
+to one of these files based on your shell:
+```
+~/.bash_profile
+~/.bashrc
+~/.zshrc
+~/.profile
+```
+
+Issue the following command replacing `<Filename>` with the name of the file you edited:
+```
+source <Filename>
+```
+
+You need to make sure the GAM configuration directory actually exists. Test that like this:
+```
+ls -l $GAMCFGDIR
+```
+
+### Set a working directory
+
+You should establish a GAM working directory; you will store your GAM related
+data in this folder and execute GAM commands from this folder. You should not use
+/Users/admin/bin/gam7 or /Users/admin/GAMConfig for this purpose.
+This example assumes that the GAM working directory will be /Users/admin/GAMWork; If you've chosen
+another directory, substitute that value in the directions.
+
+Make the directory:
+```
+mkdir -p /Users/admin/GAMWork
+```
+
+### Set an alias
+You should set an alias to point to /Users/admin/bin/gam7/gam so you can operate from the /Users/admin/GAMWork directory.
+Aliases aren't available in scripts, so you may want to set a symlink instead, see below.
+
+Add the following line:
+```
+alias gam="/Users/admin/bin/gam7/gam"
+```
+to one of these files based on your shell:
+```
+~/.bash_aliases
+~/.bash_profile
+~/.bashrc
+~/.zshrc
+~/.profile
+```
+
+Issue the following command replacing `<Filename>` with the name of the file you edited:
+```
+source <Filename>
+```
+
+### Set a symlink
+Set a symlink in `/usr/local/bin` (or some other location on $PATH) to point to GAM. 
+```
+ln -s "/Users/admin/bin/gam7/gam" /usr/local/bin/gam
+```
+
+### Initialize GAM7; this should be the first GAM7 command executed.
+```
+admin@server:/Users/admin$ gam config drive_dir /Users/admin/GAMWork verify
+Created: /Users/admin/GAMConfig
+Created: /Users/admin/GAMConfig/gamcache
+Config File: /Users/admin/GAMConfig/gam.cfg, Initialized
+Section: DEFAULT
+  ...
+  cache_dir = /Users/admin/GAMConfig/gamcache
+  ...
+  config_dir = /Users/admin/GAMConfig
+  ...
+  drive_dir = /Users/admin/GAMWork
+  ...
+
+admin@server:/Users/admin$
+```
+### Verify initialization, this was a successful installation.
+```
+admin@server:/Users/admin$ ls -l $GAMCFGDIR
+total 48
+-rw-r-----+ 1 admin  staff  1069 Mar  3 09:23 gam.cfg
+drwxr-x---+ 2 admin  staff    68 Mar  3 09:23 gamcache
+-rw-rw-rw-+ 1 admin  staff     0 Mar  3 09:23 oauth2.txt.lock
+admin@server:/Users/admin$ 
+```
+### Create your project with local browser
+```
+admin@server:/Users/admin$ gam create project
+WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: client_secrets_json, Value: /Users/admin/GAMConfig/client_secrets.json, Not Found
+WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: oauth2service_json, Value: /Users/admin/GAMConfig/oauth2service.json, Not Found
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) admin@domain.com
+
+Your browser has been opened to visit:
+
+    https://accounts.google.com/o/oauth2/v2/auth?client_id=CLI...response_type=code
+
+If your browser is on a different machine then press CTRL+C,
+set no_browser = true in gam.cfg and re-run this command.
+
+Authentication successful.
+Creating project "GAM Project"...
+Checking project status...
+Project: gam-project-abc-def-ghi, Enable 23 APIs
+  API: admin.googleapis.com, Enabled (1/23)
+  API: alertcenter.googleapis.com, Enabled (2/23)
+  API: appsactivity.googleapis.com, Enabled (3/23)
+  API: audit.googleapis.com, Enabled (4/23)
+  API: calendar-json.googleapis.com, Enabled (5/23)
+  API: chat.googleapis.com, Enabled (6/23)
+  API: classroom.googleapis.com, Enabled (7/23)
+  API: contacts.googleapis.com, Enabled (8/23)
+  API: drive.googleapis.com, Enabled (9/23)
+  API: driveactivity.googleapis.com, Enabled (10/23)
+  API: gmail.googleapis.com, Enabled (11/23)
+  API: groupsmigration.googleapis.com, Enabled (12/23)
+  API: groupssettings.googleapis.com, Enabled (13/23)
+  API: iam.googleapis.com, Enabled (14/23)
+  API: iap.googleapis.com, Enabled (15/23)
+  API: licensing.googleapis.com, Enabled (16/23)
+  API: people.googleapis.com, Enabled (17/23)
+  API: pubsub.googleapis.com, Enabled (18/23)
+  API: reseller.googleapis.com, Enabled (19/23)
+  API: sheets.googleapis.com, Enabled (20/23)
+  API: siteverification.googleapis.com, Enabled (21/23)
+  API: storage-api.googleapis.com, Enabled (22/23)
+  API: vault.googleapis.com, Enabled (23/23)
+Setting GAM project consent screen...
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Enabled
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Generating new private key
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Extracting public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Done generating private key and public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Service Account Key: SVCACCTKEY, Uploaded
+Service Account OAuth2 File: /Users/admin/GAMConfig/oauth2service.json, Service Account Key: SVCACCTKEY, Updated
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Has rights to rotate own private key
+Please go to:
+
+https://console.cloud.google.com/apis/credentials/oauthclient?project=gam-project-abc-def-ghi
+
+1. Choose "Desktop App" or "Other" for "Application type".
+2. Enter "GAM" or another desired value for "Name".
+3. Click the blue "Create" button.
+4. Copy your "client ID" value that shows on the next page.
+
+Enter your Client ID: CLIENTID
+
+5. Go back to your browser and copy your "client secret" value.
+Enter your Client Secret: CLIENTSECRET
+6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
+That's it! Your GAM Project is created and ready to use.
+
+admin@server:/Users/admin$ 
+```
+### Create your project without local browser (Google Cloud Shell for instance)
+```
+admin@server:/Users/admin$ gam config no_browser true save
+admin@server:/Users/admin$ gam create project
+WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: client_secrets_json, Value: /Users/admin/GAMConfig/client_secrets.json, Not Found
+WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: oauth2service_json, Value: /Users/admin/GAMConfig/oauth2service.json, Not Found
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) admin@domain.com
+
+Go to the following link in a browser on other computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?re... m&prompt=consent
+
+Enter verification code: abc...xyz
+
+Authentication successful.
+Creating project "GAM Project"...
+Checking project status...
+Project: gam-project-abc-def-ghi, Enable 23 APIs
+  API: admin.googleapis.com, Enabled (1/23)
+  API: alertcenter.googleapis.com, Enabled (2/23)
+  API: appsactivity.googleapis.com, Enabled (3/23)
+  API: audit.googleapis.com, Enabled (4/23)
+  API: calendar-json.googleapis.com, Enabled (5/23)
+  API: chat.googleapis.com, Enabled (6/23)
+  API: classroom.googleapis.com, Enabled (7/23)
+  API: contacts.googleapis.com, Enabled (8/23)
+  API: drive.googleapis.com, Enabled (9/23)
+  API: driveactivity.googleapis.com, Enabled (10/23)
+  API: gmail.googleapis.com, Enabled (11/23)
+  API: groupsmigration.googleapis.com, Enabled (12/23)
+  API: groupssettings.googleapis.com, Enabled (13/23)
+  API: iam.googleapis.com, Enabled (14/23)
+  API: iap.googleapis.com, Enabled (15/23)
+  API: licensing.googleapis.com, Enabled (16/23)
+  API: people.googleapis.com, Enabled (17/23)
+  API: pubsub.googleapis.com, Enabled (18/23)
+  API: reseller.googleapis.com, Enabled (19/23)
+  API: sheets.googleapis.com, Enabled (20/23)
+  API: siteverification.googleapis.com, Enabled (21/23)
+  API: storage-api.googleapis.com, Enabled (22/23)
+  API: vault.googleapis.com, Enabled (23/23)
+Setting GAM project consent screen...
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Enabled
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Generating new private key
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Extracting public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Done generating private key and public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Service Account Key: SVCACCTKEY, Uploaded
+Service Account OAuth2 File: /Users/admin/GAMConfig/oauth2service.json, Service Account Key: SVCACCTKEY, Updated
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Has rights to rotate own private key
+Please go to:
+
+https://console.cloud.google.com/apis/credentials/oauthclient?project=gam-project-abc-def-ghi
+
+1. Choose "Desktop App" or "Other" for "Application type".
+2. Enter "GAM" or another desired value for "Name".
+3. Click the blue "Create" button.
+4. Copy your "client ID" value that shows on the next page.
+
+Enter your Client ID: CLIENTID
+
+5. Go back to your browser and copy your "client secret" value.
+Enter your Client Secret: CLIENTSECRET
+6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
+That's it! Your GAM Project is created and ready to use.
+
+admin@server:/Users/admin$ 
+```
+### Enable GAM7 client access
+
+You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
+writes the credentials into the file oauth2.txt.
+
+```
+admin@server:/Users/admin$ gam oauth create
+
+[*]  0)  Calendar API (supports readonly)
+[*]  1)  Chrome Browser Cloud Management API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
+
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
+
+Enter your Google Workspace admin email address? admin@domain.com
+
+Go to the following link in a browser on this computer or on another computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
+
+If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
+click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+The authentication flow has completed.
+Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created
+
+admin@server:/Users/admin$ 
+```
+
+If clicking on the link in the instructions does not work (i.e. you get a 404 or 400 error message, instead of something about 'unable to connect') the URL in the link is too long. Most likely, you have selected all scopes. Try again with fewer scopes until it works. (there is no harm in repeatedly trying)
+
+### Enable GAM7 service account access.
+```
+admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
+$ gam user admin@domain.com check serviceaccount
+System time status
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication
+  Authentication                                                            PASS
+Service Account Private Key age; Google recommends rotating keys on a routine basis
+  Service Account Private Key age: 0 days                                   PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+Some scopes FAILED!
+To authorize them, please go to:
+
+    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.go...huser=admin@domain.com
+
+You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
+The "Add a new Client ID" box will open
+Make sure that "Overwrite existing client ID" is checked
+Click AUTHORIZE
+When the box closes you're done
+After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
+
+admin@server:/Users/admin$
+```
+The link shown in the error message should take you directly to the authorization screen.
+If not, make sure that you are logged in as a domain admin, then re-enter the link.
+
+### Verify GAM7 service account access.
+
+Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
+for the authorization to complete.
+```
+admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
+System time status:
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication:
+  Authentication                                                            PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
+  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+All scopes PASSED!
+
+Service Account Client name: SVCACCTID is fully authorized.
+
+admin@server:/Users/admin$ 
+```
+### Update gam.cfg with some basic values
+* `customer_id` - Having this data keeps Gam from having to make extra API calls
+* `domain` - This allows you to omit the domain portion of email addresses
+* `timezone local` - Gam will convert all UTC times to your local timezone
+```
+admin@server:/Users/admin$ gam info domain
+Customer ID: C01234567
+Primary Domain: domain.com
+Customer Creation Time: 2007-06-06T15:47:55.444Z
+Primary Domain Verified: True
+Default Language: en
+...
+
+admin@server:/Users/admin$ gam config customer_id C01234567 domain domain.com timezone local save verify
+Config File: /Users/admin/GAMConfig/gam.cfg, Saved
+Section: DEFAULT
+  ...
+  customer_id = C01234567
+  ...
+  domain = domain.com
+  ...
+  timezone = local
+  ...
+
+admin@server:/Users/admin$
+```
+
+## Windows
+
+In these examples, your Google Super admin is shown as admin@domain.com; replace with the
+actual email adddress.
+
+This example assumes that GAM7 has been installed in C:\GAM7; if you've installed
+GAM7 in another directory, substitute that value in the directions.
+
+These steps assume Command Prompt, adjust if you're using PowerShell.
+
+### Set a configuration directory
+
+The default GAM configuration directory is C:\Users\<UserName>\.gam; for more flexibility you
+probably want to select a non user-specific location. This example assumes that the GAM
+configuration directory will be C:\GAMConfig; If you've chosen another directory,
+substitute that value in the directions.
+* Make the C:\GAMConfig directory before proceeding.
+
+### Set a working directory
+
+You should extablish a GAM working directory; you will store your GAM related
+data in this folder and execute GAM commands from this folder. You should not use
+C:\GAM7 or C:\GAMConfig for this purpose.
+This example assumes that the GAM working directory will be C:\GAMWork; If you've chosen
+another directory, substitute that value in the directions.
+* Make the C:\GAMWork directory before proceeding.
+
+### Set system path and GAM configuration directory
+You should set the system path to point to C:\GAM7 so you can operate from the C:\GAMWork directory.
+```
+Start Control Panel
+Click System
+Click Advanced system settings
+Click Environment Variables...
+Click Path under System variables
+Click Edit...
+If C:\GAM7 is already on the Path, skip the next three steps
+  Click New
+  Enter C:\GAM7
+  Click OK
+Click New
+Set Variable name: GAMCFGDIR
+Set Variable value: C:\GAMConfig
+Click OK
+Click OK
+Click OK
+Exit Control Panel
+```
+
+At this point, you should restart Command Prompt so that it has the updated path and environment variables.
+
+### Initialize GAM7; this should be the first GAM7 command executed.
+```
+C:\>gam config drive_dir C:\GAMWork verify
+Created: C:\GAMConfig
+Created: C:\GAMConfig\gamcache
+Config File: C:\GAMConfig\gam.cfg, Initialized
+Section: DEFAULT
+  ...
+  cache_dir = C:\GAMConfig\gamcache
+  ...
+  config_dir = C:\GAMConfig
+  ...
+  drive_dir = C:\GAMWork
+  ...
+
+C:\>
+```
+### Verify initialization, this was a successful installation.
+```
+C:\>dir %GAMCFGDIR%
+ Volume in drive C has no label.
+ Volume Serial Number is 663F-DA8B
+
+ Directory of C:\GAMConfig
+
+03/03/2017  10:16 AM    <DIR>          .
+03/03/2017  10:16 AM    <DIR>          ..
+03/03/2017  10:15 AM             1,125 gam.cfg
+03/03/2017  10:15 AM    <DIR>          gamcache
+03/03/2017  10:15 AM                 0 oauth2.txt.lock
+               2 File(s)         15,769 bytes
+               3 Dir(s)  110,532,562,944 bytes free
+C:\>
+```
+
+### Create your project with local browser
+```
+C:\>gam create project
+WARNING: Config File: C:\GAMConfig\gam.cfg, Item: client_secrets_json, Value: C:\GAMConfig\client_secrets.json, Not Found
+WARNING: Config File: C:\GAMConfig\gam.cfg, Item: oauth2service_json, Value: C:\GAMConfig\oauth2service.json, Not Found
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) admin@domain.com
+
+Your browser has been opened to visit:
+
+    https://accounts.google.com/o/oaut...pe=code
+
+If your browser is on a different machine then press CTRL+C,
+set no_browser = true in gam.cfg and re-run this command.
+
+Authentication successful.
+Creating project "GAM Project"...
+Checking project status...
+Project: gam-project-abc-def-ghi, Enable 23 APIs
+  API: admin.googleapis.com, Enabled (1/23)
+  API: alertcenter.googleapis.com, Enabled (2/23)
+  API: appsactivity.googleapis.com, Enabled (3/23)
+  API: audit.googleapis.com, Enabled (4/23)
+  API: calendar-json.googleapis.com, Enabled (5/23)
+  API: chat.googleapis.com, Enabled (6/23)
+  API: classroom.googleapis.com, Enabled (7/23)
+  API: contacts.googleapis.com, Enabled (8/23)
+  API: drive.googleapis.com, Enabled (9/23)
+  API: driveactivity.googleapis.com, Enabled (10/23)
+  API: gmail.googleapis.com, Enabled (11/23)
+  API: groupsmigration.googleapis.com, Enabled (12/23)
+  API: groupssettings.googleapis.com, Enabled (13/23)
+  API: iam.googleapis.com, Enabled (14/23)
+  API: iap.googleapis.com, Enabled (15/23)
+  API: licensing.googleapis.com, Enabled (16/23)
+  API: people.googleapis.com, Enabled (17/23)
+  API: pubsub.googleapis.com, Enabled (18/23)
+  API: reseller.googleapis.com, Enabled (19/23)
+  API: sheets.googleapis.com, Enabled (20/23)
+  API: siteverification.googleapis.com, Enabled (21/23)
+  API: storage-api.googleapis.com, Enabled (22/23)
+  API: vault.googleapis.com, Enabled (23/23)
+Setting GAM project consent screen...
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Enabled
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Generating new private key
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Extracting public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Done generating private key and public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Service Account Key: SVCACCTKEY, Uploaded
+Service Account OAuth2 File: C:\GAMConfig\oauth2service.json, Service Account Key: SVCACCTKEY, Updated
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Has rights to rotate own private key
+Please go to:
+
+https://console.cloud.google.com/apis/credentials/oauthclient?project=gam-project-abc-def-ghi
+
+1. Choose "Desktop App" or "Other" for "Application type".
+2. Enter "GAM" or another desired value for "Name".
+3. Click the blue "Create" button.
+4. Copy your "client ID" value that shows on the next page.
+
+Enter your Client ID: CLIENTID
+
+5. Go back to your browser and copy your "client secret" value.
+Enter your Client Secret: CLIENTSECRET
+6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
+That's it! Your GAM Project is created and ready to use.
+
+C:\>
+```
+### Create your project without local browser (headless server for instance)
+```
+C:\>gam config no_browser true save
+C:\>gam create project
+WARNING: Config File: C:\GAMConfig\gam.cfg, Item: client_secrets_json, Value: C:\GAMConfig\client_secrets.json, Not Found
+WARNING: Config File: C:\GAMConfig\gam.cfg, Item: oauth2service_json, Value: C:\GAMConfig\oauth2service.json, Not Found
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) admin@domain.com
+
+Go to the following link in a browser on other computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
+
+Enter verification code: abc...xyz
+
+Authentication successful.
+Creating project "GAM Project"...
+Checking project status...
+Project: gam-project-abc-def-ghi, Enable 23 APIs
+  API: admin.googleapis.com, Enabled (1/23)
+  API: alertcenter.googleapis.com, Enabled (2/23)
+  API: appsactivity.googleapis.com, Enabled (3/23)
+  API: audit.googleapis.com, Enabled (4/23)
+  API: calendar-json.googleapis.com, Enabled (5/23)
+  API: chat.googleapis.com, Enabled (6/23)
+  API: classroom.googleapis.com, Enabled (7/23)
+  API: contacts.googleapis.com, Enabled (8/23)
+  API: drive.googleapis.com, Enabled (9/23)
+  API: driveactivity.googleapis.com, Enabled (10/23)
+  API: gmail.googleapis.com, Enabled (11/23)
+  API: groupsmigration.googleapis.com, Enabled (12/23)
+  API: groupssettings.googleapis.com, Enabled (13/23)
+  API: iam.googleapis.com, Enabled (14/23)
+  API: iap.googleapis.com, Enabled (15/23)
+  API: licensing.googleapis.com, Enabled (16/23)
+  API: people.googleapis.com, Enabled (17/23)
+  API: pubsub.googleapis.com, Enabled (18/23)
+  API: reseller.googleapis.com, Enabled (19/23)
+  API: sheets.googleapis.com, Enabled (20/23)
+  API: siteverification.googleapis.com, Enabled (21/23)
+  API: storage-api.googleapis.com, Enabled (22/23)
+  API: vault.googleapis.com, Enabled (23/23)
+Setting GAM project consent screen...
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Enabled
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Generating new private key
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Extracting public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Done generating private key and public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Service Account Key: SVCACCTKEY, Uploaded
+Service Account OAuth2 File: C:\GAMConfig\oauth2service.json, Service Account Key: SVCACCTKEY, Updated
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Has rights to rotate own private key
+Please go to:
+
+https://console.cloud.google.com/apis/credentials/oauthclient?project=gam-project-abc-def-ghi
+
+1. Choose "Desktop App" or "Other" for "Application type".
+2. Enter "GAM" or another desired value for "Name".
+3. Click the blue "Create" button.
+4. Copy your "client ID" value that shows on the next page.
+
+Enter your Client ID: CLIENTID
+
+5. Go back to your browser and copy your "client secret" value.
+Enter your Client Secret: CLIENTSECRET
+6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
+That's it! Your GAM Project is created and ready to use.
+
+C:\>
+```
+### Enable GAM7 client access
+
+You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
+writes the credentials into the file oauth2.txt.
+
+```
+C:\>gam oauth create
+
+[*]  0)  Calendar API (supports readonly)
+[*]  1)  Chrome Browser Cloud Management API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
+
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
+
+Enter your Google Workspace admin email address? admin@domain.com
+
+Go to the following link in a browser on this computer or on another computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
+
+If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
+click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+The authentication flow has completed.
+Client OAuth2 File: C:\GAMConfig\oauth2.txt, Created
+
+C:\>
+```
+### Enable GAM7 service account access.
+```
+C:\>gam user admin@domain.com check serviceaccount
+System time status
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication
+  Authentication                                                            PASS
+Service Account Private Key age; Google recommends rotating keys on a routine basis
+  Service Account Private Key age: 0 days                                   PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+Some scopes FAILED!
+To authorize them, please go to:
+
+    https://admin.google.com/ac/owl/domainwide...thuser=admin@domain.com
+
+You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
+The "Add a new Client ID" box will open
+Make sure that "Overwrite existing client ID" is checked
+Click AUTHORIZE
+When the box closes you're done
+After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
+
+C:\>
+```
+The link shown in the error message should take you directly to the authorization screen.
+If not, make sure that you are logged in as a domain admin, then re-enter the link.
+
+### Verify GAM7 service account access.
+
+Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
+for the authorization to complete.
+```
+C:\>gam user admin@domain.com check serviceaccount
+System time status:
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication:
+  Authentication                                                            PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
+  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+All scopes PASSED!
+
+Service Account Client name: SVCACCTID is fully authorized.
+
+C:\>
+```
+### Update gam.cfg with some basic values
+* `customer_id` - Having this data keeps Gam from having to make extra API calls
+* `domain` - This allows you to omit the domain portion of email addresses
+* `timezone local` - Gam will convert all UTC times to your local timezone
+```
+C:\>gam info domain
+Customer ID: C01234567
+Primary Domain: domain.com
+Customer Creation Time: 2007-06-06T15:47:55.444Z
+Primary Domain Verified: True
+Default Language: en
+...
+
+C:\>gam config customer_id C01234567 domain domain.com timezone local save verify
+Config File: C:\GAMConfig\gam.cfg, Saved
+Section: DEFAULT
+  ...
+  customer_id = C01234567
+  ...
+  domain = domain.com
+  ...
+  timezone = local
+  ...
+
+C:\>
+```

docs/How-to-Uninstall-GAM7.md

@@ -0,0 +1,127 @@
+# Uninstalling GAM7
+
+- [Get Project Info](#get-project-info)
+- [Remove Client API access](#remove-client-api-access)
+- [Remove Service Account API access](#remove-service-account-api-access)
+- [Delete GAM Project](#delete-gam-project)
+- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
+- [Windows](#windows)
+
+## Get Project Info
+```
+gam version
+```
+
+Note the `Config File:` path to `gam.cfg`. In that folder will be a file `oauth2service.json`; look at its contents.
+You want these two lines:
+```
+"client_id": "123691089974044844789"
+"project_id": "gam-project-123-456-789"
+```
+
+## Remove Client API access
+```
+gam oauth delete
+```
+
+## Remove Service Account API access
+In a browser, go to `https://admin.google.com`, login and go to the Security/API Controls/Domain-wide Delegation page.
+Find the `Client ID` that matches the `client_id` value from `oauth2service.json`, hover over it and click `Delete`.	
+
+## Delete GAM Project
+In a browser, go to `https://console.cloud.google.com/cloud-resource-manager`, login. Find the `ID` that matches
+the `project_id` value from `oauth2service.json`; click the three dots at the right end of the line and click `Delete`.
+In the box that pops up, put the `project_id` value in ther `Project ID*` field and click `SHUT DOWN`
+
+## Linux and MacOS and Google Cloud Shell
+
+In these examples, the user home folder is shown as /Users/admin; adjust according to your
+specific situation; e.g., /home/administrator.
+
+This example assumes that GAM7 has been installed in /Users/admin/bin/gam7.
+If you've installed GAM7 in another directory, substitute that value in the directions.
+
+### Delete executable directory
+
+```
+rm -fr /Users/admin/bin/gam7
+```
+
+### Delete configuration directory
+
+The default GAM configuration directory is /Users/admin/.gam; for more flexibility you
+probably want to select a non-hidden location. This example assumes that the GAM
+configuration directory will be /Users/admin/GAMConfig; If you've chosen another directory,
+substitute that value in the directions.
+```
+rm -fr /Users/admin/GAMConfig
+```
+
+### Delete  working directory
+
+This example assumes that the GAM working directory is be /Users/admin/GAMWork; If you've chosen
+another directory, substitute that value in the directions.
+```
+rm -fr /Users/admin/GAMConfig
+```
+
+### Remove executable alias and GAM configuration export
+
+Remove the following line:
+```
+alias gam="/Users/admin/bin/gam7/gam"
+export GAMCFGDIR="/Users/admin/GAMConfig"
+```
+from these files based on your shell:
+```
+~/.bash_profile
+~/.bashrc
+~/.zshrc
+~/.profile
+```
+
+## Windows
+
+This example assumes that GAM7 has been installed in C:\GAM7; if you've installed
+GAM7 in another directory, substitute that value in the directions.
+
+### Delete executable directory
+
+In File Explorer, delete the `C:\GAM7` folder.
+
+### Delete configuration directory
+
+The default GAM configuration directory is C:\Users\<UserName>\.gam; for more flexibility you
+probably want to select a non user-specific location. This example assumes that the GAM
+configuration directory will be C:\GAMConfig; If you've chosen another directory,
+substitute that value in the directions.
+
+In File Explorer, delete the `C:\GAMConfig` folder.
+
+### Delete working directory
+
+This example assumes that the GAM working directory will be C:\GAMWork; If you've chosen
+another directory, substitute that value in the directions.
+
+In File Explorer, delete the `C:\GAMWork` folder.
+
+### Reset system path and GAM configuration directory
+```
+Start Control Panel
+Click System
+Click Advanced system settings
+Click Environment Variables...
+Click Path under System variables
+Click Edit...
+If C:\GAM7 is not on the Path, click Cancel and skip the next three steps
+  Click C:\GAM7
+  Click Delete
+  Click OK
+If GAMCFGDIR is not in System variables, skip the next two steps
+  Click GAMCFGDIR
+  Click Delete
+Click OK
+Click OK
+Exit Control Panel
+```
+

docs/How-to-Update-Advanced-GAM-to-GAM7.md

@@ -0,0 +1,120 @@
+# Installation - Update Advanced GAM to GAM7
+
+- [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
+- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
+- [Windows](#windows)
+
+## Linux and MacOS and Google Cloud Shell
+
+This example assumes that GAMADV-XTD3 was installed in /Users/admin/bin/gamadv-xtd3.
+If GAMADV-XTD3 was installed in another directory, substitute that value in the directions.
+
+Rename install directory.
+```
+mv /Users/admin/bin/gamadv-xtd3 /Users/admin/bin/gam7
+```
+
+See: [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
+
+You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page. Choose one of the following:
+
+* Executable Archive, Automatic, Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS
+  - Start a terminal session and execute one of the following commands:
+  - Update to latest version, do not create project or authorizations, default path `$HOME/bin`
+    - `bash <(curl -s -S -L https://git.io/gam-install) -l`
+  - Update to latest version, do not create project or authorizations, specify a path
+    - `bash <(curl -s -S -L https://git.io/gam-install) -l -d <Path>`
+
+In these examples, the user home folder is shown as /Users/admin; adjust according to your
+specific situation; e.g., /home/administrator.
+
+### Update gam  alias
+You should set an alias to point to /Users/admin/bin/gam/gam so you can operate from the /Users/admin/GAMWork directory.
+Aliases aren't available in scripts, so you may want to set a symlink instead, see below.
+
+Change the following line:
+```
+alias gam="/Users/admin/bin/gamadv-xtd3/gam"
+```
+to
+```
+alias gam="/Users/admin/bin/gam7/gam"
+```
+in one of these files based on your shell:
+```
+~/.bash_aliases
+~/.bash_profile
+~/.bashrc
+~/.zshrc
+~/.profile
+```
+
+Issue the following command replacing `<Filename>` with the name of the file you edited:
+```
+source <Filename>
+```
+
+### Set a symlink if desired
+Set a symlink in `/usr/local/bin` (or some other location on $PATH) to point to GAM. 
+```
+ln -s "/Users/admin/bin/gam7/gam" /usr/local/bin/gam
+```
+
+### Test
+```
+gam version
+```
+
+## Windows
+
+You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page.
+
+This example assumes that GAMADV-XTD3 was installed in C:\GAMADV-XTD3.
+If GAMADV-XTD3 was installed in another directory, substitute that value in the directions.
+
+These steps assume Command Prompt, adjust if you're using PowerShell.
+
+Rename install directory.
+```
+ren C:\GAMADV-STD3 C:\GAM7
+```
+
+See: [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
+
+* Executable Archive, Manual, Windows 64 bit
+  - `gam-7.wx.yz-windows-x86_64.zip`
+  - Download the archive, extract the contents into C:\GAM7.
+  - Start a Command Prompt/PowerShell session.
+
+* Executable Installer, Manual, Windows 64 bit
+  - `gam-7.wx.yz-windows-x86_64.msi`
+  - Download the installer and run it.
+  - Start a Command Prompt/PowerShell session.
+
+### Update system path
+You should set the system path to point to C:\GAM7 so you can operate from the C:\GAMWork directory.
+```
+Start Control Panel
+Click System
+Click Advanced system settings
+Click Environment Variables...
+Click Path under System variables
+Click Edit...
+If you have an existing entry referencing GAMADV-XTD3:
+  Click that entry
+  Click Delete
+If C:\GAM7 is already on the Path, skip the next three steps
+  Click New
+  Enter C:\GAM7
+  Click OK
+Click OK
+Click OK
+Exit Control Panel
+```
+
+At this point, you should restart Command Prompt so that it has the updated path and environment variables.
+
+### Test
+```
+gam version
+```

docs/How-to-Update-Advanced-Gam.md

@@ -1,10 +1,10 @@
 # Updating GAMADV-XTD3
 Use these steps to update your version of GAMADV-XTD3.
 
-- [Downloads](Downloads)
-- [GAM Configuration](gam.cfg)
+- [Downloads-Installs](Downloads-Installs)
 - [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
 - [Windows](#windows)
+- [GAM Configuration](gam.cfg)
 
 ## Linux and MacOS and Google Cloud Shell
 
@@ -13,7 +13,7 @@ Use these steps to update your version of GAMADV-XTD3.
 This example assumes that GAMADV-XTD3 has been installed in /Users/admin/bin/gamadv-xtd3.
 If you've installed GAMADV-XTD3 in another directory, substitute that value in the directions when downloading.
 
-See: [Downloads](Downloads)
+See: [Downloads-Installs](Downloads-Installs)
 
 In these examples, your Google Super admin is shown as admin@domain.com; replace with the
 actual email adddress.
@@ -99,9 +99,6 @@ writes the credentials into the file oauth2.txt.
 ```
 admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
 [*]  2)  Chrome Management API - AppDetails read only
@@ -109,7 +106,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -119,7 +116,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -149,15 +146,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
@@ -297,7 +301,7 @@ admin@server:/Users/admin/bin/gamadv-xtd3$
 This example assumes that GAMADV-XTD3 has been installed in C:\GAMADV-XTD3.
 If you've installed GAMADV-XTD3 in another directory, substitute that value in the directions when downloading.
 
-See: [Downloads](Downloads)
+See: [Downloads-Installs](Downloads-Installs)
 
 In these examples, your Google Super admin is shown as admin@domain.com; replace with the
 actual email adddress.
@@ -382,9 +386,6 @@ writes the credentials into the file oauth2.txt.
 ```
 C:\GAMADV-XTD3>gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
 [*]  2)  Chrome Management API - AppDetails read only
@@ -392,7 +393,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -402,7 +403,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -432,15 +433,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com

