Updated gam update|delete|info adminrole to handle the following error:

ERROR: 400: failedPrecondition - Precondition check failed.

.github/workflows/build.yml

@@ -9,6 +9,7 @@ on:
 permissions:
   contents: read
   id-token: write
+  attestations: write
 
 defaults:
   run:
@@ -34,13 +35,11 @@ jobs:
             goal: build
             arch: x86_64
             openssl_archs: linux-x86_64
-            fullGamTest: yes
           - os: [self-hosted, linux, arm64]
             jid: 2
             goal: build
             arch: aarch64
             openssl_archs: linux-aarch64
-            fullGamTest: yes
           - os: ubuntu-20.04
             jid: 3
             goal: build
@@ -58,13 +57,11 @@ jobs:
             goal: build
             arch: x86_64
             openssl_archs: darwin64-x86_64
-            fullGamTest: yes
           - os: macos-14
             jid: 6
             goal: build
             arch: aarch64
             openssl_archs: darwin64-arm64
-            fullGamTest: yes
           - os: macos-14
             jid: 7
             goal: build
@@ -75,7 +72,6 @@ jobs:
             goal: build
             arch: Win64
             openssl_archs: VC-WIN64A
-            fullGamTest: yes
           - os: ubuntu-22.04
             goal: test
             python: "3.8"
@@ -118,7 +114,7 @@ jobs:
         with:
           path: |
             cache.tar.xz
-          key: gam-${{ matrix.jid }}-20240210
+          key: gam-${{ matrix.jid }}-20240526
 
       - name: Untar Cache archive
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
@@ -199,8 +195,9 @@ jobs:
           bash ./rust.sh -y
           source $HOME/.cargo/env
           # Install needed packages
-          brew update
-          brew install gpg swig
+          # brew update
+          # brew install gpg
+          brew install swig
 
       - name: Windows Configure VCode
         uses: ilammy/msvc-dev-cmd@v1
@@ -222,12 +219,6 @@ jobs:
             GAM_ARCHIVE_ARCH="x86_64"
             WIX_ARCH="x64"
             CHOC_OPS=""
-          elif [[ "${arch}" == "Win32" ]]; then
-            PYEXTERNALS_PATH="win32"
-            PYBUILDRELEASE_ARCH="Win32"
-            GAM_ARCHIVE_ARCH="x86"
-            WIX_ARCH="x86"
-            CHOC_OPS="--forcex86"
           fi
           if [[ "${RUNNER_OS}" == "macOS" ]]; then
             MAKE=make
@@ -497,22 +488,20 @@ jobs:
           cd pyinstaller
           export latest_release=$(git tag --list | grep -v dev | grep -v rc | sort -Vr | head -n1)
           #V6.0.0 causes errors on staticx
-          if [[ "${staticx}" == "yes" ]]; then
-            git checkout "v5.13.2"
-          elif [[ "${RUNNER_OS}" == "Windows" ]]; then
-            git checkout "v5.13.2"
-          elif [[ "${RUNNER_OS}" == "macOS" ]]; then
-            git checkout "v5.13.2"
-          else
-            git checkout "${latest_release}"
-          fi
+          #if [[ "${staticx}" == "yes" ]]; then
+          #  git checkout "v5.13.2"
+          #elif [[ "${RUNNER_OS}" == "Windows" ]]; then
+          #  git checkout "v5.13.2"
+          #elif [[ "${RUNNER_OS}" == "macOS" ]]; then
+          #  git checkout "v5.13.2"
+          #else
+          git checkout "${latest_release}"
+          #fi
           # remove pre-compiled bootloaders so we fail if bootloader compile fails
           rm -rvf PyInstaller/bootloader/*-*/*
           cd bootloader
+          export PYINSTALLER_BUILD_ARGS=""
           case "${arch}" in
-            "Win32")
-              export PYINSTALLER_BUILD_ARGS="--target-arch=32bit"
-              ;;
             "Win64")
               export PYINSTALLER_BUILD_ARGS="--target-arch=64bit"
               ;;
@@ -539,20 +528,31 @@ jobs:
           elif [[ "${RUNNER_OS}" == "Windows" ]]; then
             # Work around issue where PyInstaller picks up python3.dll from other Python versions
             # https://github.com/pyinstaller/pyinstaller/issues/7102
-            export PATH="/usr/bin"
+            export PATH="$(dirname ${PYTHON}):/usr/bin"
           else
             export gampath=$(realpath "${gampath}")
           fi
           export gam="${gampath}/gam"
           echo "gampath=${gampath}" >> $GITHUB_ENV
-          echo "gam=${gam}" >> $GITHUB_ENV
-          echo -e "GAM: ${gam}\nGAMPATH: ${gampath}"
           # TEMP force everything back to one file.
           export PYINSTALLER_BUILD_ONEFILE="yes"
           export distpath="./dist/gam"
           export gampath="${distpath}"
           "${PYTHON}" -m PyInstaller --clean --noconfirm --distpath="${distpath}" gam.spec
           cat build/gam/warn-gam.txt
+          if [ -x "$(command -v realpath)" ]; then
+               realpath=realpath
+             else
+               brew install coreutils
+               realpath=grealpath
+             fi
+          export gam=$(realpath "$gam")
+          if [[ "${RUNNER_OS}" == "Windows" ]]; then
+            export gam=$(cygpath -w "$gam")
+            echo "GAM on Windows at ${gam}"
+          fi
+          echo "gam=${gam}" >> $GITHUB_ENV
+          echo -e "GAM: ${gam}\nGAMPATH: ${gampath}"
 
       - name: Copy extra package files
         if: matrix.goal == 'build'
@@ -596,19 +596,26 @@ jobs:
           echo "GAM Version ${GAMVERSION}"
           echo "GAMVERSION=${GAMVERSION}" >> $GITHUB_ENV
 
+      - name: Attest Binary Provenance
+        uses: actions/attest-build-provenance@v1
+        if: matrix.goal == 'build'
+        with:
+          subject-path: ${{ env.gam }}
+
       - name: Linux/MacOS package
         if: runner.os != 'Windows' && matrix.goal == 'build'
         run: |
           if [[ "${RUNNER_OS}" == "macOS" ]]; then
-              GAM_ARCHIVE="gam-${GAMVERSION}-macos-${arch}.tar.xz"
+            GAM_ARCHIVE="gam-${GAMVERSION}-macos-${arch}.tar.xz"
           elif [[ "${RUNNER_OS}" == "Linux" ]]; then
-              if [[ "${staticx}" == "yes" ]]; then
-                libver="legacy"
-              else
-                libver="glibc$(ldd --version | awk '/ldd/{print $NF}')"
-              fi
-              GAM_ARCHIVE="gam-${GAMVERSION}-linux-$(arch)-${libver}.tar.xz"
+            if [[ "${staticx}" == "yes" ]]; then
+              libver="legacy"
+            else
+              libver="glibc$(ldd --version | awk '/ldd/{print $NF}')"
+            fi
+            GAM_ARCHIVE="gam-${GAMVERSION}-linux-$(arch)-${libver}.tar.xz"
           fi
+          echo "GAM Archive ${GAM_ARCHIVE}"
           tar -C dist/ --create --verbose --exclude-from "${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" --file $GAM_ARCHIVE --xz gam
 
       - name: Windows package
@@ -618,8 +625,8 @@ jobs:
           GAM_ARCHIVE="../gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.zip"
           /c/Program\ Files/7-Zip/7z.exe a -tzip $GAM_ARCHIVE gam "-xr@${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" -bb3
           cd ..
-          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.11/bin/candle.exe -arch "${WIX_ARCH}" gam.wxs
-          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.11/bin/light.exe -ext /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.11/bin/WixUIExtension.dll gam.wixobj -o "gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.msi" || true;
+          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/candle.exe -arch "${WIX_ARCH}" gam.wxs
+          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/light.exe -ext /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/WixUIExtension.dll gam.wixobj -o "gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.msi" || true;
           rm -v -f *.wixpdb
 
       - name: Basic Tests build jobs only
@@ -643,7 +650,7 @@ jobs:
           echo "We successfully compiled Python ${this_python} and OpenSSL ${this_openssl}"
 
       - name: Live API tests push only
-        if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.fullGamTest == 'yes'
+        if: (github.event_name == 'push' || github.event_name == 'schedule')
         env:
           PASSCODE: ${{ secrets.PASSCODE }}
         run: |
@@ -730,7 +737,7 @@ jobs:
           $gam info group $newgroup
           $gam info cigroup $newgroup membertree
           # confirm mailbox is provisoned before continuing
-          $gam user $newuser waitformailbox
+          $gam user $newuser waitformailbox retries 20
           $gam user $newuser imap on
           $gam user $newuser show imap
           $gam user $newuser show delegates
@@ -744,7 +751,7 @@ jobs:
           $gam user $gam_user insertemail subject "GHA insert $newbase" file gam.py labels INBOX,UNREAD # yep body is gam code
           $gam user $gam_user sendemail subject "GHA send $gam_user $newbase" file gam.py recipient admin@pdl.jaylee.us
           $gam user $gam_user draftemail subject "GHA draft $newbase" message "Draft message test"
-          $gam csvfile sample.csv:email waitformailbox
+          $gam csvfile sample.csv:email waitformailbox retries 20
           $gam user $newuser delegate to "${newbase}-bulkuser-1" || if [ $? != 50 ]; then exit $?; fi # expect a 50 return code (delegation failed)
           $gam users "$gam_user $newbase-bulkuser-1 $newbase-bulkuser-2 $newbase-bulkuser-3" delete messages query in:anywhere maxtodelete 99999 doit || if [ $? != 60 ]; then exit $?; fi # expect a 60 return code (no messages)
           $gam users "$newbase-bulkuser-4 $newbase-bulkuser-5 $newbase-bulkuser-6" trash messages query in:anywhere maxtotrash 99999 doit || if [ $? != 60 ]; then exit $?; fi # expect a 60 return code (no messages)
@@ -852,15 +859,24 @@ jobs:
           fi
           tar cJvvf cache.tar.xz $tar_folders
 
+      - name: Attest Build Archive Provenance
+        uses: actions/attest-build-provenance@v1
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal == 'build'
+        with:
+          subject-path: |
+            src/gam*.tar.xz
+            src/gam*.zip
+            src/gam*.msi
+
       - name: Archive production artifacts
         uses: actions/upload-artifact@v4
         if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal != 'test'
         with:
           name: gam-binaries-${{ env.GAMOS }}-${{ env.arch }}-${{ matrix.jid }}
           path: |
-            src/*.tar.xz
-            src/*.zip
-            src/*.msi
+            src/gam*.tar.xz
+            src/gam*.zip
+            src/gam*.msi
 
   merge:
     if: (github.event_name == 'push' || github.event_name == 'schedule')
@@ -876,11 +892,6 @@ jobs:
           name: gam-binaries
           pattern: gam-binaries-*
 
-#      - name: Delete Artifacts
-#        uses: geekyeggo/delete-artifact@v4
-#        with:
-#          name: gam-binaries-*
-
   publish:
     if: github.event_name == 'push'
     runs-on: ubuntu-latest

docs/Administrators.md

@@ -851,11 +851,15 @@ gam delete adminrole <RoleItem>
 ## Display administrative roles
 ```
 gam info adminrole <RoleItem> [privileges]
-gam print adminroles|roles [todrive <ToDriveAttribute>*] [privileges]
+gam print adminroles|roles [todrive <ToDriveAttribute>*]
+        [privileges] [oneitemperrow]
 gam show adminroles|roles [todrive <ToDriveAttribute>*] [privileges]
 ```
 * `privileges` - Display privileges associated with each role
 
+By default, all privileges for a role are shown on one row as a repeating item.
+When `oneitemperrow` is specified, each privilege is output on a separate row/line with the other role fields.
+
 ## Create an administrator
 Add an administrator role to an administrator.
 ```
@@ -877,7 +881,8 @@ gam delete admin <RoleAssignmentId>
 ## Display administrators
 ```
 gam print admins [todrive <ToDriveAttribute>*]
-        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition] [privileges]
+        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition]
+        [privileges] [oneitemperrow]
 gam show admins
         [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition] [privileges]
 ```
@@ -889,6 +894,9 @@ options to limit the display:
 * `condition` - Display any conditions associated with a role assignment
 * `privileges` - Display privileges associated with each role assignment
 
+By default, all role privileges for an admin are shown on one row as a repeating item.
+When `oneitemperrow` is specified, each role privilege is output on a separate row/line with the other admin fields.
+
 In versions prior to 6.07.01, specification of both `user <UserItem>`
 and `role <RoleItem>` generated no output due to an undocumented API rule that disallows both.
 

docs/Authorization.md

@@ -7,6 +7,7 @@
 - [Definitions](#definitions)
 - [Manage Projects](#manage-projects)
   - [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
+  - [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
   - [Authorize GAM to create projects](#authorize-gam-to-create-projects)
   - [Create a new GCP project folder](#create-a-new-gcp-project-folder)
   - [Create a new project for GAM authorization](#create-a-new-project-for-gam-authorization)
@@ -30,6 +31,7 @@
   - [Update an existing Service Account key](#update-an-existing-service-account-key)
   - [Replace all existing Service Account keys](#replace-all-existing-service-account-keys)
   - [Delete Service Account keys](#delete-service-account-keys)
+  - [Upload a Service Account key to a service account with no keys](#upload-a-service-account-key-to-a-service-account-with-no-keys)
   - [Display Service Account keys](#display-service-account-keys)
 - [Manage Service Account access](#manage-service-account-access)
   - [Full Service Account access](#full-service-account-access)
@@ -89,15 +91,6 @@ If you run a Google Workspace Education SKU, verify that the super admin you'll
 * Choose "All users are 18 or older"
 * Click "SAVE"
 
-Verify whether the super admin you'll be using is in an OU where reauthentication is required.
-* Access the admin console and go to Security -> Overview
-* Scroll down and open Google Cloud session control section
-* Select the OU containing the super admin
-* If Require reauthentication is selected and Exempt Trusted apps is not checked, you'll have to do `gam oauth create` at whatever frequency is specified
-* If that sounds unappealing, check Exempt Trusted apps
-* Click "OVERRIDE"
-* Follow the steps below to mark GAM as a trusted app
-
 Based on your domain policies, you may have to mark GAM as a trusted app. These steps are performed after a project is created.
 * Access the admin console and go to Security -> Access and data control -> API controls
 * Check Trust internal, domain-owned apps
@@ -114,6 +107,20 @@ Based on your domain policies, you may have to mark GAM as a trusted app. These
 * Click Next/Continue
 * Click Finish
 
+Verify whether the super admin you'll be using is in an OU where reauthentication is required.
+* Access the admin console and go to Security -> Overview
+* Scroll down and open Google Cloud session control section
+* Select the OU containing the super admin
+* If Require reauthentication is selected and Exempt Trusted apps is not checked, you'll have to do `gam oauth create` at whatever frequency is specified
+* If that sounds unappealing, check Exempt Trusted apps
+* Click "OVERRIDE"
+* Follow the steps below to mark GAM as a trusted app
+
+Additional steps may be required if errors are encountered.
+* [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
+* [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
+* [Authorize GAM to create projects](#authorize-gam-to-create-projects)
+
 ## Headless computers and Cloud Shells
 With many thanks to Jay, `gam oauth create` now uses a new client access authentication flow
 as required by Google for headless computers/cloud shells; this is required as of February 28, 2022.
@@ -199,8 +206,51 @@ perform these steps and then retry the create project command.
 * Click in the Select a role box
 * Type project creator in the Filter box
 * Click Project Creator
+* Click + Add Another Role
+* Type organization policy administrator in the Filter box
+* Click Orgainzation Policy Administrator
 * Click Save
 
+## Authorize Service Account Key Uploads
+
+If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload violated for service account projects/gam-project-xxx`,
+perform these steps and then you should be able to authorize and use your project.
+
+* Login as an existing super admin at console.cloud.google.com
+* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
+* Under IAM & Admin select IAM
+* Click the down arrow in the box to the right of Google Cloud
+* Click the three dots at the right and select IAM/Permissions
+* Now you should be at "Permissions for organization ..."
+* Click on Grant Access
+* Enter the new admin address in Principals
+* Click in the Select a role box
+* Type orgpolicy.policies.update in the Filter box
+* Click Organization Policy Administrator
+* Click Save
+* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
+* Under IAM & Admin select IAM
+* Click the down arrow in the box to the right of Google Cloud
+* Click the three dots at the right and select Manage Resources
+* Click the three dots and the end of the line for the GAM project just created
+* Click Settings
+* Click Organization Policies in the left column
+* Now you should be at "Policies for Gam Project"
+* Click in the Filter box
+* Enter iam.disableServiceAccountKeyUpload
+* Click the three dots at the end of the Disable Service Account Key Upload
+* Choose Edit policy
+* Click Override parent's policy
+* Click Add A Rule
+* Select Enforcement/Off
+* Click Done
+* Click Set Policy
+
+Wait a couple of minutes for the policy updates to complete and then do the following to upload the service account key:
+```
+gam upload sakey [admin <EmailAddress>]
+```
+
 ## Authorize GAM to create projects
 If you try to create a project and get an error saying "This app has been blocked on your domain for either being
 insecure or non-edutational"; you'll have to mark the GAM Project Creation app as trusted.
@@ -265,6 +315,9 @@ gam create project [admin <EmailAddress>] [project <ProjectID>]
         [projectname <ProjectName>] [parent <String>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
+        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+         (localkeysize 1024|2048|4096 [validityhours <Number>])|
+         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]
 ```
 * `admin <EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 * `appname <String>` - Application name, defaults to `GAM`
@@ -276,6 +329,8 @@ gam create project [admin <EmailAddress>] [project <ProjectID>]
 * `sadisplayname <ServiceAccountDisplayName>` - Service account display name
 * `sadescription <ServiceAccountDescription>` - Service account description
 
+You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`: [Manage Service Account keys](#manage-service-account-keys)
+
 ## Use an existing project for GAM authorization
 Use an existing project to create and download two files: `client_secrets.json` for the Client and `oauth2service.json` for the Service Account.
 
@@ -285,8 +340,11 @@ Use an existing project to create and download two files: `client_secrets.json`
 * `<ServiceAccountDescription>` - `<ServiceAccountDisplayName>`
 
 ### Basic
-Use an existing project with default values for the service account. This is typically used when
-the system administrators have created a basic project and you now want to configure it as a GAM project.
+Use an existing uninitialized/uncredentialed project and configure it to be a GAM project; this typically used when
+the GCP  administrators have created a basic project because project creation is not available for most users.
+
+See Jay's notes about how to do this: https://github.com/GAM-team/GAM/wiki/GAM-with--minimal-GCP-rights
+
 ```
 gam use project [<EmailAddress>] [project <ProjectID>]
 ```
@@ -301,6 +359,9 @@ can not be re-downloaded.
 gam use project [admin <EmailAddress>] [project <ProjectID>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
+        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+         (localkeysize 1024|2048|4096 [validityhours <Number>])|
+         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]
 ```
 * `admin <EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 * `project <ProjectID>` - An existing Google project ID; if omitted, you will be prompted for the ID
@@ -308,6 +369,8 @@ gam use project [admin <EmailAddress>] [project <ProjectID>]
 * `sadisplayname <ServiceAccountDisplayName>` - Service account display name
 * `sadescription <ServiceAccountDescription>` - Service account description
 
+You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`: [Manage Service Account keys](#manage-service-account-keys)
+
 ## Update an existing project for GAM authorization
 This command is used when GAM has added new capabilities that require additional APIs to be added to your project.
 ```
@@ -404,60 +467,70 @@ writes the credentials into the file oauth2.txt.
 ```
 gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - Telemetry read only
-[*]  3)  Chrome Management API - read only
-[*]  4)  Chrome Policy API (supports readonly)
-[*]  5)  Chrome Printer Management API (supports readonly)
-[*]  6)  Chrome Version History API
-[*]  7)  Classroom API - Course Announcements (supports readonly)
-[*]  8)  Classroom API - Course Topics (supports readonly)
-[*]  9)  Classroom API - Course Work/Materials (supports readonly)
-[*] 10)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 11)  Classroom API - Courses (supports readonly)
-[*] 12)  Classroom API - Profile Emails
-[*] 13)  Classroom API - Profile Photos
-[*] 14)  Classroom API - Rosters (supports readonly)
-[*] 15)  Classroom API - Student Guardians (supports readonly)
-[*] 16)  Cloud Identity Groups API (supports readonly)
-[*] 17)  Cloud Storage (Vault Export - read only)
-[*] 18)  Contact Delegation API (supports readonly)
-[*] 19)  Contacts API - Domain Shared and Users and GAL
-[*] 20)  Data Transfer API (supports readonly)
-[*] 21)  Directory API - Chrome OS Devices (supports readonly)
-[*] 22)  Directory API - Customers (supports readonly)
-[*] 23)  Directory API - Domains (supports readonly)
-[*] 24)  Directory API - Groups (supports readonly)
-[*] 25)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 26)  Directory API - Organizational Units (supports readonly)
-[*] 27)  Directory API - Resource Calendars (supports readonly)
-[*] 28)  Directory API - Roles (supports readonly)
-[*] 29)  Directory API - User Schemas (supports readonly)
-[*] 30)  Directory API - User Security
-[*] 31)  Directory API - Users (supports readonly)
-[*] 32)  Email Audit API
-[*] 33)  Groups Migration API
-[*] 34)  Groups Settings API
-[*] 35)  License Manager API
-[*] 36)  People API (supports readonly)
-[*] 37)  People Directory API - read only
-[ ] 38)  Pub / Sub API
-[*] 39)  Reports API - Audit Reports
-[*] 40)  Reports API - Usage Reports
-[ ] 41)  Reseller API
-[*] 42)  Site Verification API
-[*] 43)  Sites API
-[*] 44)  Vault API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
-Please enter 0-42[a|r] or s|u|e|c: 
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
 
@@ -487,60 +560,70 @@ writes the credentials into the file `oauth2.txt`.
 ```
 gam oauth update
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - Telemetry read only
-[*]  3)  Chrome Management API - read only
-[*]  4)  Chrome Policy API (supports readonly)
-[*]  5)  Chrome Printer Management API (supports readonly)
-[*]  6)  Chrome Version History API
-[*]  7)  Classroom API - Course Announcements (supports readonly)
-[*]  8)  Classroom API - Course Topics (supports readonly)
-[*]  9)  Classroom API - Course Work/Materials (supports readonly)
-[*] 10)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 11)  Classroom API - Courses (supports readonly)
-[*] 12)  Classroom API - Profile Emails
-[*] 13)  Classroom API - Profile Photos
-[*] 14)  Classroom API - Rosters (supports readonly)
-[*] 15)  Classroom API - Student Guardians (supports readonly)
-[*] 16)  Cloud Identity Groups API (supports readonly)
-[*] 17)  Cloud Storage (Vault Export - read only)
-[*] 18)  Contact Delegation API (supports readonly)
-[*] 19)  Contacts API - Domain Shared and Users and GAL
-[*] 20)  Data Transfer API (supports readonly)
-[*] 21)  Directory API - Chrome OS Devices (supports readonly)
-[*] 22)  Directory API - Customers (supports readonly)
-[*] 23)  Directory API - Domains (supports readonly)
-[*] 24)  Directory API - Groups (supports readonly)
-[*] 25)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 26)  Directory API - Organizational Units (supports readonly)
-[*] 27)  Directory API - Resource Calendars (supports readonly)
-[*] 28)  Directory API - Roles (supports readonly)
-[*] 29)  Directory API - User Schemas (supports readonly)
-[*] 30)  Directory API - User Security
-[*] 31)  Directory API - Users (supports readonly)
-[*] 32)  Email Audit API
-[*] 33)  Groups Migration API
-[*] 34)  Groups Settings API
-[*] 35)  License Manager API
-[*] 36)  People API (supports readonly)
-[*] 37)  People Directory API - read only
-[ ] 38)  Pub / Sub API
-[*] 39)  Reports API - Audit Reports
-[*] 40)  Reports API - Usage Reports
-[ ] 41)  Reseller API
-[*] 42)  Site Verification API
-[*] 43)  Sites API
-[*] 44)  Vault API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
-Please enter 0-42[a|r] or s|u|e|c: 
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
 