docs/How-to-Update-GAM7.md

@@ -0,0 +1,581 @@
+# Updating GAM7
+Use these steps to update your version of GAM7.
+
+- [Downloads-Installs](Downloads-Installs)
+- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
+- [Windows](#windows)
+- [GAM Configuration](gam.cfg)
+
+## Linux and MacOS and Google Cloud Shell
+
+### Download the latest version
+
+This example assumes that GAM7 has been installed in /Users/admin/bin/gam7.
+If you've installed GAM7 in another directory, substitute that value in the directions when downloading.
+
+See: [Downloads-Installs](Downloads-Installs)
+
+In these examples, your Google Super admin is shown as admin@domain.com; replace with the
+actual email adddress.
+
+In these examples, the user home folder is shown as /Users/admin; adjust according to your
+specific situation; e.g., /home/administrator.
+
+### Update your project with local browser to include the additional APIs that GAM7 uses.
+This step may be omitted if you are updating from a recent version.
+```
+admin@server:/Users/admin/bin/gam7 gam update project
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s): gam-project-abc-123-xyz? admin@domain.com
+
+Your browser has been opened to visit:
+
+    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
+
+If your browser is on a different machine then press CTRL+C,
+set no_browser = true in gam.cfg and re-run this command.
+
+Authentication successful.
+API: admin.googleapis.com, already enabled...
+API: appsactivity.googleapis.com, already enabled...
+API: calendar-json.googleapis.com, already enabled...
+API: classroom.googleapis.com, already enabled...
+API: contacts.googleapis.com, already enabled...
+API: drive.googleapis.com, already enabled...
+API: gmail.googleapis.com, already enabled...
+API: groupssettings.googleapis.com, already enabled...
+API: licensing.googleapis.com, already enabled...
+API: plus.googleapis.com, already enabled...
+API: reseller.googleapis.com, already enabled...
+API: siteverification.googleapis.com, already enabled...
+API: vault.googleapis.com, already enabled...
+Enable 3 APIs
+  API: audit.googleapis.com, Enabled (1/3)
+  API: groupsmigration.googleapis.com, Enabled (2/3)
+  API: sheets.googleapis.com, Enabled (3/3)
+
+admin@server:/Users/admin/bin/gam7
+```
+### Update your project without local browser (Google Cloud Shell for instance) to include the additional APIs that GAM7 uses
+This step may be omitted if you are updating from a recent version.
+```
+admin@server:/Users/admin/bin/gam7 gam config no_browser true save
+admin@server:/Users/admin/bin/gam7 gam update project
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s): gam-project-abc-123-xyz? admin@domain.com
+
+Go to the following link in a browser on other computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
+
+Enter verification code: abc...xyz
+
+Authentication successful.
+API: admin.googleapis.com, already enabled...
+API: appsactivity.googleapis.com, already enabled...
+API: calendar-json.googleapis.com, already enabled...
+API: classroom.googleapis.com, already enabled...
+API: contacts.googleapis.com, already enabled...
+API: drive.googleapis.com, already enabled...
+API: gmail.googleapis.com, already enabled...
+API: groupssettings.googleapis.com, already enabled...
+API: licensing.googleapis.com, already enabled...
+API: plus.googleapis.com, already enabled...
+API: reseller.googleapis.com, already enabled...
+API: siteverification.googleapis.com, already enabled...
+API: vault.googleapis.com, already enabled...
+Enable 3 APIs
+  API: audit.googleapis.com, Enabled (1/3)
+  API: groupsmigration.googleapis.com, Enabled (2/3)
+  API: sheets.googleapis.com, Enabled (3/3)
+
+admin@server:/Users/admin/bin/ga7
+```
+### Update GAM7 client access
+
+You select a list of scopes, GAM7 uses a browser to get final authorization from Google for these scopes and
+writes the credentials into the file oauth2.txt.
+
+```
+admin@server:/Users/admin/bin/gam7 ./gam oauth create
+
+[*]  0)  Calendar API (supports readonly)
+[*]  1)  Chrome Browser Cloud Management API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
+
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
+
+Enter your Google Workspace admin email address? admin@domain.com
+
+Go to the following link in a browser on this computer or on another computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
+
+If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
+click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+The authentication flow has completed.
+Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created
+
+admin@server:/Users/admin/bin/gam7 
+```
+### Update GAM7 service account access.
+```
+admin@server:/Users/admin/bin/gam7 ./gam user admin@domain.com check serviceaccount
+$ gam user admin@domain.com check serviceaccount
+System time status
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication
+  Authentication                                                            PASS
+Service Account Private Key age; Google recommends rotating keys on a routine basis
+  Service Account Private Key age: 0 days                                   PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+Some scopes FAILED!
+To authorize them, please go to:
+
+    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.google.com/,https://sites.google.com/feeds,https://www.googleapis.com/auth/apps.alerts,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/classroom.announcements,https://www.googleapis.com/auth/classroom.coursework.students,https://www.googleapis.com/auth/classroom.courseworkmaterials,https://www.googleapis.com/auth/classroom.profile.emails,https://www.googleapis.com/auth/classroom.rosters,https://www.googleapis.com/auth/classroom.topics,https://www.googleapis.com/auth/cloud-identity,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/contacts,https://www.googleapis.com/auth/contacts.other.readonly,https://www.googleapis.com/auth/datastudio,https://www.googleapis.com/auth/directory.readonly,https://www.googleapis.com/auth/documents,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.activity,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/gmail.settings.basic,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/keep,https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/tasks,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email&clientIdToAdd=SVCACCTID&overwriteClientId=true&dn=domain.com&authuser=admin@domain.com
+
+You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
+The "Add a new Client ID" box will open
+Make sure that "Overwrite existing client ID" is checked
+Click AUTHORIZE
+When the box closes you're done
+After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
+
+admin@server:/Users/admin/bin/gam7
+```
+The link shown in the error message should take you directly to the authorization screen.
+If not, make sure that you are logged in as a domain admin, then re-enter the link.
+
+### Verify GAM7 service account access.
+
+Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
+for the authorization to complete.
+```
+admin@server:/Users/admin/bin/gam7 ./gam user admin@domain.com check serviceaccount
+System time status:
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication:
+  Authentication                                                            PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
+  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+All scopes PASSED!
+
+Service Account Client name: SVCACCTID is fully authorized.
+
+admin@server:/Users/admin/bin/gam7 
+```
+
+## Windows
+
+### Download the latest version
+
+This example assumes that GAM7 has been installed in C:\GAM7.
+If you've installed GAM7 in another directory, substitute that value in the directions when downloading.
+
+See: [Downloads-Installs](Downloads-Installs)
+
+In these examples, your Google Super admin is shown as admin@domain.com; replace with the
+actual email adddress.
+
+This example assumes that GAM7 has been installed in C:\GAM7; if you've installed
+GAM7 in another directory, substitute that value in the directions.
+
+These steps assume Command Prompt, adjust if you're using PowerShell.
+
+### Update your project with local browser to include the additional APIs that GAM7 uses.
+This step may be omitted if you are updating from a recent version.
+```
+C:\GAM7>gam update project
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
+
+Your browser has been opened to visit:
+
+    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
+
+Authentication successful.
+API: admin.googleapis.com, already enabled...
+API: appsactivity.googleapis.com, already enabled...
+API: calendar-json.googleapis.com, already enabled...
+API: classroom.googleapis.com, already enabled...
+API: contacts.googleapis.com, already enabled...
+API: drive.googleapis.com, already enabled...
+API: gmail.googleapis.com, already enabled...
+API: groupssettings.googleapis.com, already enabled...
+API: licensing.googleapis.com, already enabled...
+API: plus.googleapis.com, already enabled...
+API: reseller.googleapis.com, already enabled...
+API: siteverification.googleapis.com, already enabled...
+API: vault.googleapis.com, already enabled...
+Enable 3 APIs
+  API: audit.googleapis.com, Enabled (1/3)
+  API: groupsmigration.googleapis.com, Enabled (2/3)
+  API: sheets.googleapis.com, Enabled (3/3)
+
+C:\GAM7>
+```
+### Update your project without local browser (headless server for instance) to include the additional APIs that GAM7 uses
+This step may be omitted if you are updating from a recent version.
+```
+C:\GAM7>gam config no_browser true save
+C:\GAM7>gam update project
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
+
+Go to the following link in a browser on other computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
+
+Enter verification code: abc...xyz
+
+Authentication successful.
+API: admin.googleapis.com, already enabled...
+API: appsactivity.googleapis.com, already enabled...
+API: calendar-json.googleapis.com, already enabled...
+API: classroom.googleapis.com, already enabled...
+API: contacts.googleapis.com, already enabled...
+API: drive.googleapis.com, already enabled...
+API: gmail.googleapis.com, already enabled...
+API: groupssettings.googleapis.com, already enabled...
+API: licensing.googleapis.com, already enabled...
+API: plus.googleapis.com, already enabled...
+API: reseller.googleapis.com, already enabled...
+API: siteverification.googleapis.com, already enabled...
+API: vault.googleapis.com, already enabled...
+Enable 3 APIs
+  API: audit.googleapis.com, Enabled (1/3)
+  API: groupsmigration.googleapis.com, Enabled (2/3)
+  API: sheets.googleapis.com, Enabled (3/3)
+
+C:\GAM7>
+```
+### Update GAM7 client access
+
+You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
+writes the credentials into the file oauth2.txt.
+
+```
+C:\GAM7>gam oauth create
+
+[*]  0)  Calendar API (supports readonly)
+[*]  1)  Chrome Browser Cloud Management API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
+
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
+
+Enter your Google Workspace admin email address? admin@domain.com
+
+Go to the following link in a browser on this computer or on another computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
+
+If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
+click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+The authentication flow has completed.
+Client OAuth2 File: C:\GAMConfig\oauth2.txt, Created
+
+C:\GAM7>
+```
+### Update GAM7 service account access.
+```
+C:\GAM7>gam user admin@domain.com check serviceaccount
+System time status
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication
+  Authentication                                                            PASS
+Service Account Private Key age; Google recommends rotating keys on a routine basis
+  Service Account Private Key age: 0 days                                   PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+Some scopes FAILED!
+To authorize them, please go to:
+
+    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.google.com/,https://sites.google.com/feeds,https://www.googleapis.com/auth/apps.alerts,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/classroom.announcements,https://www.googleapis.com/auth/classroom.coursework.students,https://www.googleapis.com/auth/classroom.courseworkmaterials,https://www.googleapis.com/auth/classroom.profile.emails,https://www.googleapis.com/auth/classroom.rosters,https://www.googleapis.com/auth/classroom.topics,https://www.googleapis.com/auth/cloud-identity,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/contacts,https://www.googleapis.com/auth/contacts.other.readonly,https://www.googleapis.com/auth/datastudio,https://www.googleapis.com/auth/directory.readonly,https://www.googleapis.com/auth/documents,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.activity,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/gmail.settings.basic,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/keep,https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/tasks,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email&clientIdToAdd=SVCACCTID&overwriteClientId=true&dn=domain.com&authuser=admin@domain.com
+
+You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
+The "Add a new Client ID" box will open
+Make sure that "Overwrite existing client ID" is checked
+Click AUTHORIZE
+When the box closes you're done
+After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
+
+C:\GAM7>
+```
+The link shown in the error message should take you directly to the authorization screen.
+If not, make sure that you are logged in as a domain admin, then re-enter the link.
+
+### Verify GAM7 service account access.
+
+Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
+for the authorization to complete.
+```
+C:\GAM7>gam user admin@domain.com check serviceaccount
+System time status:
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication:
+  Authentication                                                            PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
+  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+All scopes PASSED!
+
+Service Account Client name: SVCACCTID is fully authorized.
+
+C:\GAM7>
+```

docs/How-to-Upgrade-from-GAMADV-X-or-GAMADV-XTD.md

@@ -2,10 +2,10 @@
 Use these steps if you have used any version of GAMADV-X or GAMADV-XTD in your domain.
 They will update your GAM project and all necessary authentications.
 
-- [Downloads](Downloads)
-- [GAM Configuration](gam.cfg)
+- [Downloads-Installs](Downloads-Installs)
 - [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
 - [Windows](#windows)
+- [GAM Configuration](gam.cfg)
 
 ## Linux and MacOS and Google Cloud Shell
 
@@ -23,29 +23,32 @@ GAMADV-XTD3 uses the same configuration directory and gam.cfg file as GAMADV-X a
 ### Update your alias
 You should update your alias to point to /Users/admin/bin/gamadv-xtd3/gam.
 
-Add the following line:
+Add/edit the following line:
 ```
 alias gam="/Users/admin/bin/gamadv-xtd3/gam"
 ```
-to one of these files if you're running bash or an equivalent file if you're running some other shell:
+to one of these files based on your shell:
 ```
 ~/.bash_aliases
 ~/.bash_profile
 ~/.bashrc
+~/.zshrc
+~/.profile
 ```
 
-If you already have a gam alias for standard GAM and want to run it and GAMADV-XTD3, give your new alias a different name:
+Issue the following command replacing `<Filename>` with the name of the file you edited:
 ```
-alias gam3="/Users/admin/bin/gamadv-xtd3/gam"
+source <Filename>
 ```
+
 ### Do you have a browser?
 If your computer doesn't support a browser, Google Cloud Shell for instance, execute this command:
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam config no_browser true save
+admin@server:/Users/admin$ gam config no_browser true save
 ```
 ### Update your project to include the additional APIs that GAMADV-XTD3 uses.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam update project
+admin@server:/Users/admin$ gam update project
 
 Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
 
@@ -75,7 +78,7 @@ Enable 3 APIs
   API: groupsmigration.googleapis.com, Enabled (2/3)
   API: sheets.googleapis.com, Enabled (3/3)
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Update GAMADV-XTD3 client access.
 
@@ -90,7 +93,7 @@ gam config no_browser true oauth update
 ```
 You will be given instructions on how to get the authorization on another computer and apply it locally.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth update
+admin@server:/Users/admin$ gam oauth update
 
 Select the authorized scopes by entering a number.
 Append an 'r' to grant read-only access or an 'a' to grant action-only access.
@@ -165,11 +168,11 @@ set no_browser = true in gam.cfg and re-run this command.
 Authentication successful.
 Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Updated
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Update GAMADV-XTD3 service account access.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user user@domain.com check serviceaccount
+admin@server:/Users/admin$ gam user user@domain.com check serviceaccount
 System time status:
   Your system time differs by less than 1 second from Google                PASS
 Service Account Private Key Authentication:
@@ -218,7 +221,7 @@ Scopes fields will be pre-populated. Please click Authorize to allow these
 scopes access. After authorizing it may take some time for this test to pass so
 wait a few moments and then try this command again.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 The link shown in the error message should take you directly to the authorization screen.
 If not, make sure that you are logged in as a domain admin, then re-enter the link.
@@ -228,7 +231,7 @@ If not, make sure that you are logged in as a domain admin, then re-enter the li
 Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
 for the authorization to complete.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user user@domain.com check serviceaccount
+admin@server:/Users/admin$ gam user user@domain.com check serviceaccount
 System time status:
   Your system time differs by less than 1 second from Google                PASS
 Service Account Private Key Authentication:
@@ -271,7 +274,7 @@ Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
 All scopes PASSED!
 Service Account Client name: SVCACCTID is fully authorized.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 
 ## Windows
@@ -305,15 +308,17 @@ Click OK
 Exit Control Panel
 ```
 
+At this point, you should restart Command Prompt so that it has the updated path and environment variables.
+
 ### Do you have a compatible browser?
 If the computer on which you are running GAM does not have access to a browser or
 your default browser is Internet Explorer or Edge, issue this command:
 ```
-C:\GAMADV-X>gam config no_browser true save
+C:\>gam config no_browser true save
 ```
 ### Update your project to include the additional APIs that GAMADV-XTD3 uses.
 ```
-C:\GAMADV-XTD3>gam update project
+C:\>gam update project
 
 Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
 
@@ -343,7 +348,7 @@ Enable 3 APIs
   API: groupsmigration.googleapis.com, Enabled (2/3)
   API: sheets.googleapis.com, Enabled (3/3)
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Update GAMADV-XTD3 client access.
 
@@ -361,7 +366,7 @@ You can open the file with Notepad/Wordpad, do a control-A to select the text, c
 start a browser and paste the URL (control-V) into the address bar. Authenticate and copy the Verification code
 back to your Command Prompt/PowerShell window.
 ```
-C:\GAMADV-XTD3>gam oauth update
+C:\>gam oauth update
 
 Select the authorized scopes by entering a number.
 Append an 'r' to grant read-only access or an 'a' to grant action-only access.
@@ -436,11 +441,11 @@ set no_browser = true in gam.cfg and re-run this command.
 Authentication successful.
 Client OAuth2 File: C:\GAMConfig\oauth2.txt, Updated
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Enable GAMADV-XTD3 service account access.
 ```
-C:\GAMADV-XTD3>gam user user@domain.com check serviceaccount
+C:\>gam user user@domain.com check serviceaccount
 System time status:
   Your system time differs by less than 1 second from Google                PASS
 Service Account Private Key Authentication:
@@ -489,7 +494,7 @@ Scopes fields will be pre-populated. Please click Authorize to allow these
 scopes access. After authorizing it may take some time for this test to pass so
 wait a few moments and then try this command again.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 The link shown in the error message should take you directly to the authorization screen.
 If not, make sure that you are logged in as a domain admin, then re-enter the link.
@@ -499,7 +504,7 @@ If not, make sure that you are logged in as a domain admin, then re-enter the li
 Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
 for the authorization to complete.
 ```
-C:\GAMADV-XTD3>gam user user@domain.com check serviceaccount
+C:\>gam user user@domain.com check serviceaccount
 System time status:
   Your system time differs by less than 1 second from Google                PASS
 Service Account Private Key Authentication:
@@ -542,5 +547,5 @@ Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
 All scopes PASSED!
 Service Account Client name: SVCACCTID is fully authorized.
 
-C:\GAMADV-XTD3>
+C:\>
 ```

docs/How-to-Upgrade-from-Standard-GAM.md

@@ -2,10 +2,10 @@
 Use these steps if you have used any version of GAM in your domain. They will update your GAM project
 and all necessary authentications.
 
-- [Downloads](Downloads)
-- [GAM Configuration](gam.cfg)
+- [Downloads-Installs](Downloads-Installs)
 - [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
 - [Windows](#windows)
+- [GAM Configuration](gam.cfg)
 
 ## Linux and MacOS and Google Cloud Shell
 
@@ -25,6 +25,11 @@ probably want to select a non-hidden location. This example assumes that the GAM
 configuration directory will be /Users/admin/GAMConfig; If you've chosen another directory,
 substitute that value in the directions.
 
+Make the directory:
+```
+mkdir -p /Users/admin/GAMConfig
+```
+
 Add the following line:
 ```
 export GAMCFGDIR="/Users/admin/GAMConfig"
@@ -42,7 +47,10 @@ Issue the following command replacing `<Filename>` with the name of the file you
 source <Filename>
 ```
 
-* Make the /Users/admin/GAMConfig directory before proceeding.
+You need to make sure the GAM configuration directory actually exists. Test that like this:
+```
+ls -l $GAMCFGDIR
+```
 
 ### Set a working directory
 
@@ -51,10 +59,15 @@ data in this folder and execute GAM commands from this folder. You should not us
 /Users/admin/bin/gamadv-xtd3 or /Users/admin/GAMConfig for this purpose.
 This example assumes that the GAM working directory will be /Users/admin/GAMWork; If you've chosen
 another directory, substitute that value in the directions.
-* Make the /Users/admin/GAMWork directory before proceeding.
+
+Make the directory:
+```
+mkdir -p /Users/admin/GAMWork
+```
 
 ### Set an alias
 You should set an alias to point to /Users/admin/bin/gamadv-xtd3/gam so you can operate from the /Users/admin/GAMWork directory.
+Aliases aren't available in scripts, so you may want to set a symlink instead, see below.
 
 Add the following line:
 ```
@@ -69,32 +82,44 @@ to one of these files based on your shell:
 ~/.profile
 ```
 
+If you already have an alias for standard GAM but are no longer going to run it, delete these lines:
+```
+function gam() { "/Users/admin/bin/gam/gam" "$@" ; }"
+alias gam="/Users/admin/bin/gam/gam"
+```
+
+If you already have an alias for standard GAM and want to run it and GAMADV-XTD3, give your old alias a different name:
+```
+function gamstd() { "/Users/admin/bin/gam/gam" "$@" ; }"
+alias gamstd="/Users/admin/bin/gam/gam"
+```
+
 Issue the following command replacing `<Filename>` with the name of the file you edited:
 ```
 source <Filename>
 ```
 
-If you already have a gam alias for standard GAM and want to run it and GAMADV-XTD3, give your new alias a different name:
+### Set a symlink
+Set a symlink in `/usr/local/bin` (or some other location on $PATH) to point to GAM. 
 ```
-alias gam3="/Users/admin/bin/gamadv-xtd3/gam"
+ln -s "/Users/admin/bin/gamadv-xtd3/gam" /usr/local/bin/gam
 ```
 
 Set environment variable OLDGAMPATH to point to the existing Gam directory; /Users/admin/bin/gam will be used in this example.
 If your existing Gam is in another directory, substitute that value in the directions.
 ```
-admin@server:~$ cd /Users/admin/bin/gamadv-xtd3
-admin@server:/Users/admin/bin/gamadv-xtd3$ export OLDGAMPATH=/Users/admin/bin/gam
+admin@server:/Users/admin$ export OLDGAMPATH=/Users/admin/bin/gam
 ```
 Verify that OLDGAMPATH points to the correct location.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ls -l $OLDGAMPATH/*.json
+admin@server:/Users/admin$ ls -l $OLDGAMPATH/*.json
 -rw-r-----@ 1 admin  staff   553 Feb 26 10:39 /Users/admin/bin/gam/client_secrets.json
 -rw-r-----@ 1 admin  staff  2377 Feb 26 10:39 /Users/admin/bin/gam/oauth2service.json
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 ### Initialize GAMADV-XTD3; this should be the first GAMADV-XTD3 command executed.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam config drive_dir /Users/admin/GAMWork verify
+admin@server:/Users/admin$ gam config drive_dir /Users/admin/GAMWork verify
 Created: /Users/admin/GAMConfig
 Created: /Users/admin/GAMConfig/gamcache
 Copied: /Users/admin/bin/gam/oauth2service.json, To: /Users/admin/GAMConfig/oauth2service.json
@@ -102,127 +127,19 @@ Copied: /Users/admin/bin/gam/oauth2.txt, To: /Users/admin/GAMConfig/oauth2.txt
 Copied: /Users/admin/bin/gam/client_secrets.json, To: /Users/admin/GAMConfig/client_secrets.json
 Config File: /Users/admin/GAMConfig/gam.cfg, Initialized
 Section: DEFAULT
-  activity_max_results = 100
-  admin_email = ''
-  api_calls_rate_check = false
-  api_calls_rate_limit = 100
-  api_calls_tries_limit = 10
-  auto_batch_min = 0
-  bail_on_internal_error_tries = 2
-  batch_size = 50
-  cacerts_pem = ''
+  ...
   cache_dir = /Users/admin/GAMConfig/gamcache
-  cache_discovery_only = true
-  channel_customer_id = ''
-  charset = utf-8
-  classroom_max_results = 0
-  client_secrets_json = client_secrets.json ; /Users/admin/GAMConfig/client_secrets.json
-  clock_skew_in_seconds = 10
-  cmdlog = ''
-  cmdlog_max_backups = 5
-  cmdlog_max_kilo_bytes = 1000
+  ...
   config_dir = /Users/admin/GAMConfig
-  contact_max_results = 100
-  csv_input_column_delimiter = ,
-  csv_input_quote_char = '"'
-  csv_input_row_drop_filter = ''
-  csv_input_row_drop_filter_mode = anymatch
-  csv_input_row_filter = ''
-  csv_input_row_filter_mode = allmatch
-  csv_input_row_limit = 0
-  csv_output_column_delimiter = ,
-  csv_output_convert_cr_nl = false
-  csv_output_field_delimiter = ' '
-  csv_output_header_drop_filter = ''
-  csv_output_header_filter = ''
-  csv_output_header_force = ''
-  csv_output_line_terminator = lf
-  csv_output_quote_char = '"'
-  csv_output_row_drop_filter = ''
-  csv_output_row_drop_filter_mode = anymatch
-  csv_output_row_filter = ''
-  csv_output_row_filter_mode = allmatch
-  csv_output_row_limit = 0
-  csv_output_subfield_delimiter = '.'
-  csv_output_timestamp_column = ''
-  csv_output_users_audit = false
-  customer_id = my_customer
-  debug_level = 0
-  device_max_results = 200
-  domain = ''
+  ...
   drive_dir = /Users/admin/GAMWork
-  drive_max_results = 1000
-  drive_v3_native_names = true
-  email_batch_size = 50
-  enable_dasa = false
-  event_max_results = 250
-  extra_args = ''
-  inter_batch_wait = 0
-  license_max_results = 100
-  license_skus = ''
-  member_max_results = 200
-  message_batch_size = 50
-  message_max_results = 500
-  mobile_max_results = 100
-  multiprocess_pool_limit = 0
-  never_time = Never
-  no_browser = false
-  no_cache = false
-  no_update_check = true
-  no_verify_ssl = false
-  num_tbatch_threads = 2
-  num_threads = 5
-  oauth2_txt = oauth2.txt ; /Users/admin/GAMConfig/oauth2.txt
-  oauth2service_json = oauth2service.json ; /Users/admin/GAMConfig/oauth2service.json
-  people_max_results = 100
-  print_agu_domains = ''
-  print_cros_ous = ''
-  print_cros_ous_and_children = ''
-  process_wait_limit = 0
-  quick_cros_move = false
-  quick_info_user = false
-  reseller_id = ''
-  retry_api_service_not_available = false
-  section = ''
-  show_api_calls_retry_data = false
-  show_commands = false
-  show_convert_cr_nl = false
-  show_counts_min = 1
-  show_gettings = true
-  show_gettings_got_nl = false
-  show_multiprocess_info = false
-  smtp_fqdn = ''
-  smtp_host = ''
-  smtp_password = ''
-  smtp_username = ''
-  timezone = utc
-  tls_max_version = ''
-  tls_min_version = 'TLSv1_2'
-  todrive_clearfilter = false
-  todrive_clientaccess = false
-  todrive_conversion = true
-  todrive_localcopy = false
-  todrive_locale = ''
-  todrive_nobrowser = false
-  todrive_noemail = true
-  todrive_parent = root
-  todrive_sheet_timeformat = ''
-  todrive_sheet_timestamp = false
-  todrive_timeformat = ''
-  todrive_timestamp = false
-  todrive_timezone = ''
-  todrive_upload_nodata = true
-  todrive_user = ''
-  update_cros_ou_with_id = false
-  use_projectid_as_name = false
-  user_max_results = 500
-  user_service_account_access_only = false
+  ...
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Verify initialization, this was a successful installation.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ls -l $GAMCFGDIR
+admin@server:/Users/admin$ ls -l $GAMCFGDIR
 total 48
 -rw-r-----+ 1 admin  staff   553 Mar  3 09:23 client_secrets.json
 -rw-r-----+ 1 admin  staff  1069 Mar  3 09:23 gam.cfg
@@ -231,21 +148,21 @@ drwxr-x---+ 2 admin  staff    68 Mar  3 09:23 gamcache
 -rw-r-----+ 1 admin  staff  5104 Mar  3 09:23 oauth2.txt
 -rw-rw-rw-+ 1 admin  staff     0 Mar  3 09:23 oauth2.txt.lock
 -rw-r-----+ 1 admin  staff  2377 Mar  3 09:23 oauth2service.json
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 If the verification looks like this, then you'll have to copy client_secrets.json and oauth2service.json manually.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ls -l $GAMCFGDIR
+admin@server:/Users/admin$ ls -l $GAMCFGDIR
 total 40
 -rw-r-----+  1 admin  admin  1427 Nov  1 11:38 gam.cfg
 drwxr-x---+ 16 admin  admin   544 Nov  2 07:25 gamcache
 -rw-r--r--+  1 admin  admin    10 Nov  2 15:31 lastupdatecheck.txt
 -rw-rw-rw-+  1 admin  admin     0 Sep 19 17:28 oauth2.txt.lock
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ cp -p $OLDGAMPATH/client_secrets.json $GAMCFGDIR/
-admin@server:/Users/admin/bin/gamadv-xtd3$ cp -p $OLDGAMPATH/oauth2service.json $GAMCFGDIR/
-admin@server:/Users/admin/bin/gamadv-xtd3$ cp -p $OLDGAMPATH/oauth2.txt $GAMCFGDIR/
-admin@server:/Users/admin/bin/gamadv-xtd3$ ls -l $GAMCFGDIR
+admin@server:/Users/admin$ cp -p $OLDGAMPATH/client_secrets.json $GAMCFGDIR/
+admin@server:/Users/admin$ cp -p $OLDGAMPATH/oauth2service.json $GAMCFGDIR/
+admin@server:/Users/admin$ cp -p $OLDGAMPATH/oauth2.txt $GAMCFGDIR/
+admin@server:/Users/admin$ ls -l $GAMCFGDIR
 total 40
 -rw-r-----+ 1 admin  staff   553 Mar  3 09:23 client_secrets.json
 -rw-r-----+ 1 admin  staff  1069 Mar  3 09:23 gam.cfg
@@ -257,7 +174,7 @@ drwxr-x---+ 2 admin  staff    68 Mar  3 09:23 gamcache
 ```
 ### Update your project with local browser to include the additional APIs that GAMADV-XTD3 uses.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam update project
+admin@server:/Users/admin$ gam update project
 
 Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
 
@@ -287,12 +204,12 @@ Enable 3 APIs
   API: groupsmigration.googleapis.com, Enabled (2/3)
   API: sheets.googleapis.com, Enabled (3/3)
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Update your project without local browser (Google Cloud Shell for instance) to include the additional APIs that GAMADV-XTD3 uses
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam config no_browser true save
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam update project
+admin@server:/Users/admin$ gam config no_browser true save
+admin@server:/Users/admin$ gam update project
 
 Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
 
@@ -321,7 +238,7 @@ Enable 3 APIs
   API: groupsmigration.googleapis.com, Enabled (2/3)
   API: sheets.googleapis.com, Enabled (3/3)
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Enable GAMADV-XTD3 client access
 
@@ -331,20 +248,17 @@ You select a list of scopes, GAM uses a browser to get final authorization from
 writes the credentials into the file oauth2.txt.
 
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ rm -f /Users/admin/GAMConfig/oauth2.txt
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam version
+admin@server:/Users/admin$ rm -f /Users/admin/GAMConfig/oauth2.txt
+admin@server:/Users/admin$ gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAMADV-XTD3 6.67.17 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 7.00.02 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.1 64-bit final
-MacOS Sonoma 14.2.1 x86_64
+Python 3.12.5 64-bit final
+MacOS Sonoma 14.5 x86_64
 Path: /Users/admin/bin/gamadv-xtd3
-Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain.com
+Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth create
-
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
+admin@server:/Users/admin$ gam oauth create
 
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
@@ -353,7 +267,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -363,7 +277,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -393,15 +307,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
@@ -418,11 +339,11 @@ Enter verification code or paste "Unable to connect" URL from other computer (on
 The authentication flow has completed.
 Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Enable GAMADV-XTD3 service account access.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user admin@domain.com check serviceaccount
+admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
 $ gam user admin@domain.com check serviceaccount
 System time status
   Your system time differs from www.googleapis.com by less than 1 second    PASS
@@ -477,7 +398,7 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 The link shown in the error message should take you directly to the authorization screen.
 If not, make sure that you are logged in as a domain admin, then re-enter the link.
@@ -487,7 +408,7 @@ If not, make sure that you are logged in as a domain admin, then re-enter the li
 Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
 for the authorization to complete.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user admin@domain.com check serviceaccount
+admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
 System time status:
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication:
@@ -531,14 +452,14 @@ All scopes PASSED!
 
 Service Account Client name: SVCACCTID is fully authorized.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Update gam.cfg with some basic values
 * `customer_id` - Having this data keeps Gam from having to make extra API calls
 * `domain` - This allows you to omit the domain portion of email addresses
 * `timezone local` - Gam will convert all UTC times to your local timezone
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam info domain
+admin@server:/Users/admin$ gam info domain
 Customer ID: C01234567
 Primary Domain: domain.com
 Customer Creation Time: 2007-06-06T15:47:55.444Z
@@ -546,7 +467,7 @@ Primary Domain Verified: True
 Default Language: en
 ...
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam config customer_id C01234567 domain domain.com timezone local save verify
+admin@server:/Users/admin$ gam config customer_id C01234567 domain domain.com timezone local save verify
 Config File: /Users/admin/GAMConfig/gam.cfg, Saved
 Section: DEFAULT
   activity_max_results = 100
@@ -657,12 +578,13 @@ Section: DEFAULT
   todrive_timezone = ''
   todrive_upload_nodata = true
   todrive_user = ''
+  truncate_client_id = false
   update_cros_ou_with_id = false
   use_projectid_as_name = false
   user_max_results = 500
   user_service_account_access_only = false
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 
 ## Windows
@@ -722,12 +644,11 @@ At this point, you should restart Command Prompt so that it has the updated path
 Set environment variable OLDGAMPATH to point to the existing Gam directory; C:\GAM will be used in this example.
 If your existing Gam is in another directory, substitute that value in the directions.
 ```
-C:>cd C:\GAMADV-XTD3
-C:\GAMADV-XTD3>set OLDGAMPATH=C:\GAM
+C:\>set OLDGAMPATH=C:\GAM
 ```
 ### Verify that OLDGAMPATH points to the correct location.
 ```
-C:\GAMADV-XTD3>dir %OLDGAMPATH%\*.json
+C:\>dir %OLDGAMPATH%\*.json
  Volume in drive C has no label.
  Volume Serial Number is 663F-DA8B
 
@@ -742,8 +663,7 @@ C:\GAMADV-XTD3>dir %OLDGAMPATH%\*.json
 ```
 ### Initialize GAMADV-XTD3; this should be the first GAMADV-XTD3 command executed.
 ```
-C:>cd C:\GAMADV-XTD3
-C:\GAMADV-XTD3>gam config drive_dir C:\GAMWork verify
+C:\>gam config drive_dir C:\GAMWork verify
 Created: C:\GAMConfig
 Created: C:\GAMConfig\gamcache
 Copied: C:\GAM\oauth2service.json, To: C:\GAMConfig\oauth2service.json
@@ -859,16 +779,17 @@ Section: DEFAULT
   todrive_timezone = ''
   todrive_upload_nodata = true
   todrive_user = ''
+  truncate_client_id = false
   update_cros_ou_with_id = false
   use_projectid_as_name = false
   user_max_results = 500
   user_service_account_access_only = false
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Verify initialization, this was a successful installation.
 ```
-C:\GAMADV-XTD3>dir %GAMCFGDIR%
+C:\>dir %GAMCFGDIR%
  Volume in drive C has no label.
  Volume Serial Number is 663F-DA8B
 
@@ -885,11 +806,11 @@ C:\GAMADV-XTD3>dir %GAMCFGDIR%
 03/03/2017  10:15 AM             2,377 oauth2service.json
                6 File(s)         15,769 bytes
                3 Dir(s)  110,532,562,944 bytes free
-C:\GAMADV-XTD3>
+C:\>
 ```
 If the verification looks like this, then you'll have to copy client_secrets.json and oauth2service.json manually.
 ```
-C:\GAMADV-XTD3>dir %GAMCFGDIR%
+C:\>dir %GAMCFGDIR%
  Volume in drive C has no label.
  Volume Serial Number is 663F-DA8B
 
@@ -904,13 +825,13 @@ C:\GAMADV-XTD3>dir %GAMCFGDIR%
                3 File(s)          1,135 bytes
                3 Dir(s)  110,532,562,944 bytes free
 
-C:\GAMADV-XTD3>copy %OLDGAMPATH%\client_secrets.json %HOMEPATH%\.gam\
+C:\>copy %OLDGAMPATH%\client_secrets.json %GAMCFGDIR%
         1 file(s) copied.
 
-C:\GAMADV-XTD3>copy %OLDGAMPATH%\oauth2service.json %HOMEPATH%\.gam\
+C:\>copy %OLDGAMPATH%\oauth2service.json %GAMCFGDIR%
         1 file(s) copied.
 
-C:\GAMADV-XTD3>dir %GAMCFGDIR%
+C:\>dir %GAMCFGDIR%
  Volume in drive C has no label.
  Volume Serial Number is 663F-DA8B
 
@@ -929,7 +850,7 @@ C:\GAMADV-XTD3>dir %GAMCFGDIR%
 ```
 ### Update your project with local browser to include the additional APIs that GAMADV-XTD3 uses.
 ```
-C:\GAMADV-XTD3>gam update project
+C:\>gam update project
 
 Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
 
@@ -956,12 +877,12 @@ Enable 3 APIs
   API: groupsmigration.googleapis.com, Enabled (2/3)
   API: sheets.googleapis.com, Enabled (3/3)
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Update your project without local browser (headless server for instance) to include the additional APIs that GAMADV-XTD3 uses
 ```
-C:\GAMADV-XTD3>gam config no_browser true save
-C:\GAMADV-XTD3>gam update project
+C:\>gam config no_browser true save
+C:\>gam update project
 
 Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
 
@@ -990,7 +911,7 @@ Enable 3 APIs
   API: groupsmigration.googleapis.com, Enabled (2/3)
   API: sheets.googleapis.com, Enabled (3/3)
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Enable GAMADV-XTD3 client access
 
@@ -999,20 +920,17 @@ Create oauth2.txt; it must be deleted and recreated because it is in a different
 You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
 writes the credentials into the file oauth2.txt.
 ```
-C:\GAMADV-XTD3>del C:\GAMConfig\oauth2.txt
-C:\GAMADV-XTD3>gam version
+C:\>del C:\GAMConfig\oauth2.txt
+C:\>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAMADV-XTD3 6.67.17 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 7.00.02 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.1 64-bit final
+Python 3.12.5 64-bit final
 Windows-10-10.0.17134 AMD64
 Path: C:\GAMADV-XTD3
-Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, customer_id: my_customer, domain.com
+Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 
-C:\GAMADV-XTD3>gam oauth create
-
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
+C:\>gam oauth create
 
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
@@ -1021,7 +939,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -1031,7 +949,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -1061,15 +979,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
@@ -1086,12 +1011,12 @@ Enter verification code or paste "Unable to connect" URL from other computer (on
 The authentication flow has completed.
 Client OAuth2 File: C:\GAMConfig\oauth2.txt, Created
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 
 ### Enable GAMADV-XTD3 service account access.
 ```
-C:\GAMADV-XTD3>gam user admin@domain.com check serviceaccount
+C:\>gam user admin@domain.com check serviceaccount
 System time status
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication
@@ -1145,7 +1070,7 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 The link shown in the error message should take you directly to the authorization screen.
 If not, make sure that you are logged in as a domain admin, then re-enter the link.
@@ -1155,7 +1080,7 @@ If not, make sure that you are logged in as a domain admin, then re-enter the li
 Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
 for the authorization to complete.
 ```
-C:\GAMADV-XTD3>gam user admin@domain.com check serviceaccount
+C:\>gam user admin@domain.com check serviceaccount
 System time status:
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication:
@@ -1199,14 +1124,14 @@ All scopes PASSED!
 
 Service Account Client name: SVCACCTID is fully authorized.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Update gam.cfg with some basic values
 * `customer_id` - Having this data keeps Gam from having to make extra API calls
 * `domain` - This allows you to omit the domain portion of email addresses
 * `timezone local` - Gam will convert all UTC times to your local timezone
 ```
-C:\GAMADV-XTD3>gam info domain
+C:\>gam info domain
 Customer ID: C01234567
 Primary Domain: domain.com
 Customer Creation Time: 2007-06-06T15:47:55.444Z
@@ -1214,7 +1139,7 @@ Primary Domain Verified: True
 Default Language: en
 ...
 