@@ -625,6 +708,9 @@ file or define a new section in `gam.cfg` that references a different `oauth2ser
 gam create|add svcacct [[admin] <EmailAddress>] [<ProjectIDEntity>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
+        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+         (localkeysize 1024|2048|4096 [validityhours <Number>])|
+         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]
 ```
 * `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 
@@ -639,6 +725,8 @@ Use these options to select user-specified values..
 * `sadisplayname <ServiceAccountDisplayName>` - Service account display name
 * `sadescription <ServiceAccountDescription>` - Service account description
 
+You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`: [Manage Service Account keys](#manage-service-account-keys)
+
 After adding an additional service account, you can select specific access APIs for it.
 [Selective Service Account access](#selective-service-account-access)
 
@@ -695,6 +783,7 @@ There are several methods for generating private keys:
 * `localkeysize 1024` - Gam generates a 1024 bit key; this is not recommended
 * `localkeysize 2048` - Gam generates a 2048 bit key; this is the default
 * `localkeysize 4096` - Gam generates a 4096 bit key
+* `yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]` - [Using GAMADV-XTD3 with a YubiKey](Using-GAMADV-XTD3-with-a-YubiKey)
 
 When `localkeysize` is specified, the optional argument `validityhours <Number>` sets the length of time during which the key will be valid and should be used when the [GCP constraints/iam.serviceAccountKeyExpiryHours organization policy](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#limit_key_expiry) is in use. Note that in order to account for system clock skew, GAM sets the key to be valid two minutes earlier than the current system time and thus it will also expire two minutes earlier.
 
@@ -720,16 +809,12 @@ The two forms of the command are equivalent; the second form is used by Basic Ga
 ```
 gam create sakey
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 gam rotate sakey retain_existing
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 ```
 To distribute `oauth2service.json` files with unique private keys perform the following steps:
 ```
@@ -750,16 +835,12 @@ The two forms of the command are equivalent; the second form is used by Basic Ga
 ```
 gam update sakey
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 gam rotate sakey replace_existing
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 ```
 ## Replace all existing Service Account keys
 Create a new Service Account private key; all existing private keys are revoked.
@@ -773,16 +854,12 @@ The two forms of the command are equivalent; the second form is used by Basic Ga
 ```
 gam replace sakeys
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 gam rotate sakeys retain_none
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 ```
 ## Delete Service Account keys
 You can delete Service Accounts keys thus revoking access for that key. Generally, you will
@@ -790,10 +867,24 @@ delete a service account key for a distributed copy of an `oauth2service.json` f
 that user's service account access.
 
 You can disable your current Service Account key if you specify the `doit` argument. This is your
-acknowledgement that you will have to manually create a new Service Account key in the Developer's Console.
+acknowledgement that you will have to manually create a new Service Account key in the Developer's Console
+or upload a new key with the `gam upload sakey` command.
 ```
 gam delete sakeys <ServiceAccountKeyList>+ [doit]
 ```
+## Upload a Service Account key to a service account with no keys
+There are two cases where you will use this command:
+* Your workspace is configured to disable service account private key uploads and you are creating a project.
+* All of your service account keys have been deleted, either manually or with the `gam delete sakeys` command.
+
+The `oauth2service.json` file is updated with the new private key. If you had previously distributed
+any `oauth2service.json` file to other users, you must redistribute the updated file with the new key.
+```
+gam upload sakey [admin <EmailAddress>]
+        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
+```
 ## Display Service Account keys
 There are system keys and user keys; user keys are what Gam uses; GCP uses system keys.
 
@@ -817,24 +908,38 @@ By default, the following scopes are verified:
 ```
 https://mail.google.com/
 https://sites.google.com/feeds
-https://www.google.com/m8/feeds
+https://www.googleapis.com/auth/analytics.readonly
 https://www.googleapis.com/auth/apps.alerts
 https://www.googleapis.com/auth/calendar
+https://www.googleapis.com/auth/chat.delete
+https://www.googleapis.com/auth/chat.memberships
+https://www.googleapis.com/auth/chat.messages
+https://www.googleapis.com/auth/chat.spaces
 https://www.googleapis.com/auth/classroom.announcements
 https://www.googleapis.com/auth/classroom.coursework.students
+https://www.googleapis.com/auth/classroom.courseworkmaterials
 https://www.googleapis.com/auth/classroom.profile.emails
+https://www.googleapis.com/auth/classroom.profile.photos
 https://www.googleapis.com/auth/classroom.rosters
 https://www.googleapis.com/auth/classroom.topics
 https://www.googleapis.com/auth/cloud-identity
 https://www.googleapis.com/auth/cloud-platform
-https://www.googleapis.com/auth/cloudprint
 https://www.googleapis.com/auth/contacts
+https://www.googleapis.com/auth/contacts.other.readonly
+https://www.googleapis.com/auth/datastudio
+https://www.googleapis.com/auth/directory.readonly
+https://www.googleapis.com/auth/documents
 https://www.googleapis.com/auth/drive
 https://www.googleapis.com/auth/drive.activity
+https://www.googleapis.com/auth/drive.admin.labels
+https://www.googleapis.com/auth/drive.labels
 https://www.googleapis.com/auth/gmail.modify
 https://www.googleapis.com/auth/gmail.settings.basic
 https://www.googleapis.com/auth/gmail.settings.sharing
+https://www.googleapis.com/auth/keep
 https://www.googleapis.com/auth/spreadsheets
+https://www.googleapis.com/auth/tasks
+https://www.googleapis.com/auth/userinfo.profile
 ```
 This scope is verified when `user_service_account_access_only = true` in `gam.cfg`.
 ```
@@ -862,6 +967,118 @@ gam <UserTypeEntity> update serviceaccount (scope|scopes <APIScopeURLList>)*
 * `<UserTypeEntity>` - Typically `user <EmailAddress>`, a non-Google Workspace administrator.
 * `scopes <APIScopeURLList>` - Verify/enable service account access for a set of specific scopes rather than selecting the scopes.
 
+```
+gam user user@domain.com update serviceaccount
+
+[*]  0)  AlertCenter API
+[*]  1)  Analytics API - read only
+[*]  2)  Analytics Admin API - read only
+[*]  3)  Calendar API (supports readonly)
+[*]  4)  Chat API - Memberships (supports readonly)
+[*]  5)  Chat API - Messages (supports readonly)
+[*]  6)  Chat API - Spaces (supports readonly)
+[*]  7)  Chat API - Spaces Delete
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Profile Emails
+[*] 13)  Classroom API - Profile Photos
+[*] 14)  Classroom API - Rosters (supports readonly)
+[*] 15)  Cloud Identity Devices API (supports readonly)
+[*] 16)  Cloud Resource Manager API v3
+[*] 17)  Docs API (supports readonly)
+[*] 18)  Drive API (supports readonly)
+[*] 19)  Drive API - todrive
+[*] 20)  Drive Activity API v2 - must pair with Drive API
+[*] 21)  Drive Labels API v2beta - Admin (supports readonly)
+[*] 22)  Drive Labels API v2beta - User (supports readonly)
+[*] 23)  Forms API
+[*] 24)  Gmail API - Basic Settings (Filters,IMAP, Language, POP, Vacation) - read/write, Sharing Settings (Delegates, Forwarding, SendAs) - read
+[*] 25)  Gmail API - Full Access (Labels, Messages)
+[*] 26)  Gmail API - Full Access (Labels, Messages) except delete message
+[ ] 27)  Gmail API - Full Access - read only
+[ ] 28)  Gmail API - Send Messages - including todrive
+[*] 29)  Gmail API - Sharing Settings (Delegates, Forwarding, SendAs) - write
+[*] 30)  Identity and Access Management API
+[*] 31)  Keep API (supports readonly)
+[*] 32)  Looker Studio API (supports readonly)
+[*] 33)  OAuth2 API
+[*] 34)  People API (supports readonly)
+[*] 35)  People API - Other Contacts - read only
+[*] 36)  People Directory API - read only
+[*] 37)  Sheets API (supports readonly)
+[*] 38)  Sheets API - todrive
+[*] 39)  Sites API
+[*] 40)  Tasks API (supports readonly)
+[ ] 41)  Youtube API - read only
+
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+
+Please enter 0-41[a|r] or s|u|e|c: c
+
+System time status
+  Your system time differs from admin.googleapis.com by less than 1 second  PASS
+Service Account Private Key Authentication
+  Authentication                                                            PASS
+Service Account Private Key age; Google recommends rotating keys on a routine basis
+  Service Account Private Key age: 364 days                                 WARN
+Domain-wide Delegation authentication:, User: user@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.profile.photos                  PASS (14/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (15/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (16/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (17/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (18/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (19/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (20/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (21/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (22/34)
+  https://www.googleapis.com/auth/documents                                 PASS (23/34)
+  https://www.googleapis.com/auth/drive                                     PASS (24/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (25/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (26/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (27/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (29/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (30/34)
+  https://www.googleapis.com/auth/keep                                      PASS (31/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (32/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (33/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (34/34)
+Some scopes Failed!
+To authorize them, please go to the following link in your browser:
+
+    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.google.com/,...
+
+You will be directed to the Google Workspace admin console Security > API Controls > Domain-wide Delegation page
+The "Add a new Client ID" box will open
+Make sure that "Overwrite existing client ID" is checked
+Click AUTHORIZE
+When the box closes you're done
+After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
+```
+
 ## Configure Limited access
 You can configure GAM to allow users limited access to your domain via GAM.
 You can limit both client and service account access.

docs/Basic-Items.md

@@ -119,7 +119,7 @@
         #7a4706|#8a1c0a|#994a64|#ffffff
 <LanguageCode> ::=
         ach|af|ag|ak|am|ar|az|be|bem|bg|bn|br|bs|ca|chr|ckb|co|crs|cs|cy|da|de|
-        ee|el|en|en-gb|en-us|eo|es|es-419|et|eu|fa|fi|fil|fo|fr|fr-ca|fy|
+        ee|el|en|en-ca|en-gb|en-us|eo|es|es-419|et|eu|fa|fi|fil|fo|fr|fr-ca|fy|
         ga|gaa|gd|gl|gn|gu|ha|haw|he|hi|hr|ht|hu|hy|ia|id|ig|in|is|it|iw|ja|jw|
         ka|kg|kk|km|kn|ko|kri|ku|ky|la|lg|ln|lo|loz|lt|lua|lv|
         mfe|mg|mi|mk|ml|mn|mo|mr|ms|mt|my|ne|nl|nn|no|nso|ny|nyn|oc|om|or|
@@ -222,72 +222,6 @@
         shortcut
 <MimeTypeName> ::= application|audio|font|image|message|model|multipart|text|video
 <MimeType> ::= <MimeTypeShortcut>|(<MimeTypeName>/<String>)
-<ProductID> ::=
-        nv:<String> |
-        101001 |
-        101005 |
-        101031 |
-        101033 |
-        101034 |
-        101035 |
-        101036 |
-        101037 |
-        101039 |
-        101040 |
-        Google-Apps |
-        Google-Chrome-Device-Management |
-        Google-Drive-storage |
-        Google-Vault
-<SKUID> ::=
-        nv:<String>:<String> |
-        20gb | drive20gb | googledrivestorage20gb | Google-Drive-storage-20GB |
-        50gb | drive50gb | googledrivestorage50gb | Google-Drive-storage-50GB |
-        200gb | drive200gb | googledrivestorage200gb | Google-Drive-storage-200GB |
-        400gb | drive400gb | googledrivestorage400gb | Google-Drive-storage-400GB |
-        1tb | drive1tb | googledrivestorage1tb | Google-Drive-storage-1TB |
-        2tb | drive2tb | googledrivestorage2tb | Google-Drive-storage-2TB |
-        4tb | drive4tb | googledrivestorage4tb | Google-Drive-storage-4TB |
-        8tb | drive8tb | googledrivestorage8tb | Google-Drive-storage-8TB |
-        16tb | drive16tb | googledrivestorage16tb | Google-Drive-storage-16TB |
-        assuredcontrols | 1010390001 |
-        bce | beyondcorp | beyondcorpenterprise | 1010400001 |
-        cdm | chrome | googlechromedevicemanagement | Google-Chrome-Device-Management |
-        cloudidentity | identity | 1010010001 |
-        cloudidentitypremium | identitypremium | 1010050001 |
-        cloudsearch | 1010350001 |
-        gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
-        gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
-        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 |
-        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 |
-        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 |
-        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 |
-        gsuitegov | gafg | gsuitegovernment | Google-Apps-For-Government |
-        gsuitelite | gal | gsl | lite | Google-Apps-Lite |
-        gwep | workspaceeducationplus | 1010310008 |
-        gwepstaff | workspaceeducationplusstaff | 1010310009 |
-        gwepstudent | workspaceeducationplusstudent | 1010310010 |
-        gwes | workspaceeducationstandard | 1010310005 |
-        gwesstaff | workspaceeducationstandardstaff | 1010310006 |
-        gwesstudent | workspaceeducationstandardstudent | 1010310007 |
-        gwetlu | workspaceeducationupgrade | 1010370001 |
-        meetdialing | googlemeetglobaldialing | 1010360001 |
-        postini | gams | gsuitegams | gsuitepostini | gsuitemessagesecurity | Google-Apps-For-Postini |
-        standard | free | Google-Apps |
-        vault | googlevault | Google-Vault |
-        vfe | googlevaultformeremployee | Google-Vault-Former-Employee |
-        voicepremier | gvpremier | googlevoicepremier | 1010330002 |
-        voicestandard | gvstandard | googlevoicestandard | 1010330004 |
-        voicestarter | gvstarter | googlevoicestarter | 1010330003 |
-        wsbizplus | workspacebusinessplus | 1010020025 |
-        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 |
-        wsbizstan | workspacebusinessstandard | 1010020028 |
-        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 |
-        wsentess | workspaceenterpriseessentials | 1010060003 |
-        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 |
-        wsentstan | workspaceenterprisestandard | 1010020026 |
-        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 |
-        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 |
-        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030
 ```
 ## Items built from primitives
 ```
@@ -346,7 +280,7 @@
 <ChannelCustomerID> ::= <String>
 <ChatMember> ::= spaces/<String>/members/<String>
 <ChatMessage> ::= spaces/<String>/messages/<String>
-<ChatSpace> ::= spaces/<String> | <String>
+<ChatSpace> ::= spaces/<String> | space <String> | space spaces/<String>
 <ChatThread> ::= spaces/<String>/threads/<String>
 <ClassroomInvitationID> ::= <String>
 <ClientID> ::= <String>
@@ -421,6 +355,7 @@
 <DriveLabelFieldID> ::= <String>
 <DriveLabelSelectionID> ::= <String>
 <DriveLabelName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]
+<DriveLabelPermissionName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]/permissions/(audiences|groups|people)/<String>
 <EmailAddress> ::= <String>@<DomainName>
 <EmailItem> ::= <EmailAddress>|<UniqueID>|<String>
 <EmailReplacement> ::= <String>
@@ -456,6 +391,11 @@
 <Marker> ::= <String>
 <MatterItem> ::= <UniqueID>|<String>
 <MatterState> ::= open|closed|deleted
+<MessageContent> ::=
+        (message|textmessage|htmlmessage <String>)|
+        (file|textfile|htmlfile <FileName> [charset <Charset>])|
+        (gdoc|ghtml <UserGoogleDoc>)|
+        (gcsdoc|gcshtml <StorageBucketObjectName>)
 <MessageID> ::= <String>
 <Namespace> ::= <String>
 <NotesName> ::= notes/<String>
@@ -517,6 +457,7 @@
 <ResellerID> ::= <String>
 <ResourceID> ::= <String>
 <SchemaName> ::= <String>
+<SchemaNameField> ::= <SchemaName>.<FieldName>
 <Section> ::= <String>
 <SendAsContent> ::=
         (sig|signature|htmlsig <String>)|
@@ -529,7 +470,7 @@
 <ServiceAccountDisplayName> ::= <String>
         Maximum of 100 characters
 <ServiceAccountDescrition> ::= <String>
-       Maximumof 256 chcracters
+       Maximum of 256 chcracters
 <ServiceAccountEmail> ::= <ServiceAccountName>@<ProjectID>.iam.gserviceaccount.com
 <ServiceAccountUniqueID> ::= <Number>
 <ServiceAccountKey> ::= <String>
@@ -573,6 +514,7 @@
 <Title> ::= <String>
 <ToDriveAttribute> ::=
         (tdaddsheet [<Boolean>])|
+        (tdalert <EmailAddress>)*|
         (tdbackupsheet (id:<Number>)|<String>)|
         (tdcellnumberformat text|number)|
         (tdcellwrap clip|overflow|wrap)|
@@ -580,15 +522,20 @@
         (tdcopysheet (id:<Number>)|<String>)|
         (tddescription <String>)|
         (tdfileid <DriveFileID>)|
+        (tdfrom <EmailAddress>)|
         (tdlocalcopy [<Boolean>])|
         (tdlocale <Locale>)|
         (tdnobrowser [<Boolean>])|
         (tdnoemail [<Boolean>])|
+        (tdnoescapechar [<Boolean>])|
+        (tdnotify [<Boolean>])|
         (tdparent (id:<DriveFolderID>)|<DriveFolderName>)|
-        (tdshare <EmailAddress> commenter|reader|writer)|
+        (tdretaintitle [<Boolean>])|
+        (tdshare <EmailAddress> commenter|reader|writer)*|
         (tdsheet (id:<Number>)|<String>)|
         (tdsheettimestamp [<Boolean>] [tdsheettimeformat <String>])
         (tdsheettitle <String>)|
+        (tdsubject <String>)|
         ([tdsheetdaysoffset <Number>] [tdsheethoursoffset <Number>])|
         (tdtimestamp [<Boolean>] [tdtimeformat <String>]
             [tddaysoffset <Number>] [tdhoursoffset <Number>])|

docs/Bulk-Processing.md

@@ -42,6 +42,7 @@ Batch files can contain the following types of lines:
   * GAM prints \<String\> and waits for the user to press any key
   * GAM continues
 * sleep \<Integer\> - Batch processing will suspend for \<Integer\> seconds before the next command line is processed
+  * To be effective, this should immediately follow commit-batch
 * print \<String\> - Print \<String\> on stderr
 * set \<KeywordString\> \<ValueString\>
   * Subsequent lines will have %\<KeywordString\>% replaced with \<ValueString\>
@@ -129,25 +130,29 @@ gam csv gsheet <user> <fileID> "<sheetName>" gam update user "~primaryEmail" add
 ## CSV files with redirection and select
 You should use the `multiprocess` option on any redirected files: `csv`, `stdout`, `stderr`.
 ```
-gam redirect csv ./filelistperms.csv multiprocess csv Users.csv gam user ~primaryEmail print filelist fields id,title,permissions,owners.emailaddress
+gam redirect csv ./filelistperms.csv multiprocess csv Users.csv gam user ~primaryEmail print filelist fields id,name,mimetype,basicpermissions
+gam redirect csv - multiprocess todrive csv Users.csv gam user ~primaryEmail print filelist fields id,name,mimetype,basicpermissions
 ```
 
 If you want to select a `gam.cfg` section for the command, you can select the section at the outer `gam` and save it
 or select the section at the inner `gam`.
 ```
-gam select <Section> save redirect csv ./filelistperms.csv multiprocess csv Users.csv gam user ~primaryEmail print filelist fields id,title,permissions,owners.emailaddress
-gam redirect csv ./filelistperms.csv multiprocess csv Users.csv gam select <Section> user ~primaryEmail print filelist fields id,title,permissions,owners.emailaddress
+gam select <Section> save redirect csv ./filelistperms.csv multiprocess csv Users.csv gam user ~primaryEmail print filelist fields id,name,mimetype,basicpermissions
+gam redirect csv ./filelistperms.csv multiprocess csv Users.csv gam select <Section> user ~primaryEmail print filelist fields id,name,mimetype,basicpermissions
+gam select <Section> save redirect csv - multiprocess todrive csv Users.csv gam user ~primaryEmail print filelist fields id,name,mimetype,basicpermissions
+gam redirect csv - multiprocess todrive csv Users.csv gam select <Section> user ~primaryEmail print filelist fields id,name,mimetype,basicpermissions
 ```
 
 ## Automatic batch processing
 You can enable automatic batch (parallel) processing when issuing commands of the form `gam <UserTypeEntity> ...`.
 In the following example, if the number of users in group sales@domain.com exceeds 1, then the `print filelist` command will be processed in parallel.
 ```
-gam config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess group sales@domain.com print filelist fields id,title,permissions,owners.emailaddress
+gam config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess group sales@domain.com print filelist fields id,name,mimetype,basicpermissions
+gam config auto_batch_min 1 redirect csv - multiprocess todrive group sales@domain.com print filelist fields id,name,mimetype,basicpermissions
 ```
 With automatic batch processing, you should use the `multiprocess` option on any redirected files: `csv`, `stdout`, `stderr`.
 
 If you want to select a `gam.cfg` section for the command, you must select and save it for it to be processed correctly.
 ```
-gam select <Section> save config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess group sales@domain.com print filelist fields id,title,permissions,owners.emailaddress
+gam select <Section> save config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess group sales@domain.com print filelist fields id,name,mimetype,basicpermissions
 ```

docs/CSV-Input-Filtering.md

@@ -3,6 +3,10 @@
 - [Definitions](#definitions)
 - [Quoting rules](#quoting-rules)
 - [Column row filtering](#column-row-filtering)
+  - [Field names](#field-names)
+  - [Inclusive filters](#inclusive-filters)
+  - [Exclusive filters](#exclusive-filters)
+  - [Matches](#matches)
 - [Column row limiting](#column-row-limiting)
 - [Saving filters in gam.cfg](#saving-filters-in-gamcfg)
 - [Validate filters](#validate-filters)
@@ -39,28 +43,30 @@ These filters can be used alone or in conjunction with the `matchfield|skipfield
 
 <FieldNameFilter> :: = <RegularExpression>
 <RowValueFilter> ::=
-        [(any|all):]count<Operator><Number>|
-        [(any|all):]countrange=<Number>/<Number>|
-        [(any|all):]countrange!=<Number>/<Number>|
-        [(any|all):]date<Operator><Date>|
-        [(any|all):]daterange=<Date>/<Date>|
-        [(any|all):]daterange!=<Date>/<Date>|
-        [(any|all):]length<Operator><Number>|
-        [(any|all):]lengthrange=<Number>/<Number>|
-        [(any|all):]lengthrange!=<Number>/<Number>|
-        [(any|all):]text<Operator><String>|
-        [(any|all):]textrange=<String>/<String>|
-        [(any|all):]textrange!=<String>/<String>|
-        [(any|all):]time<Operator><Time>|
-        [(any|all):]timerange=<Time>/<Time>|
-        [(any|all):]timerange!=<Time>/<Time>|
         [(any|all):]boolean:<Boolean>|
-        [(any|all):]regex:<RegularExpression>|
-        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]count<Operator><Number>|
+        [(any|all):]countrange!=<Number>/<Number>|
+        [(any|all):]countrange=<Number>/<Number>|
+        [(any|all):]data:<DataSelector>|
+        [(any|all):]date<Operator><Date>|
+        [(any|all):]daterange!=<Date>/<Date>|
+        [(any|all):]daterange=<Date>/<Date>|
+        [(any|all):]length<Operator><Number>|
+        [(any|all):]lengthrange!=<Number>/<Number>|
+        [(any|all):]lengthrange=<Number>/<Number>|
+        [(any|all):]notdata:<DataSelector>|
         [(any|all):]notregex:<RegularExpression>|
         [(any|all):]notregexcs:<RegularExpression>|
-        [(any|all):]data:<DataSelector>|
-        [(any|all):]notdata:<DataSelector>|
+        [(any|all):]regex:<RegularExpression>|
+        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]text<Operator><String>|
+        [(any|all):]textrange!=<String>/<String>|
+        [(any|all):]textrange=<String>/<String>|
+        [(any|all):]time<Operator><Time>|
+        [(any|all):]timeofdayrange!=<Hour>:<Minute>/<Hour>:<Minute>|
+        [(any|all):]timeofdayrange=<Hour>:<Minute>/<Hour>:<Minute>|
+        [(any|all):]timerange!=<Time>/<Time>|
+        [(any|all):]timerange=<Time>/<Time>|
 <RowValueFilterList> ::=
         "'<FieldNameFilter>:<RowValueFilter>'(,'<FieldNameFilter>:<RowValueFilter>')*"
 <RowValueFilterJSONList> ::=
@@ -77,11 +83,17 @@ Name:value form.
 * Each `<FieldNameFilter>:<RowValueFilter>` pair should be enclosed in `'`.
 * If `<FieldNameFilter>` contains a `:` or a space, it should be enclosed in `\"`.
 * If `<RegularExpression>` or `<DataSelector>` in `<RowValueFilter>` contain a space, it should be enclosed in `\"`.
+* If `<FieldNameFilter>` or `<RegularExpression>` in `<RowValueFilter>` contain a `\` to escape a special character
+or enter a special sequence, enter `\\\` on Linux and Mac OS, `\\` on Windows,
 
-Example:
+Examples:
 ```
 csv_input_row_filter "'\"accounts:used_quota_in_mb\":count>15000'"
 csv_input_row_filter "'email:data:\"csvfile gsheet:email user@domain.com FileID Sheet1\"'"
+Linux and Mac OS
+csv_input_row_filter "'phones.\\\d+.value:regex:(?:^\\\(510\\\) )|(?:^510[- ])\\\d{3}-\\\d{4}'"
+Windows
+csv_input_row_filter "'phones.\\d+.value:regex:(?:^\\(510\\) )|(?:^510[- ])\\d{3}-\\d{4}'"
 ```
 JSON form.
 ```
@@ -156,11 +168,13 @@ In the case of `notregex|notregexcs|notdata`, the filter matches if some (not al
 If neither `any` or `all` is explicitly specified, `any` is the default.
 
 These are the row value filter types:
+* `boolean:<Boolean>` - Used on fields with Boolean values; a blank field is considered False
 * `count<Operator><Number>` - Used on fields with numbers; a blank field will not match
 * `countrange=<Number>/<Number>` - Used on fields with numbers; a blank field will not match
   * The field value must be `>=` the left `<Number>` and `<=` the right `<Number>`
 * `countrange!=<Number>/<Number>` - Used on fields with numbers; a blank field will not match
   * The field value must be `<` the left `<Number>` or `>` the right `<Number>`
+* `data:<DataSelector>` - Used on fields with text; field value must match some value in `<DataSelector>`; case sensitive
 * `date<Operator><Date>` - Used on fields with dates or times; only the date portion of a time field is compared; a blank field will not match
 * `daterange=<Date>/<Date>` - Used on fields with dates or times; only the date portion of a time field is compared; a blank field will not match
   * The field value must be `>=` the left `<Date>` and `<=` the right `<Date>`
@@ -171,23 +185,25 @@ These are the row value filter types:
   * The field length must be `>=` the left `<Number>` and `<=` the right `<Number>`
 * `lengthrange!=<Number>/<Number>` - Used on fields with strings; non string fields will not match
   * The field length must be `<` the left `<Number>` or `>` the right `<Number>`
+* `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
+* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
+* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
+* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
+* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
 * `text<Operator><String>` - Used on fields with text
 * `textrange=<String>/<String>` - Used on fields with strings
   * The field value must be `>=` the left `<String>` and `<=` the right `<String>`
 * `textrange!=<String>/<String>` - Used on fields with strings
   * The field value must be `<` the left `<String>` or `>` the right `<String>`
 * `time<Operator><Time>` - Used on fields with times; a blank field will not match
+* `timeofdayrange=<Hour>:<Minute>/<Hour>:<Minute>` - Used on fields with times; a blank field will not match
+  * The field value must be `>=` the left `<Hour>:<Minute>` and `<=` the right `<Hour>:<Minute>`
+* `timeofdayrange!=<Hour>:<Minute>/<Hour>:<Minute>` - Used on fields with times; a blank field will not match
+  * The field value must be `<` the left `<Hour>:<Minute>` or `>` the right `<Hour>:<Minute>`
 * `timerange=<Time>/<Time>` - Used on fields with times; a blank field will not match
   * The field value must be `>=` the left `<Time>` and `<=` the right `<Time>`
 * `timerange!=<Time>/<Time>` - Used on fields with times; a blank field will not match
   * The field value must be `<` the left `<Time>` or `>` the right `<Time>`
-* `boolean:<Boolean>` - Used on fields with Boolean values; a blank field is considered False
-* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
-* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
-* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
-* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
-* `data:<DataSelector>` - Used on fields with text; field value must match some value in `<DataSelector>`; case sensitive
-* `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
 
 ### **Change in behavior.**
 In versions prior to `5.12.00`, `regex:<RegularExpression>` and `notregex:<RegularExpression>` were processed in a case sensitive manner;

docs/CSV-Output-Filtering.md

@@ -4,6 +4,10 @@
 - [Quoting rules](#quoting-rules)
 - [Column header filtering](#column-header-filtering)
 - [Column row filtering](#column-row-filtering)
+  - [Field names](#field-names)
+  - [Inclusive filters](#inclusive-filters)
+  - [Exclusive filters](#exclusive-filters)
+  - [Matches](#matches)
 - [Column row limiting](#column-row-limiting)
 - [Saving filters in gam.cfg](#saving-filters-in-gamcfg)
 
@@ -44,28 +48,30 @@ on all platforms.
 <FieldNameFilter> :: = <RegularExpression>
 <ColumnFieldNameFilterList> ::= "<FieldNameFilter>(,<FieldNameFilter>)*"
 <RowValueFilter> ::=
-        [(any|all):]count<Operator><Number>|
-        [(any|all):]countrange=<Number>/<Number>|
-        [(any|all):]countrange!=<Number>/<Number>|
-        [(any|all):]date<Operator><Date>|
-        [(any|all):]textrange=<String>/<String>|
-        [(any|all):]textrange!=<String>/<String>|
-        [(any|all):]daterange=<Date>/<Date>|
-        [(any|all):]daterange!=<Date>/<Date>|
-        [(any|all):]length<Operator><Number>|
-        [(any|all):]lengthrange=<Number>/<Number>|
-        [(any|all):]lengthrange!=<Number>/<Number>|
-        [(any|all):]text<Operator><String>|
-        [(any|all):]time<Operator><Time>|
-        [(any|all):]timerange=<Time>/<Time>|
-        [(any|all):]timerange!=<Time>/<Time>|
         [(any|all):]boolean:<Boolean>|
-        [(any|all):]regex:<RegularExpression>|
-        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]count<Operator><Number>|
+        [(any|all):]countrange!=<Number>/<Number>|
+        [(any|all):]countrange=<Number>/<Number>|
+        [(any|all):]data:<DataSelector>|
+        [(any|all):]date<Operator><Date>|
+        [(any|all):]daterange!=<Date>/<Date>|
+        [(any|all):]daterange=<Date>/<Date>|
+        [(any|all):]length<Operator><Number>|
+        [(any|all):]lengthrange!=<Number>/<Number>|
+        [(any|all):]lengthrange=<Number>/<Number>|
+        [(any|all):]notdata:<DataSelector>
         [(any|all):]notregex:<RegularExpression>|
         [(any|all):]notregexcs:<RegularExpression>|
-        [(any|all):]data:<DataSelector>|
-        [(any|all):]notdata:<DataSelector>
+        [(any|all):]regex:<RegularExpression>|
+        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]text<Operator><String>|
+        [(any|all):]textrange!=<String>/<String>|
+        [(any|all):]textrange=<String>/<String>|
+        [(any|all):]time<Operator><Time>|
+        [(any|all):]timeofdayrange!=<Hour>:<Minute>/<Hour>:<Minute>|
+        [(any|all):]timeofdayrange=<Hour>:<Minute>/<Hour>:<Minute>|
+        [(any|all):]timerange!=<Time>/<Time>|
+        [(any|all):]timerange=<Time>/<Time>|
 <RowValueFilterList> ::=
         "'<FieldNameFilter>:<RowValueFilter>'(,'<FieldNameFilter>:<RowValueFilter>')*"
 <RowValueFilterJSONList> ::=
@@ -83,13 +89,16 @@ Name:value form.
 * If `<FieldNameFilter>` contains a `:` or a space, it should be enclosed in `\"`.
 * If `<RegularExpression>` or `<DataSelector>` in `<RowValueFilter>` contain a space, it should be enclosed in `\"`.
 * If `<FieldNameFilter>` or `<RegularExpression>` in `<RowValueFilter>` contain a `\` to escape a special character
-or enter a special sequence, enter `\\\`.
+or enter a special sequence, enter `\\\` on Linux and Mac OS, `\\` on Windows,
 
-Example:
+Examples:
 ```
 csv_output_row_filter "'\"accounts:used_quota_in_mb\":count>15000'"
 csv_output_row_filter "'email:data:\"csvfile gsheet:email user@domain.com FileID Sheet1\"'"
+Linux and Mac OS
 csv_output_row_filter "'phones.\\\d+.value:regex:(?:^\\\(510\\\) )|(?:^510[- ])\\\d{3}-\\\d{4}'"
+Windows
+csv_output_row_filter "'phones.\\d+.value:regex:(?:^\\(510\\) )|(?:^510[- ])\\d{3}-\\d{4}'"
 ```
 JSON form.
 ```
@@ -214,11 +223,13 @@ In the case of `notregex|notregexcs|notdata`, the filter matches if some (not al
 If neither `any` or `all` is explicitly specified, `any` is the default.
 
 These are the row value filter types:
+* `boolean:<Boolean>` - Used on fields with Boolean values; a blank field is considered False
 * `count<Operator><Number>` - Used on fields with numbers; a blank field will not match
 * `countrange=<Number>/<Number>` - Used on fields with numbers; a blank field will not match
   * The field value must be `>=` the left `<Number>` and `<=` the right `<Number>`
 * `countrange!=<Number>/<Number>` - Used on fields with numbers; a blank field will not match
   * The field value must be `<` the left `<Number>` or `>` the right `<Number>`
+* `data:<DataSelector>` - Used on fields with text; field value must match some value in `<DataSelector>`; case sensitive
 * `date<Operator><Date>` - Used on fields with dates or times; only the date portion of a time field is compared; a blank field will not match
 * `daterange=<Date>/<Date>` - Used on fields with dates or times; only the date portion of a time field is compared; a blank field will not match
   * The field value must be `>=` the left `<Date>` and `<=` the right `<Date>`
@@ -229,23 +240,25 @@ These are the row value filter types:
   * The field length must be `>=` the left `<Number>` and `<=` the right `<Number>`
 * `lengthrange!=<Number>/<Number>` - Used on fields with strings; non string fields will not match
   * The field length must be `<` the left `<Number>` or `>` the right `<Number>`
+* `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
+* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
+* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
+* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
+* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
 * `text<Operator><String>` - Used on fields with text
 * `textrange=<String>/<String>` - Used on fields with strings
   * The field value must be `>=` the left `<String>` and `<=` the right `<String>`
 * `textrange!=<String>/<String>` - Used on fields with strings
   * The field value must be `<` the left `<String>` or `>` the right `<String>`
 * `time<Operator><Time>` - Used on fields with times; a blank field will not match
+* `timeofdayrange=<Hour>:<Minute>/<Hour>:<Minute>` - Used on fields with times; a blank field will not match
+  * The field value must be `>=` the left `<Hour>:<Minute>` and `<=` the right `<Hour>:<Minute>`
+* `timeofdayrange!=<Hour>:<Minute>/<Hour>:<Minute>` - Used on fields with times; a blank field will not match
+  * The field value must be `<` the left `<Hour>:<Minute>` or `>` the right `<Hour>:<Minute>`
 * `timerange=<Time>/<Time>` - Used on fields with times; a blank field will not match
   * The field value must be `>=` the left `<Time>` and `<=` the right `<Time>`
 * `timerange!=<Time>/<Time>` - Used on fields with times; a blank field will not match
   * The field value must be `<` the left `<Time>` or `>` the right `<Time>`
-* `boolean:<Boolean>` - Used on fields with Boolean values; a blank field is considered False
-* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
-* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
-* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
-* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
-* `data:<DataSelector>` - Used on fields with text; field value must match some value in `<DataSelector>`; case sensitive
-* `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
 
 ### **Change in behavior.**
 In versions prior to `5.12.00`, `regex:<RegularExpression>` and `notregex:<RegularExpression>` were processed in a case sensitive manner;

docs/Calendars-Events.md

@@ -196,6 +196,9 @@ Client access works when accessing Resource calendars.
 
 <EventMatchProperty> ::=
         (matchfield attendees <EmailAddressEntity>)|
+        (matchfield attendeesonlydomainlist <DomainNameList>)|
+        (matchfield attendeesdomainlist <DomainNameList>)|
+        (matchfield attendeesnotdomainlist <DomainNameList>)|
         (matchfield attendeespattern <RegularExpression>)|
         (matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>)|
         (matchfield creatoremail <RegularExpression>)|
@@ -216,7 +219,6 @@ Client access works when accessing Resource calendars.
         (event|events <EventIdList> |
         <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVSubkeySelector> | <CSVDataSelector>)
         See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
-
 <EventSelectEntity> ::=
         (<EventSelectProperty>+ <EventMatchProperty>*)
 
@@ -229,6 +231,7 @@ Client access works when accessing Resource calendars.
         lavender|peacock|sage|tangerine|tomato
 <PropertyKey> ::= <String>
 <PropertyValue> ::= <String>
+<TimeZone> ::= <String>
 
 <EventAttribute> ::=
         (allday <Date>)|
@@ -356,7 +359,15 @@ The Google Calendar API processes `<EventSelectProperty>*`; you may specify none
 
 GAM processes `<EventMatchProperty>*`; you may specify none or multiple properties.
 * `matchfield attendees <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
-* `matchfield attendeespattern <RegularExpression>` - Some attendee must match `<RegularExpression>`
+* `matchfield attendeesonlydomainlist <DomainNameList>` - All attendee's email addresses must be in a domain in `<DomainNameList>`
+  * For example, this lets you look for events with all attendees in your internal domains. You should include `resource.calendar.google.com`
+    in `<DomainNameList>` if the events use resources.
+* `matchfield attendeesdomainlist <DomainNameList>` - Some attendee's email address must be in a domain in `<DomainNameList>`
+  * For example, this lets you look for events with attendees in specific external domains
+* `matchfield attendeesnotdomainlist <DomainNameList>` - Some attendee's email address must be in a domain not in `<DomainNameList>`
+  * For example, this lets you look for events with attendees not in your internal domains. You should include `resource.calendar.google.com`
+    in `<DomainNameList>` if the events use resources.
+* `matchfield attendeespattern <RegularExpression>` - Some attendee's email address must match `<RegularExpression>`
 * `matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
 and must have the specified values.
     * `<AttendeeAttendance>` - Default is `required`

docs/ChromeOS-Devices.md

@@ -105,7 +105,10 @@ The second form is backwards compatible with Standard GAM and selection with `<C
         annotatedlocation|location|
         annotateduser|user|
         autoupdateexpiration|
+        autoupdatethrough|
+        backlightinfo|
         bootmode|
+        cpuinfo|
         cpustatusreports|
         deprovisionreason|
         devicefiles|
@@ -115,6 +118,9 @@ The second form is backwards compatible with Standard GAM and selection with `<C
         dockmacaddress|
         ethernetmacaddress|
         ethernetmacaddress0|
+        extendedsupporteligible|
+        extendedsupportstart|
+        extendedsupportenabled|
         firmwareversion|
         firstenrollmenttime|
         lastdeprovisiontimestamp|
@@ -551,6 +557,7 @@ gam print cros [todrive <ToDriveAttribute>*]
         [start <Date>] [end <Date>] [listlimit <Number>]
         [reverselists <CrOSListFieldNameList>]
         [timerangeorder ascending|descending] [showdvrsfp]
+        (addcsvdata <FieldName> <String>)*
         [sortheaders]
         [formatjson [quotechar <Character>]]
 ```
@@ -593,6 +600,9 @@ otherwise, the remaining field names will appear in the order specified.
 - `timerangeorder descending` - Change the `activetimeranges` order from ascending (oldest to newest) to descending (newest to oldest); this makes it easy to get the `N` most recent values with `timeranges listlimit N timerangeorder descending`.
 - `showdvrsfp` - Display a field `diskVolumeReports.volumeInfo.storageFreePercentage` which is calculated as: `(diskVolumeReports.volumeInfo.storageFree/diskVolumeReports.volumeInfo.storageTotal)*100`
 
+Add additional columns of data from the command line to the output
+* `addcsvdata <FieldName> <String>`
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
 
 - `formatjson` - Display the fields in JSON format.
@@ -615,6 +625,7 @@ gam <CrOSTypeEntity> print cros [todrive <ToDriveAttribute>*]
         [start <Date>] [end <Date>] [listlimit <Number>]
         [reverselists <CrOSListFieldNameList>]
         [timerangeorder ascending|descending] [showdvrsfp]
+        (addcsvdata <FieldName> <String>)*
         [sortheaders]
         [formatjson [quotechar <Character>]]
 
@@ -643,6 +654,9 @@ otherwise, the remaining field names will appear in the order specified.
 - `timerangeorder descending` - Change the `activetimeranges` order from ascending (oldest to newest) to descending (newest to oldest); this makes it easy to get the `N` most recent values with `timeranges listlimit N timerangeorder descending`.
 - `showdvrsfp` - Display a field `diskVolumeReports.volumeInfo.storageFreePercentage` which is calculated as: `(diskVolumeReports.volumeInfo.storageFree/diskVolumeReports.volumeInfo.storageTotal)*100`
 
+Add additional columns of data from the command line to the output
+* `addcsvdata <FieldName> <String>`
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
 
 - `formatjson` - Display the fields in JSON format.

docs/Collections-of-Items.md

@@ -262,6 +262,8 @@ Data fields identified in a `csvkmd` argument.
         <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <DriveLabelNameEntity> ::=
         <DriveLabelNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
+<DriveLabelPermissionNameEntity> ::=
+        <DriveLabelPermissionNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
 <EmailAddressEntity> ::=
         <EmailAddressList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <FilterIDEntity> ::=

docs/Context-Aware-Access-Levels.md

@@ -23,7 +23,7 @@ gam update project
 ```
 
 ## API documentation
-* https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies/list
+* https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies
 
 ## Grant Service Account Rights to Manage CAA
 In order for GAM to manage CAA access levels, you need to grant your service account a special role for your GCP organization.