-C:\GAMADV-XTD3>gam config customer_id C01234567 domain domain.com timezone local save verify
+C:\>gam config customer_id C01234567 domain domain.com timezone local save verify
 Config File: C:\GAMConfig\gam.cfg, Saved
 Section: DEFAULT
   activity_max_results = 100
@@ -1327,10 +1252,11 @@ Section: DEFAULT
   todrive_timezone = ''
   todrive_upload_nodata = true
   todrive_user = ''
+  truncate_client_id = false
   update_cros_ou_with_id = false
   use_projectid_as_name = false
   user_max_results = 500
   user_service_account_access_only = false
 
-C:\GAMADV-XTD3>
+C:\>
 ```

docs/Inbound-SSO.md

@@ -53,6 +53,8 @@ use the `returnnameonly` option to have GAM display just the profile name of the
 This will be useful in scripts that create|update a profile and then want to perform subsequent GAM commands that
 reference the profile.
 
+If `returnnameonly is specified, `inProgress` is returned if the API does not return a complete result.
+
 ```
 gam delete inboundssoprofile <SSOProfileItem>
 ```

docs/Install-GAM-as-Python-Library.md

@@ -9,7 +9,7 @@ Scroll down to Install Git
 
 You can install GAM as a Python library with pip.
 ```
-pip install git+https://github.com/taers232c/GAMADV-XTD3.git#subdirectory=src --use-pep517
+pip install git+https://github.com/taers232c/GAMADV-XTD3.git#subdirectory=src
 ```
 
 Or as a PEP 508 Requirement Specifier, e.g. in requirements.txt file:
@@ -29,7 +29,7 @@ dependencies = [
 
 Target a specific revision or tag:
 ```
-advanced-gam-for-google-workspace @ git+https://github.com/taers232c/GAMADV-XTD3.git@v6.58.00#subdirectory=src
+advanced-gam-for-google-workspace @ git+https://github.com/taers232c/GAMADV-XTD3.git@v6.76.01#subdirectory=src
 ```
 
 ## Using the library

docs/Licenses.md

@@ -20,11 +20,13 @@
 |--------------|------------|
 | AppSheet | 101038 |
 | Assured Controls | 101039 |
-| Beyond Corp Enterprise | 101040 |
+| Chrome Enterprise | 101040 |
 | Cloud Identity Free | 101001 |
 | Cloud Identity Premium | 101005 |
 | Cloud Search | 101035 |
-| Duet AI | 101047 |
+| Colab | 101050 |
+| Education Endpoint Management | 101049 |
+| Gemini | 101047 |
 | Google Chrome Device Management | Google-Chrome-Device-Management |
 | Google Drive Storage | Google-Drive-storage |
 | Google Meet Global Dialing | 101036 |
@@ -38,19 +40,27 @@
 
 | License Name | License SKU | Abbreviation  |
 |--------------|-------------|---------------|
+| AI Meetings and Messaging | 1010470007 | aimeetingsandmessaging | 
+| AI Security | 1010470006 |  aisecurity |
 | AppSheet Core | 1010380001 | appsheetcore |
 | AppSheet Enterprise Standard | 1010380002 | appsheetstandard |
 | AppSheet Enterprise Plus | 1010380003 | appsheetplus |
 | Assured Controls | 1010390001 | assuredcontrols |
-| Beyond Corp Enterprise | 1010400001 | bce |
+| Chrome Enterprise Premium | 1010400001 | cep | chromeenterprisepremium |
 | Cloud Identity Free | 1010010001 | cloudidentity |
 | Cloud Identity Premium | 1010050001 | cloudidentitypremium |
 | Cloud Search | 1010350001 | cloudsearch |
-| Duet AI | 1010470001 | duetai |
+| Colab Pro | 1010500001 | colabpro |
+| Colab Pro+ | 1010500002 | colabpro+ | colabproplus |
+| Endpoint Education Upgrade | 1010490001 | eeu |
 | G Suite Basic | Google-Apps-For-Business | gsuitebasic |
 | G Suite Business | Google-Apps-Unlimited | gsuitebusiness |
 | G Suite Legacy | Google-Apps | standard |
 | G Suite Lite | Google-Apps-Lite | gsuitelite |
+| Gemini Business | 1010470003 | geminibiz
+| Gemini Education | 1010470004 | geminiedu |
+| Gemini Education Premium | 1010470005 | geminiedupremium |
+| Gemini Enterprise | 1010470001 | geminient | duetai |
 | Google Apps Message Security | Google-Apps-For-Postini | postini |
 | Google Chrome Device Management | Google-Chrome-Device-Management | cdm |
 | Google Drive Storage 16TB | Google-Drive-storage-16TB | 16tb |
@@ -115,6 +125,8 @@
         101040 |
         101043 |
         101047 |
+        101049 |
+        101050 |
         Google-Apps |
         Google-Chrome-Device-Management |
         Google-Drive-storage |
@@ -132,52 +144,64 @@
         4tb | drive4tb | googledrivestorage4tb | Google-Drive-storage-4TB |
         8tb | drive8tb | googledrivestorage8tb | Google-Drive-storage-8TB |
         16tb | drive16tb | googledrivestorage16tb | Google-Drive-storage-16TB |
-        appsheetcore | 1010380001 |
-        appsheetstandard | appsheetenterprisestandard | 1010380002 |
-        appsheetplus | appsheetenterpriseplus | 1010380003 |
-        assuredcontrols | 1010390001 |
-        bce | beyondcorp | beyondcorpenterprise | 1010400001 |
+        aimeetingsandmessaging | 1010470007 | AI Meetings and Messaging |
+        aisecurity | 1010470006 | AI Security |
+        appsheetcore | 1010380001 | AppSheet Core |
+        appsheetstandard | appsheetenterprisestandard | 1010380002 | AppSheet Enterprise Standard |
+        appsheetplus | appsheetenterpriseplus | 1010380003 | AppSheet Enterprise Plus |
+        assuredcontrols | 1010390001 | Assured Controls |
+        bce | beyondcorp | beyondcorpenterprise | cep | chromeenterprisepremium | 1010400001 | Chrome Enterprise Premium |
         cdm | chrome | googlechromedevicemanagement | Google-Chrome-Device-Management |
-        cloudidentity | identity | 1010010001 |
-        cloudidentitypremium | identitypremium | 1010050001 |
-        cloudsearch | 1010350001 |
-        duetai | 1010470001 |
+        cloudidentity | identity | 1010010001 | Cloud Identity |
+        cloudidentitypremium | identitypremium | 1010050001 | Cloud Identity Premium |
+        cloudsearch | 1010350001 | Cloud Search |
+        colabpro | 1010500001 | Colab Pro |
+        colabpro+ | colabproplus | 1010500002 | Colab Pro+ |
+        eeu | 1010490001 | SKU Endpoint Education Upgrade |
+        geminibiz | 1010470003 | Gemini Business |
+        geminiedu | 1010470004 | Gemini Education |
+        geminiedupremium| 1010470005 | Gemini Education Premium |
+        geminient| duetai | 1010470001 | Gemini Enterprise |
         gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
         gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
-        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 |
-        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 |
-        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 |
-        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 |
+        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 | Google Workspace Business - Archived User |
+        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 | Google Workspace Enterprise Plus - Archived User |
+        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 | Google Workspace for Education Plus - Legacy |
+        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 | Google Workspace for Education Plus - Legacy (Student) |
         gsuitegov | gafg | gsuitegovernment | Google-Apps-For-Government |
         gsuitelite | gal | gsl | lite | Google-Apps-Lite |
-        gwep | workspaceeducationplus | 1010310008 |
-        gwepstaff | workspaceeducationplusstaff | 1010310009 |
-        gwepstudent | workspaceeducationplusstudent | 1010310010 |
-        gwes | workspaceeducationstandard | 1010310005 |
-        gwesstaff | workspaceeducationstandardstaff | 1010310006 |
-        gwesstudent | workspaceeducationstandardstudent | 1010310007 |
-        gwetlu | workspaceeducationupgrade | 1010370001 |
-        gwlabs | workspacelabs | 1010470002
-        meetdialing | googlemeetglobaldialing | 1010360001 |
+        gwep | workspaceeducationplus | 1010310008 | Google Workspace for Education Plus |
+        gwepstaff | workspaceeducationplusstaff | 1010310009 | Google Workspace for Education Plus (Staff) |
+        gwepstudent | workspaceeducationplusstudent | 1010310010 | Google Workspace for Education Plus (Extra Student)|
+        gwes | workspaceeducationstandard | 1010310005 | Google Workspace for Education Standard |
+        gwesstaff | workspaceeducationstandardstaff | 1010310006 | Google Workspace for Education Standard (Staff) |
+        gwesstudent | workspaceeducationstandardstudent | 1010310007 | Google Workspace for Education Standard (Extra Student)
+        gwetlu | workspaceeducationupgrade | 1010370001 | Google Workspace for Education: Teaching and Learning Upgrade |
+        gwlabs | workspacelabs | 1010470002 | Google Workspace Labs |
+        meetdialing | googlemeetglobaldialing | 1010360001 |  Google Meet Global Dialing |
         postini | gams | gsuitegams | gsuitepostini | gsuitemessagesecurity | Google-Apps-For-Postini |
         standard | free | Google-Apps |
         vault | googlevault | Google-Vault |
         vfe | googlevaultformeremployee | Google-Vault-Former-Employee |
-        voicepremier | gvpremier | googlevoicepremier | 1010330002 |
-        voicestandard | gvstandard | googlevoicestandard | 1010330004 |
-        voicestarter | gvstarter | googlevoicestarter | 1010330003 |
-        wsas | plusstorage | 1010430001 |
-        wsbizplus | workspacebusinessplus | 1010020025 |
-        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 |
-        wsbizstan | workspacebusinessstandard | 1010020028 |
-        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 |
-        wsentess | workspaceenterpriseessentials | 1010060003 |
-        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 |
-        wsentstan | workspaceenterprisestandard | 1010020026 |
-        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 |
-        wsentstarter | workspaceenterprisestarter | 1010020029 | wes |
-        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 |
-        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030
+        voicepremier | gvpremier | googlevoicepremier | 1010330002 | Google Voice Premier 
+        voicestandard | gvstandard | googlevoicestandard | 1010330004 | Google Voice Standard |
+        voicestarter | gvstarter | googlevoicestarter | 1010330003 | Google Voice Starter |
+        wsas | plusstorage | 1010430001 | Google Workspace Additional Storage |
+        wsbizplus | workspacebusinessplus | 1010020025 | Google Workspace Business Plus |
+        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 | Google Workspace Business Plus - Archived User |
+        wsbizstan | workspacebusinessstandard | 1010020028 | Google Workspace Business Standard }
+        wsbizstanarchived | workspacebusinessstandardarchived | 1010340006 | Google Workspace Business Standard - Archived User |
+        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 | Google Workspace Business Starter |
+        wsbizstarterarchived | workspacebusinessstarterarchived | 1010340005 | Google Workspace Business Starter - Archived User |
+        wsentess | workspaceenterpriseessentials | 1010060003 | Google Workspace Enterprise Essentials |
+        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 | Google Workspace Enterprise Plus |
+        wsentstan | workspaceenterprisestandard | 1010020026 | Google Workspace Enterprise Standard |
+        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 | Google Workspace Enterprise Standard - Archived User |
+        wsentstarter | workspaceenterprisestarter | wes | 1010020029 | Workspace Enterprise Starter |
+        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 | Google Workspace Essentials |
+        wsessplus | workspaceessentialsplus | 1010060005 | Google Workspace Essentials Plus |
+        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030 | Google Workspace Frontline Starter |
+        wsflwstan | workspacefrontlinestan | workspacefrontlineworkerstan | 1010020031 | Google Workspace Frontline Standard
 <SKUIDList> ::= "<SKUID>(,<SKUID>)*"
 ```
 ## Notes

docs/List-Items.md

@@ -34,6 +34,7 @@
 <DeviceUserList> ::= "<DeviceUserID>(,<DeviceUserID>)*"
 <DomainNameList> ::= "<DomainName>(,<DomainName>)*"
 <DriveFileACLRoleList> ::= "<DriveFileACLRole>(,<DriveFileACLRole>)*"
+<DriveFileACLTypeList> ::= "<DriveFileACLType>(,<DriveFileACLType>)*"
 <DriveFileList> ::= "<DriveFileItem>(,<DriveFileItem>)*"
 <DriveFilePermissionList> ::= "<DriveFilePermission>(,<DriveFilePermission>)*"
 <DriveFilePermissionIDList> ::= "<DriveFilePermissionID>(,<DriveFilePermissionID>)*"
@@ -42,6 +43,7 @@
 <DriveFolderNameList> ::= "<DriveFolderName>(,<DriveFolderName>)*"
 <DriveLabelIDList> ::= "<DriveLabelID>(,<DriveLabelID>)*"
 <DriveLabelNameList> ::= "<DriveLabelName>(,<DriveLabelName>)*"
+<DriveLabelPermissionNameList> ::= "<DriveLabelPermissionName>(,<DriveLabelPermissionName>)*"
 <DriveLabelFieldIDList> ::= "<DriveLabelFieldID>(,<DriveLabelFieldID>)*"
 <DriveLabelSelectionIDList> ::= "<DriveLabelSelectionID>(,<DriveLabelSelectionID>)*"
 <EmailAddressList> ::= "<EmailAddress>(,<EmailAddress>)*"
@@ -67,6 +69,7 @@
 <MatterStateList> ::= "<MatterState>(,<MatterState>)*"
 <MessageIDList> ::= "<MessageID>(,<MessageID>)*"
 <MimeTypeList> ::= "<MimeType>(,<MimeType>)*"
+<MimeTypeNameList> ::= "<MimeTypeName>(,<MimeTypeName>)*"
 <NamespaceList> ::= "<Namespace>(,<Namespace>)*"
 <NotesNameList> ::= "<NotesName>(,<NotesName>)*"
 <OrgUnitList> ::= "<OrgUnitItem>(,<OrgUnitItem>)*"
@@ -82,7 +85,7 @@
 <QueryMobileList> ::= "<QueryMobile>(,<QueryMobile>)*"
 <QueryUserList> ::= "<QueryUser>(,<QueryUser>)*"
 <ResourceIDList> ::= "<ResourceID>(,<ResourceID>)*"
-<SchemaNameList> ::= "<SchemaName>(,<SchemaName>)*"
+<SchemaNameList> ::= "<SchemaName>|<SchemaFieldName>(,<SchemaName>|<SchemaFieldName>)*"
 <SerialNumberList> ::= "<SerialNumber>(,<SerialNumber>)*"
 <ServiceAccountKeyList> ::= "<ServiceAccountKey>(,<ServiceAccountKey>)*"
 <SiteACLScopeList> ::= "<SiteACLScope>(,<SiteACLScope>)*"

docs/List.md

@@ -1,6 +1,6 @@
 # List
 
-The list command is used to verify collections of objects. See GamDataSelection.txt/
+The list command is used to verify collections of objects.
 
 ## Commands
 ```
@@ -8,3 +8,42 @@ gam list [todrive <ToDriveAttribute>*] <EntityList> [data <CrOSTypeEntity>|<User
 gam <CrOSTypeEntity>|<UserTypeEntity> list [todrive <ToDriveAttribute>*] [data <EntityList> [delimiter <Character>]]
 ```
 
+Allow mapping of keyfield value in csvkmd selectors.
+    <CSVkmdSelector> ::= csvkmd <FileName> [charset <Charset>]
+        keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <String>]
+        (matchfield <FieldName> <RegularExpression>)*
+        [datafield <FieldName>(:<FieldName)* [delimiter <String>]]
+
+You want to update the membership of a collection of parent groups at your school, the data is coming from a database in a fixed format.
+Example 1, CSV File GroupP1P2.csv, exactly the data you want, keypattern and keyvalue are not required
+Group,P1Email,P2Email
+2017-parents@domain.com,g1member11@domain.com,g1member12@domain.com
+2017-parents@domain.com,g1member21@domain.com,g1member22@domain.com
+2018-parents@domain.com,g2member11@domain.com,g2member11@domain.com
+2018-parents@domain.com,g2member21@domain.com,g2member22@domain.com
+...
+For each row, the value from the Group column is used as the group name.
+Verify data selection: gam list csvkmd GroupP1P2.csv keyfield Group datafield P1Email:P2Email data csvdata P1Email:P2Email
+Execute: gam update groups csvkmd GroupP1P2.csv keyfield Group datafield P1Email:P2Email sync member csvdata P1Email:P2Email
+
+Example 2, CSV File GradYearP1P2.csv, you have to convert GradYear to group name GradYear-parents@domain.com, keyvalue is required
+GradYear,P1Email,P2Email
+2017,g1member11@domain.com,g1member12@domain.com
+2017,g1member21@domain.com,g1member22@domain.com
+2018,g2member11@domain.com,g2member11@domain.com
+2018,g2member21@domain.com,g2member22@domain.com
+...
+For each row, the value from the GradYear column replaces the keyField name in the keyvalue argument and that value is used as the group name.
+Verify data selection: gam list csvkmd GradYearP1P2.csv keyfield GradYear keyvalue GradYear-parents@domain.com datafield P1Email:P2Email data csvdata P1Email:P2Email
+Execute: gam update groups csvkmd GradYearP1P2.csv keyfield GradYear keyvalue GradYear-parents@domain.com datafield P1Email:P2Email sync member csvdata P1Email:P2Email
+
+Example 3, CSV File GradYearP1P2.csv, you have to convert GradYear to group name 'LastTwoDigitsOfGradYear-parents@domain.com', keypattern and keyvalue are required.
+GradYear,P1Email,P2Email
+2017,g1member11@domain.com,g1member12@domain.com
+2017,g1member21@domain.com,g1member22@domain.com
+2018,g2member11@domain.com,g2member11@domain.com
+2018,g2member21@domain.com,g2member22@domain.com
+...
+For each row, the value from the GradYear column is matched against the keypattern, the matched segments are substituted into the keyvalue argument and that value is used as the group name.
+Verify data selection: gam list csvkmd GradYearP1P2.csv keyfield GradYear keypattern '20(..)' keyvalue '\1-parents@domain.com' datafield P1Email:P2Email data csvdata P1Email:P2Email
+Execute: gam update groups csvkmd GradYearP1P2.csv keyfield GradYear keypattern '20(..)' keyvalue '\1-parents@domain.com' datafield P1Email:P2Email sync member csvdata P1Email:P2Email

docs/Meta-Commands-and-File-Redirection.md

@@ -56,6 +56,7 @@ The only `<VariableNames>` recognized in this `<Section>` are:
 * `csv_output_row_drop_filter`
 * `csv_output_row_drop_filter_mode`
 * `csv_output_row_limit`
+* `csv_output_sort_headers`
 
 ### Select input filter section
 Select an input filter section from gam.cfg and process a GAM command using values from that section.
@@ -113,7 +114,7 @@ You can redirect stdout and stderr to null and stderr can be redirected to stdou
 <Redirect> ::=
         redirect csv <FileName> [multiprocess] [append] [noheader] [charset <Charset>]
                      [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
-                     [timestampcolumn <String>]
+                     [sortheaders <StringList>] [timestampcolumn <String>]
                      [todrive <ToDriveAttribute>*] |
         redirect stdout <FileName> [multiprocess] [append] |
         redirect stdout null [multiprocess] |
@@ -151,6 +152,9 @@ The `quotechar <Character>` subargument sets the character used to quote fields
 that contaim special charactere; the default value is the value of `csv_output_quote_char` in `gam.cfg`
 which defaults to double quote.
 
+The `sortheaders <StringList>` argument causes GAM to sort CSV output rows by the column headers specified in `<StringList>`.
+The column headers are case insensitive and if column header does not appear in the CSV output, it is ignored.
+
 The `timestampcolumn <String>` adds a column named `<String>` to the CSV file; the value is the
 timestamp of when the GAM command started.
 
@@ -167,9 +171,9 @@ If the pattern `{{Section}}` appears in `<FileName>`, it will be replaced with t
 ### Examples - redirect CSV
 Suppose that you have a CSV file CourseList.csv with a column labeled CourseId that contains course Ids. You want a single CSV file with participant information for these courses.
 ```
-gam redirect csv ./CourseInfo.csv multiprocess csv CourseList.csv gam print course-participants course ~CourseId
+gam redirect csv ./CourseInfo.csv multiprocess csv CourseList.csv gam print course-participants course "~CourseId"
 ```
-`redirect csv ./CourseInfo.csv multiprocess` causes gam to collect output from all of the processes started by `csv CourseList.csv gam print course-participants course ~CourseId` and produces a single CSV file CourseInfo.csv.
+`redirect csv ./CourseInfo.csv multiprocess` causes gam to collect output from all of the processes started by `csv CourseList.csv gam print course-participants course "~CourseId"` and produces a single CSV file CourseInfo.csv.
 
 Generate a list of CrOS devices and update an existing sheet in a Google spreadsheet. The file ID and sheet IDs are preserved so other appplications can access the data using the file ID and sheet ID.
 By setting 'tdtimestamp true`, the file name will the updated to reflect the time of execution, but the file ID will not change.
@@ -179,23 +183,23 @@ gam redirect csv - todrive tdtitle "CrOS" tdtimestamp true tdfileid 12345-mizZ6Q
 
 For a collection of users, generate a list of files shared with anyone; combine the output for all users into a single file.
 ```
-gam redirect csv - multiprocess todrive tdtitle AnyoneShares-All csv Users.csv gam user ~primaryEmail print filelist fields id,name,permissions pm type anyone em
+gam redirect csv - multiprocess todrive tdtitle AnyoneShares-All csv Users.csv gam user "~primaryEmail" print filelist fields id,name,permissions pm type anyone em
 ```
 
 For a collection of users, generate a list of files shared with anyone; generate a separate file for each user.
 The two forms of the command are equivalent.
 ```
-gam csv Users.csv gam redirect csv - todrive tdtitle "AnyoneShares-~~primaryEmail~~" user ~primaryEmail print filelist fields id,name,permissions pm type anyone em
+gam csv Users.csv gam redirect csv - todrive tdtitle "AnyoneShares-~~primaryEmail~~" user "~primaryEmail" print filelist fields id,name,permissions pm type anyone em
 
-gam csv Users.csv gam user ~primaryEmail print filelist fields id,name,permissions pm type anyone em todrive tdtitle "AnyoneShares-~~primaryEmail~~" 
+gam csv Users.csv gam user "~primaryEmail" print filelist fields id,name,permissions pm type anyone em todrive tdtitle "AnyoneShares-~~primaryEmail~~" 
 ```
 
 ### Examples - Redirect stdout
-The output from each of the `gam info user ~primaryEmail` commands will be combined into the single file Users.txt.
+The output from each of the `gam info user "~primaryEmail"` commands will be combined into the single file Users.txt.
 The value of `show_multiprocess_info` from `gam.cfg` controls whether information identifying the processes is also shown.
 
 ```
-$ gam config show_multiprocess_info false redirect stdout ./Users.txt multiprocess csv Users.csv gam info user ~primaryEmail
+$ gam config show_multiprocess_info false redirect stdout ./Users.txt multiprocess csv Users.csv gam info user "~primaryEmail"
 $ more Users.txt
 User: testuser1@domain.com (1/1)
   Settings:
@@ -210,9 +214,9 @@ User: testuser2@domain.com@ (1/1)
     Full Name: Test User2
 ...
 
-$ gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user ~primaryEmail
+$ gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user "~primaryEmail"
 $ more Users.txt
-stdout:      0, Start: 2017-01-26T11:35:00.897773-08:00, RC:   0, Cmd: /Users/admin/gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user ~primaryEmail
+stdout:      0, Start: 2017-01-26T11:35:00.897773-08:00, RC:   0, Cmd: /Users/admin/gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user "~primaryEmail"
 stdout:      1, Start: 2017-01-26T11:35:00.902709-08:00, RC:   0, Cmd: gam info user testuser1@domain.com
 User: testuser1@domain.com (1/1)
   Settings:
@@ -229,5 +233,5 @@ User: testuser2@domain.com@ (1/1)
     Full Name: Test User2
 ...
 stdout:      2,   End: 2017-01-26T11:35:02.849646-08:00, RC:   0, Cmd: gam info user testuser2@domain.com
-stdout:      0,   End: 2017-01-26T11:35:02.907141-08:00, RC:   0, Cmd: /Users/admin/gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user ~primaryEmail
+stdout:      0,   End: 2017-01-26T11:35:02.907141-08:00, RC:   0, Cmd: /Users/admin/gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user "~primaryEmail"
 ```

docs/Mobile-Devices.md

@@ -158,3 +158,20 @@ gam print mobile
         [(query <QueryMobile>)|(queries <QueryMobileList>) (querytime<String> <Time>)*]
         showitemcountonly
 ```
+Example
+```
+$ gam print mobile showitemcountonly
+Getting all Mobile Devices, may take some time on a large Google Workspace Account...
+Got 100 Mobile Devices...
+Got 115 Mobile Devices
+115
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print mobile showitemcountonly)
+Windows PowerShell
+count = & gam print mobile showitemcountonly
+```

docs/Organizational-Units.md

@@ -13,8 +13,10 @@
 - [Synchronize ChromeOS devices with an organizational unit](#synchronize-chromeos-devices-with-an-organizational-unit)
 - [Display organizational units](#display-organizational-units)
 - [Print organizational units](#print-organizational-units)
-- [Display orgamizational unit counts](#display-organizational-unit-counts)
+- [Display organizational unit counts](#display-organizational-unit-counts)
 - [Display indented organizational unit tree](#display-indented-organizational-unit-tree)
+- [Check organizational unit for contained items](#check-organizational-unit-for-contained-items)
+- [Delete Empty OUs](#delete-empty-ous)
 - [Special case handling for large number of organizational units](#special-case-handling-for-large-number-of-organizational-units)
 
 ## API documentation
@@ -192,6 +194,7 @@ By default, all users of the org units are displayed:
 * `nousers` - Don't display users of the org units
 * `notsuspended` - Display non-suspended users of the org units
 * `suspended` - Display suspended users of the org units
+* `children|child` - Display users in any child org unit
 
 ## Print organizational units
 This command displays information in CSV format.
@@ -245,6 +248,22 @@ gam print orgs|ous
         [fromparent <OrgUnitItem>] [showparent [Boolean>]] [toplevelonly]
         showitemcountonly
 ```
+Example
+```
+$ gam print orgs showitemcountonly     
+Getting all Organizational Units, may take some time on a large Google Workspace Account...
+Got 98 Organizational Units
+98
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print orgs showitemcountonly)
+Windows PowerShell
+count = & gam print orgs showitemcountonly
+```
 
 ## Display indented organizational unit tree
 ```
@@ -253,6 +272,67 @@ gam show orgtree [fromparent <OrgUnitItem>] [batchsuborgs [<Boolean>]]
 By default, Gam displays the organizational unit tree starting at /.
 * `fromparent <OrgUnitItem>` - Display the organizational unit tree starting at `<OrgUnitItem>`.
 
+## Check organizational unit for contained items
+An organizational unit can be deleted only when it contains no items:
+  * Chrome Browsers
+  * ChromeOS Devices
+  * Shared Drives
+  * Sub Org Units
+  * Users
+
+This command counts those items and displays a CSV file with the item counts.
+  * All counts are zero - A return code of 0 is returned and the `empty` column is `True`
+  * Some count is greater than 0 - A return code of 25 is returned and the `empty` column is `False`
+
+Only items directly within the OU are counted, items in sub-OUs are not counted.
+```
+<OrgUnitCheckName> ::=
+        browsers|
+        devices|
+        shareddrives|
+        subous|
+        users
+<OrgUnitCheckNameList> ::= "<OrgUnitCheckName>(,<OrgUnitCheckName>)*"
+
+gam check org|ou <OrgUnitItem> [todrive <ToDriveAttribute>*]
+        [<OrgUnitCheckName>*|(fields <OrgUnitCheckNameList>)]
+        [filename <FileName>] [movetoou <OrgUnitItem>]
+        [formatjson [quotechar <Character>]]
+```
+By default, GAM checks each of the five items; you can select specfic fields
+with `<OrgUnitCheckName>*` or `fields <OrgUnitCheckNameList>`.
+
+By default, GAM displays the information as columns of fields; the following option causes the output to be in JSON format:
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+If `movetoou <OrgUnitItem>` is specified, GAM will create a batch file of GAM commands that will move any remaining items
+in `ou <OrgUnitItem>` to `movetoou <OrgUnitItem>`.
+
+By default, the batch file will be named `CleanOuBatch.txt` and will be created in `gam.cfg/drive_dir`.
+This can be overridden with `filename <FileName>`.
+
+You can inspect the file and execute it if desired; substitute actual filenames as desired.
+```
+gam redirect stdout CleanOuLog.txt multiproces redirect stderr stdout batch CleanOuBatch.txt
+```
+
+### Delete Empty OUs
+```
+# Get list of OUs
+gam redirect csv ./OUs.csv print ous 
+# Check status of each OU
+gam redirect csv ./CheckOUs.csv multiprocess redirect stderr - multiprocess csv OUs.csv gam check ou "~orgUnitId"
+# Delete empty OUs
+gam config csv_input_row_filter "empty:boolean:true" redirect stdout ./DeleteEmptyOUs.txt multiprocess redirect stderr stdout csv CheckOUs.csv gam delete ou "~orgUnitId"
+```
+Repeat the steps until no empty OUs remain.
+
 ## Special case handling for large number of organizational units
 
 By default, the `print orgs` and `show orgtree`  commands issue a single API call to get the

docs/Other-Resources.md

@@ -1,15 +1,19 @@
 # Other Resources
 
-The following are links to contributions of others in support of GAMADV-XTD3.
+The following are links to contributions of others in support of GAM7.
 
 Thank you.
 
-* Gabriel Clifton - https://docs.google.com/document/d/1p32QOBTr89GaG7RfCafSbFuhlUQ9r3qBM_666E0xvQM/edit
-* Steve Larsen - https://docs.google.com/spreadsheets/d/1MzzA-u-cmoQcJnQOovCnZcEKMjvOyFhfkdFdf10X_GI/edit
-* Kevin Melillo -  https://github.com/KevinMelilloIEEE/gam-script
-* James Seymour - https://sites.google.com/jis.edu.bn/gam-commands/home
 * Amado Tejada - https://github.com/amadotejada/GAMpass
-* Workspace Admins YouTube Channel - https://youtube.com/@googleworkspaceadmins
+* Brecht Sannen - https://gcloud.devoteam.com/blog/what-is-google-apps-manager-gam/
+* Gabriel Clifton - https://docs.google.com/document/d/1p32QOBTr89GaG7RfCafSbFuhlUQ9r3qBM_666E0xvQM/edit
 * Goldy Arora - https://www.goldyarora.com/license-notifier/
-* Paul Ogier (Taming.Tech) - GAMADV-XTD3 Tutorials https://www.youtube.com/watch?v=g9LDeyXQNLI&list=PL_dLiK09pJVhKJxZHNk9CHK0q5hkZ856w
-* Paul Ogier (Taming.Tech) - GAMADV-XTD3 Course on Udemy https://taming.tech/GAMCourse
+* Iain Macleod - https://docs.google.com/document/d/1QxWAPdhROcx70OXLpSD9Trh3vs-nJKSMiaMZCTwOOTg/edit?pli=1#heading=h.2a2azzpy36k0
+* James Seymour - https://sites.google.com/view/gam--commands/
+* Kevin Melillo - https://github.com/KevinMelilloIEEE/gam-script
+* Korey Rideout - https://chatgpt.com/g/g-PTxxnVPMG-gam-assist - A helpful tool to assist with, GAM (+Advance) and GYB commands to assist with syntax for Google Workspace Administrators.
+* Paul Ogier (Taming.Tech) - GAM7 Course on Udemy https://taming.tech/GAMCourse
+* Paul Ogier (Taming.Tech) - GAM7 Tutorials https://www.youtube.com/watch?v=g9LDeyXQNLI&list=PL_dLiK09pJVhKJxZHNk9CHK0q5hkZ856w
+* Paul Ogier (Taming.Tech) - https://taming.tech/taming-gam-a-practical-guide-to-gam-and-gamadv-xtd3/
+* Steve Larsen - https://docs.google.com/spreadsheets/d/1MzzA-u-cmoQcJnQOovCnZcEKMjvOyFhfkdFdf10X_GI/edit
+* Workspace Admins YouTube Channel - https://youtube.com/@googleworkspaceadmins

docs/Permission-Matches.md

@@ -18,7 +18,10 @@
         contributor|editor|writer|
         manager|organizer|owner|
         reader|viewer
+<DriveFileACLRoleList> ::= "<DriveFileACLRole>(,<DriveFileACLRole>)*"
+
 <DriveFileACLType> ::= anyone|domain|group|user
+<DriveFileACLTypeList> ::= "<DriveFileACLType>(,<DriveFileACLType>)*"
 
 <EmailAddress> ::= <String>@<DomainName>
 <EmailAddressList> ::= "<EmailAddress>(,<EmailAddress>)*"
@@ -31,13 +34,15 @@
 
 <PermissionMatch> ::=
         pm|permissionmatch [not]
-            [type <DriveFileACLType>] [role|notrole <DriveFileACLRole>]
+            [type|nottype <DriveFileACLType>] [role|notrole <DriveFileACLRole>]
+            [typelist|nottypelist <DriveFileACLTypeList>] [rolelist|notrolelist <DriveFileACLRoleList>]
             [allowfilediscovery|withlink <Boolean>]
             [emailaddress <RegularExpression>] [emailaddressList <EmailAddressList>]
+            [permissionidlist <PermissionIDList>
             [name|displayname <String>]
             [domain|notdomain <RegularExpression>] [domainlist|notdomainlist <DomainNameList>]
             [expirationstart <Time>] [expirationend <Time>]
-            [deleted <Boolean>] [inherited <Boolean>]
+            [deleted <Boolean>] [inherited <Boolean>] [pmtype member|file]
         em|endmatch
 <PermissionMatchMode> ::=
         pmm|permissionmatchmode or|and
@@ -71,12 +76,18 @@ In the `print/show drivefileacls` and `create/delete permissions` commands you c
 ## Define a Match
 * `pm|permissionmatch` - Start of permission match definition.
 * `not` - Negate the match.
-* `type <DriveFileACLType>` - The type of the grantee.
-* `role <DriveFileACLRole>` - The role granted by this permission.
-* `notrole <DriveFileACLRole>` - The role granted by this permission.
+* `type <DriveFileACLType>` - The type of the grantee must match.
+* `nottype <DriveFileACLType>` - The type of the grantee must not match.
+* `typelist <DriveFileACLTypeList>` - The type of the grantee must match any value in the list.
+* `nottypelist <DriveFileACLTypeList>` - The type of the grantee must not match any value in the list.
+* `role <DriveFileACLRole>` - The role granted by this permission must match.
+* `notrole <DriveFileACLRole>` - The role granted by this permission must not match.
+* `rolelist <DriveFileACLRoleList>` - The role granted by this permission must match any value in the list..
+* `notrolelist <DriveFileACLRoleList>` - The role granted by this permission must not match any value in the list..
 * `allowfilediscovery|withlink <Boolean>` - Whether a link is required or whether the file can be discovered through search.
 * `emailaddress <RegularExpression>` - For types user and group, the required email address.
 * `emailaddresslist <EmailAddressList>` - For types user and group, a list of required email addresses; any one of which must match.
+* `permissionidlist <PermissionIDListList>` - A list of required permission IDs; any one of which must match.
 * `name|displayname <RegularExpression>` - For types domain, user and group, the displayable name.
 * `domain <RegularExpression>` - For type domain, the required domain name. For types user and group, the required domain name in the email address.
 * `notdomain <RegularExpression>` - For type domain, any domain name that doesn't match. For types user and group, any domain name that doesn't match in the email address.
@@ -86,6 +97,7 @@ In the `print/show drivefileacls` and `create/delete permissions` commands you c
 * `expirationend <Time>` - For types user and group, will the permission expire before or on <Time>.
 * `deleted <Boolean>` - For types user and groups, has the user or group been deleted.
 * `inherited <Boolean>` - For Shared Drive files/folders, is the permission inherited
+* `pmtype member|file` - For Shared Drive files/folders, is the permission derived from membership or explicitly granted.
 * `em|endmatch` - End of permission match definition
 
 ## File Selection Examples

docs/Rclone.md

@@ -1,10 +1,10 @@
 # Rclone
 
-GAMADV-XTD3 has the capability to upload and download single files between your local computer and Google Drive;
+GAM7 has the capability to upload and download single files between your local computer and Google Drive;
 it has no capability for uploading and dowloading folders. For this you can use Rclone: https://rclone.org/
 
 ## Authorization
-Rclone uses client and service account access to perform its operations; you can use your existing GAMADV-XTD3
+Rclone uses client and service account access to perform its operations; you can use your existing GAM7
 authorization for Rclone, you don't need to create a new project or service account within your project.
 
 You can use your Client ID and Client Secret from `client_secrets.json` and you can use your `oauth2service.json` file with rclone.

docs/Reports.md

@@ -2,6 +2,7 @@
 - [API documentation](#api-documentation)
 - [Collections of Users](Collections-of-Users)
 - [Definitions](#definitions)
+- [Special quoting](#special-quoting)
 - [Activity reports](#activity-reports)
   - [Find Shared Drives with no activity](#find-shared-drives-with-no-activity)
 - [Customer and user reports parameters](#customer-and-user-reports-parameters)
@@ -24,6 +25,17 @@
         never|
         now|today
 ```
+## Special quoting
+If you are going to use `config csv_output_row_filter` when printing reports,
+you'll need special quoting in the filter because of the `:` characters in the parameter names.
+
+See: https://github.com/taers232c/GAMADV-XTD3/wiki/CSV-Output-Filtering#quoting-rules
+
+For example:
+```
+config csv_output_row_filter "'\"accounts:used_quota_in_mb\":count>15000'"
+```
+
 ## Activity reports
 ```
 <ActivityApplicationName> ::=
@@ -49,7 +61,8 @@
         rules|
         saml|
         token|tokens|oauthtoken|
-        useraccounts
+        useraccounts|
+        vault
 
 gam report <ActivityApplicationName> [todrive <ToDriveAttributes>*]
         [(user all|<UserItem>)|(orgunit|org|ou <OrgUnitPath> [showorgunit])|(select <UserTypeEntity>)]
@@ -143,7 +156,8 @@ Get Shared Drives ID and Name
 ```
 gam redirect csv ./SharedDrives.csv print shareddrives fields id,name
 ```
-Options:
+
+Options for the `gam report drive` commands below:
 * `maxactivities 1` - Limits the number of activities displayed for Shared Drives with activity.
 * `shownoactivities` - Displays a row for Shared Drives with no activity.
 * `addcsvdata shared_drive_id "~id"` adds the Shared Drive ID to the output.
@@ -186,6 +200,7 @@ gam report usage customer [todrive <ToDriveAttribute>*]
          thismonth|(previousmonths <Integer>)]
         [skipdates <Date>[:<Date>](,<Date>[:<Date>])*] [skipdaysofweek <DayOfWeek>(,<DayOfWeek>)*]
         [fields|parameters <String>]
+        [convertmbtogb]
 ```
 Limit the time period.
 * `start <Date>` - Default value is 30 days prior to `end <Date>`
@@ -194,6 +209,9 @@ Limit the time period.
 * `thismonth` - The current calendar month up to the current time
 * `previousmonths <Integer>` - A number in the range 1 to 6 indicating calendar months previous to the current month
 
+Option `convertmbtogb` causes GAM to convert parameters expressed in megabytes
+(name ends with _in_mb) to gigabytes (name converted to _in_gb) with two decimal places.
+
 ### Example
 Jay provided this example.
 ```
@@ -232,9 +250,10 @@ Customer reports are generally available up to two days before the current date.
 gam report customers|customer|domain [todrive <ToDriveAttributes>*]
         [(date <Date>)|(range <Date> <Date>)|
          yesterday|today|thismonth|(previousmonths <Integer>)]
-        [nodatechange|(fulldatarequired all|<CustomerServiceNameList>)]
+        [(nodatechange | limitdatechanges <Integer>) | (fulldatarequired all|<CustomerServiceNameList>)]
         [(fields|parameters <String>)|(services <CustomerServiceNameList>)]
         [noauthorizedapps]
+        [convertmbtogb]
 ```
 Specify the report date; the default is today's date.
 * `date <Date>` - A single date; there is one API call
@@ -244,8 +263,13 @@ Specify the report date; the default is today's date.
 * `thismonth` - The current calendar month up to the current time; there is an API call per date
 * `previousmonths <Integer>` - A number in the range 1 to 6 indicating calendar months previous to the current month; there is an API call per date
 
+Option `convertmbtogb` causes GAM to convert parameters expressed in megabytes
+(name ends with _in_mb) to gigabytes (name converted to _in_gb) with two decimal places.
+
 If no report is available for the specified date, can an earlier date be used?
-* `nodatechange` - Do not report on an earlier date if no report is available for the specified date.
+* `limitdatechanges -1' - Back up to earlier dates to find report data; this is the default.
+* `limitdatechanges 0 | nodatechange' - Do not report on an earlier date if no report data is available for the specified date.
+* `limitdatechanges N' - Back up to earlier dates to find report data; do not back up more than N times.
 
 If only partial report data is available for the specified date and applications, can an earlier date be used?
 * `fulldatarequired all` - Back up to an earlier date to get complete data until all applications have full report data
@@ -294,6 +318,7 @@ gam report usage user [todrive]
          thismonth|(previousmonths <Integer>)]
         [skipdates <Date>[:<Date>](,<Date>[:<Date>])*] [skipdaysofweek <DayOfWeek>(,<DayOfWeek>)*]
         [fields|parameters <String>]
+        [convertmbtogb]
 ```
 Select the users for whom information is desired.
 * `user all` - All users, the default; there is one API call
@@ -309,6 +334,9 @@ Limit the time period.
 * `thismonth` - The current calendar month up to the current time
 * `previousmonths <Integer>` - A number in the range 1 to 6 indicating calendar months previous to the current month
 
+Option `convertmbtogb` causes GAM to convert parameters expressed in megabytes
+(name ends with _in_mb) to gigabytes (name converted to _in_gb) with two decimal places.
+
 ## User reports
 User reports are generally available up to four days before the current date.
 ```
@@ -326,11 +354,12 @@ gam report users|user [todrive <ToDriveAttributes>*]
         [allverifyuser <UserItem>]
         [(date <Date>)|(range <Date> <Date>)|
          yesterday|today|thismonth|(previousmonths <Integer>)]
-        [nodatechange|(fulldatarequired all|<UserServiceNameList>)]
+        [(nodatechange | limitdatechanges <Integer>) | (fulldatarequired all|<UserServiceNameList>)]
         [filtertime.* <Time>] [filter|filters <String>]
         [(fields|parameters <String>)|(services <UserServiceNameList>)]
         [aggregatebydate|aggregatebyuser [Boolean]]
         [maxresults <Number>]
+        [convertmbtogb]
 ```
 Select the users for whom information is desired.
 * `user all` - All users, the default; there is one API call
@@ -350,13 +379,22 @@ Specify the report date; the default is today's date.
 * `thismonth` - The current calendar month up to the current time; there is an API call per date
 * `previousmonths <Integer>` - A number in the range 1 to 6 indicating calendar months previous to the current month; there is an API call per date
 
+Option `convertmbtogb` causes GAM to convert parameters expressed in megabytes
+(name ends with _in_mb) to gigabytes (name converted to _in_gb) with two decimal places.
+
 If no report is available for the specified date, can an earlier date be used?
-* `nodatechange` - Do not report on an earlier date if no report is available for the specified date.
+* `limitdatechanges -1' - Back up to earlier dates to find report data; this is the default.
+* `limitdatechanges 0 | nodatechange' - Do not report on an earlier date if no report data is available for the specified date.
+* `limitdatechanges N' - Back up to earlier dates to find report data; do not back up more than N times.
 
 If only partial report data is available for the specified date and applications, can an earlier date be used?
 * `fulldatarequired all` - Back up to an earlier date to get complete data until all applications have full report data
 * `fulldatarequired <UserServiceNameList>` - Back up to an earlier date to get complete data until all applications in `<UserServiceNameList>` have full report data
 
+By default, when `user <UserItem>` is specified and no report data is available, there is no output.
+If `csv_output_users_audit = true` in `gam.cfg`, then a row with columns `email,date` will be displayed
+where `date` is the earliest date for which report data was requested.
+
 Apply filters.
 * `filter|filters <String>` - `<String>` is a comma separated list of filter expressions.
 
@@ -389,6 +427,10 @@ Report on users Google Drive usage.
 ```
 gam report users parameters accounts:drive_used_quota_in_mb,accounts:total_quota_in_mb,accounts:used_quota_in_mb,accounts:used_quota_in_percentage
 ```
+Report on users total storage usage.
+```
+gam report users parameters accounts:drive_used_quota_in_mb,accounts:gmail_used_quota_in_mb,accounts:gplus_photos_used_quota_in_mb,accounts:total_quota_in_mb,accounts:used_quota_in_mb,accounts:used_quota_in_percentage
+```
 Report on email activity for individual users.
 ```
 $ gam report users select users testuser1,testuser2,testuser3 fields gmail:num_emails_received,gmail:num_emails_sent range 2023-07-01 2023-07-07 

docs/Reseller.md

@@ -1,6 +1,7 @@
 # Reseller
 - [API documentation](#api-documentation)
 - [Notes](#notes)
+- [Manage Multiple Domains](#manage-multiple-domains)
 - [Definitions](#definitions)
 - [Manage Resold Customers](#manage-resold-customers)
 - [Display Resold Customers](#display-resold-customers)
@@ -25,6 +26,11 @@ Prior to version 6.50.00, this is how the `seats <NumberOfSeats> <MaximumNumberO
 
 Now, you can still use the above option which has been corrected or you can specify `seats <Number>` which will be properly passed in the correct form to the API based on plan name.
 
+## Manage Multiple Domains
+Thanks to Duncan Isaksen-Loxton for a script to help manage multiple domains.
+
+* See: https://gist.github.com/65/b5e9cee9b5812b487b8ae3e8256e262b
+
 ## Definitions
 ```
 <CustomerID> ::= <String>
@@ -53,46 +59,64 @@ Now, you can still use the above option which has been corrected or you can spec
         4tb | drive4tb | googledrivestorage4tb | Google-Drive-storage-4TB |
         8tb | drive8tb | googledrivestorage8tb | Google-Drive-storage-8TB |
         16tb | drive16tb | googledrivestorage16tb | Google-Drive-storage-16TB |
-        assuredcontrols | 1010390001 |
-        bce | beyondcorp | beyondcorpenterprise | 1010400001 |
+        aimeetingsandmessaging | 1010470007 | AI Meetings and Messaging |
+        aisecurity | 1010470006 | AI Security |
+        appsheetcore | 1010380001 | AppSheet Core |
+        appsheetstandard | appsheetenterprisestandard | 1010380002 | AppSheet Enterprise Standard |
+        appsheetplus | appsheetenterpriseplus | 1010380003 | AppSheet Enterprise Plus |
+        assuredcontrols | 1010390001 | Assured Controls |
+        bce | beyondcorp | beyondcorpenterprise | cep | chromeenterprisepremium | 1010400001 | Chrome Enterprise Premium |
         cdm | chrome | googlechromedevicemanagement | Google-Chrome-Device-Management |
-        cloudidentity | identity | 1010010001 |
-        cloudidentitypremium | identitypremium | 1010050001 |
-        cloudsearch | 1010350001 |
+        cloudidentity | identity | 1010010001 | Cloud Identity |
+        cloudidentitypremium | identitypremium | 1010050001 | Cloud Identity Premium |
+        cloudsearch | 1010350001 | Cloud Search |
+        colabpro | 1010500001 | Colab Pro |
+        colabpro+ | colabproplus | 1010500002 | Colab Pro+ |
+        eeu | 1010490001 | SKU Endpoint Education Upgrade |
+        geminibiz | 1010470003 | Gemini Business |
+        geminiedu | 1010470004 | Gemini Education |
+        geminiedupremium| 1010470005 | Gemini Education Premium |
+        geminient| duetai | 1010470001 | Gemini Enterprise |
         gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
         gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
-        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 |
-        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 |
-        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 |
-        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 |
+        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 | Google Workspace Business - Archived User |
+        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 | Google Workspace Enterprise Plus - Archived User |
+        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 | Google Workspace for Education Plus - Legacy |
+        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 | Google Workspace for Education Plus - Legacy (Student) |
         gsuitegov | gafg | gsuitegovernment | Google-Apps-For-Government |
         gsuitelite | gal | gsl | lite | Google-Apps-Lite |
-        gwep | workspaceeducationplus | 1010310008 |
-        gwepstaff | workspaceeducationplusstaff | 1010310009 |
-        gwepstudent | workspaceeducationplusstudent | 1010310010 |
-        gwes | workspaceeducationstandard | 1010310005 |
-        gwesstaff | workspaceeducationstandardstaff | 1010310006 |
-        gwesstudent | workspaceeducationstandardstudent | 1010310007 |
-        gwetlu | workspaceeducationupgrade | 1010370001 |
-        meetdialing | googlemeetglobaldialing | 1010360001 |
+        gwep | workspaceeducationplus | 1010310008 | Google Workspace for Education Plus |
+        gwepstaff | workspaceeducationplusstaff | 1010310009 | Google Workspace for Education Plus (Staff) |
+        gwepstudent | workspaceeducationplusstudent | 1010310010 | Google Workspace for Education Plus (Extra Student)|
+        gwes | workspaceeducationstandard | 1010310005 | Google Workspace for Education Standard |
+        gwesstaff | workspaceeducationstandardstaff | 1010310006 | Google Workspace for Education Standard (Staff) |
+        gwesstudent | workspaceeducationstandardstudent | 1010310007 | Google Workspace for Education Standard (Extra Student)
+        gwetlu | workspaceeducationupgrade | 1010370001 | Google Workspace for Education: Teaching and Learning Upgrade |
+        gwlabs | workspacelabs | 1010470002 | Google Workspace Labs |
+        meetdialing | googlemeetglobaldialing | 1010360001 |  Google Meet Global Dialing |
         postini | gams | gsuitegams | gsuitepostini | gsuitemessagesecurity | Google-Apps-For-Postini |
         standard | free | Google-Apps |
         vault | googlevault | Google-Vault |
         vfe | googlevaultformeremployee | Google-Vault-Former-Employee |
-        voicepremier | gvpremier | googlevoicepremier | 1010330002 |
-        voicestandard | gvstandard | googlevoicestandard | 1010330004 |
-        voicestarter | gvstarter | googlevoicestarter | 1010330003 |
-        wsbizplus | workspacebusinessplus | 1010020025 |
-        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 |
-        wsbizstan | workspacebusinessstandard | 1010020028 |
-        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 |
-        wsentess | workspaceenterpriseessentials | 1010060003 |
-        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 |
-        wsentstan | workspaceenterprisestandard | 1010020026 |
-        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 |
-        wsentstarter | workspaceenterprisestarter | 1010020029 | wes |
-        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 |
-        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030
+        voicepremier | gvpremier | googlevoicepremier | 1010330002 | Google Voice Premier 
+        voicestandard | gvstandard | googlevoicestandard | 1010330004 | Google Voice Standard |
+        voicestarter | gvstarter | googlevoicestarter | 1010330003 | Google Voice Starter |
+        wsas | plusstorage | 1010430001 | Google Workspace Additional Storage |
+        wsbizplus | workspacebusinessplus | 1010020025 | Google Workspace Business Plus |
+        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 | Google Workspace Business Plus - Archived User |
+        wsbizstan | workspacebusinessstandard | 1010020028 | Google Workspace Business Standard }
+        wsbizstanarchived | workspacebusinessstandardarchived | 1010340006 | Google Workspace Business Standard - Archived User |
+        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 | Google Workspace Business Starter |
+        wsbizstarterarchived | workspacebusinessstarterarchived | 1010340005 | Google Workspace Business Starter - Archived User |
+        wsentess | workspaceenterpriseessentials | 1010060003 | Google Workspace Enterprise Essentials |
+        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 | Google Workspace Enterprise Plus |
+        wsentstan | workspaceenterprisestandard | 1010020026 | Google Workspace Enterprise Standard |
+        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 | Google Workspace Enterprise Standard - Archived User |
+        wsentstarter | workspaceenterprisestarter | wes | 1010020029 | Workspace Enterprise Starter |
+        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 | Google Workspace Essentials |
+        wsessplus | workspaceessentialsplus | 1010060005 | Google Workspace Essentials Plus |
+        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030 | Google Workspace Frontline Starter |
+        wsflwstan | workspacefrontlinestan | workspacefrontlineworkerstan | 1010020031 | Google Workspace Frontline Standard
 ```
 ## Manage Resold Customers
 ```

docs/Resources.md

@@ -1,6 +1,7 @@
 # Resources
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
+- [Region Codes](#region-codes)
 - [Special quoting](#special-quoting)
 - [Manage buildings](#manage-buildings)
 - [Display buildings](#display-buildings)
@@ -121,6 +122,252 @@ See [Collections of Items](Collections-of-Items)
         uservisibledescription
 <ResourceFieldNameList> ::= "<ResourceFieldName>(,<ResourceFieldName>)*"
 ```
+
+## Region Codes
+
+| Region | Code |
+|--------|------|
+| Afghanistan | AF |
+| Aland Islands | AX |
+| Albania | AL |
+| Algeria | DZ |
+| American Samoa | AS |
+| Andorra | AD |
+| Angola | AO |
+| Anguilla | AI |
+| Antarctica | AQ |
+| Antigua & Barbuda | AG |
+| Argentina | AR |
+| Armenia | AM |
+| Aruba | AW |
+| Ascension Island | AC |
+| Australia | AU |
+| Austria | AT |
+| Azerbaijan | AZ |
+| Bahamas | BS |
+| Bahrain | BH |
+| Bangladesh | BD |
+| Barbados | BB |
+| Belarus | BY |
+| Belgium | BE |
+| Belize | BZ |
+| Benin | BJ |
+| Bermuda | BM |
+| Bhutan | BT |
+| Bolivia | BO |
+| Bosnia & Herzegovina | BA |
+| Botswana | BW |
+| Bouvet Island | BV |
+| Brazil | BR |
+| British Indian Ocean Territory | IO |
+| British Virgin Islands | VG |
+| Brunei | BN |
+| Bulgaria | BG |
+| Burkina Faso | BF |
+| Burundi | BI |
+| Cambodia | KH |
+| Cameroon | CM |
+| Canada | CA |
+| Canary Islands | IC |
+| Cape Verde | CV |
+| Caribbean Netherlands | BQ |
+| Cayman Islands | KY |
+| Central African Republic | CF |
+| Ceuta & Melilla | EA |
+| Chad | TD |
+| Chile | CL |
+| China | CN |
+| Christmas Island | CX |
+| Clipperton Island | CP |
+| Cocos (Keeling) Islands | CC |
+| Columbia | CO |
+| Comoros | KM |
+| Congo - Brazzaville | CG |
+| Congo - Kinshasa | CD |
+| Cook Islands | CK |
+| Costa Rica | CR |
+| Cote d’Ivoire | CI |
+| Croatia | HR |
+| Cuba | CU |
+| Curacao | CW |
+| Cyprus | CY |
+| Czech Republic | CZ |
+| Falkland Islands | FK |
+| Faroe Islands | FO |
+| Fiji | FJ |
+| Finland | FI |
+| France | FR |
+| Gabon | GA |
+| Gambia | GM |
+| Georgia | GE |
+| Germany | DE |
+| Ghana | GH |
+| Gibraltar | GI |
+| Greece | GR |
+| Greenland | GL |
+| Grenada | GD |
+| Guadeloupe | GP |
+| Guam | GU |
+| Guatemala | GT |
+| Guernsey | GG |
+| Guinea | GN |
+| Guinea-Bissau | GW |
+| Guyana | GY |
+| Haiti | HT |
+| Heard & McDonald Islands | HM |
+| Honduras | HN |
+| Hong Kong SAR China | HK |
+| Hungary | HU |
+| Iceland | IS |
+| India | IN |
+| Indonesia | ID |
+| Iran | IR |
+| Iraq | IQ |
+| Ireland | IE |
+| Isle of Man | IM |
+| Israel | IL |
+| Italy | IT |
+| Jamaica | JM |
+| Japan | JP |
+| Jersey | JE |
+| Jordan | JO |
+| Kazakhstan | KZ |
+| Kenya | KE |
+| Kiribati | KI |
+| Kosovo | XK |
+| Kuwait | KW |
+| Kyrgyzstan | KG |
+| Laos | LA |
+| Latvia | LV |
+| Lebanon | LB |
+| Lesotho | LS |
+| Liberia | LR |
+| Libya | LY |
+| Liechtenstein | LI |
+| Lithuania | LT |
+| Luxembourg | LU |
+| Macau SAR China | MO |
+| Macedonia | MK |
+| Madagascar | MG |
+| Malawi | MW |
+| Malaysia | MY |
+| Maldives | MV |
+| Mali | ML |
+| Malta | MT |
+| Marshall Islands | MH |
+| Martinique | MQ |
+| Mauritania | MR |
+| Mauritius | MU |
+| Mayotte | YT |
+| Mexico | MX |
+| Micronesia | FM |
+| Moldova | MD |
+| Monaco | MC |
+| Mongolia | MN |
+| Montenegro | ME |
+| Montserrat | MS |
+| Morocco | MA |
+| Mozambique | MZ |
+| Myanmar | MM |
+| Namibia | NA |
+| Nauru | NR |
+| Nepal | NP |
+| Netherlands | NL |
+| New Caledonia | NC |
+| New Zealand | NZ |
+| Nicaragua | NI |
+| Niger | NE |
+| Nigeria | NG |
+| Niue | NU |
+| Norfolk Island | NF |
+| North Korea | KP |
+| Northern Mariana Islands | MP |
+| Norway | NO |
+| Oman | OM |
+| Pakistan | PK |
+| Palau | PW |
+| Palestinia Territories | PS |
+| Panama | PA |
+| Papua New Guinea | PG |
+| Paraguay | PY |
+| Peru | PE |
+| Philippines | PH |
+| Pitcairn Islands | PN |
+| Poland | PL |
+| Portugal | PT |
+| Puerto Rico | PR |
+| Qatar | QA |
+| Reunion | RE |
+| Romania | RO |
+| Russia | RU |
+| Rwanda | RW |
+| Samoa | WS |
+| San Marino | SM |
+| Sao Tomm & Principe | ST |
+| Saudi Arabia | SA |
+| Senegal | SN |
+| Serbia | RS |
+| Seychelles | SC |
+| Sierra Leone | SL |
+| Singapore | SG |
+| Sint Maarten | SX |
+| Slovakia | SK |
+| Slovenia | SI |
+| Solomon Islands | SB |
+| Somalia | SO |
+| South Africa | ZA |
+| South Georgia & South Sandwich Islands | GS |
+| South Korea | KR |
+| South Sudan | SS |
+| Spain | ES |
+| Sri Lanka | LK |
+| St. Barthelemy | BL |
+| St. Helena | SH |
+| St. Kitts & Nevis | KN |
+| St. Lucia | LC |
+| St. Martin | MF |
+| St. Pierre & Miquelon | PM |
+| St. Vincent & Grenadines | VC |
+| Sudan | SD |
+| Suriname | SR |
+| Svalbard & Jan Mayen | SJ |
+| Swaziland | SZ |
+| Sweden | SE |
+| Switzerland | CH |
+| Syria | SY |
+| Taiwan | TW |
+| Tajikistan | TJ |
+| Tanzania | TZ |
+| Thailand | TH |
+| Timor-Leste | TL |
+| Togo | TG |
+| Tokelau | TK |
+| Tonga | TO |
+| Trinidad & Tobago | TT |
+| Tristan da Cunha | TA |
+| Tunisia | TN |
+| Turkey | TR |
+| Turkmenistan | TM |
+| Turks & Caicos Islands | TC |
+| Tuvalu | TV |
+| U.S. Outlying Islands | UM |
+| U.S. Virgin Islands | VI |
+| Uganda | UG |
+| Ukraine | UA |
+| United Arab Emirates | AE |
+| United Kingdom | GB |
+| United States | US |
+| Unknown Region | ZZ |
+| Uraguay | UY |
+| Uzbekistan | UZ |
+| Vanuatu | VU |
+| Vatican City | VA |
+| Venezuela | VE |
+| Vietnam | VN |
+| Yemen | YE |
+| Zambia | ZM |
+| Zimbabwe | ZW |
+
 ## Special quoting
 When entering `<FeatureNameList>` with `<FeatureName>s`containing spaces, enclose the list in `"` and the names containing spaces in `'`.
 ```
@@ -133,10 +380,8 @@ When creating a building, at a minimum you must enter `address|addresslines` and
 
 * Enter a single-line address as `address "123 Main Street"`
 * Enter a multi-line address as `addresslines "123 Main Street\nAnytown, US"`
-
-For `country|regioncode` see: http://www.unicode.org/cldr/charts/30/supplemental/territory_information.html
 ```
-gam create|add building <BuildIngID> <Name> <BuildingAttribute>*
+gam create|add building <Name> <BuildingAttribute>*
 gam update building <BuildIngID> <BuildingAttribute>*
 gam delete building <BuildingID>
 ```
@@ -207,7 +452,7 @@ gam show resources
         [formatjson]
 ```
 Optional data may be displayed for the resource:
-* `acls` - Display the resource calendar ACLs
+* `acls` - Display the resource calendar ACLs. This adds Scope and Role values.
 * `calendar` - Display the resource calendar settings
 
 Option `noselfowner` suppresses the display of ACLs that reference the calendar itself as its owner.
@@ -222,7 +467,7 @@ gam print resources [todrive <ToDriveAttribute>*]
         [formatjson [quotechar <Character>]]
 ```
 Optional data may be displayed for the resource:
-* `acls` - Display the resource calendar ACLs
+* `acls` - Display the resource calendar ACLs. This adds columns: id, role, scope.type, scope.value
 * `calendar` - Display the resource calendar settings
 
 Option `noselfowner` suppresses the display of ACLs that reference the calendar itself as its owner.
@@ -253,18 +498,38 @@ gam print resources
         [query <String>]
         showitemcountonly
 ```
+Example
+```
+$ gam print resources showitemcountonly
+Getting all Resource Calendars, may take some time on a large Google Workspace Account...
+Got 32 Resource Calendars: Back 50 - Video Cameras Class Set
+32
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print resources showitemcountonly)
+Windows PowerShell
+count = & gam print resources showitemcountonly
+```
 
 ## Manage resource calendar ACLs
 These commands operate on a single resource calendar.
 ```
 gam resource <ResourceID> add acls|calendaracls <CalendarACLRole> <CalendarACLScopeEntity>
+        [sendnotifications <Boolean>]
 gam resource <ResourceID> update acls|calendaracls <CalendarACLRole> <CalendarACLScopeEntity>
+        [sendnotifications <Boolean>]
 gam resource <ResourceID> delete acls|calendaracls [<CalendarACLRole>] <CalendarACLScopeEntity>
 ```
 These commands operate on multiple resource calendars.
 ```
 gam resources <ResourceEntity> add acls|calendaracls <CalendarACLRole> <CalendarACLScopeEntity>
+        [sendnotifications <Boolean>]
 gam resources <ResourceEntity> update acls|calendaracls <CalendarACLRole> <CalendarACLScopeEntity>
+        [sendnotifications <Boolean>]
 gam resources <ResourceEntity> delete acls|calendaracls [<CalendarACLRole>] <CalendarACLScopeEntity>
 ```
 ## Display resource calendar ACLs

docs/Running-GAM7-securely-on-a-Google-Compute-Engine.md

@@ -0,0 +1,76 @@
+# Running GAM7 securely on a Google Compute Engine
+- [thanks](#thanks)
+- [Introduction](#introduction)
+- [Setup Steps](#setup-steps)
+
+## Thanks
+
+Thanks to Jay Lee for the original version of this document.
+
+## Introduction
+GAM7 can run on a Linux or Windows Google Compute Engine (GCE) VM and use the attached service account to access Google Workspace APIs. The advantage of this configuration is that no service account private key is accessible to GAM7 directly and there is no risk of the key being stolen/lost.
+
+GAM7 version 6.50.00 or higher is required.
+
+## Setup Steps
+1. Create a [GCP project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).
+
+2. Create [a service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) which will be used by GAM7.
+   * Enter a value in `Service account name`
+   * Enter text in `Service account description`
+   * Click `Create` and `Continue`
+   * Click `Continue` under `Grant this service account access to project`
+   * Click `Done` under `Grant users access to this service account`
+ 
+3. Grant the service account rights to generate authentication tokens.
+   * Go to [console.cloud.google.com](https://console.cloud.google.com).
+   * Go to `IAM & Admin` > `Service accounts`
+   * Click on the service account you created (not the default service account).
+   * Copy the email address of your service account to the clipboard.
+   * Click on the `Permissions` tab.
+   * Click `Grant Access`.
+   * In the `New principals` text box, paste the service account email you copied.
+   * Give your service account the `Service Account Token Creator` and `View Service Accounts` roles.
+   * Click `Save`
+
+4. [Create a Windows or Linux virtual machine](https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances).
+   * Scroll down and start at Create a VM and attach the service account
+   * Click `Go to VM instances`
+   * Click `Create Instance`
+   * Enter a value for `Name`
+   * Configure `Manage Tags and Labels`
+   * You can choose a region physically close to you though you may be limited in your choices if you want to use the free tier.
+   * GAM7 can run on the minimal `e2-micro` [free tier VM](https://cloud.google.com/free/docs/free-cloud-features#compute) though performance may suffer. If you are performing batch operations, raising the CPU count will help performance. If you have a very large and busy Workspace instance downloading reports or Drive file lists may require more RAM.
+   * Set `Service account` under `Identity and API access/API and identity management`; choose the service account you created above.
+   * Select `Set access for each API`
+   * Enable `Cloud Platform`
+   * GAM7 does not use a significant amount of storage, unless you have specific storage needs the default disk size should suffice.
+   * Leave other VM instance settings at their defaults unless you know what you are doing.
+   * Click `Create`
+
+5. Install GAM7 on the VM
+   * See: https://github.com/taers232c/GAMADV-XTD3/wiki/How-to-Install-GAM7
+
+6. Logout and log back in to the VM, you should now be able to run GAM7 commands like:
+```
+gam version
+```
+
+7. Create the special `oauth2service.json` file GAM7 will use:
+```
+gam create gcpserviceaccount
+```
+If you'd like, take a look at the generated ```oauth2service.json``` file;
+you'll notice that while the file has some fields similar to a normal service account file, there is no `private_key` attribute containing an RSA private key.
+
+8. Enable the Google APIs GAM7 will use:
+```
+gam enable apis
+```
+You are given the option to enable them automatically or manually. Automatic enablement will ask you to authenticate to GAM7. You should authenticate as a user with rights to manage project APIs, probably a project owner. If you are not the project owner you can choose manual enablement and GAM7 will provide two or more URLs which you can send to the project owner. When the owner opens these URLs, they'll be prompted to enable all the APIs GAM7 needs.
+
+9. Perform admin actions (manage users, groups, orgunits, Chrome devices, etc)
+   * [Configure delegated admin service account (DASA)](https://github.com/taers232c/GAMADV-XTD3/wiki/Using-GAMADV-XTD3-with-a-delegated-admin-service-account); start at step 4.
+
+10. Manage user data
+   * Run ```gam user user@domain.com check serviceaccount``` and follow the instructions to perform domain-wide delegation.

docs/Running-GAMADV-XTD3-securely-on-a-Google-Compute-Engine.md

@@ -15,24 +15,38 @@ GAMADV-XTD3 version 6.50.00 or higher is required.
 ## Setup Steps
 1. Create a [GCP project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).
 
-2. Create [a service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) which will be used by GAMADV-XTD3. Continue steps 2 and 3 without granting the new service account any special access to the project and without granting users access to the service account.
+2. Create [a service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) which will be used by GAMADV-XTD3.
+   * Enter a value in `Service account name`
+   * Enter text in `Service account description`
+   * Click `Create` and `Continue`
+   * Click `Continue` under `Grant this service account access to project`
+   * Click `Done` under `Grant users access to this service account`
  
 3. Grant the service account rights to generate authentication tokens.
-   * go to [console.cloud.google.com](https://console.cloud.google.com).
-   * go to "IAM & Admin" > Service accounts
-   * click on the service account you created (not the default service account).
-   * copy the email address of your service account to the clipboard.
-   * click on the Permissions tab.
-   * click "Grant Access".
-   * In the "New principals text box, paste the service account email you copied.
-   * Give your service account the "Service Account Key Admin", "Service Account Token Creator" and "View Service Accounts" roles.
+   * Go to [console.cloud.google.com](https://console.cloud.google.com).
+   * Go to `IAM & Admin` > `Service accounts`
+   * Click on the service account you created (not the default service account).
+   * Copy the email address of your service account to the clipboard.
+   * Click on the `Permissions` tab.
+   * Click `Grant Access`.
+   * In the `New principals` text box, paste the service account email you copied.
+   * Give your service account the `Service Account Token Creator` and `View Service Accounts` roles.
+   * Click `Save`
 
-4. [Create a Windows or Linux virtual machine](https://cloud.google.com/compute/docs/instances/create-start-instance).
+4. [Create a Windows or Linux virtual machine](https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances).
+   * Scroll down and start at Create a VM and attach the service account
+   * Click `Go to VM instances`
+   * Click `Create Instance`
+   * Enter a value for `Name`
+   * Configure `Manage Tags and Labels`
    * You can choose a region physically close to you though you may be limited in your choices if you want to use the free tier.
    * GAMADV-XTD3 can run on the minimal `e2-micro` [free tier VM](https://cloud.google.com/free/docs/free-cloud-features#compute) though performance may suffer. If you are performing batch operations, raising the CPU count will help performance. If you have a very large and busy Workspace instance downloading reports or Drive file lists may require more RAM.
-   * [DO NOT use the default service account](https://cloud.google.com/iam/docs/best-practices-service-accounts#single-purpose). Choose the service account you created above instead.
+   * Set `Service account` under `Identity and API access/API and identity management`; choose the service account you created above.
+   * Select `Set access for each API`
+   * Enable `Cloud Platform`
    * GAMADV-XTD3 does not use a significant amount of storage, unless you have specific storage needs the default disk size should suffice.
-   * leave other VM instance settings at their defaults unless you know what you are doing.
+   * Leave other VM instance settings at their defaults unless you know what you are doing.
+   * Click `Create`
 
 5. Install GAMADV-XTD3 on the VM
    * See: https://github.com/taers232c/GAMADV-XTD3/wiki/How-to-Install-Advanced-GAM

docs/Scripts.md

@@ -1,7 +1,7 @@
 # Scripts
 
 These scripts can be used to enhance GAM's capabilities; all are supported with Advanced GAM,
-many are supported with Standard GAM. They require that Python 3 be installed on you computer.
+many are supported with Legacy GAM. They require that Python 3 be installed on you computer.
 
 * https://github.com/taers232c/GAM-Scripts3
 * https://www.python.org/

docs/Send-Email.md

@@ -241,7 +241,7 @@ Your HTML message will contain lines like this:
 <img src="cid:image2"/>
 ```
 
-Your command line will have: `embedimage file1.jpg image1` embedimage file2.jpg image2`
+Your command line will have: `embedimage file1.jpg image1 embedimage file2.jpg image2`
 
 ## Send an email from a user sendas
 You want to send an email from a user's sendas address.
@@ -312,7 +312,7 @@ Your HTML message will contain lines like this:
 <img src="cid:image2"/>
 ```
 
-Your command line will have: `embedimage file1.jpg image1` embedimage file2.jpg image2`
+Your command line will have: `embedimage file1.jpg image1 embedimage file2.jpg image2`
 
 ### Examples
 Send an email to a user's personal address notifying them of their new Google Workspace account;
@@ -376,7 +376,7 @@ Your HTML message will contain lines like this:
 <img src="cid:image2"/>
 ```
 
-Your command line will have: `embedimage file1.jpg image1` embedimage file2.jpg image2`
+Your command line will have: `embedimage file1.jpg image1 embedimage file2.jpg image2`
 
 ## Send an email to users
 ```
@@ -418,7 +418,7 @@ Your HTML message will contain lines like this:
 <img src="cid:image2"/>
 ```
 
-Your command line will have: `embedimage file1.jpg image1` embedimage file2.jpg image2`
+Your command line will have: `embedimage file1.jpg image1 embedimage file2.jpg image2`
 
 ## Example
 Send a message to a user, save the Message-ID so that a later reminder message can be sent

docs/Shared-Drives.md

@@ -12,7 +12,11 @@
   - [Delete a Shared Drive](#delete-a-shared-drive)
   - [Change Shared Drive visibility](#change-shared-drive-visibility)
 - [Display Shared Drives](#display-shared-drives)
+- [Display List of Shared Drives in an Organizational Unit other than /](#display-list-of-shared-drives-in-an-organizational-unit-other-than-)
 - [Display List of Shared Drives in an Organizational Unit](#display-list-of-shared-drives-in-an-organizational-unit)
+- [Display all Shared Drives with no organizers](#display-all-shared-drives-with-no-organizers)
+- [Display all Shared Drives with a specific organizer](#display-all-shared-drives-with-a-specific-organizer)
+- [Display all Shared Drives without a specific organizer](#display-all-shared-drives-without-a-specific-organizer)
 - [Manage Shared Drive access](#manage-shared-drive-access)
 - [Transfer Shared Drive access](#transfer-shared-drive-access)
 - [Display Shared Drive access](#display-shared-drive-access)
@@ -68,6 +72,26 @@
 ```
 <JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |
 
+<OrgUnitID> ::= id:<String>
+<OrgUnitPath> ::= /|(/<String>)+
+<OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>
+
+<DriveFileOrderByFieldName> ::=
+        createddate|createdtime|
+        folder|
+        lastviewedbyme|lastviewedbymedate|lastviewedbymetime|lastviewedbyuser|
+        modifiedbyme|modifiedbymedate|modifiedbymetime|modifiedbyuser|
+        modifieddate|modifiedtime|
+        name|
+        name_natural|
+        quotabytesused|quotaused|
+        recency|
+        sharedwithmedate|sharedwithmetime|
+        starred|
+        title|
+        title_natural|
+        viewedbymedate|viewedbymetime
+
 <DriveFileACLRole> ::=
         manager|organizer|owner|
         contentmanager|fileorganizer|
@@ -367,45 +391,42 @@ Print information about all Shared Drives in the organization.
 gam print teamdrives
 gam user admin@domain.com print teamdrives adminaccess
 ```
-Print information about all Shared Drives in the organization with no organizers.
-```
-gam print teamdrives query "organizerCount = 0"
-gam user admin@domain.com print teamdrives adminaccess teamdriveadminquery "organizerCount = 0"
-```
 Print information about Shared Drives that have admin@domain.com as a member.
 ```
 gam user admin@domain.com print teamdrives
 ```
+## Display all Shared Drives with no organizers
+```
+gam print teamdrives query "organizerCount = 0"
+```
+
+## Display all Shared Drives with a specific organizer
+Substitute actual email address for `organizer@domain.com`.
+```
+gam config csv_output_header_filter "id,name" print teamdriveacls pm emailaddress organizer@domain.com role organizer em pma process pmselect
+```
+
+## Display all Shared Drives without a specific organizer
+Substitute actual email address for `organizer@domain.com`.
+```
+gam config csv_output_header_filter "id,name" print teamdriveacls pm emailaddress organizer@domain.com role organizer em pma skip pmselect
+```
+
+## Display List of Shared Drives in an Organizational Unit other than /
+Get the orgUnitID of OU / and use it (without the id:) in the print|show command. Adjust fields as desired.
+```
+gam info ou / nousers
+gam show teamdrives query "orgUnitId!='00gjdgxs2p9cxyz'" fields id,name,orgunit,createdtime
+gam print teamdrives query "orgUnitId!='00gjdgxs2p9cxyz'" fields id,name,orgunit,createdtime
+```
+
 ## Display List of Shared Drives in an Organizational Unit
-To use this command you must add the `Cloud Identity API` to your project and authorize
-the appropriate scope: `Cloud Identity OrgUnits API`.
-
-You'll have to do `gam update project` and `gam oauth create` to enable this command.
-
+Get the orgUnitID of the desired OU and use it (without the id:) in the print|show command. Adjust fields as desired.
 ```
-gam show oushareddrives
-        [ou|org|orgunit <OrgUnitPath>]                                                                                                                                                                                                                                             
-        [formatjson]
+gam info ou <OrgUnitPath> nousers
+gam show teamdrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
+gam print teamdrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
 ```
-If `ou|org|orgunit <OrgUnitPath>` is not specified, `/` is used.
-
-By default, Gam displays the information as an indented list of keys and values.
-* `formatjson` - Display the fields in JSON format.
-```
-gam print oushareddrives [todrive <ToDriveAttribute>*]
-        [ou|org|orgunit <OrgUnitPath>]
-        [formatjson [quotechar <Character>]]
-```
-If `ou|org|orgunit <OrgUnitPath>` is not specified, `/` is used.
-
-By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
-* `formatjson` - Display the fields in JSON format.
-
-By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
-the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
-When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
-The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
-`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
 ## Manage Shared Drive access
 These commands are used to manage the ACLs on Shared Drives themselves, not the files/folders on the Shared Drives.
@@ -505,7 +526,7 @@ Find all the organizers and file organizers on the Golgafrincham shared drive in
 ```
 
 By default, all Shared Drives specified are displayed; use the following option to select a subset of those Shared Drives.
-* `<PermissionMatch>* [<PermissionMatchAction>] pmselect` - Use permission matching to select Shared Drives
+* `<PermissionMatch>* [<PermissionMatchAction>] pmselect` - Use permission matching to select Shared Drives; all ACLs are displayed for the selected Shared Drives
 
 By default, all ACLS are displayed; use the following option to select a subset of the ACLS to display.
 * `<PermissionMatch>* [<PermissionMatchAction>]` - Use permission matching to display a subset of the ACLs for each Shared Drive; this only applies when `pmselect` is not specified
@@ -544,7 +565,7 @@ By default, all Shared Drives are displayed; use the following options to select
 * `teamdriveadminquery|query <QueryTeamDrive>` - Use a query to select Shared Drives
 * `matchname <RegularExpression>` - Retrieve Shared Drives with names that match a pattern.
 * `orgunit|org|ou <OrgUnitPath>` - Only Shared Drives in the specified Org Unit are selected
-* `<PermissionMatch>* [<PermissionMatchAction>] pmselect` -  Use permission matching to select Shared Drives
+* `<PermissionMatch>* [<PermissionMatchAction>] pmselect` -  Use permission matching to select Shared Drives; all ACLs are displayed for the selected Shared Drives
 
 By default, Shared Drives with no permissions are not displayed; use the `shownopermissionsdrives` to control whether
 Shared Drives with no permissions are displayed.
@@ -576,10 +597,12 @@ Print ACLs for all Shared Drives in the organization created after November 1, 2
 ```
 gam print teamdriveacls teamdriveadminquery "createdTime > '2017-11-01T00:00:00'"
 ```
+
 Print ACLs for all Shared Drives in the organization with foo@bar.com as an organizer.
 ```
 gam print teamdriveacls user foo@bar.com role organizer
 ```
+
 Print ACLs for all Shared Drives in the organization with foo@bar.com or groups that contain foo@bar.com as a reader.
 ```
 gam print teamdriveacls user foo@bar.com role reader checkgroups

docs/Todrive.md

@@ -174,29 +174,34 @@ direct the uploaded file to a particular user and location and add a timestamp t
 ```
 <ToDriveAttribute> ::=
         (tdaddsheet [<Boolean>])|
+        (tdalert <EmailAddress>)*|
         (tdbackupsheet (id:<Number>)|<String>)|
+        (tdcellnumberformat text|number)|
+        (tdcellwrap clip|overflow|wrap)|
         (tdclearfilter [<Boolean>])|
         (tdcopysheet (id:<Number>)|<String>)|
         (tddescription <String>)|
         (tdfileid <DriveFileID>)|
+        (tdfrom <EmailAddress>)|
         (tdlocalcopy [<Boolean>])|
         (tdlocale <Locale>)|
         (tdnobrowser [<Boolean>])|
         (tdnoemail [<Boolean>])|
         (tdnoescapechar [<Boolean>])|
+        (tdnotify [<Boolean>])|
         (tdparent (id:<DriveFolderID>)|<DriveFolderName>)|
         (tdretaintitle [<Boolean>])|
-        (tdshare <EmailAddress> commenter|reader|writer)|
+        (tdreturnidonly [<Boolean>])|
+        (tdshare <EmailAddress> commenter|reader|writer)*|
         (tdsheet (id:<Number>)|<String>)|
         (tdsheettimestamp [<Boolean>] [tdsheettimeformat <String>])
         (tdsheettitle <String>)|
-        ([tdsheetdaysoffset <Number>] [tdsheethoursoffset <Number])|
-        (tdtimestamp [<Boolean>] [tdtimeformat <String>])|
-        ([tddaysoffset <Number>] [tdhoursoffset <Number])|
+        (tdsubject <String>)|
+        ([tdsheetdaysoffset <Number>] [tdsheethoursoffset <Number>])|
+        (tdtimestamp [<Boolean>] [tdtimeformat <String>]
+            ([tddaysoffset <Number>] [tdhoursoffset <Number>])|
         (tdtimezone <TimeZone>)|
         (tdtitle <String>)|
-        (tdcellwrap clip|overflow|wrap)|
-        (tdcellnumberformat text|plain)|
         (tdupdatesheet [<Boolean>])|
         (tduploadnodata [<Boolean>])|
         (tduser <EmailAddress>)
@@ -213,7 +218,7 @@ It is uploaded to the root folder of the admin user named in `oauth2.txt`.
 ## Create new file
 If `tdfileid <DriveFileID>` is not specified, a new file is created.
 * `tdparent` - An existing/writable parent folder for the uploaded file; if not specified, the `todrive_parent` value from gam.cfg is used; that value defaults to the root folder.
-* `tdshare <EmailAddress> commenter|reader|writer` - Share the new file with `<EmailAddress>` with the specified role. `<EmailAddress>` must be valid within your Google Workspace.
+* `tdshare <EmailAddress> commenter|reader|writer` - Share the new file with `<EmailAddress>` with the specified role. `<EmailAddress>` must be valid within your Google Workspace. You can specify multiple shares.
 