docs/Drive-File-Selection.md

@@ -182,7 +182,7 @@ gam user testuser show fileinfo anydrivefilename "Test File"
 gam user testuser show fileinfo anydrivefilename:"Test File"
 ```
 ## Select file ownership
-By default, files the user owns are sisplayed; you can select the ownership characteristic.
+By default, files the user owns are displayed; you can select the ownership characteristic.
 ```
 anyowner|(showownedby any|me|others)
 ```

docs/GamUpdates.md

@@ -10,6 +10,457 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
 
 See [Downloads](https://github.com/taers232c/GAMADV-XTD3/wiki/Downloads) for Windows or other options, including manual installation
 
+### 6.76.09
+
+Updated `gam update|delete|info adminrole` to handle the following error:
+```
+ERROR: 400: failedPrecondition - Precondition check failed.
+```
+
+### 6.76.08
+
+Updated `<SchemaNameList>` to `"<SchemaName>|<SchemaFieldName>(,<SchemaName>|<SchemaFieldName>)*"`
+that allows `schemas <SchemaNameList>` in `gam info user` and `gam print users` to display all fields or selected fields
+of the specified custom schemas.
+
+### 6.76.07
+
+Fixed bug where control-C was not recognized when GAM had processed all rows in a CSV file
+and was `Waiting for N running processes to finish before terminating`.
+
+### 6.76.06
+
+Fixed bug in `gam <UserTypeEntity> print messages ... positivecountsonly` where message counts with value 0 were deiplayed.
+
+Added option `addcsvdata <FieldName> <String>` to `gam <UserTypeEntity> print|messages` that adds
+additional columns of data to the CSV file output.
+
+Added option `showusagebytes` to `gam <UserTypeEntity> print|show drivesettings` that displays
+the following fields in bytes ```usageBytes,usageInDriveBytes,usageInDriveTrashBytes```
+in addition to the fields in their formatted form with units: ```usage,usageInDrive,usageInDriveTrash```.
+This will be most useful with `print` as the rows can be sorted based on the `usagexxxBytes` columns.
+
+### 6.76.05
+
+Added options `deletefromoldowner`, `addtonewowner <CalendarAttribute>*` and `nolistmessages`
+to `gam <UserTypeEntity> transfer calendars <UserItem>` that allow manipulation of the
+source and target user's calendar lists.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Calendars-Access#transfer-calendar-ownership
+
+### 6.76.04
+
+Added the following fields to `<CrOSFieldName>`:
+```
+autoupdatethrough
+extendedsupporteligible
+extendedsupportstart
+extendedsupportenabled
+```
+
+### 6.76.03
+
+Added option `folderpathonly [<Boolean>]` to the following commands that causes GAM
+to display only the folder names when displaying the path to a file. This folder only path
+an be used in  `gam <UserTypeEntity> create drivefolderpath` to recreate the folder hierarchy.
+```
+gam <UserTypeEntity> info drivefile ... filepath|fullpath
+gam <UserTypeEntity> show fileinfo ... filepath|fullpath
+gam <UserTypeEntity> print|show filepath
+gam <UserTypeEntity> print filelist ... filepath|fullpath
+```
+
+### 6.76.02
+
+Updated `gam update group` to handle the following error:
+```
+ERROR: 400: invalidArgument - Failed request validation in update settings: WHO_CAN_VIEW_MEMBERSHIP_CANNOT_BE_BROADER_THAN_WHO_CAN_SEE_GROUP
+```
+
+### 6.76.01
+
+Fixed bug in `gam create vaulthold matter <MatterItem> ... corpus calendar` that caused a trap.
+
+### 6.76.00
+
+Updated versions of `gam create|use project` that use keyword options to also accept the following options
+to define non-default Service Account key characteristics.
+```
+(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+(localkeysize 1024|2048|4096 [validityhours <Number>])|
+(yubikey yubikey_pin yubikey_slot AUTHENTICATION yubikey_serialnumber <String>)
+```
+
+### 6.75.05
+
+Added option `csv [todrive <ToDriveAttribute>*]` to `gam <UserTypeEntity> archive|delete|modify|spam|trash|untrash messages|threads`
+that causes GAM to display the command results in CSV form.
+
+### 6.75.04
+
+Added a command to print user counts by OrgUnit. By default, all users in the workspace are counted;
+you can specify a domain to only count users in that domain.
+```
+gam print usercountsbyorgunit [todrive <ToDriveAttribute>*]
+        [domain <String>]
+```
+
+Added option `uploadattachments [<DriveFileParentAttribute>]` to `gam <UserTypeEntity> show messages|threads` that
+causes GAM to upload all message attachments to the user's `My Drive`, the default, or to a specific folder.
+The existing option `attachmentnamepattern <RegularExpression>` can be used to select attachments to upload.
+
+### 6.75.03
+
+Fixed bug in `gam batch|tbatch` where the line `sleep <Integer>` in the batch file caused the error:
+```
+ERROR: Invalid argument: Expected <gam|commit-batch|print>
+```
+
+### 6.75.02
+
+Updated `gam report  <ActivityApplictionName>` to retry/handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable.
+```
+
+### 6.75.01
+
+Added option `admin <EmailAddress>` to  `gam upload sakey`.
+
+### 6.75.00
+
+Updated `gam create project` to simplify handling the situation where your workspace is configured to disable service account private key uploads.
+
+Added command `gam upload sakey` to aid in this process.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Authorization#upload-a-service-account-key-to-a-service-account-with-no-keys
+
+### 6.74.02
+
+Fixed bug in `gam <UserTypeEntity> print shareddrives ... formatjson` that caused a trap.
+
+### 6.74.01
+
+Updated `gam create|update drivefileacl <DriveFileEntity> ... expiration <Time>` to handle
+the following error caused by tryig to add an expiration time to a member of a Shared Drive.
+```
+ERROR: 403: expirationDateNotAllowedForSharedDriveMembers - Expiration dates are not allowed for shared drive members.
+```
+
+### 6.74.00
+
+Added `truncate_client_id` Boolean variable to `gam.cfg`. Prior to version 6.74.00, GAM stripped
+'.apps.googleusercontent.com' from `client_id` in `oauth2.txt` and passed the truncated value in API calls.
+At Jay's suggestion this is no longer performed by default; setting `truncate_client_id = true` restores the previous behavior.
+
+Do `gam oauth delete` and `gam oauth create` to set the untruncated value of `client_id` in `oauth2.txt`.
+
+### 6.73.00
+
+The Google Chat API has been updated so that chat members can now have their role set to manager.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Chat#manage-chat-members
+
+### 6.72.16
+
+Updated `emailaddressList <EmailAddressList>` and `domainlist|notdomainlist <DomainNameList>`
+in `<PermissionMatch>` to perform case-insensitive matches as the API is returning mixed case
+ACL email addresses in some cases.
+
+### 6.75.15
+
+Updated all commands that display tasks to display the due date in GMT as the time portion
+is not supported by the API and converting the due date to local time may display the wrong date.
+
+Renamed license SKU `1010400001` from `Beyond Corp Enterprise` to `Chrome Enterprise Premium`.
+
+### 6.72.14
+
+Upgraded to Python 3.12.3 where possible.
+
+### 6.72.13
+
+Added the following option to `<EventMatchProperty>` that can be used to select
+events based on the domains of the attendees.
+```
+matchfield attendeesonlydomainlist <DomainNameList>
+```
+This returns true if all attendee's email addresses are in a domain in `<DomainNameList>`;
+for example this lets you look for events with attendees only in your internal domains.
+
+### 6.72.12
+
+Added the following options to `<EventMatchProperty>` that can be used to select
+events based on the domains of the attendees.
+```
+matchfield attendeesdomainlist <DomainNameList>
+matchfield attendeesnotdomainlist <DomainNameList>
+```
+The first returns true if any attendee's email address is in a domain in `<DomainNameList>`;
+for example this lets you look for events with attendees in specific external domains.
+
+The second returns true if any attendee's email address is in a domain other than those in `<DomainNameList>`;
+for example this lets you look for events with attendees not in your internal domains.
+
+### 6.72.11
+
+Added option `oneitemperrow` to 'gam print vaultholds` to have each of a
+hold's accounts displayed on a separate row with all of the other hold fields.
+
+### 6.72.10
+
+Added `timeofdayrange=<HH:MM>/<HH:MM>` and `timeofdayrange!=<HH:MM>/<HH:MM>` to `<RowValueFilter>` that allows
+CSV row filtering based on time-of-day.
+
+### 6.72.09
+
+Updated `countsonly` option of `gam <UserTypeEntity> print|show notes` to additionally display the total number of notes.
+
+### 6.72.08
+
+Added option `countsonly` to `gam <UserTypeEntity> print|show notes` that displays
+the number of notes a user owns and the number of notes a user can edit.
+
+### 6.72.07
+
+Updated commands that send emails to not downshift `'First Last<firstlast@domain.com>'` to `'first last<firstlast@domain.com>'`.
+
+### 6.72.06
+
+Updated the following commands to properly handle emailaddress lists containing addresses of the form: `'First Last<firstlast@domain.com>'`.
+```
+gam <UserTypeEntity> sendemail recipient|to <RecipientEntity> [cc <RecipientEntity>] [bcc <RecipientEntity>] [singlemessage]
+gam create|update user ... notify <EmailAddressList>
+```
+
+### 6.72.05
+
+Cleaned up code for all commands that display Chat objects.
+
+### 6.72.04
+
+Added commands to display Chat events.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Chat#display-chat-events
+
+### 6.72.03
+
+Fixed bug in `gam <UserTypeEntity> create chatspace` that caused a trap.
+
+### 6.72.02
+
+Updated `gam delete admin <RoleAssignmentId>` to handle the following error that
+occurs when `<RoleAssignmentId>` references a user that has been deleted.
+```
+ERROR: 404: resourceNotFound - Does not exist
+```
+
+### 6.72.01
+
+Improved commands to display drive file comments.
+
+### 6.72.00
+
+Added commands to display drive file comments.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Drive-Comments
+
+### 6.71.18
+
+Updated `<CrOSFieldName>` to include `cpuinfo` and `backlightinfo`.
+
+### 6.71.17
+
+Added `depth` column to output of `gam <UserTypeEntity> print diskusage <DriveFileEntity>` that can
+be used to filter the depth of the folders displayed. Depth `-1` is the top level folder, depth `0`
+are its immediate children, depth `2` are the children of depth `1` and so forth.
+```
+gam config csv_output_row_filter "depth:count<1" user organizer@domain.com  print diskusage teamdriveid <TeamDriveID>
+```
+
+### 6.71.16
+
+Updated `gam <UserTypeEntity> create|update sendas <EmailAddress> ... replyto <EmailAddress>`
+to allow uppercase letters in `sendas <EmailAddress>` and `replyto <EmailAddress>`.
+
+### 6.71.15
+
+Updated `gam create project` to handle the following error:
+```
+ERROR: 403: permissionDenied - Authentication error: 7; Error Details: User not allowed to access GCP services.
+```
+This error occurs when the Google Workspace admin or GCP project manager email address used in the command
+is in an OU where Google Cloud Platform is not enabled in Apps/Additional Google services.
+
+### 6.71.14
+
+Added a command to update a Gmail label's settings by specifying it's ID rather than it's name.
+```
+gam <UserTypeEntity> update labelid <LabelID> [name <String>]
+        [messagelistvisibility hide|show] [labellistvisibility hide|show|showifunread]
+        [backgroundcolor <LabelColorHex>] [textcolor <LabelColorHex>]
+```
+
+### 6.71.13
+
+Updated `<UserMultiAttribute>.location.buildingid <String>` to allow non-validated building IDs
+by specifying `nv:` at the beginning of `<String>`; e.g., `nv:Building X' sets the building ID to `Building X`.
+
+### 6.71.12
+
+Added option `showmimetype category <MimeTypeNameList>` to `gam <UserTypeEntity> print|show filecounts|filelist|filetree`
+```
+<MimeTypeName> ::= application|audio|font|image|message|model|multipart|text|video
+<MimeTypeNameList> ::= "<MimeTypeName>(,<MimeTypeName>)*"
+
+gam user user@domain.com print filelist fields id,name,mimetype showmimetype prefixes audio,video
+```
+
+### 6.71.11
+
+Added option `addcsvdata <FieldName> <String>` to `gam print cros` that adds
+additional columns of data to the CSV file output. Typically, you would read CSV file of device IDs/serial numbers
+to generate a CSV file of results and copy data from the input CSV to the outout CSV.
+
+### 6.71.10
+
+Reverted change made in 6.71.09 to `gam <UserTypeEntity> print filelist` when `showmimetype` and `filepath|fullpath`
+were both specified. The change improved the performance when `showmimetype` selected a small number of files;
+the information for just those files was downloaded and then additional API calls were made to construct the file paths.
+However, if a large number of files were selected, the additional APIs calls decreased performance.
+
+Added option `mimetypeinquery` can be used when you expect the query to return a small number of files
+relative to the total number of files.
+
+### 6.71.09
+
+Improved the performance of `gam <UserTypeEntity> print filelist` when `showmimetype` and `filepath|fullpath`
+are both specified.
+
+### 6.71.08
+
+Added option `oneitemperrow` to 'gam print admins|adminroles` to have each of a
+roles privileges displayed on a separate row with all of the other admin/role fields.
+This produces a CSV file that can be used in subsequent commands without further script processing.
+
+### 6.71.07
+
+Added command to upload changes to Google Docs.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Drive-Files-Manage#upload-changes-to-google-documents
+
+### 6.71.06
+
+Added additional error handling to Gmail Client Side Encryption commands.
+
+Added license product Education Endpoint Management
+* ProductID - 101049
+
+Added license SKU Endpoint Education Upgrade
+* ProductID - 101049
+* SKUID - 1010490001 | eeu
+
+### 6.71.05
+
+Fixed a bug introduced in 6.71.00 that caused a trap in `gam <UserTypeEntity> print filelist`.
+
+Added option `tdfrom <EmailAddress>` to  `<ToDriveAttribute>` that causes GAM to use `<EmailAddress>` as the from address
+in all emails sent. By default, the from address is the Google Workspace Admin in `gam oauth info`.
+
+### 6.71.04
+
+Updated `gam <UserTypeEntity> create|update cseidentity` to accept either of the following key pair options:
+* `primarykeypairid <KeyPairID>` - The configuration of a CSE identity that uses the same key pair for signing and encryption.
+* `signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>` - The configuration of a CSE identity that uses different key pairs for signing and encryption.
+
+Updated CSV output row sorting to avoid a trap that occurred when a row was missing one of the sort fields.
+
+### 6.71.03
+
+Added option `tdalert <EmailAddress>` to `<ToDriveAttribute>`. When a todrive file is created or updated,
+GAM will send notification emails to all `tdalert <EmailAddress>` users if `tdnotify` is true.
+`<EmailAddress>` must be valid within your Google Workspace.
+
+### 6.71.02
+
+Added additional error handling to Gmail Client Side Encryption commands.
+
+### 6.71.01
+
+Fixed bug in `gam audit monitor create` that caused a trap.
+
+### 6.71.00
+
+Added `csv_output_sort_headers` string list variable to `gam.cfg` that causes GAM to sort CSV output
+rows by the column headers specified in the variable. The column headers are case insensitive and
+if column header does not appear in the CSV output, it is ignored.
+
+Added `sortheaders <StringList>` to `redirect csv <FileName>` that has the same effect as above.
+
+The sort keys specified in `redirect csv ... sortheaders <StringList>` take precedence over the values from `gam.cfg`.
+
+Added option `tdsubject <String>` to  `<ToDriveAttribute>` that causes GAM to use `<String>` as the subject
+in all emails sent. In `<String>`, `#file#` will, be replaced by the file title and `#sheet#` will be replaced
+by the sheet/tab title. By default, the subject is the file title.
+
+### 6.70.09
+
+Added additional error handling to Gmail Client Side Encryption commands.
+
+Added options `showpem` and `showkaclsdata` to all Gmail CSE commands that process/display
+CSE key pairs. By default, the `pem` and `kaclsdata` fields will not be displayed unless
+the corresponding `show` option is specified.
+
+### 6.70.08
+
+Fixed bug in `gam <UserTypeEntity> create cseidentity <KeyPairID>` that caused an error.
+
+### 6.70.07
+
+Updated user instructions in `gam oauth create` and `gam <UserTypeEntity> update serviceaccount`
+and changed `s` from selecting all scopes to selecting default scopes.
+
+### 6.70.06
+
+Updated `gam info users <UserTypeEntity>` to not include group tree infornation unless option `grouptree` is specified.
+
+### 6.70.05
+
+Added commands to create|delete|display Drive Label permissions.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Drive-Labels
+
+### 6.70.04
+
+Added option `showvalidcolumn` to `gam print users` that can be used to identify whether
+users are defined in the domain. Typically, you would read CSV file of email addresses
+to verify as domain members.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users#verify-domain-membership
+
+Added option `addcsvdata <FieldName> <String>` to `gam print users` that adds
+additional columns of data to the CSV file output. Typically, you would read CSV file of email addresses
+to generate a CSV file of results and copy data from the input CSV to the outout CSV.
+
+### 6.70.03
+
+Renamed license product DuetAI to Gemini
+* ProductID - 101047
+
+Renamed license SKU DuetAI for Google Workspace to Gemini Enterprise
+* ProductID - 101047
+* SKUID - 1010470001 | geminient | duetai 
+
+Added support for license SKU Gemini Business
+* ProductID - 101047
+* SKUID - 1010470003 | geminibiz
+
+### 6.70.02
+
+In 6.69.00, GAM starting using course owner access when using `copyfrom` in `gam create|update course`
+regardless of the value of `gam.cfg/use_course_owner_access`. This prevents copying from courses
+with a deleted user. GAM now uses the value of `gam.cfg/use_course_owner_access` when `copyfrom` is used.o
+
 ### 6.70.01
 
 Added `gmail_cse_incert_dir` and `gmail_cse_inkey_dir` path variables to `gam.cfg` that provide
@@ -25,10 +476,10 @@ This is an initial, minimally tested release; proceed with care and report all i
 
 ### 6.69.00
 
-Added `use_classroom_owner_access` Boolean variable to `gam.cfg` that controls how GAM gets
-classroom member information and removes students/teachers. Client access does not provide
+Added `use_course_owner_access` Boolean variable to `gam.cfg` that controls how GAM gets
+classroom member information and removes students/teachers. Client/admin access does not provide
 complete information about non-domain students/teachers.
-* `False` - Use client access; this is the default. Use if you don't have non-domain members in your courses.
+* `False` - Use client/admin access; this is the default. Use if you don't have non-domain members in your courses.
 * `True` - Use service account access as the classroom owner. An extra API call is required per course to authenticate the owner; this will affect performance
 
 Added the following command which must be used to delete classroom invitations for non-domain students/teachers.

docs/Groups-Membership.md

@@ -1,5 +1,6 @@
  Groups - Membership
 - [API documentation](#api-documentation)
+- [Query documentation](#query-documentation)
 - [Python Regular Expressions](Python-Regular-Expressions) Match function
 - [Definitions](#definitions)
 - [Collections of Users](#collections-of-users)
@@ -18,6 +19,10 @@
 ## API documentation
 * https://developers.google.com/admin-sdk/directory/v1/reference/members
 
+## Query documentation
+* https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
+* https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery
+
 ## Definitions
 See [Collections of Items](Collections-of-Items)
 ```

docs/Groups.md

@@ -25,7 +25,7 @@
 * https://cloud.google.com/identity/docs/reference/rest/v1/groups
 
 ## Name guidelines
-* https://support.google.com/a/answer/9193374?hl=en
+* https://support.google.com/a/answer/9193374
 
 ## Query documentation
 * https://developers.google.com/admin-sdk/directory/v1/guides/search-groups

docs/How-to-Install-Advanced-Gam.md

@@ -264,9 +264,6 @@ writes the credentials into the file oauth2.txt.
 ```
 admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
 [*]  2)  Chrome Management API - AppDetails read only
@@ -274,7 +271,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -284,7 +281,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -314,15 +311,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
@@ -709,9 +713,6 @@ writes the credentials into the file oauth2.txt.
 ```
 C:\GAMADV-XTD3>gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
 [*]  2)  Chrome Management API - AppDetails read only
@@ -719,7 +720,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -729,7 +730,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -759,15 +760,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com

docs/How-to-Update-Advanced-Gam.md

@@ -99,9 +99,6 @@ writes the credentials into the file oauth2.txt.
 ```
 admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
 [*]  2)  Chrome Management API - AppDetails read only
@@ -109,7 +106,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -119,7 +116,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -149,15 +146,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
@@ -382,9 +386,6 @@ writes the credentials into the file oauth2.txt.
 ```
 C:\GAMADV-XTD3>gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
 [*]  2)  Chrome Management API - AppDetails read only
@@ -392,7 +393,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -402,7 +403,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -432,15 +433,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com

docs/How-to-Upgrade-from-Standard-GAM.md

@@ -213,6 +213,7 @@ Section: DEFAULT
   todrive_timezone = ''
   todrive_upload_nodata = true
   todrive_user = ''
+  truncate_client_id = false
   update_cros_ou_with_id = false
   use_projectid_as_name = false
   user_max_results = 500
@@ -334,18 +335,15 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin/bin/gamadv-xtd3$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAMADV-XTD3 6.70.00 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.76.09 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
-MacOS Sonoma 14.2.1 x86_64
+Python 3.12.3 64-bit final
+MacOS Sonoma 14.4.1 x86_64
 Path: /Users/admin/bin/gamadv-xtd3
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 
 admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
 [*]  2)  Chrome Management API - AppDetails read only
@@ -353,7 +351,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -363,7 +361,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -393,15 +391,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
@@ -657,6 +662,7 @@ Section: DEFAULT
   todrive_timezone = ''
   todrive_upload_nodata = true
   todrive_user = ''
+  truncate_client_id = false
   update_cros_ou_with_id = false
   use_projectid_as_name = false
   user_max_results = 500
@@ -859,6 +865,7 @@ Section: DEFAULT
   todrive_timezone = ''
   todrive_upload_nodata = true
   todrive_user = ''
+  truncate_client_id = false
   update_cros_ou_with_id = false
   use_projectid_as_name = false
   user_max_results = 500
@@ -1002,18 +1009,15 @@ writes the credentials into the file oauth2.txt.
 C:\GAMADV-XTD3>del C:\GAMConfig\oauth2.txt
 C:\GAMADV-XTD3>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAMADV-XTD3 6.70.00 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.76.09 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
+Python 3.12.3 64-bit final
 Windows-10-10.0.17134 AMD64
 Path: C:\GAMADV-XTD3
 Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 
 C:\GAMADV-XTD3>gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
 [*]  2)  Chrome Management API - AppDetails read only
@@ -1021,7 +1025,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -1031,7 +1035,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -1061,15 +1065,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
@@ -1327,6 +1338,7 @@ Section: DEFAULT
   todrive_timezone = ''
   todrive_upload_nodata = true
   todrive_user = ''
+  truncate_client_id = false
   update_cros_ou_with_id = false
   use_projectid_as_name = false
   user_max_results = 500

docs/Install-GAM-as-Python-Library.md

@@ -9,7 +9,7 @@ Scroll down to Install Git
 
 You can install GAM as a Python library with pip.
 ```
-pip install git+https://github.com/taers232c/GAMADV-XTD3.git#subdirectory=src --use-pep517
+pip install git+https://github.com/taers232c/GAMADV-XTD3.git#subdirectory=src
 ```
 