 ## File name, file description and sheet name
 * `tdtitle` - The title for the uploaded file, if not specified, the Gam default title is used.
@@ -226,6 +231,7 @@ If `tdfileid <DriveFileID>` is not specified, a new file is created.
 * `tdtimeformat` - Format of the timestamp added to the title of the uploaded file; if not specified, the `todrive_timeformat` value from gam.cfg is used, that value defaults to '' which selects an ISO format timestamp.
   * See: https://docs.python.org/3/library/datetime.html#strftime-strptime-behavior
 * `tddaysoffset` and `tdhoursoffset` - Values that subtract time from the timestamp, they default to 0. A possible use for these values is as documentation to reflect the end of the time period that the uploaded report covers.
+* `tdsubject <String>` - Use `<String>` as the subject in all emails sent. In `<String>`, `#file#` will, be replaced by the file title and `#sheet#` will be replaced by the sheet/tab title. By default, the subject is the file title.
 
 ## Spreadsheet settings
 * `tdlocale <Locale>` - The Spreadsheet settings Locale value.
@@ -233,9 +239,16 @@ If `tdfileid <DriveFileID>` is not specified, a new file is created.
 * `tdcellwrap clip|overflow|wrap` - The Spreadsheet cell wrapping strategy.
 * `tdcellnumberformat text|number` - The Spreadsheet number format.
 
+## Report action, capture file ID
+* `tdreturnidonly` - If False, a message is written to stdout with the uploaded file URL; if True, only the uploaded file ID is written to stdout
+
+The ID can be captured and used in subsequent commands, `tdfileid <DriveFileID>` that will update the same file.
+
 ## Open browser and send email
-* `tdnobrowser` - If False, a browser is opened to view the file uploaded to Google Drive; if not specified, the `todrive_nobrowser` value from gam.cfg is used.
-* `tdnoemail` - If False, an email is sent to `tduser` informing them of name and URL of the uploaded file; if not specified, the `todrive_noemail` value from gam.cfg is used.
+* `tdnobrowser` - If False, a browser is opened to view the file uploaded to Google Drive; if not specified, the `todrive_nobrowser` value from gam.cfg is used. If True, no browser is opened.
+* `tdnoemail` - If False, an email is sent to `tduser` informing them of name and URL of the uploaded file; if not specified, the `todrive_noemail` value from gam.cfg is used. If True, no email is sent to `tduser`.
+* `tdnotify` - If True, an email is sent to all `tdshare <EmailAddress>` and `tdalert <EmailAddress>` users informing them of name and URL of the uploaded/updated file. If False, no emails are sent.
+* `tdfrom <EmailAddress>` - Emails will be sent with `<EmailAddress>` as the from address. By default, the from address is the Google Workspace Admin in `gam oauth info`.
 
 ## Escape character
 * `tdnoescapechar <Boolean>` - Should `\` be ignored as an escape character; if not specified, the value of `todrive_no_escape_char` from `gam.cfg` will be used
@@ -297,15 +310,15 @@ gam redirect csv - todrive tdtitle "CrOS" tdtimestamp true tdfileid 12345-mizZ6Q
 
 For a collection of users, generate a list of files shared with anyone; combine the output for all users into a single file.
 ```
-gam redirect csv - multiprocess todrive tdtitle AnyoneShares-All csv Users.csv gam user ~primaryEmail print filelist fields id,name,permissions pm type anyone em
+gam redirect csv - multiprocess todrive tdtitle AnyoneShares-All csv Users.csv gam user "~primaryEmail" print filelist fields id,name,permissions pm type anyone em
 ```
 
 For a collection of users, generate a list of files shared with anyone; generate a separate file for each user.
 The two forms of the command are equivalent.
 ```
-gam csv Users.csv gam redirect csv - todrive tdtitle "AnyoneShares-~~primaryEmail~~" user ~primaryEmail print filelist fields id,name,permissions pm type anyone em
+gam csv Users.csv gam redirect csv - todrive tdtitle "AnyoneShares-~~primaryEmail~~" user "~primaryEmail" print filelist fields id,name,permissions pm type anyone em
 
-gam csv Users.csv gam user ~primaryEmail print filelist fields id,name,permissions pm type anyone em todrive tdtitle "AnyoneShares-~~primaryEmail~~" 
+gam csv Users.csv gam user "~primaryEmail" print filelist fields id,name,permissions pm type anyone em todrive tdtitle "AnyoneShares-~~primaryEmail~~" 
 ```
 
 Suppose you have a spreadsheet with sheets `Monday` ... `Friday`, `Backup Monday` ... `Backup Friday` and `Latest`.

docs/Upgrade-Benefits.md

@@ -29,7 +29,7 @@
 
 ## Configuration
 
-GAMADV-XTD3 uses a configuration file, gam.cfg, to store the values of the various environment variables
+GAM7 uses a configuration file, gam.cfg, to store the values of the various environment variables
 and signal files used by earlier versions of GAM. Configuration files client_secrets.json, oauth2.txt, oauth2service.json and extra_args.txt
 are moved to a version independent location. This should simplify upgrading GAM versions in the future.
 Additionally, if you support multiple clients/domains or have multiple users running GAM,
@@ -39,7 +39,7 @@ See: [gam.cfg](gam.cfg)
 
 ## Syntax Checking
 
-GAMADV-XTD3 produces better error messages when syntax errors are found on the command line.
+GAM7 produces better error messages when syntax errors are found on the command line.
 
 ## API error checking
 
@@ -48,14 +48,14 @@ was an operation on multiple items, the items after the failing item are not pro
 you produce a CSV file containing the items you want to process; as each item is an independent excution, API failures for some items
 do not affect other items. Capturing meaningful output from the CSV execution is hard and you have to create the CSV file as a separate step.
 
-In GAMADV-XTD3, every API call is made with error handling; if an API call fails, a message is output and execution continues with additional items if possible.
+In GAM7, every API call is made with error handling; if an API call fails, a message is output and execution continues with additional items if possible.
 
 ## Batch files
 
 GAM uses multiprocessing for processing batch files and CSV files; this offers better performance than using threads. Unfortunately, one
 multiprocess subprocess can not create another subprocess; this prevents using gam csv commands inside GAM batch files.
 
-GAMADV-XTD3 supports two commands for processing batch files, batch and tbatch. gam batch uses multiprocessing and gam tbatch uses threads.
+GAM7 supports two commands for processing batch files, batch and tbatch. gam batch uses multiprocessing and gam tbatch uses threads.
 If you have a batch file that contains gam csv commands, gam tbatch can successfuly process the batch file.
 
 See: [Bulk Processing](Bulk-Processing)
@@ -69,13 +69,13 @@ gam csv File.csv gam <Command> > File.out 2>&1
 ```
 Multiple processes are writing to File.out(.err) simultaneously resulting in interleaved output that can be hard to read.
 
-With GAMADV-XTD3, you can capture the output from the multiple processes such that all of the output from each process is contiguous.
+With GAM7, you can capture the output from the multiple processes such that all of the output from each process is contiguous.
 ```
 gam redirect stdout ./File.out multiprocess redirect stderr ./File.err multiprocess csv File.csv gam <Command>
 gam redirect stdout ./File.out multiprocess redirect stderr stderr csv File.csv gam <Command>
 ```
 
-You can choose to have GAMADV-XTD3 bracket the output from each process with lines that show the command being executed.
+You can choose to have GAM7 bracket the output from each process with lines that show the command being executed.
 ```
 gam config show_multiprocess_info true redirect stdout ./File.out multiprocess redirect stderr ./File.err multiprocess csv File.csv gam <Command>
 gam config show_multiprocess_info true redirect stdout ./File.out multiprocess redirect stderr stderr csv File.csv gam <Command>
@@ -85,7 +85,7 @@ See: [Meta Commands and File Redirection](Meta-Commands-and-File-Redirection)
 
 ## Data selection
 
-GAMADV-XTD3 has many more ways to specify collections of ChromeOS devices, Users and other items.
+GAM7 has many more ways to specify collections of ChromeOS devices, Users and other items.
 
 See: [Collections of ChromeOS Devices](Collections-of-ChromeOS-Devices)
 
@@ -97,7 +97,7 @@ See: [Collections of Items](Collections-of-Items)
 
 GAM specifies drive files in different ways based on the command.
 
-GAMADV-XTD3 has a consistent way of specifying Google Drive files for all commands.
+GAM7 has a consistent way of specifying Google Drive files for all commands.
 
 See: [Drive File Selection](Drive-File-Selection)
 
@@ -106,17 +106,17 @@ See: [Drive File Selection](Drive-File-Selection)
 GAM allows no options when you use the todrive option with a gam print command; the file is always uploaded with a fixed name to the root folder of
 Google Drive for the Google Admin user named in oauth2.txt.
 
-GAMADV-XTD3 allows you to specify the name, location and user for files uploaded with todrive; you can also save a local copy of the file.
+GAM7 allows you to specify the name, location and user for files uploaded with todrive; you can also save a local copy of the file.
 
 See: [Todrive](Todrive)
 
 ## Calendars
 
-GAM can manage the list of calendars a user can view; GAMADV-XTD3 can also create, modify and remove calendars.
+GAM can manage the list of calendars a user can view; GAM7 can also create, modify and remove calendars.
 
-GAM can add and delete events; GAMADV-XTD3 can also update, move, show and print events.
+GAM can add and delete events; GAM7 can also update, move, show and print events.
 
-GAM can add, update, delete and show calendar ACLs; GAMADV-XTD3 can also get ACLs for a single calendar and print a CSV file of calendar ACLs.
+GAM can add, update, delete and show calendar ACLs; GAM7 can also get ACLs for a single calendar and print a CSV file of calendar ACLs.
 
 See: [Calendars - Access](Calendars-Access), [Calendars - Events](Calendars-Events)
 
@@ -130,7 +130,7 @@ See: [Users - Calendars - Transfer](Users-Calendars-Transfer)
 
 ## Contacts
 
-GAMADV-XTD3 supports domain shared contacts and user contacts.
+GAM7 supports domain shared contacts and user contacts.
 
 See: [Domain Shared Contacts](Contacts)
 
@@ -138,48 +138,48 @@ See: [Users - People - Contacts & Profiles](Users-People-Contacts-Profiles)
 
 ## Courses
 
-When updating a course, GAM can only add/delete a single alias; GAMADV-XTD3 can add/delete multiple aliases.
+When updating a course, GAM can only add/delete a single alias; GAM7 can add/delete multiple aliases.
 
-When updating a course's membership, GAM can only add/delete a single student/teacher; GAMADV-XTD3 can
+When updating a course's membership, GAM can only add/delete a single student/teacher; GAM7 can
 add/delete multiple students/teachers.
 
-When creating/updating courses, GAMADV-XTD3 can copy settings from another course.
+When creating/updating courses, GAM7 can copy settings from another course.
 
 See: [Courses](Courses)
 
 ## Data Studio
 
-GAMADV-XTD3 supports commands to display Data Studio assets and display/manage Data Studio permissions
+GAM7 supports commands to display Data Studio assets and display/manage Data Studio permissions
 
 See: [Users - Data Studio](Users-DataStudio)
 
 ## Drive File Copy and Move
 
-GAMADV-XTD3 supports advanced file/folder copying/moving
+GAM7 supports advanced file/folder copying/moving
 
 See: [Users - Drive - Copy/Move](Users-Drive-Copy-Move)
 
 ## Drive File Orphans
 
-GAMADV-XTD3 allows collecting a user's orphaned files.
+GAM7 allows collecting a user's orphaned files.
 
 See: [Users - Drive - Orphans](Users-Drive-Orphans)
 
 ## Drive File Ownership
 
-GAMADV-XTD3 allows transferring ownership of selected folders of a source user to a target user.
+GAM7 allows transferring ownership of selected folders of a source user to a target user.
 
-GAMADV-XTD3 allows claiming ownership of of selected folders to which the user has access.
+GAM7 allows claiming ownership of of selected folders to which the user has access.
 
 See: [Users - Drive - Ownership](Users-Drive-Ownership)
 
 ## Drive File Revisions
 
-GAMADV-XTD3 can manage drive file revisions.
+GAM7 can manage drive file revisions.
 
 ## Drive File Transfer
 
-GAMADV-XTD3 has more capabilites for transferring the Google Drive of a source user to a target user.
+GAM7 has more capabilites for transferring the Google Drive of a source user to a target user.
 
 See: [Users - Drive - Transfer](Users-Drive-Transfer)
 
@@ -187,63 +187,63 @@ See: [Users - Drive - Revisions](Users-Drive-Revisions)
 
 ## Send email messages
 
-GAMADV-XTD3 can send email messages.
+GAM7 can send email messages.
 
 See: [Send Email](Send-Email)
 
 ## Forms
 
-GAMADV-XTD3 supports commands to manage and display Google Forms.
+GAM7 supports commands to manage and display Google Forms.
 
 See: [Users - Forms](Users-Forms)
 
 ## Gmail
 
-GAMADV-XTD3 has commands for displaying Gmail messages.
+GAM7 has commands for displaying Gmail messages.
 
-GAMADV-XTD3 has commands for forwarding Gmail messages.
+GAM7 has commands for forwarding Gmail messages.
 
 See: [Users - Gmail - Messages/Threads](Users-Gmail-Messages-Threads)
 
 ## Groups
 
-GAMADV-XTD3 allows selecting fields with `info group`. The output is much easier to read.
+GAM7 allows selecting fields with `info group`. The output is much easier to read.
 
-When creating/updating groups, GAMADV-XTD3 can copy settings from another group.
+When creating/updating groups, GAM7 can copy settings from another group.
 
 See: [Groups](Groups)
 
-GAMADV-XTD3 has a more powerful `print group-members` command.
+GAM7 has a more powerful `print group-members` command.
 
-GAMADV-XTD3 has a more powerful ways of specifying changes to group membership.
+GAM7 has a more powerful ways of specifying changes to group membership.
 
 See: [Groups Membership](Groups-Membership)
 
-GAMADV-XTD3 has commands to display/manage a user's group membership.
+GAM7 has commands to display/manage a user's group membership.
 
 See: [Users - Group Membership](Users-Group-Membership)
 
 ## Keep
 
-GAMADV-XTD3 supports commands to manage and display Google Keep notes.
+GAM7 supports commands to manage and display Google Keep notes.
 
 See: [Users - Keep](Users-Keep)
 
 ## Organizational Units
 
-GAMADV-XTD3 supports updating multiple org units in a single command.
+GAM7 supports updating multiple org units in a single command.
 
 See: [Organizational Units](Organizational-Units)
 
 ## Resource Calendars
 
-GAMADV-XTD3 supports managing resource calendar ACLs.
+GAM7 supports managing resource calendar ACLs.
 
 See: [Resource Calendars](Resource-Calendars)
 
 ## Shared Drives
 
-GAMADV-XTD3 has more powerful commands for managing Shared Drives.
+GAM7 has more powerful commands for managing Shared Drives.
 
 See: [Shared Drives](Shared-Drives)
 
@@ -251,12 +251,12 @@ See: [Users - Shared Drives](Users-Shared-Drives)
 
 ## Spreadsheets
 
-GAMADV-XTD3 can manipulate Google Sheets.
+GAM7 can manipulate Google Sheets.
 
 See: [Users - Spreadsheets](Users-Spreadsheets)
 
 ## Tasks
 
-GAMADV-XTD3 supports commands to manage and display Google Tasks.
+GAM7 supports commands to manage and display Google Tasks.
 
 See: [Users - Tasks](Users-Tasks)

docs/Users-Backup-Verification-Codes.md

@@ -31,8 +31,10 @@ Exit Status of 0 indicates no errors, and backup codes are sent to stdout.
 
 Exit status of 60 indicates no errors, and that no backup codes are available for this user.
 ```
-gam <UserTypeEntity> print backupcodes|verificationcodes [todrive <ToDriveAttributes>*] [delimiter <Character>]
+gam <UserTypeEntity> print backupcodes|verificationcodes [todrive <ToDriveAttributes>*]
+        [delimiter <Character>] [countsonly]
 ```
-Gam displays the information in CSV form.
+GAM displays the information in CSV form.
 
 * `delimiter <Character>` - Separate `verificationCodes` entries with `<Character>`; the default value is `csv_output_field_delimiter` from `gam.cfg`.
+* `countsonly` - Display only the number of available backup codes but not the codes themselves.

docs/Users-Calendars-Access.md

@@ -37,6 +37,17 @@ Calendar ACL roles (as seen in Calendar GUI):
 <UniqueID> ::= id:<String>
 <UserItem> ::= <EmailAddress>|<UniqueID>|<String>
 
+<CalendarAttribute> ::=
+        (backgroundcolor <ColorValue>)|
+        (color <CalendarColorName>)|
+        (colorindex|colorid <CalendarColorIndex>)|
+        (foregroundcolor <ColorValue>)|
+        (hidden <Boolean>)|
+        (notification clear|(email <CalendarEmailNotificatonEventTypeList>))|
+        (reminder clear|(email|pop <Number>)|(<Number> email|pop))|
+        (selected <Boolean>)|
+        (summary <String>)
+
 <CalendarSettings> ::=
         (description <String>)|
         (location <String>)|
@@ -134,15 +145,15 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ## Transfer calendar ownership
 
 You can transfer ownership of calendars from one user to another; only non-primary calendars owned by the source user can be transferred.
-You can update calendar settings as part of the transfer. In description, location and summary, #email#, #user# and #username# will be replaced
-by the original owner's full email address or just the name portion; #timestamp# will be replaced by the current date and time.
 ```
-gam <UserTypeEntity> transfer calendars <UserItem> <UserCalendarEntity>
+gam <UserTypeEntity> transfer calendars|seccals <UserItem> [<UserCalendarEntity>]
         [keepuser | (retainrole <CalendarACLRole>)] [sendnotifications <Boolean>]
         [noretentionmessages]
         [<CalendarSettings>] [append description|location|summary] [noupdatemessages]
-gam <UserTypeEntity> transfer seccals <UserItem> [keepuser] [sendnotifications <Boolean>]
+        [deletefromoldowner] [addtonewowner <CalendarAttribute>*] [nolistmessages]
 ```
+If `<UserCalendarEntity>` is not specified, all of a user's owned secondary calendars will be transferrdd.
+
 By default, the users in `<UserTypeEntity>` retain no role in the transferred calendars.
 * `keepuser` - The users in `<UserTypeEntity>` retain their ownership.
 * `retainrole <CalendarACLRole>` - The users in `<UserTypeEntity>` retain the specified role.
@@ -150,11 +161,23 @@ By default, the users in `<UserTypeEntity>` retain no role in the transferred ca
 
 By default, when you add or update a calendar ACL, a notification is sent to the affected users; use `sendnotifications false` to suppress sending the notifications.
 
+You can update calendar settings as part of the transfer. In description, location and summary, #email#, #user# and #username# will be replaced
+by the original owner's full email address or just the name portion; #timestamp# will be replaced by the current date and time.
 * `<CalendarSettings>` - The value specified will replace the existing value.
 * `append description|location|summary` - The specified <CalendarSettings> value will be appended to the existing value.
 * `noupdatemessages` - Suppress the settings update messages.
 
+You can manipulate the old and new owner's calendar lists.
+* `deletefromoldowner` - Delete the calendar from the old owner's calendar list
+* `addtonewowner <CalendarAttribute>*` - Add the calendar to the new owner's calendar list; optionally specify attributes
+* `nolistmessages` - Suppress the calendar list add/delete messages.
+
 ### Example
+Transfer a secondary calendar from oldowner to newowner. Remove the calendar from the old owner's calendar list and add to the new owner's  calendar list.
+```
+gam user oldowner@domain.com transfer calendars newowner@domain.com c_aaa123zzz@group.calendar.google.com removefromoldowner addtonewowner
+```
+
 Transfer ownership of all non-primary calendars from oldowner to newowner; append a message to the calendar description noting the old owner and the time of transfer.
 ```
 gam user oldowner@domain.com transfer calendars newowner@domain.com minaccessrole owner description "(Transferred from #user# on #timestamp#)" append description

docs/Users-Calendars-Events.md

@@ -26,6 +26,7 @@
 * https://developers.google.com/calendar/v3/reference/events
 * https://developers.google.com/calendar/v3/reference/events/import
 * https://developers.google.com/calendar/api/guides/working-hours-and-location
+* https://developers.google.com/calendar/api/guides/event-types#birthday
 
 ## Definitions
 * [`<UserTypeEntity>`](Collections-of-Users)
@@ -241,8 +242,10 @@
 ```
 ```
 <EventType> ::=
+        birthday|
         default|
         focustime|
+        fromgmail|
         outofoffice|
         workinglocation
 <EventTypeList> ::= "<EventType>(,<EventType>)*"
@@ -261,6 +264,9 @@
 
 <EventMatchProperty> ::=
         (matchfield attendees <EmailAddressEntity>)|
+        (matchfield attendeesonlydomainlist <DomainNameList>)|
+        (matchfield attendeesdomainlist <DomainNameList>)|
+        (matchfield attendeesnotdomainlist <DomainNameList>)|
         (matchfield attendeespattern <RegularExpression>)|
         (matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>)|
         (matchfield creatoremail <RegularExpression>)|
@@ -302,6 +308,7 @@
         (attendee <EmailAddress>)|
         (attendeestatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddress>)|
         available|
+        (birthday <Date>)|
         (color <EventColorName>)|
         (colorindex|colorid <EventColorIndex>)|
         (description <String>)|
@@ -322,7 +329,7 @@
         (privateproperty <PropertyKey> <PropertyValue>)|
         (range <Date> <Date>)|
         (recurrence <RRULE, EXRULE, RDATE and EXDATE line>)|
-        (reminder <Number> email|popup))|
+        (reminder <Number> email|popup)|
         (selectattendees [<AttendeeAttendance>] [<AttendeeStatus>] <UserTypeEntity>)|
         (sequence <Integer>)|
         (sharedproperty <PropertyKey> <PropertyValue>)|
@@ -425,7 +432,7 @@ If none of the following options are selected, all events are selected.
 * `<EventSelectProperty>* <EventMatchProperty>*` - Properties used to select events
 
 The Google Calendar API processes `<EventSelectProperty>*`; you may specify none or multiple properties.
-* `after|starttime|timemin <Time>` - Lower bound (inclusive) for an event's end time to filter by. If timeMax is set, timeMin must be smaller than timeMax.
+* `after|starttime|timemin <Time>` - Lower bound (exclusive) for an event's end time to filter by. If timeMax is set, timeMin must be smaller than timeMax.
 * `before|endtime|timemax <Time>` - Upper bound (exclusive) for an event's start time to filter by. If timeMin is set, timeMax must be greater than timeMin.
 * `eventtypes <EventTypeList>` - Select events based on their type.
 * `query <QueryCalendar>` - Free text search terms to find events that match these terms in any field, except for extended properties
@@ -438,7 +445,15 @@ The Google Calendar API processes `<EventSelectProperty>*`; you may specify none
 
 GAM processes `<EventMatchProperty>*`; you may specify none or multiple properties.
 * `matchfield attendees <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
-* `matchfield attendeespattern <RegularExpression>` - Some attendee must match `<RegularExpression>`
+* `matchfield attendeesonlydomainlist <DomainNameList>` - All attendee's email addresses must be in a domain in `<DomainNameList>`
+  * For example, this lets you look for events with all attendees in your internal domains. You should include `resource.calendar.google.com`
+    in `<DomainNameList>` if the events use resources.
+* `matchfield attendeesdomainlist <DomainNameList>` - Some attendee's email address must be in a domain in `<DomainNameList>`
+  * For example, this lets you look for events with attendees in specific external domains
+* `matchfield attendeesnotdomainlist <DomainNameList>` - Some attendee's email address must be in a domain not in `<DomainNameList>`
+  * For example, this lets you look for events with attendees not in your internal domains. You should include `resource.calendar.google.com`
+    in `<DomainNameList>` if the events use resources.
+* `matchfield attendeespattern <RegularExpression>` - Some attendee's email address must match `<RegularExpression>`
 * `matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
 and must have the specified values.
     * `<AttendeeAttendance>` - Default is `required`
@@ -449,6 +464,7 @@ and must have the specified values.
 * `matchfield location <RegularExpression>` - The location must match `<RegularExpression>`
 * `matchfield organizeremail <RegularExpression>` - The organizer email address must match `<RegularExpression>`
 * `matchfield organizername <RegularExpression>` - The orgainzer name must match `<RegularExpression>`
+* `matchfield organizerself <Boolean>` - The user must be/not be the organizer of the event
 * `matchfield status <RegularExpression>` - The summary must match `<RegularExpression>`. The API documented values are:
     * `confirmed`
     * `tentative`
@@ -592,6 +608,13 @@ To empty the calendar trash a temporary calendar is created, the deleted events
 gam <UserTypeEntity> empty calendartrash <UserCalendarEntity>
 ```
 
+## Move calendar events to another calendar
+Generally you won't move all events from one calendar to another; typically, you'll move events created by the event creator
+using `matchfield creatoremail <RegularExpression>` in conjunction with other `<EventSelectProperty>` and `<EventMatchProperty>` options.
+```
+gam <UserTypeEntity> move events <UserCalendarEntity> [<EventEntity>] destination|to <CalendarItem> [<EventNotificationAttribute>]
+```
+
 ## Display calendar events
 ```
 gam <UserTypeEntity> info events <UserCalendarEntity> [<EventEntity>] [maxinstances <Number>]
@@ -713,12 +736,14 @@ The attendee changes are displayed but not processed unless `doit` is specified.
 
 ## Manage focus time events
 You can create and delete focus time events; they can not be updated.
-To update a working location event, delete the working location event and recreate it.
+To update a focus time event, delete the focus time event and recreate it.
 ```
 gam <UserTypeEntity> create focustime
         [chatstatus available|donotdisturb]|
         [declinemode none|all|new] [declinemessage <String>]|
-        (timerange <Time> <Time>)+
+        [summary <String>]
+        (timerange <Time> <Time>
+        (recurrence <RRULE, EXRULE, RDATE and EXDATE line>)*
 
 gam <UserTypeEntity> delete focustime
         (timerange <Time> <Time>)+
@@ -762,17 +787,20 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 
 ## Manage out of office events
 You can create and delete out of office events; they can not be updated.
-To update a working location event, delete the working location event and recreate it.
+To update an out of office event, delete the out of office event and recreate it.
 ```
 gam <UserTypeEntity> create outofoffice
-        [declinemode none|all|new] [declinemessage <String>]|
-        (timerange <Time> <Time>)+
+        [declinemode none|all|new]
+        [declinemessage <String>]
+        [summary <String>]
+        (timerange <Time> <Time>
+        (recurrence <RRULE, EXRULE, RDATE and EXDATE line>)*
 
 gam <UserTypeEntity> delete outofoffice
         (timerange <Time> <Time>)+
 ```
 
-out of office events span a time range:
+Out of office events span a time range:
 * `timerange <Time> <Time>` - A time range, may span multiple days
 
 ## Display out of office events

docs/Users-Chat.md

@@ -3,18 +3,26 @@
 - [Introduction](#introduction)
 - [Set up a Chat Bot](#set-up-a-chat-bot)
 - [Definitions](#definitions)
+- [Chat Space Permissions](#chat-space-permissions)
 - [Manage Chat Spaces](#manage-chat-spaces)
 - [Display Chat Spaces](#display-chat-spaces)
 - [Manage Chat Members](#manage-chat-members)
 - [Display Chat Members](#display-chat-members)
 - [Manage Chat Messages](#manage-chat-messages)
 - [Display Chat Messages](#display-chat-messages)
+- [Display Chat Events](#display-chat-events)
 - [Bulk Operations](#bulk-operations)
 
 ## API documentation
-* https://developers.google.com/chat/concepts
-* https://developers.google.com/chat/reference/rest
+* https://developers.google.com/workspace/chat/overview
+* https://developers.google.com/workspace/chat/api/reference/rest
+* https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.members/list
+* https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.messages/list
+* https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.spaceEvents/list
 * https://support.google.com/chat/answer/7655820
+* https://support.google.com/a/answer/13369245
+* https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
+* https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces#Space.FIELDS.predefined_permission_settings
 
 ## Introduction
 These features were added in version 6.60.00.
@@ -23,12 +31,23 @@ To use these commands you must update your service account authorization.
 ```
 gam user user@domain.com update serviceaccount
 
-[*]  3)  Chat API - Memberships (supports readonly)
-[*]  4)  Chat API - Messages (supports readonly)
-[*]  5)  Chat API - Spaces (supports readonly)
-[*]  6)  Chat API - Spaces Delete
-
+[*]  4)  Chat API - Memberships (supports readonly)
+[*]  5)  Chat API - Memberships Admin (supports readonly)
+[*]  6)  Chat API - Messages (supports readonly)
+[*]  7)  Chat API - Spaces (supports readonly)
+[*]  8)  Chat API - Spaces Admin (supports readonly)
+[*]  9)  Chat API - Spaces Delete
+[*] 10)  Chat API - Spaces Delete Admin
 ```
+
+Added `use_chat_admin_access` Boolean variable to `gam.cfg`. 
+```
+* When False, GAM uses user access when making all Chat API calls. For calls that support admin access,
+    this can be overridden with the asadmin command line option.
+* When True, GAM uses admin access for Chat API calls that support admin access; other calls will use user access.
+* Default: False
+```
+
 Google requires that you have a Chat Bot configured in order to use the Chat API; set up a Chat Bot as described in the next section.
 
 ## Set up a Chat Bot
@@ -63,6 +82,7 @@ Google requires that you have a Chat Bot configured in order to use the Chat API
          (gdoc <UserGoogleDoc>)|
          (gcsdoc <StorageBucketObjectName>))
 