 Or as a PEP 508 Requirement Specifier, e.g. in requirements.txt file:
@@ -29,7 +29,7 @@ dependencies = [
 
 Target a specific revision or tag:
 ```
-advanced-gam-for-google-workspace @ git+https://github.com/taers232c/GAMADV-XTD3.git@v6.58.00#subdirectory=src
+advanced-gam-for-google-workspace @ git+https://github.com/taers232c/GAMADV-XTD3.git@v6.76.01#subdirectory=src
 ```
 
 ## Using the library

docs/Licenses.md

@@ -20,11 +20,12 @@
 |--------------|------------|
 | AppSheet | 101038 |
 | Assured Controls | 101039 |
-| Beyond Corp Enterprise | 101040 |
+| Chrome Enterprise | 101040 |
 | Cloud Identity Free | 101001 |
 | Cloud Identity Premium | 101005 |
 | Cloud Search | 101035 |
-| Duet AI | 101047 |
+| Education Endpoint Management | 101049 |
+| Gemini | 101047 |
 | Google Chrome Device Management | Google-Chrome-Device-Management |
 | Google Drive Storage | Google-Drive-storage |
 | Google Meet Global Dialing | 101036 |
@@ -42,15 +43,17 @@
 | AppSheet Enterprise Standard | 1010380002 | appsheetstandard |
 | AppSheet Enterprise Plus | 1010380003 | appsheetplus |
 | Assured Controls | 1010390001 | assuredcontrols |
-| Beyond Corp Enterprise | 1010400001 | bce |
+| Chrome Enterprise Premium | 1010400001 | cep | chromeenterprisepremium |
 | Cloud Identity Free | 1010010001 | cloudidentity |
 | Cloud Identity Premium | 1010050001 | cloudidentitypremium |
 | Cloud Search | 1010350001 | cloudsearch |
-| Duet AI | 1010470001 | duetai |
+| Endpoint Education Upgrade | 1010490001 | eeu |
 | G Suite Basic | Google-Apps-For-Business | gsuitebasic |
 | G Suite Business | Google-Apps-Unlimited | gsuitebusiness |
 | G Suite Legacy | Google-Apps | standard |
 | G Suite Lite | Google-Apps-Lite | gsuitelite |
+| Gemini Business | 1010470003 | geminibiz
+| Gemini Enterprise | 1010470001 | geminient | duetai |
 | Google Apps Message Security | Google-Apps-For-Postini | postini |
 | Google Chrome Device Management | Google-Chrome-Device-Management | cdm |
 | Google Drive Storage 16TB | Google-Drive-storage-16TB | 16tb |
@@ -115,6 +118,7 @@
         101040 |
         101043 |
         101047 |
+        101049 |
         Google-Apps |
         Google-Chrome-Device-Management |
         Google-Drive-storage |
@@ -132,52 +136,58 @@
         4tb | drive4tb | googledrivestorage4tb | Google-Drive-storage-4TB |
         8tb | drive8tb | googledrivestorage8tb | Google-Drive-storage-8TB |
         16tb | drive16tb | googledrivestorage16tb | Google-Drive-storage-16TB |
-        appsheetcore | 1010380001 |
-        appsheetstandard | appsheetenterprisestandard | 1010380002 |
-        appsheetplus | appsheetenterpriseplus | 1010380003 |
-        assuredcontrols | 1010390001 |
-        bce | beyondcorp | beyondcorpenterprise | 1010400001 |
+        appsheetcore | 1010380001 | AppSheet Core |
+        appsheetstandard | appsheetenterprisestandard | 1010380002 | AppSheet Enterprise Standard |
+        appsheetplus | appsheetenterpriseplus | 1010380003 | AppSheet Enterprise Plus |
+        assuredcontrols | 1010390001 | Assured Controls |
+        bce | beyondcorp | beyondcorpenterprise | cep | chromeenterprisepremium | 1010400001 | Chrome Enterprise Premium |
         cdm | chrome | googlechromedevicemanagement | Google-Chrome-Device-Management |
-        cloudidentity | identity | 1010010001 |
-        cloudidentitypremium | identitypremium | 1010050001 |
-        cloudsearch | 1010350001 |
-        duetai | 1010470001 |
+        cloudidentity | identity | 1010010001 | Cloud Identity |
+        cloudidentitypremium | identitypremium | 1010050001 | Cloud Identity Premium |
+        cloudsearch | 1010350001 | Cloud Search |
+        eeu | 1010490001 | SKU Endpoint Education Upgrade |
+        geminibiz | 1010470003 | Gemini Business |
+        geminient| duetai | 1010470001 | Gemini Enterprise |
         gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
         gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
-        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 |
-        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 |
-        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 |
-        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 |
+        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 | Google Workspace Business - Archived User |
+        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 | Google Workspace Enterprise Plus - Archived User |
+        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 | Google Workspace for Education Plus - Legacy |
+        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 | Google Workspace for Education Plus - Legacy (Student) |
         gsuitegov | gafg | gsuitegovernment | Google-Apps-For-Government |
         gsuitelite | gal | gsl | lite | Google-Apps-Lite |
-        gwep | workspaceeducationplus | 1010310008 |
-        gwepstaff | workspaceeducationplusstaff | 1010310009 |
-        gwepstudent | workspaceeducationplusstudent | 1010310010 |
-        gwes | workspaceeducationstandard | 1010310005 |
-        gwesstaff | workspaceeducationstandardstaff | 1010310006 |
-        gwesstudent | workspaceeducationstandardstudent | 1010310007 |
-        gwetlu | workspaceeducationupgrade | 1010370001 |
-        gwlabs | workspacelabs | 1010470002
-        meetdialing | googlemeetglobaldialing | 1010360001 |
+        gwep | workspaceeducationplus | 1010310008 | Google Workspace for Education Plus |
+        gwepstaff | workspaceeducationplusstaff | 1010310009 | Google Workspace for Education Plus (Staff) |
+        gwepstudent | workspaceeducationplusstudent | 1010310010 | Google Workspace for Education Plus (Extra Student)|
+        gwes | workspaceeducationstandard | 1010310005 | Google Workspace for Education Standard |
+        gwesstaff | workspaceeducationstandardstaff | 1010310006 | Google Workspace for Education Standard (Staff) |
+        gwesstudent | workspaceeducationstandardstudent | 1010310007 | Google Workspace for Education Standard (Extra Student)
+        gwetlu | workspaceeducationupgrade | 1010370001 | Google Workspace for Education: Teaching and Learning Upgrade |
+        gwlabs | workspacelabs | 1010470002 | Google Workspace Labs |
+        meetdialing | googlemeetglobaldialing | 1010360001 |  Google Meet Global Dialing |
         postini | gams | gsuitegams | gsuitepostini | gsuitemessagesecurity | Google-Apps-For-Postini |
         standard | free | Google-Apps |
         vault | googlevault | Google-Vault |
         vfe | googlevaultformeremployee | Google-Vault-Former-Employee |
-        voicepremier | gvpremier | googlevoicepremier | 1010330002 |
-        voicestandard | gvstandard | googlevoicestandard | 1010330004 |
-        voicestarter | gvstarter | googlevoicestarter | 1010330003 |
-        wsas | plusstorage | 1010430001 |
-        wsbizplus | workspacebusinessplus | 1010020025 |
-        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 |
-        wsbizstan | workspacebusinessstandard | 1010020028 |
-        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 |
-        wsentess | workspaceenterpriseessentials | 1010060003 |
-        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 |
-        wsentstan | workspaceenterprisestandard | 1010020026 |
-        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 |
-        wsentstarter | workspaceenterprisestarter | 1010020029 | wes |
-        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 |
-        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030
+        voicepremier | gvpremier | googlevoicepremier | 1010330002 | Google Voice Premier 
+        voicestandard | gvstandard | googlevoicestandard | 1010330004 | Google Voice Standard |
+        voicestarter | gvstarter | googlevoicestarter | 1010330003 | Google Voice Starter |
+        wsas | plusstorage | 1010430001 | Google Workspace Additional Storage |
+        wsbizplus | workspacebusinessplus | 1010020025 | Google Workspace Business Plus |
+        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 | Google Workspace Business Plus - Archived User |
+        wsbizstan | workspacebusinessstandard | 1010020028 | Google Workspace Business Standard }
+        wsbizstanarchived | workspacebusinessstandardarchived | 1010340006 | Google Workspace Business Standard - Archived User |
+        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 | Google Workspace Business Starter |
+        wsbizstarterarchived | workspacebusinessstarterarchived | 1010340005 | Google Workspace Business Starter - Archived User |
+        wsentess | workspaceenterpriseessentials | 1010060003 | Google Workspace Enterprise Essentials |
+        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 | Google Workspace Enterprise Plus |
+        wsentstan | workspaceenterprisestandard | 1010020026 | Google Workspace Enterprise Standard |
+        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 | Google Workspace Enterprise Standard - Archived User |
+        wsentstarter | workspaceenterprisestarter | wes | 1010020029 | Workspace Enterprise Starter |
+        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 | Google Workspace Essentials |
+        wsessplus | workspaceessentialsplus | 1010060005 | Google Workspace Essentials Plus |
+        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030 | Google Workspace Frontline Starter |
+        wsflwstan | workspacefrontlinestan | workspacefrontlineworkerstan | 1010020031 | Google Workspace Frontline Standard
 <SKUIDList> ::= "<SKUID>(,<SKUID>)*"
 ```
 ## Notes

docs/List-Items.md

@@ -43,6 +43,7 @@
 <DriveFolderNameList> ::= "<DriveFolderName>(,<DriveFolderName>)*"
 <DriveLabelIDList> ::= "<DriveLabelID>(,<DriveLabelID>)*"
 <DriveLabelNameList> ::= "<DriveLabelName>(,<DriveLabelName>)*"
+<DriveLabelPermissionNameList> ::= "<DriveLabelPermissionName>(,<DriveLabelPermissionName>)*"
 <DriveLabelFieldIDList> ::= "<DriveLabelFieldID>(,<DriveLabelFieldID>)*"
 <DriveLabelSelectionIDList> ::= "<DriveLabelSelectionID>(,<DriveLabelSelectionID>)*"
 <EmailAddressList> ::= "<EmailAddress>(,<EmailAddress>)*"
@@ -68,6 +69,7 @@
 <MatterStateList> ::= "<MatterState>(,<MatterState>)*"
 <MessageIDList> ::= "<MessageID>(,<MessageID>)*"
 <MimeTypeList> ::= "<MimeType>(,<MimeType>)*"
+<MimeTypeNameList> ::= "<MimeTypeName>(,<MimeTypeName>)*"
 <NamespaceList> ::= "<Namespace>(,<Namespace>)*"
 <NotesNameList> ::= "<NotesName>(,<NotesName>)*"
 <OrgUnitList> ::= "<OrgUnitItem>(,<OrgUnitItem>)*"
@@ -83,7 +85,7 @@
 <QueryMobileList> ::= "<QueryMobile>(,<QueryMobile>)*"
 <QueryUserList> ::= "<QueryUser>(,<QueryUser>)*"
 <ResourceIDList> ::= "<ResourceID>(,<ResourceID>)*"
-<SchemaNameList> ::= "<SchemaName>(,<SchemaName>)*"
+<SchemaNameList> ::= "<SchemaName>|<SchemaFieldName>(,<SchemaName>|<SchemaFieldName>)*"
 <SerialNumberList> ::= "<SerialNumber>(,<SerialNumber>)*"
 <ServiceAccountKeyList> ::= "<ServiceAccountKey>(,<ServiceAccountKey>)*"
 <SiteACLScopeList> ::= "<SiteACLScope>(,<SiteACLScope>)*"

docs/Meta-Commands-and-File-Redirection.md

@@ -56,6 +56,7 @@ The only `<VariableNames>` recognized in this `<Section>` are:
 * `csv_output_row_drop_filter`
 * `csv_output_row_drop_filter_mode`
 * `csv_output_row_limit`
+* `csv_output_sort_headers`
 
 ### Select input filter section
 Select an input filter section from gam.cfg and process a GAM command using values from that section.
@@ -113,7 +114,7 @@ You can redirect stdout and stderr to null and stderr can be redirected to stdou
 <Redirect> ::=
         redirect csv <FileName> [multiprocess] [append] [noheader] [charset <Charset>]
                      [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
-                     [timestampcolumn <String>]
+                     [sortheaders <StringList>] [timestampcolumn <String>]
                      [todrive <ToDriveAttribute>*] |
         redirect stdout <FileName> [multiprocess] [append] |
         redirect stdout null [multiprocess] |
@@ -151,6 +152,9 @@ The `quotechar <Character>` subargument sets the character used to quote fields
 that contaim special charactere; the default value is the value of `csv_output_quote_char` in `gam.cfg`
 which defaults to double quote.
 
+The `sortheaders <StringList>` argument causes GAM to sort CSV output rows by the column headers specified in `<StringList>`.
+The column headers are case insensitive and if column header does not appear in the CSV output, it is ignored.
+
 The `timestampcolumn <String>` adds a column named `<String>` to the CSV file; the value is the
 timestamp of when the GAM command started.
 

docs/Organizational-Units.md

@@ -192,6 +192,7 @@ By default, all users of the org units are displayed:
 * `nousers` - Don't display users of the org units
 * `notsuspended` - Display non-suspended users of the org units
 * `suspended` - Display suspended users of the org units
+* `children|child` - Display users in any child org unit
 
 ## Print organizational units
 This command displays information in CSV format.

docs/Other-Resources.md

@@ -4,13 +4,15 @@ The following are links to contributions of others in support of GAMADV-XTD3.
 
 Thank you.
 
-* Gabriel Clifton - https://docs.google.com/document/d/1p32QOBTr89GaG7RfCafSbFuhlUQ9r3qBM_666E0xvQM/edit
-* Steve Larsen - https://docs.google.com/spreadsheets/d/1MzzA-u-cmoQcJnQOovCnZcEKMjvOyFhfkdFdf10X_GI/edit
-* Kevin Melillo -  https://github.com/KevinMelilloIEEE/gam-script
-* James Seymour - https://sites.google.com/jis.edu.bn/gam-commands/home
 * Amado Tejada - https://github.com/amadotejada/GAMpass
-* Workspace Admins YouTube Channel - https://youtube.com/@googleworkspaceadmins
+* Brecht Sannen - https://gcloud.devoteam.com/blog/what-is-google-apps-manager-gam/
+* Gabriel Clifton - https://docs.google.com/document/d/1p32QOBTr89GaG7RfCafSbFuhlUQ9r3qBM_666E0xvQM/edit
 * Goldy Arora - https://www.goldyarora.com/license-notifier/
-* Paul Ogier (Taming.Tech) - GAMADV-XTD3 Tutorials https://www.youtube.com/watch?v=g9LDeyXQNLI&list=PL_dLiK09pJVhKJxZHNk9CHK0q5hkZ856w
+* Iain Macleod - https://docs.google.com/document/d/1QxWAPdhROcx70OXLpSD9Trh3vs-nJKSMiaMZCTwOOTg/edit?pli=1#heading=h.2a2azzpy36k0
+* James Seymour - https://sites.google.com/jis.edu.bn/gam-commands/home
+* Kevin Melillo -  https://github.com/KevinMelilloIEEE/gam-script
 * Paul Ogier (Taming.Tech) - GAMADV-XTD3 Course on Udemy https://taming.tech/GAMCourse
-* Paul Ogier (Taming.Tech) - https://taming.tech/taming-gam-a-practical-guide-to-gam-and-gamadv-xtd3/
+* Paul Ogier (Taming.Tech) - GAMADV-XTD3 Tutorials https://www.youtube.com/watch?v=g9LDeyXQNLI&list=PL_dLiK09pJVhKJxZHNk9CHK0q5hkZ856w
+* Paul Ogier (Taming.Tech) - https://taming.tech/taming-gam-a-practical-guide-to-gam-and-gamadv-xtd3/
+* Steve Larsen - https://docs.google.com/spreadsheets/d/1MzzA-u-cmoQcJnQOovCnZcEKMjvOyFhfkdFdf10X_GI/edit
+* Workspace Admins YouTube Channel - https://youtube.com/@googleworkspaceadmins

docs/Reports.md

@@ -143,7 +143,8 @@ Get Shared Drives ID and Name
 ```
 gam redirect csv ./SharedDrives.csv print shareddrives fields id,name
 ```
-Options:
+
+Options for the `gam report drive` commands below:
 * `maxactivities 1` - Limits the number of activities displayed for Shared Drives with activity.
 * `shownoactivities` - Displays a row for Shared Drives with no activity.
 * `addcsvdata shared_drive_id "~id"` adds the Shared Drive ID to the output.

docs/Reseller.md

@@ -59,46 +59,58 @@ Thanks to Duncan Isaksen-Loxton for a script to help manage multiple domains.
         4tb | drive4tb | googledrivestorage4tb | Google-Drive-storage-4TB |
         8tb | drive8tb | googledrivestorage8tb | Google-Drive-storage-8TB |
         16tb | drive16tb | googledrivestorage16tb | Google-Drive-storage-16TB |
-        assuredcontrols | 1010390001 |
-        bce | beyondcorp | beyondcorpenterprise | 1010400001 |
+        appsheetcore | 1010380001 | AppSheet Core |
+        appsheetstandard | appsheetenterprisestandard | 1010380002 | AppSheet Enterprise Standard |
+        appsheetplus | appsheetenterpriseplus | 1010380003 | AppSheet Enterprise Plus |
+        assuredcontrols | 1010390001 | Assured Controls |
+        bce | beyondcorp | beyondcorpenterprise | 1010400001 | Beyond Corp Enterprise |
         cdm | chrome | googlechromedevicemanagement | Google-Chrome-Device-Management |
-        cloudidentity | identity | 1010010001 |
-        cloudidentitypremium | identitypremium | 1010050001 |
-        cloudsearch | 1010350001 |
+        cloudidentity | identity | 1010010001 | Cloud Identity |
+        cloudidentitypremium | identitypremium | 1010050001 | Cloud Identity Premium |
+        cloudsearch | 1010350001 | Cloud Search |
+        eeu | 1010490001 | SKU Endpoint Education Upgrade |
+        geminibiz | 1010470003 | Gemini Business |
+        geminient| duetai | 1010470001 | Gemini Enterprise |
         gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
         gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
-        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 |
-        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 |
-        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 |
-        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 |
+        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 | Google Workspace Business - Archived User |
+        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 | Google Workspace Enterprise Plus - Archived User |
+        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 | Google Workspace for Education Plus - Legacy |
+        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 | Google Workspace for Education Plus - Legacy (Student) |
         gsuitegov | gafg | gsuitegovernment | Google-Apps-For-Government |
         gsuitelite | gal | gsl | lite | Google-Apps-Lite |
-        gwep | workspaceeducationplus | 1010310008 |
-        gwepstaff | workspaceeducationplusstaff | 1010310009 |
-        gwepstudent | workspaceeducationplusstudent | 1010310010 |
-        gwes | workspaceeducationstandard | 1010310005 |
-        gwesstaff | workspaceeducationstandardstaff | 1010310006 |
-        gwesstudent | workspaceeducationstandardstudent | 1010310007 |
-        gwetlu | workspaceeducationupgrade | 1010370001 |
-        meetdialing | googlemeetglobaldialing | 1010360001 |
+        gwep | workspaceeducationplus | 1010310008 | Google Workspace for Education Plus |
+        gwepstaff | workspaceeducationplusstaff | 1010310009 | Google Workspace for Education Plus (Staff) |
+        gwepstudent | workspaceeducationplusstudent | 1010310010 | Google Workspace for Education Plus (Extra Student)|
+        gwes | workspaceeducationstandard | 1010310005 | Google Workspace for Education Standard |
+        gwesstaff | workspaceeducationstandardstaff | 1010310006 | Google Workspace for Education Standard (Staff) |
+        gwesstudent | workspaceeducationstandardstudent | 1010310007 | Google Workspace for Education Standard (Extra Student)
+        gwetlu | workspaceeducationupgrade | 1010370001 | Google Workspace for Education: Teaching and Learning Upgrade |
+        gwlabs | workspacelabs | 1010470002 | Google Workspace Labs |
+        meetdialing | googlemeetglobaldialing | 1010360001 |  Google Meet Global Dialing |
         postini | gams | gsuitegams | gsuitepostini | gsuitemessagesecurity | Google-Apps-For-Postini |
         standard | free | Google-Apps |
         vault | googlevault | Google-Vault |
         vfe | googlevaultformeremployee | Google-Vault-Former-Employee |
-        voicepremier | gvpremier | googlevoicepremier | 1010330002 |
-        voicestandard | gvstandard | googlevoicestandard | 1010330004 |
-        voicestarter | gvstarter | googlevoicestarter | 1010330003 |
-        wsbizplus | workspacebusinessplus | 1010020025 |
-        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 |
-        wsbizstan | workspacebusinessstandard | 1010020028 |
-        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 |
-        wsentess | workspaceenterpriseessentials | 1010060003 |
-        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 |
-        wsentstan | workspaceenterprisestandard | 1010020026 |
-        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 |
-        wsentstarter | workspaceenterprisestarter | 1010020029 | wes |
-        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 |
-        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030
+        voicepremier | gvpremier | googlevoicepremier | 1010330002 | Google Voice Premier 
+        voicestandard | gvstandard | googlevoicestandard | 1010330004 | Google Voice Standard |
+        voicestarter | gvstarter | googlevoicestarter | 1010330003 | Google Voice Starter |
+        wsas | plusstorage | 1010430001 | Google Workspace Additional Storage |
+        wsbizplus | workspacebusinessplus | 1010020025 | Google Workspace Business Plus |
+        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 | Google Workspace Business Plus - Archived User |
+        wsbizstan | workspacebusinessstandard | 1010020028 | Google Workspace Business Standard }
+        wsbizstanarchived | workspacebusinessstandardarchived | 1010340006 | Google Workspace Business Standard - Archived User |
+        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 | Google Workspace Business Starter |
+        wsbizstarterarchived | workspacebusinessstarterarchived | 1010340005 | Google Workspace Business Starter - Archived User |
+        wsentess | workspaceenterpriseessentials | 1010060003 | Google Workspace Enterprise Essentials |
+        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 | Google Workspace Enterprise Plus |
+        wsentstan | workspaceenterprisestandard | 1010020026 | Google Workspace Enterprise Standard |
+        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 | Google Workspace Enterprise Standard - Archived User |
+        wsentstarter | workspaceenterprisestarter | wes | 1010020029 | Workspace Enterprise Starter |
+        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 | Google Workspace Essentials |
+        wsessplus | workspaceessentialsplus | 1010060005 | Google Workspace Essentials Plus |
+        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030 | Google Workspace Frontline Starter |
+        wsflwstan | workspacefrontlinestan | workspacefrontlineworkerstan | 1010020031 | Google Workspace Frontline Standard
 ```
 ## Manage Resold Customers
 ```

docs/Resources.md

@@ -1,6 +1,7 @@
 # Resources
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
+- [Region Codes](#region-codes)
 - [Special quoting](#special-quoting)
 - [Manage buildings](#manage-buildings)
 - [Display buildings](#display-buildings)
@@ -121,6 +122,252 @@ See [Collections of Items](Collections-of-Items)
         uservisibledescription
 <ResourceFieldNameList> ::= "<ResourceFieldName>(,<ResourceFieldName>)*"
 ```
+
+## Region Codes
+
+| Region | Code |
+|--------|------|
+| Afghanistan | AF |
+| Aland Islands | AX |
+| Albania | AL |
+| Algeria | DZ |
+| American Samoa | AS |
+| Andorra | AD |
+| Angola | AO |
+| Anguilla | AI |
+| Antarctica | AQ |
+| Antigua & Barbuda | AG |
+| Argentina | AR |
+| Armenia | AM |
+| Aruba | AW |
+| Ascension Island | AC |
+| Australia | AU |
+| Austria | AT |
+| Azerbaijan | AZ |
+| Bahamas | BS |
+| Bahrain | BH |
+| Bangladesh | BD |
+| Barbados | BB |
+| Belarus | BY |
+| Belgium | BE |
+| Belize | BZ |
+| Benin | BJ |
+| Bermuda | BM |
+| Bhutan | BT |
+| Bolivia | BO |
+| Bosnia & Herzegovina | BA |
+| Botswana | BW |
+| Bouvet Island | BV |
+| Brazil | BR |
+| British Indian Ocean Territory | IO |
+| British Virgin Islands | VG |
+| Brunei | BN |
+| Bulgaria | BG |
+| Burkina Faso | BF |
+| Burundi | BI |
+| Cambodia | KH |
+| Cameroon | CM |
+| Canada | CA |
+| Canary Islands | IC |
+| Cape Verde | CV |
+| Caribbean Netherlands | BQ |
+| Cayman Islands | KY |
+| Central African Republic | CF |
+| Ceuta & Melilla | EA |
+| Chad | TD |
+| Chile | CL |
+| China | CN |
+| Christmas Island | CX |
+| Clipperton Island | CP |
+| Cocos (Keeling) Islands | CC |
+| Columbia | CO |
+| Comoros | KM |
+| Congo - Brazzaville | CG |
+| Congo - Kinshasa | CD |
+| Cook Islands | CK |
+| Costa Rica | CR |
+| Cote d’Ivoire | CI |
+| Croatia | HR |
+| Cuba | CU |
+| Curacao | CW |
+| Cyprus | CY |
+| Czech Republic | CZ |
+| Falkland Islands | FK |
+| Faroe Islands | FO |
+| Fiji | FJ |
+| Finland | FI |
+| France | FR |
+| Gabon | GA |
+| Gambia | GM |
+| Georgia | GE |
+| Germany | DE |
+| Ghana | GH |
+| Gibraltar | GI |
+| Greece | GR |
+| Greenland | GL |
+| Grenada | GD |
+| Guadeloupe | GP |
+| Guam | GU |
+| Guatemala | GT |
+| Guernsey | GG |
+| Guinea | GN |
+| Guinea-Bissau | GW |
+| Guyana | GY |
+| Haiti | HT |
+| Heard & McDonald Islands | HM |
+| Honduras | HN |
+| Hong Kong SAR China | HK |
+| Hungary | HU |
+| Iceland | IS |
+| India | IN |
+| Indonesia | ID |
+| Iran | IR |
+| Iraq | IQ |
+| Ireland | IE |
+| Isle of Man | IM |
+| Israel | IL |
+| Italy | IT |
+| Jamaica | JM |
+| Japan | JP |
+| Jersey | JE |
+| Jordan | JO |
+| Kazakhstan | KZ |
+| Kenya | KE |
+| Kiribati | KI |
+| Kosovo | XK |
+| Kuwait | KW |
+| Kyrgyzstan | KG |
+| Laos | LA |
+| Latvia | LV |
+| Lebanon | LB |
+| Lesotho | LS |
+| Liberia | LR |
+| Libya | LY |
+| Liechtenstein | LI |
+| Lithuania | LT |
+| Luxembourg | LU |
+| Macau SAR China | MO |
+| Macedonia | MK |
+| Madagascar | MG |
+| Malawi | MW |
+| Malaysia | MY |
+| Maldives | MV |
+| Mali | ML |
+| Malta | MT |
+| Marshall Islands | MH |
+| Martinique | MQ |
+| Mauritania | MR |
+| Mauritius | MU |
+| Mayotte | YT |
+| Mexico | MX |
+| Micronesia | FM |
+| Moldova | MD |
+| Monaco | MC |
+| Mongolia | MN |
+| Montenegro | ME |
+| Montserrat | MS |
+| Morocco | MA |
+| Mozambique | MZ |
+| Myanmar | MM |
+| Namibia | NA |
+| Nauru | NR |
+| Nepal | NP |
+| Netherlands | NL |
+| New Caledonia | NC |
+| New Zealand | NZ |
+| Nicaragua | NI |
+| Niger | NE |
+| Nigeria | NG |
+| Niue | NU |
+| Norfolk Island | NF |
+| North Korea | KP |
+| Northern Mariana Islands | MP |
+| Norway | NO |
+| Oman | OM |
+| Pakistan | PK |
+| Palau | PW |
+| Palestinia Territories | PS |
+| Panama | PA |
+| Papua New Guinea | PG |
+| Paraguay | PY |
+| Peru | PE |
+| Philippines | PH |
+| Pitcairn Islands | PN |
+| Poland | PL |
+| Portugal | PT |
+| Puerto Rico | PR |
+| Qatar | QA |
+| Reunion | RE |
+| Romania | RO |
+| Russia | RU |
+| Rwanda | RW |
+| Samoa | WS |
+| San Marino | SM |
+| Sao Tomm & Principe | ST |
+| Saudi Arabia | SA |
+| Senegal | SN |
+| Serbia | RS |
+| Seychelles | SC |
+| Sierra Leone | SL |
+| Singapore | SG |
+| Sint Maarten | SX |
+| Slovakia | SK |
+| Slovenia | SI |
+| Solomon Islands | SB |
+| Somalia | SO |
+| South Africa | ZA |
+| South Georgia & South Sandwich Islands | GS |
+| South Korea | KR |
+| South Sudan | SS |
+| Spain | ES |
+| Sri Lanka | LK |
+| St. Barthelemy | BL |
+| St. Helena | SH |
+| St. Kitts & Nevis | KN |
+| St. Lucia | LC |
+| St. Martin | MF |
+| St. Pierre & Miquelon | PM |
+| St. Vincent & Grenadines | VC |
+| Sudan | SD |
+| Suriname | SR |
+| Svalbard & Jan Mayen | SJ |
+| Swaziland | SZ |
+| Sweden | SE |
+| Switzerland | CH |
+| Syria | SY |
+| Taiwan | TW |
+| Tajikistan | TJ |
+| Tanzania | TZ |
+| Thailand | TH |
+| Timor-Leste | TL |
+| Togo | TG |
+| Tokelau | TK |
+| Tonga | TO |
+| Trinidad & Tobago | TT |
+| Tristan da Cunha | TA |
+| Tunisia | TN |
+| Turkey | TR |
+| Turkmenistan | TM |
+| Turks & Caicos Islands | TC |
+| Tuvalu | TV |
+| U.S. Outlying Islands | UM |
+| U.S. Virgin Islands | VI |
+| Uganda | UG |
+| Ukraine | UA |
+| United Arab Emirates | AE |
+| United Kingdom | GB |
+| United States | US |
+| Unknown Region | ZZ |
+| Uraguay | UY |
+| Uzbekistan | UZ |
+| Vanuatu | VU |
+| Vatican City | VA |
+| Venezuela | VE |
+| Vietnam | VN |
+| Yemen | YE |
+| Zambia | ZM |
+| Zimbabwe | ZW |
+
 ## Special quoting
 When entering `<FeatureNameList>` with `<FeatureName>s`containing spaces, enclose the list in `"` and the names containing spaces in `'`.
 ```
@@ -133,10 +380,8 @@ When creating a building, at a minimum you must enter `address|addresslines` and
 
 * Enter a single-line address as `address "123 Main Street"`
 * Enter a multi-line address as `addresslines "123 Main Street\nAnytown, US"`
-
-For `country|regioncode` see: http://www.unicode.org/cldr/charts/30/supplemental/territory_information.html
 ```
-gam create|add building <BuildIngID> <Name> <BuildingAttribute>*
+gam create|add building <Name> <BuildingAttribute>*
 gam update building <BuildIngID> <BuildingAttribute>*
 gam delete building <BuildingID>
 ```

docs/Todrive.md

@@ -174,11 +174,15 @@ direct the uploaded file to a particular user and location and add a timestamp t
 ```
 <ToDriveAttribute> ::=
         (tdaddsheet [<Boolean>])|
+        (tdalert <EmailAddress>)*|
         (tdbackupsheet (id:<Number>)|<String>)|
+        (tdcellnumberformat text|number)|
+        (tdcellwrap clip|overflow|wrap)|
         (tdclearfilter [<Boolean>])|
         (tdcopysheet (id:<Number>)|<String>)|
         (tddescription <String>)|
         (tdfileid <DriveFileID>)|
+        (tdfrom <EmailAddress>)|
         (tdlocalcopy [<Boolean>])|
         (tdlocale <Locale>)|
         (tdnobrowser [<Boolean>])|
@@ -191,13 +195,12 @@ direct the uploaded file to a particular user and location and add a timestamp t
         (tdsheet (id:<Number>)|<String>)|
         (tdsheettimestamp [<Boolean>] [tdsheettimeformat <String>])
         (tdsheettitle <String>)|
-        ([tdsheetdaysoffset <Number>] [tdsheethoursoffset <Number])|
-        (tdtimestamp [<Boolean>] [tdtimeformat <String>])|
-        ([tddaysoffset <Number>] [tdhoursoffset <Number])|
+        (tdsubject <String>)|
+        ([tdsheetdaysoffset <Number>] [tdsheethoursoffset <Number>])|
+        (tdtimestamp [<Boolean>] [tdtimeformat <String>]
+            ([tddaysoffset <Number>] [tdhoursoffset <Number>])|
         (tdtimezone <TimeZone>)|
         (tdtitle <String>)|
-        (tdcellwrap clip|overflow|wrap)|
-        (tdcellnumberformat text|plain)|
         (tdupdatesheet [<Boolean>])|
         (tduploadnodata [<Boolean>])|
         (tduser <EmailAddress>)
@@ -227,6 +230,7 @@ If `tdfileid <DriveFileID>` is not specified, a new file is created.
 * `tdtimeformat` - Format of the timestamp added to the title of the uploaded file; if not specified, the `todrive_timeformat` value from gam.cfg is used, that value defaults to '' which selects an ISO format timestamp.
   * See: https://docs.python.org/3/library/datetime.html#strftime-strptime-behavior
 * `tddaysoffset` and `tdhoursoffset` - Values that subtract time from the timestamp, they default to 0. A possible use for these values is as documentation to reflect the end of the time period that the uploaded report covers.
+* `tdsubject <String>` - Use `<String>` as the subject in all emails sent. In `<String>`, `#file#` will, be replaced by the file title and `#sheet#` will be replaced by the sheet/tab title. By default, the subject is the file title.
 