+<ChatEvent> ::= spaces/<String>/spaceEvents/<String>
 <ChatMember> ::= spaces/<String>/members/<String>
 <ChatMemberList> ::= "<ChatMember>(,<ChatMember>)*"
 <ChatMessage> ::= spaces/<String>/messages/<String>
@@ -76,12 +96,98 @@ Google requires that you have a Chat Bot configured in order to use the Chat API
 <ChatMessageID> ::= client-<String>
         <String> must contain only lowercase letters, numbers, and hyphens up to 56 characters in length.
 ```
+```
+<ChatSpaceFieldName> ::=
+        accesssettings|
+        admininstalled|
+        createtime|
+        displayname|
+        externaluserallowed|
+        importmode|
+        lastactivetime|
+        membershipcount|
+        name|
+        permissionsettings|
+        singleuserbotdm|
+        spacedetails|
+        spacehistorystate|
+        spacethreadingstate|threaded|
+        spacetype|type|
+        spaceuri
+<ChatSpaceFieldNameList> ::= "<ChatSpaceFieldName>(,<ChatSpaceFieldName>)*"
+
+<ChatMemberFieldName> ::=
+        createtime|
+        deletetime|
+        groupmember|
+        member|
+        name|
+        role|
+        state|
+<ChatMemberFieldNameList> ::= "<ChatMemberFieldName>(,<ChatMemberFieldName>)*"
+
+<ChatMessageFieldName> ::=
+        accessorywidgets|
+        actionresponse|
+        annotations|
+        argumenttext|
+        attachedgifs|
+        attachment|
+        cards|
+        cardsv2|
+        clientassignedmessageid|
+        createtime|
+        deletetime|
+        deletionmetadata|
+        emojireactionsummaries|
+        fallbacktext|
+        formattedtext|
+        lastupdatetime|
+        matchedurl|
+        name|
+        privatemessageviewer|
+        quotedmessagemetadata|
+        sender|
+        slashcommand|
+        space|
+        text|
+        thread|
+        threadreply
+<ChatMessageFieldNameList> ::= "<ChatMessageFieldName>(,<ChatMessageFieldName>)*"
+
+```
+
+## Chat Space Permissions
+### Announcement
+| Keyword | Description | Allowed | Default |
+|---------|-------------|---------|---------|
+| manageapps | Manage apps | managers-immutable | managers |
+| managemembersandgroups | Manage members and groups | managers/members | managers |
+| managewebhooks | Manage web hooks | managers-immutable | managers |
+| modifyspacedetails | Modify space details | managers/members | managers |
+| postmessages | Post messages | managers-immutable | managers |
+| replymessages | Reply messages | members/managers | members |
+| togglehistory | Turn history on and off | managers/members | managers |
+| useatmentionall | Use @all | managers-immutable | managers |
+
+### Collaboration
+| Keyword | Description | Allowed | Default |
+|---------|-------------|---------|---------|
+| manageapps | Manage apps | members-immutable | members |
+| managemembersandgroups | Manage members and groups | managers/members | members |
+| managewebhooks | Manage web hooks | managers/members | members |
+| modifyspacedetails | Modify space details | managers/members | members |
+| postmessages | Post messages | members-immutable | members |
+| replymessages | Reply messages | members-immutable | members |
+| togglehistory | Turn history on and off | managers/members | members |
+| useatmentionall | Use @all | managers/members | members |
 
 ## Manage Chat Spaces
 ### Create a chat space
 ```
 gam <UserTypeEntity> create chatspace
-        [type <ChatSpaceType>]
+        [type <ChatSpaceType>] [announcement|collaboration]
+        [restricted|(audience <String>)]
         [externalusersallowed <Boolean>]
         [members <UserTypeEntity>]
         [displayname <String>]
@@ -91,21 +197,22 @@ gam <UserTypeEntity> create chatspace
         [formatjson|returnidonly]
 ```
 For `type space`, the following apply:
-* `member <UserTypeEntity>` - Optional, can not specify more that 20 users
+* `members <UserTypeEntity>` - Optional, can not specify more that 20 users
 * `displayname <String>` - Required
 * `description <String>` - Optional
 * `guidelines <String>` - Optional
 * `history <Boolean>` - Optional
+* `announcement|collaboration` - Initial permission settings; default is `collaboration`; this is in Developer Preview
 
 For `type groupchat`, the following apply:
-* `member <UserTypeEntity>` - Required, must specify between 2 and 20 users
+* `members <UserTypeEntity>` - Required, must specify between 2 and 20 users
 * `displayname <String>` - Ignored
 * `description <String>` - Optional
 * `guidelines <String>` - Optional
 * `history <Boolean>` - Optional
 
 For `type directmessage`, the following apply:
-* `member <UserTypeEntity>` - Required, must specify 1 user
+* `members <UserTypeEntity>` - Required, must specify 1 user
 * `displayname <String>` - Ignored
 * `description <String>` - Ignored
 * `guidelines <String>` - Ignored
@@ -120,29 +227,73 @@ Use the `<ChatContent>` option to send an initial message to the created chatspa
 By default, details about the chatmessage are displayed.
 * `returnidonly` - Display the chatmessage name only
 
-### Update a chat space
+### Update a user's chat space
 ```
 gam <UserTypeEntity> update chatspace <ChatSpace>
-        [type space]
-        [displayname <String>]
-        [description <String>] [guidelines <String>]
-        [history <Boolean>]
+        [restricted|(audience <String>)]|
+        ([displayname <String>]
+         [type space]
+         [description <String>] [guidelines|rules <String>]
+         [history <Boolean>])
+        [managemembersandgroups managers|members]
+        [modifyspacedetails managers|members]
+        [togglehistory managers|members]
+        [useatmentionall managers|members]
+        [manageapps managers|members]
+        [managewebhooks managers|members]
+        [replymessages managers|members]
         [formatjson]
 ```
 A groupchat space can be upgraded to a space by specifying `type space` and `displayname <String>`.
 
+The `restricted|audience` options can not be combined with options `displayname,type,description,guidelines,history`.
+
+You can manage permissions for chat spaces with the following options that are available with Developer Preview.
+        [managemembersandgroups managers|members]
+        [modifyspacedetails managers|members]
+        [togglehistory managers|members]
+        [useatmentionall managers|members]
+        [manageapps managers|members]
+        [managewebhooks managers|members]
+        [postmessages managers|members]
+        [replymessages managers|members]
+
+
 By default, Gam displays the information about the created chatspace as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 
-### Delete a chat space
+### Update a chat space, asadmin
+```
+gam <UserItem> update chatspace asadmin <ChatSpace>
+        [restricted|(audience <String>)]|
+        ([displayname <String>]
+         [type space]
+         [description <String>] [guidelines|rules <String>]
+         [history <Boolean>])
+        [formatjson]
+```
+A groupchat space can be upgraded to a space by specifying `type space` and `displayname <String>`.
+
+The `restricted|audience` options can not be combined with options `displayname,type,description,guidelines,history`.
+
+By default, Gam displays the information about the created chatspace as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### Delete a user's chat space
 ```
 gam <UserTypeEntity> delete chatspace <ChatSpace>
 ```
 
+### Delete a chat space, asadmin
+```
+gam <UserItem> delete chatspace asadmin <ChatSpace>
+```
+
 ## Display Chat Spaces
 ### Display information about a specific chat space for a user
 ```
 gam <UserTypeEntity> info chatspace <ChatSpace>
+        [fields <ChatSpaceFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -151,6 +302,7 @@ By default, Gam displays the information as an indented list of keys and values.
 ### Display information about a direct message chat space between two users
 ```
 gam <UserTypeEntity> info chatspacedm <UserItem>
+        [fields <ChatSpaceFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -160,16 +312,24 @@ By default, Gam displays the information as an indented list of keys and values.
 ```
 gam <UserTypeEntity> show chatspaces
         [types <ChatSpaceTypeList>]
+        [fields <ChatSpaceFieldNameList>]
         [formatjson]
 ```
+By default, chat spaces of all types are displayed.
+* `types <ChatSpaceTypeList>` - Display specific types of spaces.
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 
 ```
 gam <UserTypeEntity> print chatspaces [todrive <ToDriveAttribute>*]
         [types <ChatSpaceTypeList>]
+        [fields <ChatSpaceFieldNameList>]
         [formatjson [quotechar <Character>]]
 ```
+By default, chat spaces of all types are displayed.
+* `types <ChatSpaceTypeList>` - Display specific types of spaces.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -179,7 +339,7 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
-### Display information about all chat spaces
+### Display information about all user's chat spaces
 ```
 # Local file
 gam config auto_batch_min 1 redirect csv ./AllChatSpaces.csv multiprocess redirect stdout - multiprocess redirect stderr stdout all users print chatspaces
@@ -200,8 +360,55 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
+### Display information about a specific chat space, asadmin
+```
+gam <UserItem> info chatspace asadmin <ChatSpace>
+        [fields <ChatSpaceFieldNameList>]
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### Display information about all chat spaces, asadmin
+For query and orderby information, see: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
+
+Only spaces of `<ChatSpaceType>` `space` are displayed; spaces of `<ChatSpaceType>` `groupchat` and `directmessage` are not displayed.
+```
+gam <UserItem> show chatspaces asadmin
+        [query <String>] [querytime<String> <Time>]
+        [orderby <ChatSpaceAdminOrderByFieldName> [ascending|descending]]
+        [fields <ChatSpaceFieldNameList>]
+        [formatjson]
+```
+By default, all chat spaces of type SPACE are displayed.
+* `query <String> [querytime<String> <Time>]` - Display selected chat spaces
+  * See: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam <UserItem> print chatspaces asadmin [todrive <ToDriveAttribute>*]
+        [query <String>] [querytime<String> <Time>]
+        [orderby <ChatSpaceAdminOrderByFieldName> [ascending|descending]]
+        [fields <ChatSpaceFieldNameList>]
+        [formatjson [quotechar <Character>]]
+```
+By default, all chat spaces of type SPACE are displayed.
+* `query <String> [querytime<String> <Time>]` - Display selected chat spaces
+  * See: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
+
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
 ## Manage Chat Members
-### Add members to a chat space
+### Add members to a user's chat space
 ```
 gam <UserTypeEntity> create chatmember <ChatSpace>
         [type human|bot] [role member|manager]
@@ -213,7 +420,7 @@ By default, Gam displays the information about the chatmember as an indented lis
 * `formatjson` - Display the fields in JSON format.
 * `returnidonly` - Display the chatmember name only
 
-### Delete members from a chat space
+### Delete members from a user's chat space
 Delete members by specifying a chat space and user/group email addresses.
 ```
 gam <UserTypeEntity> delete chatmember <ChatSpace>
@@ -221,36 +428,142 @@ gam <UserTypeEntity> delete chatmember <ChatSpace>
          (group <GroupItem>)|(groups <GroupEntity>))+
 ```
 
-Delete members by specifying chatmember names.
+Delete members from a user's chat space by specifying chatmember names.
 ```
 gam <UserTypeEntity> remove chatmember members <ChatMemberList>
 ```
 
+### Add members to a chat space, asadmin
+```
+gam <UserItem> create chatmember asadmin <ChatSpace>
+        [type human|bot] [role member|manager]
+        (user <UserItem>)* (members <UserTypeEntity>)*
+        (group <GroupItem>)* (groups <GroupEntity>)*
+        [formatjson|returnidonly]
+```
+By default, Gam displays the information about the chatmember as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+* `returnidonly` - Display the chatmember name only
+
+### Delete members from a chat space, asadmin
+Delete members by specifying a chat space and user/group email addresses.
+```
+gam <UserItem> delete chatmember asadmin <ChatSpace>
+        ((user <UserItem>)|(members <UserTypeEntity>)|
+         (group <GroupItem>)|(groups <GroupEntity>))+
+```
+
+Delete members from a chat space by specifying chatmember names, asadmin
+```
+gam <UserItem> remove chatmember members asadmin <ChatMemberList>
+```
+
+### Update a members role in a user's chat space
+Update members by specifying a chat space, user/group email addresses and role.
+```
+gam <UserTypeEntity> update chatmember <ChatSpace>
+        role member|manager
+        ((user <UserItem>)|(members <UserTypeEntity>))+
+```
+Update members by specifying chatmember names and role.
+```
+gam <UserTypeEntity> modify chatmember
+        role member|manager
+        members <ChatMemberList>
+```
+
+### Update a members role in a chat space, asadmin
+Update members by specifying a chat space, user/group email addresses and role.
+```
+gam <UserItem> update chatmember asadmin <ChatSpace>
+        role member|manager
+        ((user <UserItem>)|(members <UserTypeEntity>))+
+```
+Update members by specifying chatmember names and role.
+```
+gam <UserItem> modify chatmember asadmin
+        role member|manager
+        members <ChatMemberList>
+```
+
 ## Display Chat Members
-### Display information about a specific chat members
+### Display information about a user's specific chat members
 ```
 gam <UserTypeEntity> info chatmember members <ChatMemberList>
+        [fields <ChatMemberFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 
-### Display information about all chat members in a chat space
+### Display information about members in a user's chat spaces
 ```
-gam <UserTypeEntity> show chatmembers <ChatSpace>
+gam <UserTypeEntity> show chatmembers
+        <ChatSpace>* [types <ChatSpaceTypeList>]
         [showinvited [<Boolean>]] [showgroups [<Boolean>]] [filter <String>]
+        [fields <ChatMemberFieldNameList>]
         [formatjson]
 ```
 
+By default, members for all of a user's chat spaces of all types are displayed.
+* `<ChatSpace>` - Display members for a specific chat space
+* `types <ChatSpaceTypeList>` - Display members for specific types of spaces.
+
+By default, all JOINED user members in a chat space are displayed.
+* `showinvited` - Display `INVITED` members.
+* `showgroups` - Display group members,
+* `filter <String>` - Filter memberships by a member's `role `and `member.type`.
+  * To filter by role, set role to ROLE_MEMBER or ROLE_MANAGER.
+  * To filter by type, set member.type to HUMAN or BOT.
+  * To filter by both role and type, use the AND operator.
+  * To filter by either role or type, use the OR operator.
+
+For example, the following filters are valid:
+```
+role = "ROLE_MANAGER" OR role = "ROLE_MEMBER"
+member.type = "HUMAN" AND role = "ROLE_MANAGER"
+```
+The following filters are invalid:
+```
+member.type = "HUMAN" AND member.type = "BOT"
+role = "ROLE_MANAGER" AND role = "ROLE_MEMBER"
+```
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 
 ```
-gam <UserTypeEntity> print chatmembers [todrive <ToDriveAttribute>*] <ChatSpace>
+gam <UserTypeEntity> print chatmembers [todrive <ToDriveAttribute>*]
+        <ChatSpace>* [types <ChatSpaceTypeList>]
         [showinvited [<Boolean>]] [showgroups [<Boolean>]] [filter <String>]
+        [fields <ChatMemberFieldNameList>]
         [formatjson [quotechar <Character>]]
 ```
 
+By default, members for all of a user's chat spaces of all types are displayed.
+* `<ChatSpace>` - Display members for a specific chat space
+* `types <ChatSpaceTypeList>` - Display members for specific types of spaces.
+
+By default, all JOINED user members in a chat space are displayed.
+* `showinvited` - Display `INVITED` members.
+* `showgroups` - Display group members,
+* `filter <String>` - Filter memberships by a member's `role `and `member.type`.
+  * To filter by role, set role to ROLE_MEMBER or ROLE_MANAGER.
+  * To filter by type, set member.type to HUMAN or BOT.
+  * To filter by both role and type, use the AND operator.
+  * To filter by either role or type, use the OR operator.
+
+For example, the following filters are valid:
+```
+role = "ROLE_MANAGER" OR role = "ROLE_MEMBER"
+member.type = "HUMAN" AND role = "ROLE_MANAGER"
+```
+The following filters are invalid:
+```
+member.type = "HUMAN" AND member.type = "BOT"
+role = "ROLE_MANAGER" AND role = "ROLE_MEMBER"
+```
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -260,25 +573,95 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
-By default, only `JOINED` members are displayed; use `showinvited` to also display `INVITED` members.
+### Display information about specific chat members, asadmin
+```
+gam <UserItem> info chatmember asadmin members <ChatMemberList>
+        [fields <ChatMemberFieldNameList>]
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
 
-Use `filter <String>` to filter memberships by a member's `role `and `member.type`.
-* To filter by role, set role to ROLE_MEMBER or ROLE_MANAGER.
-* To filter by type, set member.type to HUMAN or BOT.
-* To filter by both role and type, use the AND operator.
-* To filter by either role or type, use the OR operator.
+### Display information about members all chat spaces, asadmin
+For query and orderby information, see: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
+```
+gam <UserItem> show chatmembers asadmin
+        <ChatSpace>*  [query <String>] [querytime<String> <Time>]
+        [showinvited [<Boolean>]] [showgroups [<Boolean>]] [filter <String>]
+        [fields <ChatMemberFieldNameList>]
+        [formatjson]
+```
 
-For example, the following queries are valid:
+By default, members for all chat spaces of type SPACE are displayed.
+* `<ChatSpace>` - Display members for a specific chat space
+* `query <String> [querytime<String> <Time>]` - Display members for selected chat spaces
+  * See: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
+
+By default, all JOINED user members in a chat space are displayed.
+* `showinvited` - Display `INVITED` members.
+* `showgroups` - Display group members,
+* `filter <String>` - Filter memberships by a member's `role `and `member.type`.
+  * To filter by role, set role to ROLE_MEMBER or ROLE_MANAGER.
+  * To filter by type, set member.type to HUMAN or BOT.
+  * To filter by both role and type, use the AND operator.
+  * To filter by either role or type, use the OR operator.
+
+For example, the following filters are valid:
 ```
 role = "ROLE_MANAGER" OR role = "ROLE_MEMBER"
 member.type = "HUMAN" AND role = "ROLE_MANAGER"
 ```
-The following queries are invalid:
+The following filters are invalid:
 ```
 member.type = "HUMAN" AND member.type = "BOT"
 role = "ROLE_MANAGER" AND role = "ROLE_MEMBER"
 ```
 
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam <UserItem> print chatmembers asadmin  [todrive <ToDriveAttribute>*]
+        <ChatSpace>*  [query <String>] [querytime<String> <Time>]
+        [showinvited [<Boolean>]] [showgroups [<Boolean>]] [filter <String>]
+        [fields <ChatMemberFieldNameList>]
+        [formatjson [quotechar <Character>]]
+```
+
+By default, members for all chat spaces of type SPACE are displayed.
+* `<ChatSpace>` - Display members for a specific chat space
+* `query <String> [querytime<String> <Time>]` - Display members for selected chat spaces
+  * See: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
+
+By default, all JOINED user members in a chat space are displayed.
+* `showinvited` - Display `INVITED` members.
+* `showgroups` - Display group members,
+* `filter <String>` - Filter memberships by a member's `role `and `member.type`.
+  * To filter by role, set role to ROLE_MEMBER or ROLE_MANAGER.
+  * To filter by type, set member.type to HUMAN or BOT.
+  * To filter by both role and type, use the AND operator.
+  * To filter by either role or type, use the OR operator.
+
+For example, the following filters are valid:
+```
+role = "ROLE_MANAGER" OR role = "ROLE_MEMBER"
+member.type = "HUMAN" AND role = "ROLE_MANAGER"
+```
+The following filters are invalid:
+```
+member.type = "HUMAN" AND member.type = "BOT"
+role = "ROLE_MANAGER" AND role = "ROLE_MEMBER"
+```
+
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
 ### Delete a user from their `space` and `groupchat` spaces
 There is no way to delete a user from a directmessage space.
 ```
@@ -371,7 +754,7 @@ Display a specific Chat message.
 
 ```
 gam <UserTypeEntity> info chatmessage name <ChatMessage>
-        [filter <String>]
+        [fields <ChatMessageFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -384,16 +767,20 @@ gam user user@domain.com info chatmessage name spaces/AAAADi-pvqc/messages/PKJrx
 
 ### Display information about all chat messages in a chat space
 ```
-gam <UserTypeEntity> show chatmessages <ChatSpace>
+gam <UserTypeEntity> show chatmessages
+        <ChatSpace>+
         [showdeleted [<Boolean>]] [filter <String>]
+        [fields <ChatMessageFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 
 ```
-gam <UserTypeEntity> print chatmessages [todrive <ToDriveAttribute>*] <ChatSpace>
+gam <UserTypeEntity> print chatmessages [todrive <ToDriveAttribute>*]
+        <ChatSpace>+
         [showdeleted [<Boolean>]] [filter <String>]
+        [fields <ChatMessageFieldNameList>]
         [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
@@ -440,6 +827,71 @@ filter 'createTime > \"2012-04-21T11:30:00+00:00\" AND createTime < \"2013-01-01
 filter 'thread.name = spaces/AAAAAAAAAAA/threads/123'
 ```
 
+## Display Chat Events
+Display a specific Chat event.
+
+```
+gam <UserTypeEntity> info chatevent name <ChatEvent>
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### Example
+```
+gam user user@domain.com info chatevent name spaces/AAAAsUhqjkg/spaceEvents/MTcxMTY4ODM2NDE3OTQzOV81X3VwZGF0ZWQ
+```
+
+### Display information about all chat events in a chat space
+```
+gam <UserTypeEntity> show chatevents
+        <ChatSpace>+
+        filter <String>
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam <UserTypeEntity> print chatevents [todrive <ToDriveAttribute>*]
+        <ChatSpace>+
+        filter <String>
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+Use `filter <String>` to filter events by when they occurred and by the type of event.
+
+To filter events by the date they happened, specify the start_time and end_time with a timestamp in RFC-3339 format and double quotation marks.
+
+You must specify at least one event type (event_types) using the has : operator. To filter by multiple event types, use the OR operator.
+For a list of supported event types, see: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.spaceEvents#SpaceEvent.FIELDS.event_type
+
+For example, the following queries are valid on Linux/MacOS:
+```
+filter 'start_time="2024-03-15T11:30:00-04:00" AND event_types:"google.workspace.chat.message.v1.created"'
+filter 'start_time="2024-03-15T11:30:00+00:00" AND end_time="2024-03-3100:00:00+00:00"event_types:"google.workspace.chat.message.v1.created"'
+```
+
+For example, the following queries are valid on Windows Command Prompt:
+```
+filter "start_time=\"2024-03-15T11:30:00-04:00\" AND event_types:\"google.workspace.chat.message.v1.created\""
+filter "start_time=\"2024-03-15T11:30:00+00:00\" AND end_time=\"2024-03-3100:00:00+00:00\" AND event_types:\"google.workspace.chat.message.v1.created\""
+```
+
+For example, the following queries are valid on Windows PowerShell:
+```
+filter 'start_time=\"2024-03-15T11:30:00-04:00\" AND event_types:\"google.workspace.chat.message.v1.created\"'
+filter 'start_time=\"2024-03-15T11:30:00+00:00\" AND end_time=\"2024-03-3100:00:00+00:00\" AND event_types:\"google.workspace.chat.message.v1.created\"'
+```
+
 ## Bulk Operations
 ### Display information about all chat spaces for a collection of users
 ```

docs/Users-Drive-Activity-Settings.md

@@ -70,7 +70,7 @@ Google has introduced Drive Activity API v2; it adds time and action filtering a
 Drive Activity API v1 has been deprecated.
 * https://developers.google.com/drive/activity/v2/migrating
 ```
-gam <UserTypeEntity> print|show driveactivity [v2] [todrive <ToDriveAttributes>*]
+gam <UserTypeEntity> print driveactivity [v2] [todrive <ToDriveAttributes>*]
         [(fileid <DriveFileID>)|(folderid <DriveFolderID>)|
          (drivefilename <DriveFileName>)|(drivefoldername <DriveFolderName>)|
          (query <QueryDriveFile>)]
@@ -79,7 +79,7 @@ gam <UserTypeEntity> print|show driveactivity [v2] [todrive <ToDriveAttributes>*
         [action|actions [not] <DriveActivityActionList>]
         [consolidationstrategy legacy|none]
         [idmapfile <FileName>|(gsheet <UserGoogleSheet>) [charset <String>] [columndelimiter <Character>] [noescapechar <Boolean>]  [quotechar <Character>]]
-        [formatjson [quotechar <Character>]]
+        [stripcrsfromname] [formatjson [quotechar <Character>]]
 ```
 By default, Drive Activity API v2 is used; the `v2` option is ignored.
 
@@ -128,6 +128,9 @@ must be present in the file; the column `name.fullName` will be used if present.
 
 If you don't use the `idmapfile` option, Gam makes an additional API call per user to get the name and email address.
 
+The `stripcrsfromname` option strips nulls, carriage returns and linefeeds from drive file names.
+Use this option if you discover filenames containing these special characters; it is not common.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -141,10 +144,16 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ```
 gam <UserTypeEntity> print drivesettings [todrive <ToDriveAttribute>*]
         [allfields|<DriveSettingsFieldName>*|(fields <DriveSettingsFieldNameList>)]
-        [delimiter <Character>]
+        [delimiter <Character>] [showusagebytes]
 gam <UserTypeEntity> show drivesettings
         [allfields|<DriveSettingsFieldName>*|(fields <DriveSettingsFieldNameList>)]
-        [delimiter <Character>]
+        [delimiter <Character>] [showusagebytes]
 ```
 If no fields are selected, these fields will be displayed:
     `name,appInstalled,largestChangeId,limit,maxUploadSize,permissionId,rootFolderId,usage,usageInDrive,usageInDriveTrash`
+
+By default, these fields are displayed in formatted form with units: ```usage,usageInDrive,usageInDriveTrash```.
+
+The option `showusagebytes` also displays the following fields in bytes ```usageBytes,usageInDriveBytes,usageInDriveTrashBytes```.
+
+This will be most useful with `print` as the rows can be sorted based on the `usagexxxBytes` columns.

docs/Users-Drive-Cleanup.md

@@ -39,7 +39,7 @@ gam <UserTypeEntity> delete emptydrivefolders
         [<SharedDriveEntity>]
         [pathdelimiter <Character>]
 ```
-By default, empty folders on My Drive are deleted. Use `select <DriveFileEntity>`
+By default, empty folders on My Drive are deleted(purged). Use `select <DriveFileEntity>`
 to select a Shared Drive or an alternate starting point folder on My Drive or a Shared Drive.
 
 By default, folder path components are separated by `/`; use `pathdelimiter <Character>` to use `<Character>` as the separator.

docs/Users-Drive-Comments.md

@@ -0,0 +1,157 @@
+# Users - Drive - Comments
+- [API documentation](#api-documentation)
+- [Query documentation](Users-Drive-Query)
+- [Definitions](#definitions)
+- [Display file comments](#display-file-comments)
+
+## API documentation
+* https://developers.google.com/drive/api/v3/reference/comments
+
+## Definitions
+* [`<DriveFileEntity>`](Drive-File-Selection)
+* [`<UserTypeEntity>`](Collections-of-Users)
+
+```
+<DomainName> ::= <String>(.<String>)+
+<EmailAddress> ::= <String>@<DomainName>
+<UniqueID> ::= id:<String>
+<UserItem> ::= <EmailAddress>|<UniqueID>|<String>
+
+<CommentsAuthorSubfieldName> ::=
+        author.displayname|
+        author.emailaddress|
+        author.me|
+        author.permissionid|
+        author.photolink
+
+<CommentsRepliesSubfieldName> ::=
+        reply.action|
+        reply.author|
+        reply.author.<CommentsAuthorSubfieldName>|
+        reply.content|
+        reply.createddate|createdtime|
+        reply.deleted|
+        reply.htmlcontent|
+        reply.id|
+        reply.modifieddate|modifiedtime
+
+<CommentsFieldName> ::=
+        action|
+        author|
+        content|
+        <CommentsAuthorSubfieldName>|
+        <CommentsRepliesSubfieldName>|
+        createddate|createdtime|
+        deleted|
+        htmlcontent|
+        id|
+        modifieddate|modifiedtime|
+        quotedfilecontent|
+        reply|replies|
+        resolved
+<CommentsFieldNameList> ::= "<CommentsFieldName>(,<CommentsFieldName>)*"
+```
+
+## Display file comments
+### Display as an indented list of keys and values.
+```
+gam <UserTypeEntity> show filecomments <DriveFileEntity>
+        [showdeleted] [start <Date>|<Time>]
+        [fields <CommentsFieldNameList>] [showphotolinks]
+	[countsonly]
+        [formatjson]
+```
+By default, all non-deleted comments for a file are displayed; use these options to modify that behavior.
+* `showdeleted` - Display deleted comments
+* `start <Date>|<Time>` - Display comments modified on or after `<Date>|<Time>`
+
+By default, all comment and reply fields except author photolinks are displayed; use these options to modify that behavior.
+* `fields <CommentsFieldNameList>` - Select fields to display
+* `showphotolinks` - Display author photolinks
+* `countsonly` - Display just the number of comments and replies; no fields
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### Display as a CSV file.
+Each comment/reply pair is output on a separate CSV file row.
+```
+gam <UserTypeEntity> print filecomments <DriveFileEntity> [todrive <ToDriveAttribute>*]
+        [showdeleted] [start <Date>|<Time>] [countsonly]
+        [fields <CommentsFieldNameList>] [showphotolinks]
+        (addcsvdata <FieldName> <String>)*
+        [formatjson [quotechar <Character>]]
+```
+By default, all non-deleted comments for a file are displayed; use these options to modify that behavior.
+Files with no comments will not be displayed.
+* `showdeleted` - Display deleted comments
+* `start <Date>|<Time>` - Display comments modified on or after `<Date>|<Time>`
+
+By default, all comment and reply fields except author photolinks are displayed; use these options to modify that behavior.
+* `fields <CommentsFieldNameList>` - Select fields to display
+* `showphotolinks` - Display author photolinks
+* `countsonly` - Display just the number of comments and replies; no fields. Files with no comments will display zero counts.
+
+Add additional columns of data from the command line to the output:
+* `addcsvdata <FieldName> <String>`
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+### Example
+```
+# Get files that may have comments
+$ gam redirect csv ./CheckForComments.csv user testsimple@domain.com print filelist showmimetype gdoc,gpresentation,gsheet fields id,name,mimetype
+Getting all Drive Files/Folders that match query ('me' in owners and (mimeType = 'application/vnd.google-apps.presentation' or mimeType = 'application/vnd.google-apps.spreadsheet' or mimeType = 'application/vnd.google-apps.document')) for testsimple@domain.com
+Got 131 Drive Files/Folders that matched query ('me' in owners and (mimeType = 'application/vnd.google-apps.presentation' or mimeType = 'application/vnd.google-apps.spreadsheet' or mimeType = 'application/vnd.google-apps.document')) for testsimple@domain.com...
+
+# Display file comments
+$ gam redirect csv ./FilesWithComments.csv multiprocess csv CheckForComments.csv gam user "~Owner" print filecomments "~id" addcsvdata fileName "~name" addcsvdata mimeType "~mimeType" fields author.displayName,author.me,content,createdTime,deleted,modifiedTime,resolved,reply.author.displayName,reply.author.me,reply.content,reply.createdTime,reply.deleted,reply.modifiedTime
+2024-03-24T08:04:46.235-07:00,0/131,Using 10 processes...
+2024-03-24T08:04:58.122-07:00,0,Processing item 100/131
+2024-03-24T08:05:01.345-07:00,0,Processing item 131/131
+2024-03-24T08:07:11.731-07:00,0/131,Processing complete
+
+$ more FilesWithCommnts.csv
+User,fileId,fileName,mimeType,commentId,replyId,author.displayName,author.me,content,createdTime,deleted,modifiedTime,resolved,reply.author.displayName,reply.author.me,reply.content,reply.createdTime,reply.deleted,reply.modifiedTime
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwm0,,Test-Simple,True,XXX Comment,2024-03-14T11:34:39-07:00,False,2024-03-14T11:34:39-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwkw,,Test-Simple,True,Grack Comment,2024-03-14T11:26:30-07:00,False,2024-03-14T11:26:30-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwkY,,Test-Simple,True,Again commnt,2024-03-14T11:24:13-07:00,False,2024-03-14T11:24:13-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwkQ,,Test-Simple,True,More Comment,2024-03-14T11:23:48-07:00,False,2024-03-14T11:23:48-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwkA,,Test-Simple,True,Comment 8,2024-03-14T11:23:14-07:00,False,2024-03-14T11:34:01-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwj4,,Test-Simple,True,Comment 7,2024-03-14T11:23:05-07:00,False,2024-03-14T11:23:05-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwj0,,Test-Simple,True,Comment 6,2024-03-14T11:22:55-07:00,False,2024-03-14T11:22:55-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwjs,,Test-Simple,True,Comment 5,2024-03-14T11:22:38-07:00,False,2024-03-14T11:22:38-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwjo,,Test-Simple,True,Comment 4,2024-03-14T11:22:19-07:00,False,2024-03-14T11:22:19-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedtKQ,,Test-Simple,True,End Comment,2024-03-14T10:32:16-07:00,False,2024-03-14T10:32:16-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedtKI,AAABJFedwik,Test-Simple,True,My first comment,2024-03-14T10:32:03-07:00,False,2024-03-14T11:15:05-07:00,False,Test-Simple,True,My first reply,2024-03-14T11:14:13-07:00,False,2024-03-14T11:14:13-07:00
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedtKI,AAABJFedwiw,Test-Simple,True,My first comment,2024-03-14T10:32:03-07:00,False,2024-03-14T11:15:05-07:00,False,Test-Simple,True,Yet another reply,2024-03-14T11:15:05-07:00,False,2024-03-14T11:15:05-07:00
+testsimple@domain.com,yyy,TS Sheet,application/vnd.google-apps.spreadsheet,AAABJM6zbc0,,Test-Simple,True,Sheet Comment,2024-03-14T20:43:18-07:00,False,2024-03-14T20:43:18-07:00,False,,,,,,
+testsimple@domain.com,zzz,TS Pres,application/vnd.google-apps.presentation,AAABJLy5DpA,,Test-Simple,True,Presentation Comment,2024-03-14T20:42:48-07:00,False,2024-03-14T20:42:48-07:00,False,,,,,,
+
+$ gam redirect csv ./FilesWithComments.csv multiprocess csv CheckForComments.csv gam user "~Owner" print filecomments "~id" addcsvdata fileName "~name" addcsvdata mimeType "~mimeType" fields author.displayName,author.me,content,createdTime,deleted,modifiedTime,resolved,reply.author.displayName,reply.author.me,reply.content,reply.createdTime,reply.deleted,,reply.modifiedTime
+2024-03-24T08:04:46.235-07:00,0/131,Using 10 processes...
+2024-03-24T08:04:58.122-07:00,0,Processing item 100/131
+2024-03-24T08:05:01.345-07:00,0,Processing item 131/131
+2024-03-24T08:07:11.731-07:00,0/131,Processing complete
+
+
+# Display file comment counts
+$ gam redirect csv ./FileCommentCounts.csv multiprocess csv CheckForComments.csv gam user "~Owner" print filecomments "~id" addcsvdata fileName "~name" addcsvdata mimeType "~mimeType" countsonly
+2024-03-24T07:51:16.881-07:00,0/131,Using 10 processes...
+2024-03-24T07:51:28.909-07:00,0,Processing item 100/131
+2024-03-24T07:51:32.241-07:00,0,Processing item 131/131
+2024-03-24T07:51:37.404-07:00,0/131,Processing complete
+
+$ more FileCommentCounts.csv
+User,fileId,fileName,mimeType,comments,replies
+...
+testsimple@domain.com,yyy,TS Sheet,application/vnd.google-apps.spreadsheet,1,0
+testsimple@domain.com,aaa,ViewTest,application/vnd.google-apps.document,0,0
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,11,2
+testsimple@domain.com,zzz,TS Pres,application/vnd.google-apps.presentation,1,0
+...
+```

docs/Users-Drive-Files-Display.md

@@ -28,9 +28,10 @@
 - [Display file list](#display-file-list)
   - [File selection by name and entity shortcuts for Display file list](#file-selection-by-name-and-entity-shortcuts-for-display-file-list)
   - [File selection starting point for Display file list](#file-selection-starting-point-for-display-file-list)
-  - [File selection with a particular drive label](#file-selection-with-a-particular-drive-label)
+  - [File selection with or without a particular drive label](#file-selection-with-or-without-a-particular-drive-label)
   - [Handle empty file lists](#handle-empty-file-lists)
 - [Display disk usage](#display-disk-usage)
+- [Display files published to the web](#display-files-published-to-the-web)
 
 ## API documentation
 * https://developers.google.com/drive/api/v3/reference/files
@@ -55,6 +56,16 @@
         never|
         now|today
 
+<SharedDriveID> ::= <String>
+<SharedDriveName> ::= <String>
+<SharedDriveIDEntity> ::= (teamdriveid <SharedDriveID>) | (teamdriveid:<SharedDriveID>)
+<SharedDriveNameEntity> ::= (teamdrive <SharedDriveName>) | (teamdrive:<SharedDriveName>)
+<SharedDriveFileNameEntity> ::= (teamdrivefilename <DriveFileName>) | (teamdrivefilename:<DriveFileName>)
+
+<SharedDriveEntity> ::=
+        <SharedDriveIDEntity> |
+        <SharedDriveNameEntity>
+
 <MimeTypeShortcut> ::=
         gdoc|gdocument|
         gdrawing|
@@ -71,6 +82,7 @@
         g3pshortcut|
         gsite
 <MimeTypeName> ::= application|audio|font|image|message|model|multipart|text|video
+<MimeTypeNameList> ::= "<MimeTypeName>(,<MimeTypeName>)*"
 <MimeType> ::= <MimeTypeShortcut>|(<MimeTypeName>/<String>)
 <MimeTypeList> ::= "<MimeType>(,<MimeType>)*"
 ```
@@ -267,9 +279,10 @@
         <DriveOwnersSubfieldName>|
         parents|
         <DriveParentsSubfieldName>|
+        permissionids|
+        permissiondetails|
         permissions|
         <DrivePermissionsSubfieldName>|
-        permissionids|
         properties|
         quotabytesused|quotaused|
         resourcekey|
@@ -394,22 +407,22 @@ Display file details in indented keyword: value format. The two forms are equiva
 ```
 gam <UserTypeEntity> show fileinfo <DriveFileEntity>
         [returnidonly]
-        [filepath|fullpath] [pathdelimiter <Character>]
+        [filepath|fullpath] [folderpathonly [<Boolean>]] [pathdelimiter <Character>]
         [allfields|<DriveFieldName>*|(fields <DriveFieldNameList>)]
         (orderby <DriveFileOrderByFieldName> [ascending|descending])*
         [showdrivename] [showshareddrivepermissions]
         [(showlabels details|ids)|(includelabels <DriveLabelIDList>)]
-        [showparentsidsaslist]
+        [showparentsidsaslist] [followshortcuts [<Boolean>]]
         [stripcrsfromname]
         [formatjson]
 gam <UserTypeEntity> info drivefile <DriveFileEntity>
         [returnidonly]
-        [filepath|fullpath] [pathdelimiter <Character>]
+        [filepath|fullpath] [folderpathonly [<Boolean>]] [pathdelimiter <Character>]
         [allfields|<DriveFieldName>*|(fields <DriveFieldNameList>)]
         (orderby <DriveFileOrderByFieldName> [ascending|descending])*
         [showdrivename] [showshareddrivepermissions]
         [(showlabels details|ids)|(includelabels <DriveLabelIDList>)]
-        [showparentsidsaslist]
+        [showparentsidsaslist] [followshortcuts [<Boolean>]]
         [stripcrsfromname]
         [formatjson]
 ```
@@ -419,6 +432,10 @@ Use `filepath` to display the path(s) to the files in `<DriveFileEntity>`.
 
 Use `fullpath` to add additional path information indicating that a file is an Orphan or Shared with me.
 
+By default, the path to a file includes the file name as the last element of the path.
+Use `folderpathonly` to display only the folder names when displaying the path to a file. This folder only path
+an be used in  `gam <UserTypeEntity> create drivefolderpath` to recreate the folder hierarchy.
+
 By default, file path components are separated by `/`; use `pathdelimiter <Character>` to use `<Character>` as the separator.
 
 When `allfields` is specified (or no fields are specified), use `showdrivename` to display Shared(Team) Drive names.
@@ -469,6 +486,9 @@ gam user user@domain.com show fileinfo <DriveFileEntity> fields id,name,mimetype
 The `stripcrsfromname` option strips nulls, carriage returns and linefeeds from drive file names.
 Use this option if you discover filenames containing these special characters; it is not common.
 
+Starting in version 6.80.10, the option `followshortcuts [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+causes GAM to display information about the target of the shortcut rather than the shortcut itself.
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 
@@ -477,16 +497,23 @@ By default, Gam displays the information as an indented list of keys and values.
 gam <UserTypeEntity> show filepath <DriveFileEntity>
         [returnpathonly]
         (orderby <DriveFileOrderByFieldName> [ascending|descending])*
-        [stripcrsfromname] [fullpath] [pathdelimiter <Character>]
+        [stripcrsfromname]
+        [folderpathonly [<Boolean>]] [fullpath] [pathdelimiter <Character>]
+        [followshortcuts [<Boolean>]]
 gam <UserTypeEntity> print filepath <DriveFileEntity> [todrive <ToDriveAttribute>*]
         (orderby <DriveFileOrderByFieldName> [ascending|descending])*
-        [stripcrsfromname] [fullpath] [pathdelimiter <Character>]
-        [oneitemperrow]
+        [stripcrsfromname] [oneitemperrow]
+        [fullpath] [folderpathonly [<Boolean>]] [pathdelimiter <Character>]
+        [followshortcuts [<Boolean>]]
 ```
 Use `returnpathonly` to display just the file path of the files in `<DriveFileEntity>`.
 
 Use `fullpath` to add additional path information indicating that a file is an Orphan or Shared with me.
 
+By default, the path to a file includes the file name as the last element of the path.
+Use `folderpathonly` to display only the folder names when displaying the path to a file. This folder only path
+an be used in  `gam <UserTypeEntity> create drivefolderpath` to recreate the folder hierarchy.
+
 By default, file path components are separated by `/`; use `pathdelimiter <Character>` to use `<Character>` as the separator.
 
 The `stripcrsfromname` option strips nulls, carriage returns and linefeeds from drive file names.
@@ -495,6 +522,9 @@ Use this option if you discover filenames containing these special characters; i
 By default, when printing file paths, all paths for a file are displayed on the same row; use `oneitemperrow` to
 have each file path displayed on a separate row.
 
+Starting in version 6.80.10, the option `followshortcuts [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+causes GAM to display path information for the target of the shortcut rather than the shortcut itself.
+
 ## Select files for Display file counts, list, tree
 Most GAM commands that deal with files require a `<DriveFileEntity>` to be specified; the command
 then processes those files. The `filecounts`, `filelist` and `filetree` commands don't process files, they just list them.
@@ -520,15 +550,22 @@ See: [Drive File Selection](Drive-File-Selection) for details of `<DriveFileName
         all_shortcuts |
         all_3p_shortcuts |
         all_items |
+        my_docs |
         my_files |
         my_folders |
         my_forms |
         my_google_files |
         my_non_google_files |
+        my_presentations |
+        my_publishable_items |
+        my_sheets |
         my_shortcuts |
+        my_slides |
         my_3p_shortcuts |
         my_items |
-        my_forms |
+        my_top_files |
+        my_top_folders |
+        my_top_items |
         others_files |
         others_folders |
         others_forms |
@@ -572,7 +609,7 @@ The `querytime<String> <Time>` value replaces the string `#querytime<String>#` i
 The characters following `querytime` can be any combination of lowercase letters and numbers. This is most useful in scripts
 where you can specify a relative date without having to change the script.
 
-For example, query for files last modified me than 5 years ago:
+For example, query for files last modified more than 5 years ago:
 ```
 querytime5years -5y query "modifiedTime<'#querytime5years#'"
 ```
@@ -610,9 +647,11 @@ By default, all types of files and folders are selected. You can specify a list
 This option updates the current query.
 ```
 showmimetype [not] <MimeTypeList>
+showmimetype category <MimeTypeNameList>
 ```
 * `showmimetype <MimeTypeList>` - Select files and folders with the specified MIME types
 * `showmimetype not <MimeTypeList>` - Select files and folders with MIME types other than those specified
+* `showmimetype category <MimeTypeNameList>` - Select files and folders with the specified MIME type categories
 
 ## File selection by file size
 These options would typically be used with `showmimetype` to select files of a particular type. This
@@ -645,36 +684,52 @@ Print or show file counts by MIME type and/or file name.
 gam <UserTypeEntity> print filecounts [todrive <ToDriveAttribute>*]
         [((query <QueryDriveFile>) | (fullquery <QueryDriveFile>) | <DriveFileQueryShortcut>)
             (querytime<String> <Time>)*]
+        [continueoninvalidquery [<Boolean>]]
         [corpora <CorporaAttribute>]
         [select <SharedDriveEntity>]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
         [excludetrashed]
-        [showsize] [showmimetypesize]
+        [showsize] [showmimetypesize] [showlastmodification]
+        (addcsvdata <FieldName> <String>)*
         [summary none|only|plus] [summaryuser <String>]
 gam <UserTypeEntity> show filecounts
         [((query <QueryDriveFile>) | (fullquery <QueryDriveFile>) | <DriveFileQueryShortcut>)
             (querytime<String> <Time>)*]
+        [continueoninvalidquery [<Boolean>]]
         [corpora <CorporaAttribute>]
         [select <SharedDriveEntity>]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
         [excludetrashed]
-        [showsize] [showmimetypesize]
+        [showsize] [showmimetypesize] [showlastmodification]
         [summary none|only|plus] [summaryuser <String>]
 ```
 
 By default, print filecounts displays counts of all files owned by the specified [`<UserTypeEntity>`](Collections-of-Users).
 
+The option `continueoninvalidquery [<Boolean>] can be used in special cases where a query of the form
+`query "'labels/mRoha85IbwCRl490E00xGLvBsSbkwIiuZ6PRNNEbwxyz' in labels" causes Google to issue an error
+saying that the query is invalid when, in fact, it is but the user does not have a license that suppprts drive file labels.
+When `continueoninvalidquery` is true, GAM prints an error message and proceeds to the next user rather that terminating
+as it does now. Of course, if the query really is invalid, you will get the message for every user.
+
 The `showsize` option displays the total size (in bytes) of the files counted.
 
-The showmimetypesize' displays the total size (in bytes) of each MIME type counted.
+The `showmimetypesize` option displays the total size (in bytes) of each MIME type counted.
+
+The option `showlastmodification` displays the following fields:
+`lastModifiedFileId,lastModifiedFileName,lastModifyingUser,lastModifiedTime`;
+these are for the most recently modified file.
+
+For print filecouts, add additional columns of data from the command line to the output:
+* `addcsvdata <FieldName> <String>` - Add additional columns of data from the command line to the output
 
 See [Select files for Display file counts, list, tree](#select-files-for-display-file-counts-list-tree)
 
@@ -893,7 +948,7 @@ gam <UserTypeEntity> print filetree [todrive <ToDriveAttribute>*]
         [select <DriveFileEntity> [selectsubquery <QueryDriveFile>]
             [depth <Number>]]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
@@ -905,7 +960,7 @@ gam <UserTypeEntity> show filetree
         [select <DriveFileEntity> [selectsubquery <QueryDriveFile>]
             [depth <Number>]]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
@@ -993,20 +1048,22 @@ Display a list of file/folder details in CSV format.
 gam <UserTypeEntity> print|show filelist [todrive <ToDriveAttribute>*]
         [((query <QueryDriveFile>) | (fullquery <QueryDriveFile>) | <DriveFileQueryShortcut>)
             (querytime<String> <Time>)*]
+        [continueoninvalidquery [<Boolean>]]
         [choose <DriveFileNameEntity>|<DriveFileEntityShortcut>]
         [corpora <CorporaAttribute>]
         [select <DriveFileEntity> [selectsubquery <QueryDriveFile>]
             [(norecursion [<Boolean>])|(depth <Number>)] [showparent]]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>] [mimetypeinquery [<Boolean>]]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>] [pmfilter] [oneitemperrow]
         [excludetrashed]
         [maxfiles <Integer>] [nodataheaders <String>]
         [countsonly [summary none|only|plus] [summaryuser <String>]
-	            [showsource] [showsize] [showmimetypesize]] [countsrowfilter]
-        [filepath|fullpath [pathdelimiter <Character>] [addpathstojson] [showdepth]] [buildtree]
+                    [showsource] [showsize] [showmimetypesize]]
+        [countsrowfilter]
+        [filepath|fullpath [folderpathonly [<Boolean>]] [pathdelimiter <Character>] [addpathstojson] [showdepth]] [buildtree]
         [allfields|<DriveFieldName>*|(fields <DriveFieldNameList>)]
         [showdrivename] [showshareddrivepermissions]
         [(showlabels details|ids)|(includelabels <DriveLabelIDList>)]
@@ -1018,10 +1075,20 @@ gam <UserTypeEntity> print|show filelist [todrive <ToDriveAttribute>*]
 ```
 By default, `print filelist` displays all files owned by the specified [`<UserTypeEntity>`](https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Users)
 
+The option `continueoninvalidquery [<Boolean>] can be used in special cases where a query  of the form
+`query "'labels/mRoha85IbwCRl490E00xGLvBsSbkwIiuZ6PRNNEbwxyz' in labels" causes Google to issue an error
+saying that the query is invalid when, in fact, it is but the user does not have a license that suppprts drive file labels.
+When `continueoninvalidquery` is true, GAM prints an error message and proceeds to the next user rather that terminating
+as it does now. Of course, if the query really is invalid, you will get the message for every user.
+
 When `allfields` is specified (or no fields are specified), use `showshareddrivepermissions` to display permissions
 when shared drives are queried/selected. In this case, the Drive API returns the permission IDs
 but not the permissions themselves so GAM makes an additional API call per file to get the permissions.
 
+By default, when `showimimetype` and `filepath|fullpath`are both specified, GAM locally filters files by MimeType;
+this may be slow if the user has a large number of files. Adding the option `mimetypeinquery` or `mimetypeinquery true`
+causes GAM to have Google filter files by MimeType; this will increase performance.
+
 See [Select files for Display file counts, list, tree](#select-files-for-display-file-counts-list-tree)
 
 ## File selection by name and entity shortcuts for Display file list
@@ -1113,13 +1180,13 @@ By default, when a folder is selected, only its contents are displayed.
 ## Choose what fields to display
 If no query or select is performed, use these options to get file path information:
 * `filepath|fullpath` - For files and folders, display the full path(s) to them starting at the root (My Drive)
-* `addcsvdata <FieldName> <String>` - Add additional columns of data from the command line to the output
 * `addpathstojson` - When this option and `formatjson` are specified, the path information will be included in the
 JSON data rather than as additional columns
+* `addcsvdata <FieldName> <String>` - Add additional columns of data from the command line to the output
 
 When used with `filepath` or `fullpath`, `showdepth` will display a `depth` column.
 Files/folders directly in `My Drive` are at depth 0, the depth increases by 1
-for each containing folder. For files with multiple parents, the maximum depth is displayed.
+for each containing folder.
 
 If a query or select is performed, use these options to get file path information:
 * `filepath` - For files, no path information is shown; for folders, the paths of all of its children are shown starting at the selected folder
@@ -1127,6 +1194,10 @@ If a query or select is performed, use these options to get file path informatio
 * `addpathstojson` - When this option and `formatjson` are specified, the path information will be included in the
 JSON data rather than as additional columns
 
+By default, the path to a file includes the file name as the last element of the path.
+Use `folderpathonly` to display only the folder names when displaying the path to a file. This folder only path
+an be used in  `gam <UserTypeEntity> create drivefolderpath` to recreate the folder hierarchy.
+
 By default, file path components are separated by `/`; use `pathdelimiter <Character>` to use `<Character>` as the separator.
 
 By default, only the fields `id` and `webViewLink` are displayed.
@@ -1453,7 +1524,7 @@ testuser@domain.com,Bottom Folder 11,1,My Drive/Top Folder/Middle Folder 1/Botto
 testuser@domain.com,Bottom Sheet 11,1,My Drive/Top Folder/Middle Folder 1/Bottom Folder 11/Bottom Sheet 11
 ```
 
-## File selection with a particular drive label
+## File selection with or without a particular drive label
 The Drive API doesn't support querying for a drive label, so GAM must do the filtering.
 
 Get the label id.
@@ -1463,9 +1534,13 @@ gam show drivelabels
 
 Find the label with properties:title: XXX where XXX is the desired label title, then get its id: value
 
-List the files.
+List the files with the label
 ```
-gam config csv_output_row_filter "labelInfo.labels.0.id:regex:PutLabelIdHere" user user@domain.com print filelist fields id,name,labelinfo includelabels PutLabelIdHere
+gam config csv_output_row_filter "labels:count>0" user user@domain.com print filelist fields id,name,mimetype showlabels ids includelabels PutLabelIdHere
+```
+List the files without the label
+```
+gam config csv_output_row_filter "labels:count=0" user user@domain.com print filelist fields id,name,mimetype showlabels ids includelabels PutLabelIdHere
 ```
 
 Adjust the `fields` list as desired.
@@ -1479,8 +1554,8 @@ Getting all Drive Files/Folders that match query ('me' in owners and name contai
 Got 0 Drive Files/Folders that matched query ('me' in owners and name contains 'abcd') for user@domain.com...
 $ more Files.csv
 Owner
-$ gam csv Files.csv gam user ~Owner show fileinfo ~id permissions
-Command: /Users/admin/bin/gam csv Files.csv gam user ~Owner show fileinfo >>>~id<<< permissions
+$ gam csv Files.csv gam user "~Owner" show fileinfo "~id" permissions
+Command: /Users/admin/bin/gam csv Files.csv gam user "~Owner" show fileinfo >>>~id<<< permissions
 
 ERROR: Header "id" not found in CSV headers of "Owner".
 Help: Syntax in file /Users/admin/bin/gam/GamCommands.txt
@@ -1494,7 +1569,7 @@ Getting all Drive Files/Folders that match query ('me' in owners and name contai
 Got 0 Drive Files/Folders that matched query ('me' in owners and name contains 'abcd') for user@domain.com...
 $ more Files.csv
 Owner,id,name
-$ gam csv Files.csv gam user ~Owner show fileinfo ~id permissions
+$ gam csv Files.csv gam user "~Owner" show fileinfo "~id" permissions
 $
 ```
 
@@ -1538,6 +1613,10 @@ For each folder in `<DriveFileEntity>`, the following items are displayed:
 * `totalFileCount` - The number of files directly in the folder and all of its subfolders
 * `totalFileSize` - The sum of the sizes of the files directly in the folder and all of its subfolders
 * `totalFolderCount` - The number of folders directly in the folder and all of its subfolders
+* `depth` - The depth of the folder
+  * `-1` - The top level folder
+  * `0` - Immediate children of the top level folder
+  * `1` - Immediate children of level 0 folders
 * `path` - The path of the folder
 
 There is a final row detailing files and folders in the trash; it is omitted if `excludetrashed` or `show summary` are specified.
@@ -1554,8 +1633,13 @@ There is a final row detailing files and folders in the trash; it is omitted if
 * `totalFileCount` - The number of files in the trash
 * `totalFileSize` - The sum of the sizes of the files in the trash
 * `totalFolderCount` - The number of folders in the trash
+* `depth` - Always -1
 * `path` - Trash
 
+GAM version `6.71.17` added the `depth` column that can be used to filter the depth of the folders displayed.
+Depth `-1` is the top level folder, depth `0` are its immediate children, depth `2` are the children of depth `1` and so forth.
+For example to limit the display to the top folder and its immediate children, use `config csv_output_row_filter depth:count<1`.
+
 By default, files owned by the user are counted. These options update the current query with the desired ownership.
 * `showownedby me` - Count files owned by the user; this is the default
 * `showownedby any` or `anyowner` - Count files accessible by the user
@@ -1582,27 +1666,67 @@ Use the `show` option to control the display of data:
 
 ### Examples
 ```
-$ gam redirect csv ./MyDriveUsage.csv user testsimple@domain.com print diskusage mydrive 
-User: testsimple@domain.com, Print 1 Drive Disk Usage
+$ gam redirect csv ./MyDriveUsage.csv user user@domain.com print diskusage mydrive 
+User: user@domain.com, Print 1 Drive Disk Usage
 $ more MyDriveUsage.csv
-User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,path
-testsimple@domain.com,testsimple@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,My Drive
-testsimple@domain.com,testsimple@domain.com,456YenC8f12ALfndaQ1NHc0RtUG92Y1BIUUl4bjVBRmNkWG5oakNqVVFDcXJWOHNmdFlwZmc,Classroom,True,False,False,0,0,15,9,6840,17,My Drive/Classroom
+User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
+user@domain.com,user@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
+user@domain.com,user@domain.com,456YenC8f12ALfndaQ1NHc0RtUG92Y1BIUUl4bjVBRmNkWG5oakNqVVFDcXJWOHNmdFlwZmc,Classroom,True,False,False,0,0,15,9,6840,17,0,My Drive/Classroom
+user@domain.com,user@domain.com,0B3YenC8f12ALfmRuX3I4WFlqaTRnMGhXNkVvWV9UUG1zRDQwY1BwVkJhUGx5WHVIcjJKZUU,TestUpdate,True,False,False,2,3420,0,2,3420,0,1,My Drive/Classroom/TestUpdate
+user@domain.com,user@domain.com,1MT5xJ897oYa0Q2OuzBDfLHvig6k_b0EKaovVA2imGYcnrmqZu5hjlJkEPMH-rHKj4qDyy9_j,TS Course,True,False,False,0,0,0,0,0,0,1,My Drive/Classroom/TS Course
+user@domain.com,user@domain.com,1gsbqsbhhwBx9hCF0sqtE213tpUn6Ebj2klLFhHb4xkzBKIdEFkvvwCVtZpYWPgOA796fIPEN,TS Course 2,True,False,False,0,0,0,0,0,0,1,My Drive/Classroom/TS Course 2
 ...
-testsimple@domain.com,testsimple@domain.com,1bHS_Tp77W3KSGRNSs_jP1RhAJhIGRCaI,XferFolder,True,False,False,1,1024,0,1,1024,0,My Drive/XferFolder
-testsimple@domain.com,testsimple@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,Trash
+user@domain.com,user@domain.com,1bHS_Tp77W3KSGRNSs_jP1RhAJhIGRCaI,XferFolder,True,False,False,1,1024,0,1,1024,0,0,My Drive/XferFolder
+user@domain.com,user@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash
 
-$ gam redirect csv ./MyDriveUsage.csv user testsimple@domain.com print diskusage mydrive show summaryandtrash
-User: testsimple@domain.com, Print 1 Drive Disk Usage
-$ more MyDriveUsage.csv 
-User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,path
-testsimple@domain.com,testsimple@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,My Drive
-testsimple@domain.com,testsimple@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,Trash
+$ gam config csv_output_row_filter "depth:count<1" redirect csv ./MyDriveUsage.csv user user@domain.com print diskusage mydrive 
+User: user@domain.com, Print 1 Drive Disk Usage
+$ more MyDriveUsage.csv
+User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
+user@domain.com,user@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
+user@domain.com,user@domain.com,456YenC8f12ALfndaQ1NHc0RtUG92Y1BIUUl4bjVBRmNkWG5oakNqVVFDcXJWOHNmdFlwZmc,Classroom,True,False,False,0,0,15,9,6840,17,0,My Drive/Classroom
+...
+user@domain.com,user@domain.com,1bHS_Tp77W3KSGRNSs_jP1RhAJhIGRCaI,XferFolder,True,False,False,1,1024,0,1,1024,0,0,My Drive/XferFolder
+user@domain.com,user@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash
 
-$ gam redirect csv ./MyDriveUsage.csv user testsimple@domain.com print diskusage shareddriveid 0AL5LiIe4dqxZUk9PVA  show summaryandtrash
-User: testsimple@domain.com, Print 1 Drive Disk Usage
+$ gam redirect csv ./MyDriveUsage.csv user user@domain.com print diskusage mydrive show summaryandtrash
+User: user@domain.com, Print 1 Drive Disk Usage
 $ more MyDriveUsage.csv 
-User,id,name,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,path
-testsimple@domain.com,0125LiIe4dqxZUk9PVA,TS Shared Drive 1,False,False,16,6144,7,42,73799,25,SharedDrives/TS Shared Drive 1
-testsimple@domain.com,Trash,Trash,True,True,1,1024,0,1,1024,0,Trash
+User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
+user@domain.com,user@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
+user@domain.com,user@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash
+
+$ gam redirect csv ./MyDriveUsage.csv user user@domain.com print diskusage shareddriveid 0AL5LiIe4dqxZUk9PVA  show summaryandtrash
+User: user@domain.com, Print 1 Drive Disk Usage
+$ more MyDriveUsage.csv 
+User,id,name,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
+user@domain.com,0125LiIe4dqxZUk9PVA,TS Shared Drive 1,False,False,16,6144,7,42,73799,25,-1,SharedDrives/TS Shared Drive 1
+user@domain.com,Trash,Trash,True,True,1,1024,0,1,1024,0,-1,Trash
+```
+
+## Display files published to the web
+Ths requires version 6.80.13 or later.
+
+You can display files published to the web.
+```
+# Get the published files
+gam config csv_output_header_filter "Owner,id,revisions.0.published,revisions.0.publishedOutsideDomain" csv_output_row_filter "revisions.0.published:boolean:true" auto_batch_min 1 num_threads 20 redirect csv ./PublishedDocs.csv multiprocess redirect stderr - multiprocess <UserTypeEntity> print filerevisions my_publishable_items select last 1
+# Get the files name, MIMEtype and path
+gam redirect csv ./PublishedDocsWithName.csv multiprocess redirect stderr - multiprocess csv ./PublishedDocs.csv gam user "~Owner" print filelist select "~id" fields id,name,mimetype fullpath addcsvdata published "~revisions.0.published" addcsvdata publishedOutsideDomain "~revisions.0.publishedOutsideDomain" 
+```
+
+You can display files published to the web internally for your domain only.
+```
+# Get the internally only published files
+gam config csv_output_header_filter "Owner,id,revisions.0.published,revisions.0.publishedOutsideDomain" csv_output_row_filter "revisions.0.published:boolean:true,revisions.0.publishedOutsideDomain:boolean:false" auto_batch_min 1 num_threads 20 redirect csv ./PublishedDocs.csv multiprocess redirect stderr - multiprocess <UserTypeEntity> print filerevisions my_publishable_items select last 1
+# Get the files name, MIMEtype and path
+gam redirect csv ./PublishedDocsWithName.csv multiprocess redirect stderr - multiprocess csv ./PublishedDocs.csv gam user "~Owner" print filelist select "~id" fields id,name,mimetype fullpath addcsvdata published "~revisions.0.published" addcsvdata publishedOutsideDomain "~revisions.0.publishedOutsideDomain" 
+```
+
+You can display files published to the web externally outside of your domain.
+```
+# Get the externally published files
+gam config csv_output_header_filter "Owner,id,revisions.0.published,revisions.0.publishedOutsideDomain" csv_output_row_filter "revisions.0.published:boolean:true,revisions.0.publishedOutsideDomain:boolean:true" auto_batch_min 1 num_threads 20 redirect csv ./PublishedDocs.csv multiprocess redirect stderr - multiprocess <UserTypeEntity> print filerevisions my_publishable_items select last 1
+# Get the files name, MIMEtype and path
+gam redirect csv ./PublishedDocsWithName.csv multiprocess redirect stderr - multiprocess csv ./PublishedDocs.csv gam user "~Owner" print filelist select "~id" fields id,name,mimetype fullpath addcsvdata published "~revisions.0.published" addcsvdata publishedOutsideDomain "~revisions.0.publishedOutsideDomain" 
 ```

docs/Users-Drive-Files-Manage.md

@@ -19,6 +19,7 @@
 - [Shortcuts](Users-Drive-Shortcuts)
 - [Drive Labels](Users-Drive-Labels)
 - [Download Google Documents as JSON](#download-google-documents-as-json)
+- [Upload changes to Google Documents](#upload-changes-to-google-documents)
 
 ## API documentation
 * https://developers.google.com/drive/api/v3/reference/files
@@ -207,7 +208,7 @@ If `noduplicate` is specfied, GAM will issue a warning and not perform the creat
 exists in the parent folder.
 
 By default, when files are uploaded from local content, they are created with `binary` format, i.e., the data is uploaded
-without any conversion. Standard GAM had an option `convert` that was passed to the Drive API v2 that it used.
+without any conversion. Legacy GAM had an option `convert` that was passed to the Drive API v2 that it used.
 * convert - Whether to convert this file to the corresponding Docs Editors format
 
 Advanced GAM uses Drive API v3 that doesn't support the `convert` option; it uses the `mimetype` argument to cause conversions.
@@ -283,7 +284,7 @@ mary@domain.com, Mary Smith
 
 # Create the student folders on the Shared Drive
 gam redirect csv ./StudentFolders.csv multiprocess csv Students.csv gam user admin@domain.com create drivefile mimetype gfolder drivefilename "~~Name~~ Digital Portfolio" parentid <TeamDriveID> csv addcsvdata primaryEmail "~primaryEmail"
-# Add ACLs granting the students write access to their folders; ~User refers to admin@domain.com
+# Add ACLs granting the students write access to their folders; "~User" refers to admin@domain.com
 gam csv StudentFolders.csv gam user "~User" add drivefileacl "~id" user "~primaryEmail" role fileorganizer
 # Add a shortcut to the folder on the student's My Drive
 gam csv StudentFolders.csv gam user "~primaryEmail" create drivefileshortcut "~id" parentid root
@@ -518,6 +519,7 @@ You can update a specific sheet within a Google spreadsheet or add a new sheet t
 * `addsheet <String>` - Specify a sheet name to be added to the Google Sheets file
 * `charset <Charset>` - Specify the character set of the local file; if not specified, the value of `charset` from `gam.cfg` will be used
 * `columndelimiter <Character>` - Columns are separated by `<Character>`; if not specified, the value of `csv_input_column_delimiter` from `gam.cfg` will be used
+
 If you want the Google spreadsheet to retain its name, specify: `retainname localfile LocalFile.csv`.
 
 By default, the user, file name, updated file name and id values are displayed on stdout.
@@ -542,6 +544,7 @@ gam <UserTypeEntity> get drivefile <DriveFileEntity> [revision <DriveFileRevisio
         [(format <FileFormatList>)|(gsheet|csvsheet <SheetEntity>)] [exportsheetaspdf <String>]
         [targetfolder <FilePath>] [targetname <FileName>|-]
         [donotfollowshortcuts [<Boolean>]] [overwrite [<Boolean>]] [showprogress [<Boolean>]]
+        [acknowledgeabuse [<Boolean>]]
 ```
 By default, Google Docs/Sheets/Slides are converted to Open Office format when downloaded. If you want a
 different format for these files or are downloading a different type of file, you must specify the format.
@@ -611,39 +614,55 @@ When getting a drivefile, you can show download progress information with the `s
 * `showprogress true` - Show download progress information
 * `showprogress false` - Do not show download progress information
 
+You may get the following error from Google when trying to download a file:
+```
+Download Failed: This file has been identified as malware or spam and cannot be downloaded.
+```
+Use the `acknowledgeabuse` option to control downloading the file.
+* `acknowledgeabuse` - Download the file; `the user is acknowledging the risk of downloading known malware or other abusive files`
+* `acknowledgeabuse true` - Download the file; `the user is acknowledging the risk of downloading known malware or other abusive files`
+* `acknowledgeabuse false` - Do not download the file; this is the default
+
 ### Example: Download a CSV file and execute a Gam command on its contents
 Suppose you have a Google Sheets file UserSheet with multiple sheets, one of which is named NewUsers; it has a column labelled primaryEmail.
 
 The following command will download the sheet and show the name for each user in the column.
 ```
-gam user user@domain.com get drivefile drivefilename UserSheet csvsheet NewUsers targetname - | gam redirect stdout - multiprocess csv - gam info user ~primaryEmail name nogroups nolicenses
+gam user user@domain.com get drivefile drivefilename UserSheet csvsheet NewUsers targetname - | gam redirect stdout - multiprocess csv - gam info user "~primaryEmail" name nogroups nolicenses
 ```
 * The `redirect stdout - multiprocess` option produces clean output from the multiple processes
 
 ## Trash files
 Move a file or folder to the trash. If a folder is moved to the trash, all of its child files and folders are moved to the trash.
 ```
-gam <UserTypeEntity> trash drivefile <DriveFileEntity>
-gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> trash
+gam <UserTypeEntity> trash drivefile <DriveFileEntity> [shortcutandtarget [<Boolean>]]
+gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> trash [shortcutandtarget [<Boolean>]]
 ```
 
+Starting in version 6.80.10, the  option `shortcutandtarget [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+causes GAM to process the shortcut and the target of the shortcut.
+
 ## Untrash files
 Remove a file or folder from the trash. If a folder is removed from the trash, all of its child files and folders are removed from the trash.
 ```
-gam <UserTypeEntity> untrash drivefile <DriveFileEntity>
-gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> untrash
+gam <UserTypeEntity> untrash drivefile <DriveFileEntity> [shortcutandtarget [<Boolean>]]
+gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> untrash [shortcutandtarget [<Boolean>]]
 ```
 
+Starting in version 6.80.10, the  option `shortcutandtarget [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+causes GAM to process the shortcut and the target of the shortcut.
+
 ## Purge files
 Purging a file permanently deletes it; it can not be recovered. If a folder is purged, all of its child files and folders are purged.
 ```
-gam <UserTypeEntity> purge drivefile <DriveFileEntity>
-gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> purge
+gam <UserTypeEntity> purge drivefile <DriveFileEntity> [shortcutandtarget [<Boolean>]]
+gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> purge [shortcutandtarget [<Boolean>]]
 ```
 
+Starting in version 6.80.10, the  option `shortcutandtarget [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+causes GAM to process the shortcut and the target of the shortcut.
+
 ## Download Google Documents as JSON
-This command was added in version 5.31.04, you'll have to do `gam update project` and
-`gam <UserTypeEntity> check|update serviceaccount` to enable it.
 ```
 gam <UserTypeEntity> get document <DriveFileEntity>
         [viewmode default|suggestions_inline|preview_suggestions_accepted|preview_without_suggestions]
@@ -666,3 +685,31 @@ By default, when getting a document, an existing local file will not be overwrit
 * `overwrite` - Overwite an existing file
 * `overwrite true` - Overwite an existing file
 * `overwrite false` - Do not overwite an existing file; add a numeric prefix and create a new file
+
+## Upload changes to Google Documents
+
+```
+<DocumentJSONUpdateRequest> ::=
+        '{"requests": [{object (Request)}], "writeControl": {object (WriteControl) }`
+See: https://developers.google.com/docs/api/reference/rest/v1/documents/request
+
+gam <UserTypeEntity> update document <DriveFileEntity>
+        ((json [charset <Charset>] <DocumentJSONUpdateRequest>) |
+         (json file <FileName> [charset <Charset>]))
+        [formatjson]
+```
+The JSON data can be read from a command line argument or a file. On the command line, the
+JSON data is enclosed in single quotes; these should not be present when the JSON data is read from a file.
+
+The output is formatted for human readability. Use the following option to produce JSON output for program parsing.
+* `formatjson` - Display output in JSON format.
+
+### Examples
+Replace Foo with Goo in a document.
+```
+File Update.json contains:
+{ "requests": [{"replaceAllText": {"replaceText": "Goo", "containsText": {"text": "Foo", "matchCase": "True"}}}]}
+
+
+gam user testuser@domain.com update document <DriveFileItem> json file Update.json
+```

docs/Users-Drive-Labels.md

@@ -6,12 +6,15 @@
 - [Introduction](#introduction)
 - [Display Drive Labels](#display-drive-labels)
 - [Process File Drive Labels](#process-file-drive-labels)
+- [Manage Drive Label Permissions](#manage-drive-label-permissions)
+- [Display Drive Label Permissions](#display-drive-label-permissions)
 
 ## API documentation
 * https://support.google.com/a/answer/9292382
 * https://developers.google.com/drive/labels/guides/overview
 * https://developers.google.com/drive/labels/guides/authorize
 * https://developers.google.com/drive/labels/reference/rest/v2beta/labels
+* https://developers.google.com/drive/labels/reference/rest/v2beta/labels.permissions
 * https://developers.google.com/drive/api/guides/about-labels
 * https://developers.google.com/drive/api/v3/reference/files
 
@@ -19,13 +22,15 @@
 To use these commands you must add the 'Drive Labels API' to your project and update your service account authorization.
 ```
 gam update project
-gam user user@domain.com check serviceaccount
+gam user user@domain.com update serviceaccount
 ```
 Supported editions for this feature: Business Standard and Business Plus; Enterprise; Education Standard and Education Plus; G Suite Business; Essentials.
 
 ## Definitions
 * [`<DriveFileEntity>`](Drive-File-Selection)
 * [`<UserTypeEntity>`](Collections-of-Users)
+* [`<DriveLabelNameEntity>`, `<DriveLabelPermissionNameEntity'](Collections-of-Items)
+* [`<UserTypeEntity>`](Collections-of-Items)
 
 ```
 <DriveLabelID> ::= <String>
@@ -35,7 +40,11 @@ Supported editions for this feature: Business Standard and Business Plus; Enterp
 <DriveLabelNameList> ::= "<DriveLabelName>(,<DriveLabelName)*"
 <DriveLabelNameEntity> ::=
         <DriveLabelNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+
+<DriveLabelPermissionName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]/permissions/(audiences|groups|people)/<String>
+<DriveLabelPermissionNameList> ::= "<DriveLabelPermissionName>(,<DriveLabelPermissionName>)*"
+<DriveLabelPermissionNameEntity> ::=
+        <DriveLabelPermissionNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
 
 <DriveLabelFieldID> ::= <String>
 <DriveLabelSelectionID> ::= <String>
@@ -86,9 +95,9 @@ A domain administrator with the Drive and Docs administrator privilege can searc
 owned by their organization, regardless of the admin's membership in any given Shared Drive.
 
 Three forms of the commands are available:
-* `gam action ...` - The administrator named in oauth2.txt is used, domain administrator access implied and labels of type `SHARED` and `ADMIN`can be written
-* `gam <UserTypeEntity> action ... adminaccess` - The user named in `<UserTypeEntty>` is used, adminaccess indicates that labels of type `SHARED` and `ADMIN`can be written
-* `gam <UserTypeEntity> action ...` - The user named in `<UserTypeEntty>` is used, access is limited, onlylabels of type `SHARED` can be written
+* `gam action ...` - The administrator named in oauth2.txt is used, domain administrator access implied and labels of type `SHARED` and `ADMIN`can be processed
+* `gam <UserTypeEntity> action ... adminaccess` - The user named in `<UserTypeEntty>` is used, adminaccess indicates that labels of type `SHARED` and `ADMIN`can be processed
+* `gam <UserTypeEntity> action ...` - The user named in `<UserTypeEntty>` is used, access is limited, onlylabels of type `SHARED` can be processed
 
 ## Display Drive Labels
 
@@ -156,3 +165,51 @@ gam <UserTypeEntity> process filedrivelabels <DriveFileEntity>
 
 By default, details of the process labels are displayed, use `nodetails` to suppress this display.
 
+## Manage Drive Label Permissions
+Create a permission for a Drive Label by specifying the label name and the principal.
+```
+gam [<UserTypeEntity>] create drivelabelpermission <DriveLabelNameEntity>
+        (user <UserItem>) | (group <GroupItem) | (audience <String>)
+        role applier|editor|organizer|reader
+        [nodetails|formatjson] [adminaccess|asadmin]
+```
+
+By default, when a permission is created, GAM outputs details of the permission as indented keywords and values.
+* `nodetails` - Suppress the details output.
+* `formatjson` - Output the details in JSON format.
+
+Delete a Drive Label permission by specifying the label name and the principal.
+```
+gam [<UserTypeEntity>] delete drivelabelpermission <DriveLabelNameEntity>
+        (user <UserItem>) | (group <GroupItem) | (audience <String>)
+        [adminaccess|asadmin]
+```
+
+Delete a Drive Label permission by specifying the label permission name.
+```
+gam [<UserTypeEntity>] remove drivelabelpermission <DriveLabelPermissionNameEntity>
+        [adminaccess|asadmin]
+```
+## Display Drive Label Permissions
+Display permissions for a collection of Drive Label permission names.
+```
+gam [<UserTypeEntity>] show drivelabelpermissions <DriveLabelNameEntity>
+        [formatjson] [adminaccess|asadmin]
+```
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam [<UserTypeEntity>] print drivelabelpermissions <DriveLabelNameEntity> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]] [adminaccess|asadmin]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+

docs/Users-Drive-Ownership.md

@@ -63,6 +63,10 @@ gam <UserTypeEntity> transfer ownership <DriveFileEntity> <UserItem>
         (orderby <DriveOrderByFieldName> [ascending|descending])*
         [preview] [filepath] [pathdelimiter <Character>] [buildtree] [todrive <ToDriveAttribute>*]
 ```
+`<DriveFileEntity>` specifies a file/folder owned by the source user `<UserTypeEntity>`.
+
+The target user is specified by `<UserItem>`.
+
 By default, there is no change of parents for the transferred files/folders, they remain in their current location.
 * `<DriveFileParentAttribute>` - Specify a parent folder in the My Drive of the target user `<UserItem>`.
 
@@ -92,7 +96,7 @@ point to control the students further access to the files.
 ```
 gam <UserTypeEntity> claim ownership <DriveFileEntity>
         [<DriveFileParentAttribute>] [includetrashed]
-        [skipids <DriveFileEntity>] [skipusers <UserTypeEntity>] [subdomains <DomainNameEntity>]
+        [skipids <DriveFileEntity>] [onlyusers|skipusers <UserTypeEntity>] [subdomains <DomainNameEntity>]
         [restricted [<Boolean>]] [writerscanshare|writerscantshare [<Boolean>]]
         [keepuser | (retainrole reader|commenter|writer|editor|none)] [noretentionmessages]
         (orderby <DriveOrderByFieldName> [ascending|descending])*
@@ -107,8 +111,11 @@ By default, files in the trash are not transferred.
 Specify order of file processing.
 * `(orderby <DriveOrderByFieldName> [ascending|descending])*`
 
-These options handle special cases where you want to prevent ownership from being transferred for selected files/folders.
+This option handles special cases where you want to prevent ownership from being transferred for selected files/folders.
 * `skipids <DriveFileEntity>` - Do not transfer ownership for files/folders with the specified IDs.
+
+These mutually exclusive  options handle special cases where you want to prevent ownership from being transferred based on the current file/folder owner.
+* `onlyusers <UserTypeEntity>` - Only transfer ownership for files/folders owned by the specified users.
 * `skipusers <UserTypeEntity>` - Do not transfer ownership for files/folders owned by the specified users.
 
 By default, only files owned by users in the same domain as the claiming user have their ownership transferred.

docs/Users-Drive-Permissions.md

@@ -8,6 +8,7 @@
 - [Display file permissions/sharing](#display-file-permissionssharing)
 - [Delete all ACLs except owner from a file](#delete-all-acls-except-owner-from-a-file)
 - [Change shares to User1 to shares to User2](#change-shares-to-user1-to-shares-to-user2)
+- [Map All ACLs from an old domain to a new domain](#map-all-acls-from-an-old-domain-to-a-new-domain)
 
 ## API documentation
 * https://developers.google.com/drive/api/v3/reference/permissions
@@ -24,6 +25,22 @@
 <UniqueID> ::= id:<String>
 <UserItem> ::= <EmailAddress>|<UniqueID>|<String>
 
+<DriveFileOrderByFieldName> ::=
+        createddate|createdtime|
+        folder|
+        lastviewedbyme|lastviewedbymedate|lastviewedbymetime|lastviewedbyuser|
+        modifiedbyme|modifiedbymedate|modifiedbymetime|modifiedbyuser|
+        modifieddate|modifiedtime|
+        name|
+        name_natural|
+        quotabytesused|quotaused|
+        recency|
+        sharedwithmedate|sharedwithmetime|
+        starred|
+        title|
+        title_natural|
+        viewedbymedate|viewedbymetime
+
 <DrivePermissionsFieldName> ::=
         additionalroles|
         allowfilediscovery|
@@ -316,4 +333,26 @@ gam redirect csv ./FilesSharedWithU1Settings.csv multiprocess csv FilesSharedWit
 gam redirect stdout ./DeleteU1Sharing.txt multiprocess redirect stderr stdout csv FilesSharedWithU1Settings.csv gam user "~Owner" delete drivefileacl "~id" "~permissions.0.emailAddress"
 # For each of these files, add the share to User2 with the same role that User1 had
 gam redirect stdout ./AddUser2Sharing.txt multiprocess redirect stderr stdout csv FilesSharedWithU1Settings.csv gam user "~Owner" create drivefileacl "~id" user user2@domain.com role "~permissions.0.role"
-```
+```
+
+## Map All ACLs from an old domain to a new domain
+* Get ACLs
+```
+gam redirect csv ./allUsersFiles.csv multiprocess all users print filelist fields name,id,basicpermissions oneitemperrow pmfilter pm domain olddomain.com em
+```
+
+* Delete ACLs with olddomain.com
+```
+gam redirect stdout ./DeleteOldDomainACLs.txt multiprocess redirect stderr stdout csv ./allUsersFiles.csv gam user "~Owner" delete drivefileacl "~id" "id:~~permission.id~~"
+```
+
+* Add user/group ACLs replacing olddomain.com with newdomain.com
+```
+gam config csv_input_row_filter "permission.type:regex:user|group" redirect stdout ./AddNewDomainACLsUserGroupShares.txt multiprocess redirect stderr stdout csv ./allUsersFiles.csv gam user "~Owner" create drivefileacl "~id" "~permission.type" "~permission.emailAddress" role "~permission.role" mappermissionsdomain olddomain.com newdomain.com
+```
+
+* Add domain ACLs replacing olddomain.com with newdomain.com
+```
+gam config csv_input_row_filter "permission.type:regex:domain" redirect stdout ./AddNewDomainACLsDomainShares.txt multiprocess redirect stderr stdout csv ./allUsersFiles.csv gam user "~Owner" create drivefileacl "~id" "~permission.type" "~permission.domain" role "~permission.role" allowfilediscovery "~permission.allowFileDiscovery" mappermissionsdomain olddomain.com newdomain.com
+```
+    

docs/Users-Drive-Revisions.md

@@ -85,6 +85,8 @@ gam <UserTypeEntity> update filerevisions <DriveFileEntity> select <DriveFileRev
 ```
 When `select <DriveFileRevisionIDEntity>` is omitted, all revisions are updated. 
 