 ## Spreadsheet settings
 * `tdlocale <Locale>` - The Spreadsheet settings Locale value.
@@ -235,9 +239,10 @@ If `tdfileid <DriveFileID>` is not specified, a new file is created.
 * `tdcellnumberformat text|number` - The Spreadsheet number format.
 
 ## Open browser and send email
-* `tdnobrowser` - If False, a browser is opened to view the file uploaded to Google Drive; if not specified, the `todrive_nobrowser` value from gam.cfg is used.
-* `tdnoemail` - If False, an email is sent to `tduser` informing them of name and URL of the uploaded file; if not specified, the `todrive_noemail` value from gam.cfg is used.
-* `tdnotify` - If True, an email is sent to all `tdshare <EmailAddress>` users informing them of name and URL of the uploaded/updated file.
+* `tdnobrowser` - If False, a browser is opened to view the file uploaded to Google Drive; if not specified, the `todrive_nobrowser` value from gam.cfg is used. If True, no browser is opened.
+* `tdnoemail` - If False, an email is sent to `tduser` informing them of name and URL of the uploaded file; if not specified, the `todrive_noemail` value from gam.cfg is used. If True, no email is sent to `tduser`.
+* `tdnotify` - If True, an email is sent to all `tdshare <EmailAddress>` and `tdalert <EmailAddress>` users informing them of name and URL of the uploaded/updated file. If False, no emails are sent.
+* `tdfrom <EmailAddress>` - Emails will be sent with `<EmailAddress>` as the from address. By default, the from address is the Google Workspace Admin in `gam oauth info`.
 
 ## Escape character
 * `tdnoescapechar <Boolean>` - Should `\` be ignored as an escape character; if not specified, the value of `todrive_no_escape_char` from `gam.cfg` will be used

docs/Users-Calendars-Access.md

@@ -37,6 +37,17 @@ Calendar ACL roles (as seen in Calendar GUI):
 <UniqueID> ::= id:<String>
 <UserItem> ::= <EmailAddress>|<UniqueID>|<String>
 
+<CalendarAttribute> ::=
+        (backgroundcolor <ColorValue>)|
+        (color <CalendarColorName>)|
+        (colorindex|colorid <CalendarColorIndex>)|
+        (foregroundcolor <ColorValue>)|
+        (hidden <Boolean>)|
+        (notification clear|(email <CalendarEmailNotificatonEventTypeList>))|
+        (reminder clear|(email|pop <Number>)|(<Number> email|pop))|
+        (selected <Boolean>)|
+        (summary <String>)
+
 <CalendarSettings> ::=
         (description <String>)|
         (location <String>)|
@@ -134,15 +145,15 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ## Transfer calendar ownership
 
 You can transfer ownership of calendars from one user to another; only non-primary calendars owned by the source user can be transferred.
-You can update calendar settings as part of the transfer. In description, location and summary, #email#, #user# and #username# will be replaced
-by the original owner's full email address or just the name portion; #timestamp# will be replaced by the current date and time.
 ```
-gam <UserTypeEntity> transfer calendars <UserItem> <UserCalendarEntity>
+gam <UserTypeEntity> transfer calendars|seccals <UserItem> [<UserCalendarEntity>]
         [keepuser | (retainrole <CalendarACLRole>)] [sendnotifications <Boolean>]
         [noretentionmessages]
         [<CalendarSettings>] [append description|location|summary] [noupdatemessages]
-gam <UserTypeEntity> transfer seccals <UserItem> [keepuser] [sendnotifications <Boolean>]
+        [deletefromoldowner] [addtonewowner <CalendarAttribute>*] [nolistmessages]
 ```
+If `<UserCalendarEntity>` is not specified, all of a user's owned secondary calendars will be transferrdd.
+
 By default, the users in `<UserTypeEntity>` retain no role in the transferred calendars.
 * `keepuser` - The users in `<UserTypeEntity>` retain their ownership.
 * `retainrole <CalendarACLRole>` - The users in `<UserTypeEntity>` retain the specified role.
@@ -150,11 +161,23 @@ By default, the users in `<UserTypeEntity>` retain no role in the transferred ca
 
 By default, when you add or update a calendar ACL, a notification is sent to the affected users; use `sendnotifications false` to suppress sending the notifications.
 
+You can update calendar settings as part of the transfer. In description, location and summary, #email#, #user# and #username# will be replaced
+by the original owner's full email address or just the name portion; #timestamp# will be replaced by the current date and time.
 * `<CalendarSettings>` - The value specified will replace the existing value.
 * `append description|location|summary` - The specified <CalendarSettings> value will be appended to the existing value.
 * `noupdatemessages` - Suppress the settings update messages.
 
+You can manipulate the old and new owner's calendar lists.
+* `deletefromoldowner` - Delete the calendar from the old owner's calendar list
+* `addtonewowner <CalendarAttribute>*` - Add the calendar to the new owner's calendar list; optionally specify attributes
+* `nolistmessages` - Suppress the calendar list add/delete messages.
+
 ### Example
+Transfer a secondary calendar from oldowner to newowner. Remove the calendar from the old owner's calendar list and add to the new owner's  calendar list.
+```
+gam user oldowner@domain.com transfer calendars newowner@domain.com c_aaa123zzz@group.calendar.google.com removefromoldowner addtonewowner
+```
+
 Transfer ownership of all non-primary calendars from oldowner to newowner; append a message to the calendar description noting the old owner and the time of transfer.
 ```
 gam user oldowner@domain.com transfer calendars newowner@domain.com minaccessrole owner description "(Transferred from #user# on #timestamp#)" append description

docs/Users-Calendars-Events.md

@@ -261,6 +261,9 @@
 
 <EventMatchProperty> ::=
         (matchfield attendees <EmailAddressEntity>)|
+        (matchfield attendeesonlydomainlist <DomainNameList>)|
+        (matchfield attendeesdomainlist <DomainNameList>)|
+        (matchfield attendeesnotdomainlist <DomainNameList>)|
         (matchfield attendeespattern <RegularExpression>)|
         (matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>)|
         (matchfield creatoremail <RegularExpression>)|
@@ -438,7 +441,15 @@ The Google Calendar API processes `<EventSelectProperty>*`; you may specify none
 
 GAM processes `<EventMatchProperty>*`; you may specify none or multiple properties.
 * `matchfield attendees <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
-* `matchfield attendeespattern <RegularExpression>` - Some attendee must match `<RegularExpression>`
+* `matchfield attendeesonlydomainlist <DomainNameList>` - All attendee's email addresses must be in a domain in `<DomainNameList>`
+  * For example, this lets you look for events with all attendees in your internal domains. You should include `resource.calendar.google.com`
+    in `<DomainNameList>` if the events use resources.
+* `matchfield attendeesdomainlist <DomainNameList>` - Some attendee's email address must be in a domain in `<DomainNameList>`
+  * For example, this lets you look for events with attendees in specific external domains
+* `matchfield attendeesnotdomainlist <DomainNameList>` - Some attendee's email address must be in a domain not in `<DomainNameList>`
+  * For example, this lets you look for events with attendees not in your internal domains. You should include `resource.calendar.google.com`
+    in `<DomainNameList>` if the events use resources.
+* `matchfield attendeespattern <RegularExpression>` - Some attendee's email address must match `<RegularExpression>`
 * `matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
 and must have the specified values.
     * `<AttendeeAttendance>` - Default is `required`
@@ -592,6 +603,13 @@ To empty the calendar trash a temporary calendar is created, the deleted events
 gam <UserTypeEntity> empty calendartrash <UserCalendarEntity>
 ```
 
+## Move calendar events to another calendar
+Generally you won't move all events from one calendar to another; typically, you'll move events created by the event creator
+using `matchfield creatoremail <RegularExpression>` in conjunction with other `<EventSelectProperty>` and `<EventMatchProperty>` options.
+```
+gam <UserTypeEntity> move events <UserCalendarEntity> [<EventEntity>] destination|to <CalendarItem> [<EventNotificationAttribute>]
+```
+
 ## Display calendar events
 ```
 gam <UserTypeEntity> info events <UserCalendarEntity> [<EventEntity>] [maxinstances <Number>]

docs/Users-Chat.md

@@ -9,11 +9,15 @@
 - [Display Chat Members](#display-chat-members)
 - [Manage Chat Messages](#manage-chat-messages)
 - [Display Chat Messages](#display-chat-messages)
+- [Display Chat Events](#display-chat-events)
 - [Bulk Operations](#bulk-operations)
 
 ## API documentation
-* https://developers.google.com/chat/concepts
-* https://developers.google.com/chat/reference/rest
+* https://developers.google.com/workspace/chat/overview
+* https://developers.google.com/workspace/chat/api/reference/rest
+* https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.members/list
+* https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.messages/list
+* https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.spaceEvents/list
 * https://support.google.com/chat/answer/7655820
 
 ## Introduction
@@ -63,6 +67,7 @@ Google requires that you have a Chat Bot configured in order to use the Chat API
          (gdoc <UserGoogleDoc>)|
          (gcsdoc <StorageBucketObjectName>))
 
+<ChatEvent> ::= spaces/<String>/spaceEvents/<String>
 <ChatMember> ::= spaces/<String>/members/<String>
 <ChatMemberList> ::= "<ChatMember>(,<ChatMember>)*"
 <ChatMessage> ::= spaces/<String>/messages/<String>
@@ -92,21 +97,21 @@ gam <UserTypeEntity> create chatspace
         [formatjson|returnidonly]
 ```
 For `type space`, the following apply:
-* `member <UserTypeEntity>` - Optional, can not specify more that 20 users
+* `members <UserTypeEntity>` - Optional, can not specify more that 20 users
 * `displayname <String>` - Required
 * `description <String>` - Optional
 * `guidelines <String>` - Optional
 * `history <Boolean>` - Optional
 
 For `type groupchat`, the following apply:
-* `member <UserTypeEntity>` - Required, must specify between 2 and 20 users
+* `members <UserTypeEntity>` - Required, must specify between 2 and 20 users
 * `displayname <String>` - Ignored
 * `description <String>` - Optional
 * `guidelines <String>` - Optional
 * `history <Boolean>` - Optional
 
 For `type directmessage`, the following apply:
-* `member <UserTypeEntity>` - Required, must specify 1 user
+* `members <UserTypeEntity>` - Required, must specify 1 user
 * `displayname <String>` - Ignored
 * `description <String>` - Ignored
 * `guidelines <String>` - Ignored
@@ -233,6 +238,20 @@ Delete members by specifying chatmember names.
 gam <UserTypeEntity> remove chatmember members <ChatMemberList>
 ```
 
+### Update members role
+Update members by specifying a chat space, user/group email addresses and role.
+```
+gam <UserTypeEntity> update chatmember <ChatSpace>
+        role member|manager
+        ((user <UserItem>)|(members <UserTypeEntity>))+
+```
+Update members by specifying chatmember names and role.
+```
+gam <UserTypeEntity> modify chatmember
+        role member|manager
+        members <ChatMemberList>
+```
+
 ## Display Chat Members
 ### Display information about a specific chat members
 ```
@@ -378,7 +397,6 @@ Display a specific Chat message.
 
 ```
 gam <UserTypeEntity> info chatmessage name <ChatMessage>
-        [filter <String>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -447,6 +465,69 @@ filter 'createTime > \"2012-04-21T11:30:00+00:00\" AND createTime < \"2013-01-01
 filter 'thread.name = spaces/AAAAAAAAAAA/threads/123'
 ```
 
+## Display Chat Events
+Display a specific Chat event.
+
+```
+gam <UserTypeEntity> info chatevent name <ChatEvent>
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### Example
+```
+gam user user@domain.com info chatevent name spaces/AAAAsUhqjkg/spaceEvents/MTcxMTY4ODM2NDE3OTQzOV81X3VwZGF0ZWQ
+```
+
+### Display information about all chat events in a chat space
+```
+gam <UserTypeEntity> show chatevents <ChatSpace>
+        filter <String>
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam <UserTypeEntity> print chatevents [todrive <ToDriveAttribute>*] <ChatSpace>
+        filter <String>
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+Use `filter <String>` to filter events by when they occurred and by the type of event.
+
+To filter events by the date they happened, specify the start_time and end_time with a timestamp in RFC-3339 format and double quotation marks.
+
+You must specify at least one event type (event_types) using the has : operator. To filter by multiple event types, use the OR operator.
+For a list of supported event types, see: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.spaceEvents#SpaceEvent.FIELDS.event_type
+
+For example, the following queries are valid on Linux/MacOS:
+```
+filter 'start_time="2024-03-15T11:30:00-04:00" AND event_types:"google.workspace.chat.message.v1.created"'
+filter 'start_time="2024-03-15T11:30:00+00:00" AND end_time="2024-03-3100:00:00+00:00"event_types:"google.workspace.chat.message.v1.created"'
+```
+
+For example, the following queries are valid on Windows Command Prompt:
+```
+filter "start_time=\"2024-03-15T11:30:00-04:00\" AND event_types:\"google.workspace.chat.message.v1.created\""
+filter "start_time=\"2024-03-15T11:30:00+00:00\" AND end_time=\"2024-03-3100:00:00+00:00\" AND event_types:\"google.workspace.chat.message.v1.created\""
+```
+
+For example, the following queries are valid on Windows PowerShell:
+```
+filter 'start_time=\"2024-03-15T11:30:00-04:00\" AND event_types:\"google.workspace.chat.message.v1.created\"'
+filter 'start_time=\"2024-03-15T11:30:00+00:00\" AND end_time=\"2024-03-3100:00:00+00:00\" AND event_types:\"google.workspace.chat.message.v1.created\"'
+```
+
 ## Bulk Operations
 ### Display information about all chat spaces for a collection of users
 ```

docs/Users-Drive-Activity-Settings.md

@@ -141,10 +141,16 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ```
 gam <UserTypeEntity> print drivesettings [todrive <ToDriveAttribute>*]
         [allfields|<DriveSettingsFieldName>*|(fields <DriveSettingsFieldNameList>)]
-        [delimiter <Character>]
+        [delimiter <Character>] [showusagebytes]
 gam <UserTypeEntity> show drivesettings
         [allfields|<DriveSettingsFieldName>*|(fields <DriveSettingsFieldNameList>)]
-        [delimiter <Character>]
+        [delimiter <Character>] [showusagebytes]
 ```
 If no fields are selected, these fields will be displayed:
     `name,appInstalled,largestChangeId,limit,maxUploadSize,permissionId,rootFolderId,usage,usageInDrive,usageInDriveTrash`
+
+By default, these fields are displayed in formatted form with units: ```usage,usageInDrive,usageInDriveTrash```.
+
+The option `showusagebytes` also displays the following fields in bytes ```usageBytes,usageInDriveBytes,usageInDriveTrashBytes```.
+
+This will be most useful with `print` as the rows can be sorted based on the `usagexxxBytes` columns.

docs/Users-Drive-Comments.md

@@ -0,0 +1,157 @@
+# Users - Drive - Comments
+- [API documentation](#api-documentation)
+- [Query documentation](Users-Drive-Query)
+- [Definitions](#definitions)
+- [Display file comments](#display-file-comments)
+
+## API documentation
+* https://developers.google.com/drive/api/v3/reference/comments
+
+## Definitions
+* [`<DriveFileEntity>`](Drive-File-Selection)
+* [`<UserTypeEntity>`](Collections-of-Users)
+
+```
+<DomainName> ::= <String>(.<String>)+
+<EmailAddress> ::= <String>@<DomainName>
+<UniqueID> ::= id:<String>
+<UserItem> ::= <EmailAddress>|<UniqueID>|<String>
+
+<CommentsAuthorSubfieldName> ::=
+        author.displayname|
+        author.emailaddress|
+        author.me|
+        author.permissionid|
+        author.photolink
+
+<CommentsRepliesSubfieldName> ::=
+        reply.action|
+        reply.author|
+        reply.author.<CommentsAuthorSubfieldName>|
+        reply.content|
+        reply.createddate|createdtime|
+        reply.deleted|
+        reply.htmlcontent|
+        reply.id|
+        reply.modifieddate|modifiedtime
+
+<CommentsFieldName> ::=
+        action|
+        author|
+        content|
+        <CommentsAuthorSubfieldName>|
+        <CommentsRepliesSubfieldName>|
+        createddate|createdtime|
+        deleted|
+        htmlcontent|
+        id|
+        modifieddate|modifiedtime|
+        quotedfilecontent|
+        reply|replies|
+        resolved
+<CommentsFieldNameList> ::= "<CommentsFieldName>(,<CommentsFieldName>)*"
+```
+
+## Display file comments
+### Display as an indented list of keys and values.
+```
+gam <UserTypeEntity> show filecomments <DriveFileEntity>
+        [showdeleted] [start <Date>|<Time>]
+        [fields <CommentsFieldNameList>] [showphotolinks]
+	[countsonly]
+        [formatjson]
+```
+By default, all non-deleted comments for a file are displayed; use these options to modify that behavior.
+* `showdeleted` - Display deleted comments
+* `start <Date>|<Time>` - Display comments modified on or after `<Date>|<Time>`
+
+By default, all comment and reply fields except author photolinks are displayed; use these options to modify that behavior.
+* `fields <CommentsFieldNameList>` - Select fields to display
+* `showphotolinks` - Display author photolinks
+* `countsonly` - Display just the number of comments and replies; no fields
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### Display as a CSV file.
+Each comment/reply pair is output on a separate CSV file row.
+```
+gam <UserTypeEntity> print filecomments <DriveFileEntity> [todrive <ToDriveAttribute>*]
+        [showdeleted] [start <Date>|<Time>] [countsonly]
+        [fields <CommentsFieldNameList>] [showphotolinks]
+        (addcsvdata <FieldName> <String>)*
+        [formatjson [quotechar <Character>]]
+```
+By default, all non-deleted comments for a file are displayed; use these options to modify that behavior.
+Files with no comments will not be displayed.
+* `showdeleted` - Display deleted comments
+* `start <Date>|<Time>` - Display comments modified on or after `<Date>|<Time>`
+
+By default, all comment and reply fields except author photolinks are displayed; use these options to modify that behavior.
+* `fields <CommentsFieldNameList>` - Select fields to display
+* `showphotolinks` - Display author photolinks
+* `countsonly` - Display just the number of comments and replies; no fields. Files with no comments will display zero counts.
+
+Add additional columns of data from the command line to the output:
+* `addcsvdata <FieldName> <String>`
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+### Example
+```
+# Get files that may have comments
+$ gam redirect csv ./CheckForComments.csv user testsimple@domain.com print filelist showmimetype gdoc,gpresentation,gsheet fields id,name,mimetype
+Getting all Drive Files/Folders that match query ('me' in owners and (mimeType = 'application/vnd.google-apps.presentation' or mimeType = 'application/vnd.google-apps.spreadsheet' or mimeType = 'application/vnd.google-apps.document')) for testsimple@domain.com
+Got 131 Drive Files/Folders that matched query ('me' in owners and (mimeType = 'application/vnd.google-apps.presentation' or mimeType = 'application/vnd.google-apps.spreadsheet' or mimeType = 'application/vnd.google-apps.document')) for testsimple@domain.com...
+
+# Display file comments
+$ gam redirect csv ./FilesWithComments.csv multiprocess csv CheckForComments.csv gam user "~Owner" print filecomments "~id" addcsvdata fileName "~name" addcsvdata mimeType "~mimeType" fields author.displayName,author.me,content,createdTime,deleted,modifiedTime,resolved,reply.author.displayName,reply.author.me,reply.content,reply.createdTime,reply.deleted,reply.modifiedTime
+2024-03-24T08:04:46.235-07:00,0/131,Using 10 processes...
+2024-03-24T08:04:58.122-07:00,0,Processing item 100/131
+2024-03-24T08:05:01.345-07:00,0,Processing item 131/131
+2024-03-24T08:07:11.731-07:00,0/131,Processing complete
+
+$ more FilesWithCommnts.csv
+User,fileId,fileName,mimeType,commentId,replyId,author.displayName,author.me,content,createdTime,deleted,modifiedTime,resolved,reply.author.displayName,reply.author.me,reply.content,reply.createdTime,reply.deleted,reply.modifiedTime
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwm0,,Test-Simple,True,XXX Comment,2024-03-14T11:34:39-07:00,False,2024-03-14T11:34:39-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwkw,,Test-Simple,True,Grack Comment,2024-03-14T11:26:30-07:00,False,2024-03-14T11:26:30-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwkY,,Test-Simple,True,Again commnt,2024-03-14T11:24:13-07:00,False,2024-03-14T11:24:13-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwkQ,,Test-Simple,True,More Comment,2024-03-14T11:23:48-07:00,False,2024-03-14T11:23:48-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwkA,,Test-Simple,True,Comment 8,2024-03-14T11:23:14-07:00,False,2024-03-14T11:34:01-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwj4,,Test-Simple,True,Comment 7,2024-03-14T11:23:05-07:00,False,2024-03-14T11:23:05-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwj0,,Test-Simple,True,Comment 6,2024-03-14T11:22:55-07:00,False,2024-03-14T11:22:55-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwjs,,Test-Simple,True,Comment 5,2024-03-14T11:22:38-07:00,False,2024-03-14T11:22:38-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwjo,,Test-Simple,True,Comment 4,2024-03-14T11:22:19-07:00,False,2024-03-14T11:22:19-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedtKQ,,Test-Simple,True,End Comment,2024-03-14T10:32:16-07:00,False,2024-03-14T10:32:16-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedtKI,AAABJFedwik,Test-Simple,True,My first comment,2024-03-14T10:32:03-07:00,False,2024-03-14T11:15:05-07:00,False,Test-Simple,True,My first reply,2024-03-14T11:14:13-07:00,False,2024-03-14T11:14:13-07:00
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedtKI,AAABJFedwiw,Test-Simple,True,My first comment,2024-03-14T10:32:03-07:00,False,2024-03-14T11:15:05-07:00,False,Test-Simple,True,Yet another reply,2024-03-14T11:15:05-07:00,False,2024-03-14T11:15:05-07:00
+testsimple@domain.com,yyy,TS Sheet,application/vnd.google-apps.spreadsheet,AAABJM6zbc0,,Test-Simple,True,Sheet Comment,2024-03-14T20:43:18-07:00,False,2024-03-14T20:43:18-07:00,False,,,,,,
+testsimple@domain.com,zzz,TS Pres,application/vnd.google-apps.presentation,AAABJLy5DpA,,Test-Simple,True,Presentation Comment,2024-03-14T20:42:48-07:00,False,2024-03-14T20:42:48-07:00,False,,,,,,
+
+$ gam redirect csv ./FilesWithComments.csv multiprocess csv CheckForComments.csv gam user "~Owner" print filecomments "~id" addcsvdata fileName "~name" addcsvdata mimeType "~mimeType" fields author.displayName,author.me,content,createdTime,deleted,modifiedTime,resolved,reply.author.displayName,reply.author.me,reply.content,reply.createdTime,reply.deleted,,reply.modifiedTime
+2024-03-24T08:04:46.235-07:00,0/131,Using 10 processes...
+2024-03-24T08:04:58.122-07:00,0,Processing item 100/131
+2024-03-24T08:05:01.345-07:00,0,Processing item 131/131
+2024-03-24T08:07:11.731-07:00,0/131,Processing complete
+
+
+# Display file comment counts
+$ gam redirect csv ./FileCommentCounts.csv multiprocess csv CheckForComments.csv gam user "~Owner" print filecomments "~id" addcsvdata fileName "~name" addcsvdata mimeType "~mimeType" countsonly
+2024-03-24T07:51:16.881-07:00,0/131,Using 10 processes...
+2024-03-24T07:51:28.909-07:00,0,Processing item 100/131
+2024-03-24T07:51:32.241-07:00,0,Processing item 131/131
+2024-03-24T07:51:37.404-07:00,0/131,Processing complete
+
+$ more FileCommentCounts.csv
+User,fileId,fileName,mimeType,comments,replies
+...
+testsimple@domain.com,yyy,TS Sheet,application/vnd.google-apps.spreadsheet,1,0
+testsimple@domain.com,aaa,ViewTest,application/vnd.google-apps.document,0,0
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,11,2
+testsimple@domain.com,zzz,TS Pres,application/vnd.google-apps.presentation,1,0
+...
+```

docs/Users-Drive-Files-Display.md

@@ -71,6 +71,7 @@
         g3pshortcut|
         gsite
 <MimeTypeName> ::= application|audio|font|image|message|model|multipart|text|video
+<MimeTypeNameList> ::= "<MimeTypeName>(,<MimeTypeName>)*"
 <MimeType> ::= <MimeTypeShortcut>|(<MimeTypeName>/<String>)
 <MimeTypeList> ::= "<MimeType>(,<MimeType>)*"
 ```
@@ -395,7 +396,7 @@ Display file details in indented keyword: value format. The two forms are equiva
 ```
 gam <UserTypeEntity> show fileinfo <DriveFileEntity>
         [returnidonly]
-        [filepath|fullpath] [pathdelimiter <Character>]
+        [filepath|fullpath] [folderpathonly [<Boolean>]] [pathdelimiter <Character>]
         [allfields|<DriveFieldName>*|(fields <DriveFieldNameList>)]
         (orderby <DriveFileOrderByFieldName> [ascending|descending])*
         [showdrivename] [showshareddrivepermissions]
@@ -405,7 +406,7 @@ gam <UserTypeEntity> show fileinfo <DriveFileEntity>
         [formatjson]
 gam <UserTypeEntity> info drivefile <DriveFileEntity>
         [returnidonly]
-        [filepath|fullpath] [pathdelimiter <Character>]
+        [filepath|fullpath] [folderpathonly [<Boolean>]] [pathdelimiter <Character>]
         [allfields|<DriveFieldName>*|(fields <DriveFieldNameList>)]
         (orderby <DriveFileOrderByFieldName> [ascending|descending])*
         [showdrivename] [showshareddrivepermissions]
@@ -420,6 +421,10 @@ Use `filepath` to display the path(s) to the files in `<DriveFileEntity>`.
 
 Use `fullpath` to add additional path information indicating that a file is an Orphan or Shared with me.
 
+By default, the path to a file includes the file name as the last element of the path.
+Use `folderpathonly` to display only the folder names when displaying the path to a file. This folder only path
+an be used in  `gam <UserTypeEntity> create drivefolderpath` to recreate the folder hierarchy.
+
 By default, file path components are separated by `/`; use `pathdelimiter <Character>` to use `<Character>` as the separator.
 