+* `keepforever true` - Keep revision forever, even if it is no longer the head revision
+* `keepforever false` - Do not keep revision forever
 * `published true` - Publish these revision to the web
 * `published false` - Do not publish these revision to the web
 * `publishauto true` - Automaticaly publish subsequent revisions to the web

docs/Users-Drive-Transfer.md

@@ -19,6 +19,22 @@
 <EmailAddress> ::= <String>@<DomainName>
 <UniqueID> ::= id:<String>
 <UserItem> ::= <EmailAddress>|<UniqueID>|<String>
+
+<DriveFileOrderByFieldName> ::=
+        createddate|createdtime|
+        folder|
+        lastviewedbyme|lastviewedbymedate|lastviewedbymetime|lastviewedbyuser|
+        modifiedbyme|modifiedbymedate|modifiedbymetime|modifiedbyuser|
+        modifieddate|modifiedtime|
+        name|
+        name_natural|
+        quotabytesused|quotaused|
+        recency|
+        sharedwithmedate|sharedwithmetime|
+        starred|
+        title|
+        title_natural|
+        viewedbymedate|viewedbymetime
 ```
 ## GAM Data Transfers
 ```

docs/Users-Gmail-CSE.md

@@ -0,0 +1,217 @@
+# Users - Gmail - Client Side Encryption
+- [API documentation](#api-documentation)
+- [Notes](#notes)
+- [Definitions](#definitions)
+- [Create Gmail CSE Identity](#create-gmail-cse-identity)
+- [Update Gmail CSE Identity](#update-gmail-cse-identity)
+- [Delete Gmail CSE Identity](#delete-gmail-cse-identity)
+- [Display Gmail CSE Identities](#display-gmail-cse-identities)
+- [Create Gmail CSE Key Pair](#create-gmail-cse-key-pair)
+- [Action Gmail CSE Key Pairs](#action-gmail-cse-key-pairs)
+- [Display Gmail CSE Key Pairs](#display-gmail-cse-key-pairs)
+
+## API documentation
+* https://developers.google.com/gmail/api/reference/rest/v1/users.settings.cse.identities
+* https://developers.google.com/gmail/api/reference/rest/v1/users.settings.cse.keypairs
+
+## Notes
+
+This is an initial, minimally tested release; proceed with care and report all issues.
+
+Setting up Client Side Encryption is not for the faint of heart; here is a start.
+* https://support.google.com/a/answer/10741897?hl=en&ref_topic=10742486&sjid=10342493441460488213-NA
+
+Do I personally understand what's going on here? No, I just added the API calls to GAM.
+
+Two sets of files are required for Gmail CSE, these two variables in `gam.cfg` control where GAM looks for these files.
+You must edit `gam.cfg` to set the paths you currently use.
+```
+gmail_cse_incert_dir
+        Directory for the S/MIME certificate files used by Gmail Client Side Encryption.
+        Default: Blank
+gmail_cse_inkey_dir
+        Directory for the Key Access Control List (KACL) wrapped private key data files used by Gmail Client Side Encryption.
+        Default: Blank
+```
+
+## Definitions
+* [`<UserTypeEntity>`](Collections-of-Users)
+
+```
+<DomainName> ::= <String>(.<String>)+
+<EmailAddress> ::= <String>@<DomainName>
+<FilePath> ::= <String>
+<Password> ::= <String>
+<KeyPairID> ::= <String>
+```
+## Create Gmail CSE Identity
+Creates and configures a client-side encryption identity that's authorized to send mail from the user account.
+Google publishes the S/MIME certificate to a shared domain-wide directory so that people within a Google Workspace organization can encrypt and send mail to the identity.
+
+```
+gam <UserTypeEntity> create cseidentity
+        (primarykeypairid <KeyPairID>) | (signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>)
+        [kpemail <EmailAddress>]
+        [formatjson]
+```
+One of the following is required:
+* `primarykeypairid <KeyPairID>` - The configuration of a CSE identity that uses the same key pair for signing and encryption.
+* `signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>` - The configuration of a CSE identity that uses different key pairs for signing and encryption.
+
+If `kpemail <EmailAddress>` is not specified, the user's primary email address is used for the identity.
+
+By default, Gam displays the identity as an indented list of keys and values; the following option causes the output to be in JSON format:
+* `formatjson` - Display the fields in JSON format.
+
+## Update Gmail CSE Identity
+Associates a different key pair with an existing client-side encryption identity. The updated key pair must validate against Google's S/MIME certificate profiles.
+```
+gam <UserTypeEntity> update cseidentity
+        (primarykeypairid <KeyPairID>) | (signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>)
+        [kpemail <EmailAddress>]
+        [formatjson]
+```
+One of the following is required:
+* `primarykeypairid <KeyPairID>` - The configuration of a CSE identity that uses the same key pair for signing and encryption.
+* `signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>` - The configuration of a CSE identity that uses different key pairs for signing and encryption.
+
+bIf `kpemail <EmailAddress>` is not specified, the key pair for the user's primary email address is identity updated.
+
+By default, Gam displays the identity as an indented list of keys and values; the following option causes the output to be in JSON format:
+* `formatjson` - Display the fields in JSON format.
+
+## Delete Gmail CSE Identity
+Deletes a client-side encryption identity. The authenticated user can no longer use the identity to send encrypted messages.
+You cannot restore the identity after you delete it. Instead, use the `create cseidentity`  to create another identity with the same configuration.
+
+```
+gam <UserTypeEntity> delete cseidentity [kpemail <EmailAddress>]
+```
+If `kpemail <EmailAddress>` is not specified, the identity for the user's primary email address is deleted.
+
+## Display Gmail CSE Identities
+### Display a client-side encryption identity configuration.
+```
+gam <UserTypeEntity> info cseidentity [kpemail <EmailAddress>]
+        [formatjson]
+```
+If `kpemail <EmailAddress>` is not specified, the user's primary email address is used for the identity.
+
+
+### Display all of the client-side encrypted identities for an authenticated user.
+```
+gam <UserTypeEntity> show cseidentities
+        [formatjson]
+```
+By default, Gam displays the identity as an indented list of keys and values; the following option causes the output to be in JSON format:
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam <UserTypeEntity> print cseidentities [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+## Create Gmail CSE Key Pair
+Create a CSE Key Pair for the primary address of a user.
+```
+gam <UserTypeEntity> create csekeypair
+        [incertdir <FilePath>] [inkeydir <FilePath>]
+        [addidentity [<Boolean>]] [kpemail <EmailAddress>]
+        [showpem] [showkaclsdata] [formatjson|returnidonly]
+```
+* The S/MIME certificate files for the users are in the `incertdir <FilePath>` folder/directory.
+* If this option is not specified, the directory is taken from `gam.cfg/gmail_cse_incert_dir`.
+* The files must be named `user@domain.com.p7pem`.
+* The certificate contains the public key and its certificate chain. The chain must be in PKCS#7 format and use PEM encoding and ASCII armor.
+
+* The Key Access Control List (KACL) wrapped private key data files are in the `inkeydir <FilePath>` folder/directory.
+* If this option is not specified, the directory is taken from `gam.cfg/gmail_cse_inkey_dir`.
+* The files must be named `user@domain.com.wrap`.
+* The files are in JSON format with two keys:
+    * `kacls_url` - The URI of the key access control list service that manages the private key.
+    * `wrapped_private_key` - Opaque data generated and used by the key access control list service.
+
+By default, the `pem` and `kaclsdata` fields will not be displayed unless the corresponding `showpem` and `showkaclsdata` option is specified.
+
+By default, Gam displays the new key pair as an indented list of keys and values; the following options cause the output to be displayed in alternate forms.
+* `formatjson` - Display the fields in JSON format.
+* `returnidonly` - Display just the new `<KeyPairID>`.
+
+If 'addidentity` or `addidentity true` is specified, a client-side encryption identity is created with the new key pair.
+If `kpemail <EmailAddress>` is not specified, the user's primary email address is used for the identity.
+
+By default, Gam displays the identity as an indented list of keys and values; the following option causes the output to be in JSON format:
+* `formatjson` - Display the fields in JSON format.
+* `returnidonly` - Display just the new `<KeyPairID>-<EmailAddress>`.
+
+
+## Action Gmail CSE Key Pairs
+### Display pem and kaclsdata fields
+By default, the `pem` and `kaclsdata` fields will not be displayed unless the corresponding `showpem` and `showkaclsdata` option is specified.
+
+### Disable
+Turns off a client-side encryption key pair. The authenticated user can no longer use the key pair to decrypt incoming CSE message texts or sign outgoing CSE mail.
+```
+gam <UserTypeEntity> disable csekeypair <KeyPairID>
+        [showpem] [showkaclsdata] [formatjson]
+```
+By default, Gam displays the disabled key pair as an indented list of keys and values; the following option causes the output to be displayed in alternate forms.
+* `formatjson` - Display the fields in JSON format.
+
+### Enable
+Turn on a client-side encryption key pair that was turned off. The key pair becomes active again for any associated client-side encryption identities.
+```
+gam <UserTypeEntity> ensable csekeypair <KeyPairID>
+        [showpem] [showkaclsdata] [formatjson]
+```
+By default, Gam displays the enabled key pair as an indented list of keys and values; the following option causes the output to be displayed in alternate forms.
+* `formatjson` - Display the fields in JSON format.
+
+### Obliterate
+Delete a client-side encryption key pair permanently and immediately. You can only permanently delete key pairs that have been turned off for more than 30 days.
+To turn off a key pair, use `disable csekeypair`.
+```
+gam <UserTypeEntity> obliterate csekeypair <KeyPairID>
+```
+
+Gmail can't restore or decrypt any messages that were encrypted by an obliterated key. Authenticated users and Google Workspace administrators lose access to reading the encrypted messages.
+
+## Display Gmail CSE Key Pairs
+### Display pem and kaclsdata fields
+By default, the `pem` and `kaclsdata` fields will not be displayed unless the corresponding `showpem` and `showkaclsdata` option is specified.
+
+### Display an existing client-side encryption key pair.
+```
+gam <UserTypeEntity> info csekeypair <KeyPairID>
+        [showpem] [showkaclsdata] [formatjson]
+```
+By default, Gam displays the key pairs as an indented list of keys and values; the following option causes the output to be in JSON format:
+* `formatjson` - Display the fields in JSON format.
+
+
+### Display all client-side encryption key pairs for an authenticated user.
+```
+gam <UserTypeEntity> show csekeypairs
+        [showpem] [showkaclsdata] [formatjson]
+```
+By default, Gam displays the key pairs as an indented list of keys and values; the following option causes the output to be in JSON format:
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam <UserTypeEntity> print csekeypairs [todrive <ToDriveAttribute>*]
+        [showpem] [showkaclsdata] [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the key pairs as columns of fields; the following option causes the output to be in JSON format:
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.

docs/Users-Gmail-Delegates.md

@@ -10,7 +10,8 @@
 
 ## API documentation
 * https://developers.google.com/gmail/api/v1/reference/users/settings/delegates
-* https://support.google.com/a/answer/7223765?hl=en
+* https://support.google.com/a/answer/7223765
+* https://support.google.com/a/answer/11946994
 
 ## Definitions
 * [`<UserTypeEntity>`](Collections-of-Users)

docs/Users-Gmail-Forwarding.md

@@ -87,3 +87,8 @@ Show forwarding addresses for all users with forwarding on.
 gam config auto_batch_min 1 num_threads 5 redirect csv ./FowardEnabledUsers.csv multiprocess redirect stdout - multiprocess redirect stderr stdout all users print forward enabledonly
 gam redirect csv ./FowardEnabledUsersForwardingAddresses.csv multiprocess redirect stdout - multiprocess redirect stderr stdout csv ./FowardEnabledUsers.csv gam user "~User" print forwardingaddresses
 ```
+
+Show forwarding addresses that are not your domain for all users with forwarding on.
+```
+gam config csv_output_row_drop_filter "forwardTo:regex:yourdomain.com" auto_batch_min 1 num_threads 20 redirect csv ./NonDomainForwards.csv multiprocess redirect stdout - multiprocess redirect stderr stdout all users print forward enabledonly
+```

docs/Users-Gmail-Labels.md

@@ -88,11 +88,17 @@ all parent labels are created as necessary.
 Example: `gam user user@domain.com add label "Top/Middle/Bottom" buildpath`
 
 ## Update a label's settings
+The two commands are equivalent; in the first you specify a `<LabelName>`, in the second you specify a `<LabelId>`.
 ```
 gam <UserTypeEntity> update labelsettings <LabelName> [name <String>]
         [messagelistvisibility hide|show] [labellistvisibility hide|show|showifunread]
         [backgroundcolor "<LabelColorHex>|<LabelBackgroundColorHex>|custom:<ColorHex>"]
         [textcolor "<LabelColorHex>|<LabelTextColorHex>|custom:<ColorHex>"]
+
+gam <UserTypeEntity> update labelid <LabelID> [name <String>]
+        [messagelistvisibility hide|show] [labellistvisibility hide|show|showifunread]
+        [backgroundcolor "<LabelColorHex>|<LabelBackgroundColorHex>|custom:<ColorHex>"]
+        [textcolor "<LabelColorHex>|<LabelTextColorHex>|custom:<ColorHex>"]
 ```
 `<LabelColorHex>` values should be enclosed in " to keep the command shell on MacOS and Linux from mis-interpreting them.
 

docs/Users-Gmail-Messages-Threads.md

@@ -1,4 +1,5 @@
 # Users - Gmail - Messages/Threads
+- [Notes](#notes)
 - [API documentation](#api-documentation)
 - [Query documentation](#query-documentation)
 - [Definitions](#definitions)
@@ -22,9 +23,17 @@
   - [Print only options](#print-only-options)
   - [Show only options](#show-only-options)
   - [Download attachments](#download-attachments)
+  - [Upload attachments](#upload-attachments)
   - [Display messages sent by delegates for delegator](#display-messages-sent-by-delegates-for-delegator)
 - [User attribute `replace <Tag> <UserReplacement>` processing](Tag-Replace)
 
+## Notes
+Restrict email messages to authorized addresses or domains only
+* https://support.google.com/a/answer/2640542
+
+Block emails between specific user groups
+* https://support.google.com/a/answer/9175444
+
 ## API documentation
 * https://developers.google.com/gmail/api/v1/reference/users/messages
 * https://developers.google.com/gmail/api/v1/reference/users/threads
@@ -172,6 +181,20 @@
         (gdoc|ghtml <UserGoogleDoc>)|
         (gcsdoc|gcshtml <StorageBucketObjectName>)|
         (emlfile <FileName> [charset <Charset>]))
+
+<DriveFolderID> ::= <String>
+<DriveFolderName> ::= <String>
+<SharedDriveID> ::= <String>
+<SharedDriveName> ::= <String>
+
+<DriveFileParentAttribute> ::=
+        (parentid <DriveFolderID>)|
+        (parentname <DriveFolderName>)|
+        (anyownerparentname <DriveFolderName>)|
+        (teamdriveparentid <DriveFolderID>)|
+        (teamdriveparent <SharedDriveName>)|
+        (teamdriveparentid <SharedDriveID> teamdriveparentname <DriveFolderName>)|
+        (teamdriveparent <SharedDriveName> teamdriveparentname <DriveFolderName>)
 ```
 ## Message queries with dates
 ```
@@ -221,7 +244,7 @@ gam <UserTypeEntity> draft message
 * `file|htmlfile <FileName> [charset <Charset>]` - Read the message from `<FileName>`
 * `gdoc|ghtml <UserGoogleDoc>` - Read the message from `<UserGoogleDoc>`
 * `gcsdoc|gcshtml <StorageBucketObjectName>` - Read the message from the Google Cloud Storage file `<StorageBucketObjectName>`
-* `emlfile <FileName> [charset <Charset>]` - Read the message from the EML message file `<FileName>`. SMTP headers specified in the command will replace those in the message file. The default `chatser` is `ascii`.
+* `emlfile <FileName> [charset <Charset>]` - Read the message from the EML message file `<FileName>`. SMTP headers specified in the command will replace those in the message file. The default `charset` is `ascii`.
 
 The `<SMTPDateHeader> <Time>` argument  requires `<Time>` values which will be converted to RFC2822 dates. If you have these headers with values that
 are not in `<Time>` format, use the argument `header <SMTPDateHeader> <String>`.
@@ -238,7 +261,7 @@ Your HTML message will contain lines like this:
 <img src="cid:image2"/>
 ```
 
-Your command line will have: `embedimage file1.jpg image1` embedimage file2.jpg image2`
+Your command line will have: `embedimage file1.jpg image1 embedimage file2.jpg image2`
 
 ## Import messages
 Import a message into a user's mailbox, with standard email delivery scanning and classification similar to receiving via SMTP.
@@ -337,20 +360,35 @@ Your command line will have: `embedimage file1.jpg image1` embedimage file2.jpg
 gam <UserTypeEntity> archive messages <GroupItem>
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_archive <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 ```
 
 Messages are archived to the group specified by `<GroupItem>`.
 
+By default, the command results are displayed as indented keys and values. Use the `csv` option
+to display the command results in CSV form.
+```
+$ gam user user@domain.com archive messages ids 18e9fc6581b9acab,18e9fc58c5491f4c    
+User: user@domain.com, Archive 2 Messages
+  User: user@domain.com, Message: 18e9fc6581b9acab, Archived (1/2)
+  User: user@domain.com, Message: 18e9fc58c5491f4c, Archived (2/2)
+$ gam user user@domain.com archive messages ids 18e9fc6581b9acab,18e9fc58c5491f4c csv
+User: user@domain.com, Archive 2 Messages
+User,id,action,error
+user@domain.com,18e9fc6581b9acab,Archived,
+user@domain.com,18e9fc58c5491f4c,Archived,
+```
+
 See below for message selection.
 
 ## Export messages/threads
 Export messages in EML format.
 ```
 gam <UserTypeEntity> export message|messages
-        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_export <Number>])|(ids <MessageIDEntity>)
+        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [max_to_export <Number>])|(ids <MessageIDEntity>)
         [targetfolder <FilePath>] [targetname <FileName>] [overwrite [<Boolean>]]
 gam <UserTypeEntity> export thread|threads
-        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_export <Number>])|(ids <ThreadIDEntity>)
+        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [max_to_export <Number>])|(ids <ThreadIDEntity>)
         [targetfolder <FilePath>] [targetname <FileName>] [overwrite [<Boolean>]]
 ```
 
@@ -398,20 +436,40 @@ See below for message selection.
 gam <UserTypeEntity> delete messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_delete <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> modify messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_modify <Number>])|(ids <MessageIDEntity>)
-        (addlabel <LabelName>)* (removelabel <LabelName>)*
+        ((addlabel <LabelName>)|(removelabel <LabelName>))+
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> spam messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_spam <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> trash messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_trash <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> untrash messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_untrash <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 ```
+
+By default, the command results are displayed as indented keys and values. Use the `csv` option
+to display the command results in CSV form.
+```
+$ gam user user@domain.com delete messages ids 18e9fc6581b9acab,18e9fc58c5491f4c    
+User: user@domain.com, Delete 2 Messages
+  User: user@domain.com, Message: 18e9fc6581b9acab, Deleted (1/2)
+  User: user@domain.com, Message: 18e9fc58c5491f4c, Deleted (2/2)
+$ gam user user@domain.com delete messages ids 18e9fc6581b9acab,18e9fc58c5491f4c csv
+User: user@domain.com, Delete 2 Messages
+User,id,action,error
+user@domain.com,18e9fc6581b9acab,Deleted,
+user@domain.com,18e9fc58c5491f4c,Deleted,
+```
+
 ### Manage a specific set of messages
 * `ids <MessageIDEntity>` - A list of message ids
 
@@ -498,6 +556,7 @@ By default, Gam displays all messages.
   * `labelmatchpattern xyz` - Label must start with xyz
   * `labelmatchpattern .*xyz.*` - Label must contain xyz
   * `labelmatchpattern .*xyz` - Label must end with xyz
+  * `labelmatchpattern ^xyz$` - Label must extctly match xyz
 * `sendermatchpattern <RegularExpression>` - Only display messages if the sender matches the `<RegularExpression>`
 
 When `matchlabel <LabelName>` is specified, the following characters are replaced with a `-` in the generated query.
@@ -524,7 +583,7 @@ By default, the Message ID and these SMTP headers are displayed: `Date, Subject,
 Use these options to customize the display.
 
 By default, the `<SMTPDateHeader>` values are displayed in RFC2822 format; the `dateheaderformat iso|rfc2822|<String>` option allows reformatting it:
-* `iso` - Format is `%Y-%m-%dT%H:%M:%S%z`
+* `iso` - Format is `%Y-%m-%dT%H:%M:%S%:z`
 * `rfc2822` - Format is `%a, %d %b %Y %H:%M:%S %z`
 * `<String>` - Format according to: https://docs.python.org/3/library/datetime.html#strftime-strptime-behavior
 If the `Date` header value can't be parsed as RFC2822, it is left unchanged.
@@ -587,6 +646,16 @@ By default, when downloading attachments, an existing local file will not be ove
 * `overwrite true` - Overwite an existing file
 * `overwrite false` - Do not overwite an existing file; add a numeric prefix and create a new file
 
+## Upload attachments
+These options are valid with `show'.
+
+By default, message attachments are not uploaded to Google Drive.
+* `uploadattachments` - Upload message attachments
+* `attachmentnamepattern <RegularExpression>` - Limit the attachments uploaded to those whose names match `<RegularExpression>`
+
+By default, message attachments are uploaded to the root of the user's My Drive.
+* `<DriveFileParentAttributeh>` - Specify an alternate location for the uploaded attachments
+
 ## Display messages sent by delegates for delegator
 Display messages sent by a particular delegate for a delegator; the message is
 from the delegator but sent by the delegate.

docs/Users-Gmail-Send-As-Signature-Vacation.md

@@ -9,6 +9,7 @@
 - [Manage vacation](#manage-vacation)
 - [Display vacation](#display-vacation)
 - [User attribute `replace <Tag> <UserReplacement>` processing](Tag-Replace)
+- [Standardize user signatures](#standardize-user-signatures)
 
 ## API documentation
 * https://developers.google.com/gmail/api/reference/rest/v1/users.settings.sendAs
@@ -209,11 +210,13 @@ gam config csv_output_row_filter "signature:boolean:false"
 
 ## Manage vacation
 ```
-gam <UserTypeEntity> vacation <Boolean> subject <String>
+gam <UserTypeEntity> vacation [<Boolean>] [subject <String>]
         [<VacationMessageContent> (replace <Tag> <UserReplacement>)*]
         [html [<Boolean>]] [contactsonly [<Boolean>]] [domainonly [<Boolean>]]
         [start|startdate <Date>|Started] [end|enddate <Date>|NotSpecified]
 ```
+The initial `<Boolean>` can be omitted to allow updates to other fields without affecting the current responder state.
+
 `<VacationMessageContent>` is the vacation message, there are four ways to specify it:
 * `message|textmessage|htmlmessage <String>` - Use `<String>` as the vacation message
 * `file|htmlfile <FileName> [charset <Charset>]` - Read the vacation message from `<FileName>`
@@ -245,3 +248,37 @@ Gam displays the information in CSV form.
 * `compact` - Strip carriage returns and newlines in original HTML; this makes these values easier to process in the CSV file
 and can be used as input to GAM.
 * `enabledonly` - Do not display users with vacation autoreply disabled.
+
+## Standardize user signatures
+You can standardize user signatures by creating a signature template and a CSV file with data for each user.
+
+You can create a signature template by defining the signature in the Gmail Settings GUI of a test user.
+You must use the default signature `My signature`.
+Use text like `{FirstName}` and `{Email}` in the locations where the actual values will go.
+
+Once you're created the template signature, do the following:
+```
+$ gam user testuser@domain.com show signature compact > SimpleSig.html
+$ more SimpleSig.html
+SendAs Address: <testuser@domain.com>
+  IsPrimary: True
+  Default: True
+  Signature: <div dir="ltr">--<div>Name: {FirstName} {LastName}<div>Phone: {Phone}</div><div>Email: {Email}</div></div><div><br></div><div>Company Name</div><div>Company Address</div><div><br></div></div>\n
+```
+Edit SimpleSig.html and delete all text from `SendAs ` through `Signature: `.
+The result should be:
+```
+<div dir="ltr">--<div>Name: {FirstName} {LastName}<div>Phone: {Phone}</div><div>Email: {Email}</div></div><div><br></div><div>Company Name</div><div>Company Address</div><div><br></div></div>\n
+```
+
+This is a sample Users.csv file.
+```
+email,first,last,phone
+bsmith@domain.com,Bob,Smith,510-555-1212 x 123
+mjones@domain.com,Mary,Jones,510-555-1212 x 456
+```
+
+This command will update the user's signatures.
+```
+gam csv Users.csv gam user "~email" signature htmlfile SimpleSig.html replace FirstName "~first"  replace LastName "~last" replace Phone "~phone" replace Email "~email"
+```

docs/Users-Group-Membership.md

@@ -14,6 +14,8 @@
   - [Display group details in CSV format](#display-group-details-in-csv-format)
   - [Display group counts as an indented list](#display-group-counts-as-an-indented-list)
   - [Display group counts in CSV format](#display-group-counts-in-csv-format)
+  - [Display total group counts as an indented list](#display-total-group-counts-as-an-indented-list)
+  - [Display total group counts in CSV format](#display-total-group-counts-in-csv-format)
   - [Display group addresses in CSV format](#display-group-addresses-in-csv-format)
   - [Display groups and their parents](#display-groups-and-their-parents)
 - [Add a target user to the same groups as a source user](#add-a-target-user-to-the-same-groups-as-a-source-user)
@@ -81,7 +83,7 @@ $ gam csvkmd users UserGroupRole.csv keyfield User print groups
 User,Group,Role,Status,Delivery
 
 # Add users to groups
-$ gam redirect stdout - multiprocess csv UserGroupRole.csv gam user ~User add group ~Role ~Delivery ~Group
+$ gam redirect stdout - multiprocess csv UserGroupRole.csv gam user "~User" add group "~Role" "~Delivery" "~Group"
 Using 5 processes...
 User: testuser1@domain.com, Add to 1 Group
   Group: testgroup1@domain.com, Owner: testuser1@domain.com, Added
@@ -249,7 +251,7 @@ testuser2@domain.com,testgroup2@domain.com,MANAGER,ACTIVE,DAILY
 testuser3@domain.com,testgroup2@domain.com,OWNER,ACTIVE,DIGEST
 
 # Update roles/delivery settings
-$ gam redirect stdout - multiprocess csv UserGroupRoleNew.csv gam user ~User update group ~Role ~Delivery ~Group
+$ gam redirect stdout - multiprocess csv UserGroupRoleNew.csv gam user "~User" update group "~Role" "~Delivery" "~Group"
 Using 3 processes...
 User: testuser2@domain.com, Update to 1 Group
   Group: testgroup2@domain.com, Manager: testuser2@domain.com, Updated
@@ -357,7 +359,7 @@ testuser3@domain.com,testgroup1@domain.com,MEMBER,ACTIVE,ALL_MAIL
 testuser3@domain.com,testgroup2@domain.com,OWNER,ACTIVE,ALL_MAIL
 
 # Update roles/delivery settings
-$ gam redirect stdout - multiprocess csv UserGroupRole.csv gam user ~User update group ~Role ~Delivery ~Group
+$ gam redirect stdout - multiprocess csv UserGroupRole.csv gam user "~User" update group "~Role" "~Delivery" "~Group"
 Using 5 processes...
 User: testuser2@domain.com, Update to 1 Group
   Group: testgroup1@domain.com, Member: testuser2@domain.com, Updated
@@ -461,6 +463,10 @@ gam <UserTypeEntity> show groups
         [(domain <DomainName>)|(customerid <CustomerID>)]
         [roles <GroupRoleList>] countsonly
 ```
+By default, all groups to which a member belongs are displayed, these options allow selection of subsets of groups:
+* `domain <DomainName>` - Limit display to groups in the domain `<DomainName>` of which they are a member
+* `customerid <CustomerID>` - For resellers, display all groups in a resold workspace of which they are a member
+* `roles <GroupRoleList>` - Limit display to those groups for which the user has a specific role
 
 ### Display group counts in CSV format
 There is one row per user displaying the number of groups, by role, to which a user belongs.
@@ -476,6 +482,33 @@ By default, all groups to which a member belongs are displayed, these options al
 * `customerid <CustomerID>` - For resellers, display all groups in a resold workspace of which they are a member
 * `roles <GroupRoleList>` - Limit display to those groups for which the user has a specific role
 
+### Display total group counts as an indented list
+There is one row per user displaying the number of groups to which a user belongs.
+
+There is one API call per user to get the total group count.
+```
+gam <UserTypeEntity> show groups
+        [(domain <DomainName>)|(customerid <CustomerID>)]
+        totalonly
+```
+By default, all groups to which a member belongs are displayed, these options allow selection of subsets of groups:
+* `domain <DomainName>` - Limit display to groups in the domain `<DomainName>` of which they are a member
+* `customerid <CustomerID>` - For resellers, display all groups in a resold workspace of which they are a member
+
+
+### Display total group counts in CSV format
+There is one row per user displaying the total number of groups to which a user belongs.
+
+There is one API call per user to get the total group count.
+```
+gam <UserTypeEntity> print groups [todrive <ToDriveAttribute>*]
+        [(domain <DomainName>)|(customerid <CustomerID>)]
+        totalonly
+```
+By default, all groups to which a member belongs are displayed, these options allow selection of subsets of groups:
+* `domain <DomainName>` - Limit display to groups in the domain `<DomainName>` of which they are a member
+* `customerid <CustomerID>` - For resellers, display all groups in a resold workspace of which they are a member
+
 ### Display group addresses in CSV format
 There is one row per user showing the number and list of groups to which a user directly belongs.
 ```

docs/Users-Keep.md

@@ -131,13 +131,17 @@ Display all notes
 ```
 gam <UserTypeEntity> show notes
         [fields <NotesFieldList>] [filter <String>]
-        [role owner|writwer]
+        [role owner|writer]
+        [countsonly]
         [compact|formatjson]
 ```
 By default, GAM displays all non-trashed notes:
 * `filter trashed` - Display notes in the trash
 * `role owner|writer` - Display notes where the user has the specified role
 
+When  option `countsonly` is specified, the number of notes a user owns, the number of notes of user can edit
+and the total number of notes is displayed.
+
 By default, Gam displays the information as an indented list of keys and values; the note text is displayed as individual lines.
 * `compact` - Display the note text with escaped carriage returns as \r and newlines as \n
 * `formatjson` - Display the note in JSON format
@@ -145,7 +149,8 @@ By default, Gam displays the information as an indented list of keys and values;
 ```
 gam <UserTypeEntity> print notes [todrive <ToDriveAttribute>*]
         [fields <NotesFieldList>] [filter <String>]
-        [role owner|writwer]
+        [role owner|writer]
+        [countsonly]
         [formatjson [quotechar <Character>]]
 
 ```
@@ -153,6 +158,9 @@ By default, GAM displays all non-trashed notes:
 * `filter trashed` - Display notes in the trash
 * `role owner|writer` - Display notes where the user has the specified role
 
+When  option `countsonly` is specified, the number of notes a user owns, the number of notes of user can edit
+and the total number of notes is displayed.
+
 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
 the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
 When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.

docs/Users-Looker-Studio.md

@@ -17,6 +17,8 @@ To use these commands you must add the 'Looker Studio API' to your project and u
 ```
 gam update project
 gam user user@domain.com check serviceaccount
+...
+[*] 35)  Looker Studio API (supports readonly)
 ```
 ## Definitions
 * [`<UserTypeEntity>`](Collections-of-Users)

docs/Users-Meet.md

@@ -0,0 +1,174 @@
+# Users - Meet
+- [API documentation](#api-documentation)
+- [Query documentation](#query-documentation)
+- [Introduction](#introduction)
+- [Definitions](#definitions)
+- [Manage Meet Spaces](#manage-meet-spaces)
+- [Display Meet Conferences](#display-meet-conferences)
+- [Display Meet Participants](#display-meet-participants)
+- [Display Meet Recordings](#display-meet-recordings)
+- [Display Meet Transcripts](#display-meet-transcripts)
+
+## API documentation
+* https://developers.google.com/meet/api/reference/rest/v2
+* https://developers.google.com/meet/api/reference/rest/v2/spaces
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords.participants
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords.recordings
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords.transcripts
+
+## Query documentation
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords/list
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords.participants/list
+
+## Introduction
+These features were added in version 6.81.00.
+
+To use these commands you must add the 'Meet API' to your project and update your service account authorization.
+```
+gam update project
+gam user user@domain.com update serviceaccount
+...
+[*] 36)  Meet API (supports readonly)
+
+```
+## Definitions
+* [`<UserTypeEntity>`](Collections-of-Users)
+```
+<MeetConferenceName> ::= conferenceRecords/<String>
+<MeetSpaceName> ::= spaces/<String> | <String>
+<MeetSpaceOptions> ::=
+        accesstype open|trusted|restricted |
+        entrypointaccess all|creatorapponly
+```
+
+## Manage Meet Spaces
+### Create a meet space
+```
+gam <UserTypeEntity> create meetspace
+        <MeetSpaceOptions>*
+        [formatjson|returnidonly]
+```
+By default, Gam displays the information about the created meetspace as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+* `returnidonly` - Display the meetspace name only
+
+### Update a meet space
+```
+gam <UserTypeEntity> update meetspace <MeetSpaceName>
+        <MeetSpaceOptions>*
+        [formatjson]
+```
+By default, Gam displays the information about the created meetspace as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### Display information about a specific meet space for a user
+```
+gam <UserTypeEntity> info meetspace <MeetSpaceName>
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### End a meet space conference
+```
+gam <UserTypeEntity> end meetconference <MeetSpaceName>
+```
+
+## Display Meet Conferences
+```
+gam <UserItem> show meetconferences
+        [space <MeetSpaceName>] [code <String>]
+        [andquery|orquery <String>] [querytime<String> <Time>]
+        [formatjson]
+```
+By default, conferences are shown for all of a user's meet spaces. To limit the display use:
+  * `space <MeetSpaceName>` - Display conferences for a specifc space by giving its name
+  * `code <String>` - Display conferences for a specifc space by giving its code
+  
+By default, Gam displays the information about the meet conferences as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+```
+gam <UserItem> print meetconferences [todrive <ToDriveAttribute>*]
+        [space <MeetSpaceName>] [code <String>]
+        [andquery|orquery <String>] [querytime<String> <Time>]
+        [formatjson [quotechar <Character>]]
+```
+By default, conferences are shown for all of a user's meet spaces. To limit the display use:
+  * `space <MeetSpaceName>` - Display conferences for a specifc space by giving its name
+  * `code <String>` - Display conferences for a specifc space by giving its code
+  
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+
+## Display Meet Participants
+```
+gam <UserItem> show meetparticipants <MeetConferenceName>
+        [query <String>] [querytime<String> <Time>]
+        [formatjson]
+```
+By default, Gam displays the information about the meet participants as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+```
+gam <UserItem> print meetparticipants <MeetConferenceName> [todrive <ToDriveAttribute>*]
+        [query <String>] [querytime<String> <Time>]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+
+## Display Meet Recordings
+```
+gam <UserItem> show meetrecordings <MeetConferenceName>
+        [formatjson]
+```
+By default, Gam displays the information about the meet recordings as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+```
+gam <UserItem> print meetrecordings <MeetConferenceName> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+
+## Display Meet Transcripts
+```
+gam <UserItem> show meettranscripts <MeetConferenceName>
+        [formatjson]
+```
+By default, Gam displays the information about the meet transcripts as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+```
+gam <UserItem> print meettranscripts <MeetConferenceName> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+

docs/Users-People-Contacts-Profiles.md

@@ -59,6 +59,7 @@ gam user user@domain.com check serviceaccount
 
 ```
 <JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |
+<QueryContact> ::= <String>
 
 <PeopleResourceName> ::= people/<String>
 <PeopleResourceNameList> ::= "<PeopleResourceName>(,<PeopleResourceName>)*"
@@ -124,8 +125,15 @@ gam user user@domain.com check serviceaccount
         (subject <String>)|
         (suffix <String>)|
         (userdefinedfield clear|(<String> <String>))|
-        (website clear|(app_install_page|blog|ftp|home|home_page|other|profile|reservations|work|<String> <URL> notprimary|primary))
+        (url|website clear|(app_install_page|blog|ftp|home|home_page|other|profile|reservations|work|<String> <URL> notprimary|primary))
 
+For address, email, phone and url, the type <String> can be empty.
+address "" formatted "My Address" primary
+email "" user@gmail.com primary
+phone "" "510-555-1212" primary
+url "" "https://www.domain.com" primary
+```
+```
 <PeopleFieldName> ::=
         addresses|
         ageranges|