 When `allfields` is specified (or no fields are specified), use `showdrivename` to display Shared(Team) Drive names.
@@ -478,16 +483,21 @@ By default, Gam displays the information as an indented list of keys and values.
 gam <UserTypeEntity> show filepath <DriveFileEntity>
         [returnpathonly]
         (orderby <DriveFileOrderByFieldName> [ascending|descending])*
-        [stripcrsfromname] [fullpath] [pathdelimiter <Character>]
+        [stripcrsfromname]
+        [folderpathonly [<Boolean>]] [fullpath] [pathdelimiter <Character>]
 gam <UserTypeEntity> print filepath <DriveFileEntity> [todrive <ToDriveAttribute>*]
         (orderby <DriveFileOrderByFieldName> [ascending|descending])*
-        [stripcrsfromname] [fullpath] [pathdelimiter <Character>]
-        [oneitemperrow]
+        [stripcrsfromname] [oneitemperrow]
+        [fullpath] [folderpathonly [<Boolean>]] [pathdelimiter <Character>]
 ```
 Use `returnpathonly` to display just the file path of the files in `<DriveFileEntity>`.
 
 Use `fullpath` to add additional path information indicating that a file is an Orphan or Shared with me.
 
+By default, the path to a file includes the file name as the last element of the path.
+Use `folderpathonly` to display only the folder names when displaying the path to a file. This folder only path
+an be used in  `gam <UserTypeEntity> create drivefolderpath` to recreate the folder hierarchy.
+
 By default, file path components are separated by `/`; use `pathdelimiter <Character>` to use `<Character>` as the separator.
 
 The `stripcrsfromname` option strips nulls, carriage returns and linefeeds from drive file names.
@@ -611,9 +621,11 @@ By default, all types of files and folders are selected. You can specify a list
 This option updates the current query.
 ```
 showmimetype [not] <MimeTypeList>
+showmimetype category <MimeTypeNameList>
 ```
 * `showmimetype <MimeTypeList>` - Select files and folders with the specified MIME types
 * `showmimetype not <MimeTypeList>` - Select files and folders with MIME types other than those specified
+* `showmimetype category <MimeTypeNameList>` - Select files and folders with the specified MIME type categories
 
 ## File selection by file size
 These options would typically be used with `showmimetype` to select files of a particular type. This
@@ -649,7 +661,7 @@ gam <UserTypeEntity> print filecounts [todrive <ToDriveAttribute>*]
         [corpora <CorporaAttribute>]
         [select <SharedDriveEntity>]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
@@ -662,7 +674,7 @@ gam <UserTypeEntity> show filecounts
         [corpora <CorporaAttribute>]
         [select <SharedDriveEntity>]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
@@ -894,7 +906,7 @@ gam <UserTypeEntity> print filetree [todrive <ToDriveAttribute>*]
         [select <DriveFileEntity> [selectsubquery <QueryDriveFile>]
             [depth <Number>]]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
@@ -906,7 +918,7 @@ gam <UserTypeEntity> show filetree
         [select <DriveFileEntity> [selectsubquery <QueryDriveFile>]
             [depth <Number>]]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
@@ -999,15 +1011,16 @@ gam <UserTypeEntity> print|show filelist [todrive <ToDriveAttribute>*]
         [select <DriveFileEntity> [selectsubquery <QueryDriveFile>]
             [(norecursion [<Boolean>])|(depth <Number>)] [showparent]]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>] [mimetypeinquery [<Boolean>]]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>] [pmfilter] [oneitemperrow]
         [excludetrashed]
         [maxfiles <Integer>] [nodataheaders <String>]
         [countsonly [summary none|only|plus] [summaryuser <String>]
-                    [showsource] [showsize] [showmimetypesize]] [countsrowfilter]
-        [filepath|fullpath [pathdelimiter <Character>] [addpathstojson] [showdepth]] [buildtree]
+                    [showsource] [showsize] [showmimetypesize]]
+        [countsrowfilter]
+        [filepath|fullpath [folderpathonly [<Boolean>]] [pathdelimiter <Character>] [addpathstojson] [showdepth]] [buildtree]
         [allfields|<DriveFieldName>*|(fields <DriveFieldNameList>)]
         [showdrivename] [showshareddrivepermissions]
         [(showlabels details|ids)|(includelabels <DriveLabelIDList>)]
@@ -1023,6 +1036,10 @@ When `allfields` is specified (or no fields are specified), use `showshareddrive
 when shared drives are queried/selected. In this case, the Drive API returns the permission IDs
 but not the permissions themselves so GAM makes an additional API call per file to get the permissions.
 
+By default, when `showimimetype` and `filepath|fullpath`are both specified, GAM locally filters files by MimeType;
+this may be slow if the user has a large number of files. Adding the option `mimetypeinquery` or `mimetypeinquery true`
+causes GAM to have Google filter files by MimeType; this will increase performance.
+
 See [Select files for Display file counts, list, tree](#select-files-for-display-file-counts-list-tree)
 
 ## File selection by name and entity shortcuts for Display file list
@@ -1114,13 +1131,13 @@ By default, when a folder is selected, only its contents are displayed.
 ## Choose what fields to display
 If no query or select is performed, use these options to get file path information:
 * `filepath|fullpath` - For files and folders, display the full path(s) to them starting at the root (My Drive)
-* `addcsvdata <FieldName> <String>` - Add additional columns of data from the command line to the output
 * `addpathstojson` - When this option and `formatjson` are specified, the path information will be included in the
 JSON data rather than as additional columns
+* `addcsvdata <FieldName> <String>` - Add additional columns of data from the command line to the output
 
 When used with `filepath` or `fullpath`, `showdepth` will display a `depth` column.
 Files/folders directly in `My Drive` are at depth 0, the depth increases by 1
-for each containing folder. For files with multiple parents, the maximum depth is displayed.
+for each containing folder.
 
 If a query or select is performed, use these options to get file path information:
 * `filepath` - For files, no path information is shown; for folders, the paths of all of its children are shown starting at the selected folder
@@ -1128,6 +1145,10 @@ If a query or select is performed, use these options to get file path informatio
 * `addpathstojson` - When this option and `formatjson` are specified, the path information will be included in the
 JSON data rather than as additional columns
 
+By default, the path to a file includes the file name as the last element of the path.
+Use `folderpathonly` to display only the folder names when displaying the path to a file. This folder only path
+an be used in  `gam <UserTypeEntity> create drivefolderpath` to recreate the folder hierarchy.
+
 By default, file path components are separated by `/`; use `pathdelimiter <Character>` to use `<Character>` as the separator.
 
 By default, only the fields `id` and `webViewLink` are displayed.
@@ -1539,6 +1560,10 @@ For each folder in `<DriveFileEntity>`, the following items are displayed:
 * `totalFileCount` - The number of files directly in the folder and all of its subfolders
 * `totalFileSize` - The sum of the sizes of the files directly in the folder and all of its subfolders
 * `totalFolderCount` - The number of folders directly in the folder and all of its subfolders
+* `depth` - The depth of the folder
+  * `-1` - The top level folder
+  * `0` - Immediate children of the top level folder
+  * `1` - Immediate children of level 0 folders
 * `path` - The path of the folder
 
 There is a final row detailing files and folders in the trash; it is omitted if `excludetrashed` or `show summary` are specified.
@@ -1555,8 +1580,13 @@ There is a final row detailing files and folders in the trash; it is omitted if
 * `totalFileCount` - The number of files in the trash
 * `totalFileSize` - The sum of the sizes of the files in the trash
 * `totalFolderCount` - The number of folders in the trash
+* `depth` - Always -1
 * `path` - Trash
 
+GAM version `6.71.17` added the `depth` column that can be used to filter the depth of the folders displayed.
+Depth `-1` is the top level folder, depth `0` are its immediate children, depth `2` are the children of depth `1` and so forth.
+For example to limit the display to the top folder and its immediate children, use `config csv_output_row_filter depth:count<1`.
+
 By default, files owned by the user are counted. These options update the current query with the desired ownership.
 * `showownedby me` - Count files owned by the user; this is the default
 * `showownedby any` or `anyowner` - Count files accessible by the user
@@ -1586,24 +1616,37 @@ Use the `show` option to control the display of data:
 $ gam redirect csv ./MyDriveUsage.csv user testsimple@domain.com print diskusage mydrive 
 User: testsimple@domain.com, Print 1 Drive Disk Usage
 $ more MyDriveUsage.csv
-User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,path
-testsimple@domain.com,testsimple@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,My Drive
-testsimple@domain.com,testsimple@domain.com,456YenC8f12ALfndaQ1NHc0RtUG92Y1BIUUl4bjVBRmNkWG5oakNqVVFDcXJWOHNmdFlwZmc,Classroom,True,False,False,0,0,15,9,6840,17,My Drive/Classroom
+User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
+testsimple@domain.com,testsimple@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
+testsimple@domain.com,testsimple@domain.com,456YenC8f12ALfndaQ1NHc0RtUG92Y1BIUUl4bjVBRmNkWG5oakNqVVFDcXJWOHNmdFlwZmc,Classroom,True,False,False,0,0,15,9,6840,17,0,My Drive/Classroom
+testsimple@domain.com,testsimple@domain.com,0B3YenC8f12ALfmRuX3I4WFlqaTRnMGhXNkVvWV9UUG1zRDQwY1BwVkJhUGx5WHVIcjJKZUU,TestUpdate,True,False,False,2,3420,0,2,3420,0,1,My Drive/Classroom/TestUpdate
+testsimple@domain.com,testsimple@domain.com,1MT5xJ897oYa0Q2OuzBDfLHvig6k_b0EKaovVA2imGYcnrmqZu5hjlJkEPMH-rHKj4qDyy9_j,TS Course,True,False,False,0,0,0,0,0,0,1,My Drive/Classroom/TS Course
+testsimple@domain.com,testsimple@domain.com,1gsbqsbhhwBx9hCF0sqtE213tpUn6Ebj2klLFhHb4xkzBKIdEFkvvwCVtZpYWPgOA796fIPEN,TS Course 2,True,False,False,0,0,0,0,0,0,1,My Drive/Classroom/TS Course 2
 ...
-testsimple@domain.com,testsimple@domain.com,1bHS_Tp77W3KSGRNSs_jP1RhAJhIGRCaI,XferFolder,True,False,False,1,1024,0,1,1024,0,My Drive/XferFolder
-testsimple@domain.com,testsimple@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,Trash
+testsimple@domain.com,testsimple@domain.com,1bHS_Tp77W3KSGRNSs_jP1RhAJhIGRCaI,XferFolder,True,False,False,1,1024,0,1,1024,0,0,My Drive/XferFolder
+testsimple@domain.com,testsimple@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash
+
+$ gam config csv_output_row_filter "depth:count<1" redirect csv ./MyDriveUsage.csv user testsimple@domain.com print diskusage mydrive 
+User: testsimple@domain.com, Print 1 Drive Disk Usage
+$ more MyDriveUsage.csv
+User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
+testsimple@domain.com,testsimple@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
+testsimple@domain.com,testsimple@domain.com,456YenC8f12ALfndaQ1NHc0RtUG92Y1BIUUl4bjVBRmNkWG5oakNqVVFDcXJWOHNmdFlwZmc,Classroom,True,False,False,0,0,15,9,6840,17,0,My Drive/Classroom
+...
+testsimple@domain.com,testsimple@domain.com,1bHS_Tp77W3KSGRNSs_jP1RhAJhIGRCaI,XferFolder,True,False,False,1,1024,0,1,1024,0,0,My Drive/XferFolder
+testsimple@domain.com,testsimple@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash
 
 $ gam redirect csv ./MyDriveUsage.csv user testsimple@domain.com print diskusage mydrive show summaryandtrash
 User: testsimple@domain.com, Print 1 Drive Disk Usage
 $ more MyDriveUsage.csv 
-User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,path
-testsimple@domain.com,testsimple@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,My Drive
-testsimple@domain.com,testsimple@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,Trash
+User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
+testsimple@domain.com,testsimple@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
+testsimple@domain.com,testsimple@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash
 
 $ gam redirect csv ./MyDriveUsage.csv user testsimple@domain.com print diskusage shareddriveid 0AL5LiIe4dqxZUk9PVA  show summaryandtrash
 User: testsimple@domain.com, Print 1 Drive Disk Usage
 $ more MyDriveUsage.csv 
-User,id,name,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,path
-testsimple@domain.com,0125LiIe4dqxZUk9PVA,TS Shared Drive 1,False,False,16,6144,7,42,73799,25,SharedDrives/TS Shared Drive 1
-testsimple@domain.com,Trash,Trash,True,True,1,1024,0,1,1024,0,Trash
+User,id,name,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
+testsimple@domain.com,0125LiIe4dqxZUk9PVA,TS Shared Drive 1,False,False,16,6144,7,42,73799,25,-1,SharedDrives/TS Shared Drive 1
+testsimple@domain.com,Trash,Trash,True,True,1,1024,0,1,1024,0,-1,Trash
 ```

docs/Users-Drive-Files-Manage.md

@@ -19,6 +19,7 @@
 - [Shortcuts](Users-Drive-Shortcuts)
 - [Drive Labels](Users-Drive-Labels)
 - [Download Google Documents as JSON](#download-google-documents-as-json)
+- [Upload changes to Google Documents](#upload-changes-to-google-documents)
 
 ## API documentation
 * https://developers.google.com/drive/api/v3/reference/files
@@ -642,8 +643,6 @@ gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> purge
 ```
 
 ## Download Google Documents as JSON
-This command was added in version 5.31.04, you'll have to do `gam update project` and
-`gam <UserTypeEntity> check|update serviceaccount` to enable it.
 ```
 gam <UserTypeEntity> get document <DriveFileEntity>
         [viewmode default|suggestions_inline|preview_suggestions_accepted|preview_without_suggestions]
@@ -666,3 +665,31 @@ By default, when getting a document, an existing local file will not be overwrit
 * `overwrite` - Overwite an existing file
 * `overwrite true` - Overwite an existing file
 * `overwrite false` - Do not overwite an existing file; add a numeric prefix and create a new file
+
+## Upload changes to Google Documents
+
+```
+<DocumentJSONUpdateRequest> ::=
+        '{"requests": [{object (Request)}], "writeControl": {object (WriteControl) }`
+See: https://developers.google.com/docs/api/reference/rest/v1/documents/request
+
+gam <UserTypeEntity> update document <DriveFileEntity>
+        ((json [charset <Charset>] <DocumentJSONUpdateRequest>) |
+         (json file <FileName> [charset <Charset>]))
+        [formatjson]
+```
+The JSON data can be read from a command line argument or a file. On the command line, the
+JSON data is enclosed in single quotes; these should not be present when the JSON data is read from a file.
+
+The output is formatted for human readability. Use the following option to produce JSON output for program parsing.
+* `formatjson` - Display output in JSON format.
+
+### Examples
+Replace Foo with Goo in a document.
+```
+File Update.json contains:
+{ "requests": [{"replaceAllText": {"replaceText": "Goo", "containsText": {"text": "Foo", "matchCase": "True"}}}]}
+
+
+gam user testuser@domain.com update document <DriveFileItem> json file Update.json
+```

docs/Users-Drive-Labels.md

@@ -6,12 +6,15 @@
 - [Introduction](#introduction)
 - [Display Drive Labels](#display-drive-labels)
 - [Process File Drive Labels](#process-file-drive-labels)
+- [Manage Drive Label Permissions](#manage-drive-label-permissions)
+- [Display Drive Label Permissions](#display-drive-label-permissions)
 
 ## API documentation
 * https://support.google.com/a/answer/9292382
 * https://developers.google.com/drive/labels/guides/overview
 * https://developers.google.com/drive/labels/guides/authorize
 * https://developers.google.com/drive/labels/reference/rest/v2beta/labels
+* https://developers.google.com/drive/labels/reference/rest/v2beta/labels.permissions
 * https://developers.google.com/drive/api/guides/about-labels
 * https://developers.google.com/drive/api/v3/reference/files
 
@@ -19,13 +22,15 @@
 To use these commands you must add the 'Drive Labels API' to your project and update your service account authorization.
 ```
 gam update project
-gam user user@domain.com check serviceaccount
+gam user user@domain.com update serviceaccount
 ```
 Supported editions for this feature: Business Standard and Business Plus; Enterprise; Education Standard and Education Plus; G Suite Business; Essentials.
 
 ## Definitions
 * [`<DriveFileEntity>`](Drive-File-Selection)
 * [`<UserTypeEntity>`](Collections-of-Users)
+* [`<DriveLabelNameEntity>`, `<DriveLabelPermissionNameEntity'](Collections-of-Items)
+* [`<UserTypeEntity>`](Collections-of-Items)
 
 ```
 <DriveLabelID> ::= <String>
@@ -35,7 +40,11 @@ Supported editions for this feature: Business Standard and Business Plus; Enterp
 <DriveLabelNameList> ::= "<DriveLabelName>(,<DriveLabelName)*"
 <DriveLabelNameEntity> ::=
         <DriveLabelNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+
+<DriveLabelPermissionName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]/permissions/(audiences|groups|people)/<String>
+<DriveLabelPermissionNameList> ::= "<DriveLabelPermissionName>(,<DriveLabelPermissionName>)*"
+<DriveLabelPermissionNameEntity> ::=
+        <DriveLabelPermissionNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
 
 <DriveLabelFieldID> ::= <String>
 <DriveLabelSelectionID> ::= <String>
@@ -86,9 +95,9 @@ A domain administrator with the Drive and Docs administrator privilege can searc
 owned by their organization, regardless of the admin's membership in any given Shared Drive.
 
 Three forms of the commands are available:
-* `gam action ...` - The administrator named in oauth2.txt is used, domain administrator access implied and labels of type `SHARED` and `ADMIN`can be written
-* `gam <UserTypeEntity> action ... adminaccess` - The user named in `<UserTypeEntty>` is used, adminaccess indicates that labels of type `SHARED` and `ADMIN`can be written
-* `gam <UserTypeEntity> action ...` - The user named in `<UserTypeEntty>` is used, access is limited, onlylabels of type `SHARED` can be written
+* `gam action ...` - The administrator named in oauth2.txt is used, domain administrator access implied and labels of type `SHARED` and `ADMIN`can be processed
+* `gam <UserTypeEntity> action ... adminaccess` - The user named in `<UserTypeEntty>` is used, adminaccess indicates that labels of type `SHARED` and `ADMIN`can be processed
+* `gam <UserTypeEntity> action ...` - The user named in `<UserTypeEntty>` is used, access is limited, onlylabels of type `SHARED` can be processed
 
 ## Display Drive Labels
 
@@ -156,3 +165,51 @@ gam <UserTypeEntity> process filedrivelabels <DriveFileEntity>
 
 By default, details of the process labels are displayed, use `nodetails` to suppress this display.
 
+## Manage Drive Label Permissions
+Create a permission for a Drive Label by specifying the label name and the principal.
+```
+gam [<UserTypeEntity>] create drivelabelpermission <DriveLabelNameEntity>
+        (user <UserItem>) | (group <GroupItem) | (audience <String>)
+        role applier|editor|organizer|reader
+        [nodetails|formatjson] [adminaccess|asadmin]
+```
+
+By default, when a permission is created, GAM outputs details of the permission as indented keywords and values.
+* `nodetails` - Suppress the details output.
+* `formatjson` - Output the details in JSON format.
+
+Delete a Drive Label permission by specifying the label name and the principal.
+```
+gam [<UserTypeEntity>] delete drivelabelpermission <DriveLabelNameEntity>
+        (user <UserItem>) | (group <GroupItem) | (audience <String>)
+        [adminaccess|asadmin]
+```
+
+Delete a Drive Label permission by specifying the label permission name.
+```
+gam [<UserTypeEntity>] remove drivelabelpermission <DriveLabelPermissionNameEntity>
+        [adminaccess|asadmin]
+```
+## Display Drive Label Permissions
+Display permissions for a collection of Drive Label permission names.
+```
+gam [<UserTypeEntity>] show drivelabelpermissions <DriveLabelNameEntity>
+        [formatjson] [adminaccess|asadmin]
+```
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam [<UserTypeEntity>] print drivelabelpermissions <DriveLabelNameEntity> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]] [adminaccess|asadmin]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+

docs/Users-Drive-Permissions.md

@@ -8,6 +8,7 @@
 - [Display file permissions/sharing](#display-file-permissionssharing)
 - [Delete all ACLs except owner from a file](#delete-all-acls-except-owner-from-a-file)
 - [Change shares to User1 to shares to User2](#change-shares-to-user1-to-shares-to-user2)
+- [Map All ACLs from an old domain to a new domain](#map-all-acls-from-an-old-domain-to-a-new-domain)
 
 ## API documentation
 * https://developers.google.com/drive/api/v3/reference/permissions
@@ -316,4 +317,26 @@ gam redirect csv ./FilesSharedWithU1Settings.csv multiprocess csv FilesSharedWit
 gam redirect stdout ./DeleteU1Sharing.txt multiprocess redirect stderr stdout csv FilesSharedWithU1Settings.csv gam user "~Owner" delete drivefileacl "~id" "~permissions.0.emailAddress"
 # For each of these files, add the share to User2 with the same role that User1 had
 gam redirect stdout ./AddUser2Sharing.txt multiprocess redirect stderr stdout csv FilesSharedWithU1Settings.csv gam user "~Owner" create drivefileacl "~id" user user2@domain.com role "~permissions.0.role"
-```
+```
+
+## Map All ACLs from an old domain to a new domain
+* Get ACLs
+```
+gam redirect csv ./allUsersFiles.csv multiprocess all users print filelist fields name,id,basicpermissions oneitemperrow pmfilter pm domain olddomain.com em
+```
+
+* Delete ACLs with olddomain.com
+```
+gam redirect stdout ./DeleteOldDomainACLs.txt multiprocess redirect stderr stdout csv ./allUsersFiles.csv gam user "~Owner" delete drivefileacl "~id" "id:~~permission.id~~"
+```
+
+* Add user/group ACLs replacing olddomain.com with newdomain.com
+```
+gam config csv_input_row_filter "permission.type:regex:user|group" redirect stdout ./AddNewDomainACLsUserGroupShares.txt multiprocess redirect stderr stdout csv ./allUsersFiles.csv gam user "~Owner" create drivefileacl "~id" "~permission.type" "~permission.emailAddress" role "~permission.role" mappermissionsdomain olddomain.com newdomain.com
+```
+
+* Add domain ACLs replacing olddomain.com with newdomain.com
+```
+gam config csv_input_row_filter "permission.type:regex:domain" redirect stdout ./AddNewDomainACLsDomainShares.txt multiprocess redirect stderr stdout csv ./allUsersFiles.csv gam user "~Owner" create drivefileacl "~id" "~permission.type" "~permission.domain" role "~permission.role" allowfilediscovery "~permission.allowFileDiscovery" mappermissionsdomain olddomain.com newdomain.com
+```
+    

docs/Users-Gmail-CSE.md

@@ -49,9 +49,15 @@ Creates and configures a client-side encryption identity that's authorized to se
 Google publishes the S/MIME certificate to a shared domain-wide directory so that people within a Google Workspace organization can encrypt and send mail to the identity.
 
 ```
-gam <UserTypeEntity> create cseidentity <KeyPairID> [kpemail <EmailAddress>]
+gam <UserTypeEntity> create cseidentity
+        (primarykeypairid <KeyPairID>) | (signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>)
+        [kpemail <EmailAddress>]
         [formatjson]
 ```
+One of the following is required:
+* `primarykeypairid <KeyPairID>` - The configuration of a CSE identity that uses the same key pair for signing and encryption.
+* `signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>` - The configuration of a CSE identity that uses different key pairs for signing and encryption.
+
 If `kpemail <EmailAddress>` is not specified, the user's primary email address is used for the identity.
 
 By default, Gam displays the identity as an indented list of keys and values; the following option causes the output to be in JSON format:
@@ -60,10 +66,16 @@ By default, Gam displays the identity as an indented list of keys and values; th
 ## Update Gmail CSE Identity
 Associates a different key pair with an existing client-side encryption identity. The updated key pair must validate against Google's S/MIME certificate profiles.
 ```
-gam <UserTypeEntity> update cseidentity <KeyPairID> [kpemail <EmailAddress>]
+gam <UserTypeEntity> update cseidentity
+        (primarykeypairid <KeyPairID>) | (signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>)
+        [kpemail <EmailAddress>]
         [formatjson]
 ```
-If `kpemail <EmailAddress>` is not specified, the key pair for the user's primary email address is identity updated.
+One of the following is required:
+* `primarykeypairid <KeyPairID>` - The configuration of a CSE identity that uses the same key pair for signing and encryption.
+* `signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>` - The configuration of a CSE identity that uses different key pairs for signing and encryption.
+
+bIf `kpemail <EmailAddress>` is not specified, the key pair for the user's primary email address is identity updated.
 
 By default, Gam displays the identity as an indented list of keys and values; the following option causes the output to be in JSON format:
 * `formatjson` - Display the fields in JSON format.
@@ -112,7 +124,7 @@ Create a CSE Key Pair for the primary address of a user.
 gam <UserTypeEntity> create csekeypair
         [incertdir <FilePath>] [inkeydir <FilePath>]
         [addidentity [<Boolean>]] [kpemail <EmailAddress>]
-        [formatjson|returnidonly]
+        [showpem] [showkaclsdata] [formatjson|returnidonly]
 ```
 * The S/MIME certificate files for the users are in the `incertdir <FilePath>` folder/directory.
 * If this option is not specified, the directory is taken from `gam.cfg/gmail_cse_incert_dir`.
@@ -126,6 +138,8 @@ gam <UserTypeEntity> create csekeypair
     * `kacls_url` - The URI of the key access control list service that manages the private key.
     * `wrapped_private_key` - Opaque data generated and used by the key access control list service.
 
+By default, the `pem` and `kaclsdata` fields will not be displayed unless the corresponding `showpem` and `showkaclsdata` option is specified.
+
 By default, Gam displays the new key pair as an indented list of keys and values; the following options cause the output to be displayed in alternate forms.
 * `formatjson` - Display the fields in JSON format.
 * `returnidonly` - Display just the new `<KeyPairID>`.
@@ -139,11 +153,14 @@ By default, Gam displays the identity as an indented list of keys and values; th
 
 
 ## Action Gmail CSE Key Pairs
+### Display pem and kaclsdata fields
+By default, the `pem` and `kaclsdata` fields will not be displayed unless the corresponding `showpem` and `showkaclsdata` option is specified.
+
 ### Disable
 Turns off a client-side encryption key pair. The authenticated user can no longer use the key pair to decrypt incoming CSE message texts or sign outgoing CSE mail.
 ```
 gam <UserTypeEntity> disable csekeypair <KeyPairID>
-        [formatjson]
+        [showpem] [showkaclsdata] [formatjson]
 ```
 By default, Gam displays the disabled key pair as an indented list of keys and values; the following option causes the output to be displayed in alternate forms.
 * `formatjson` - Display the fields in JSON format.
@@ -152,7 +169,7 @@ By default, Gam displays the disabled key pair as an indented list of keys and v
 Turn on a client-side encryption key pair that was turned off. The key pair becomes active again for any associated client-side encryption identities.
 ```
 gam <UserTypeEntity> ensable csekeypair <KeyPairID>
-        [formatjson]
+        [showpem] [showkaclsdata] [formatjson]
 ```
 By default, Gam displays the enabled key pair as an indented list of keys and values; the following option causes the output to be displayed in alternate forms.
 * `formatjson` - Display the fields in JSON format.
@@ -167,10 +184,13 @@ gam <UserTypeEntity> obliterate csekeypair <KeyPairID>
 Gmail can't restore or decrypt any messages that were encrypted by an obliterated key. Authenticated users and Google Workspace administrators lose access to reading the encrypted messages.
 
 ## Display Gmail CSE Key Pairs
+### Display pem and kaclsdata fields
+By default, the `pem` and `kaclsdata` fields will not be displayed unless the corresponding `showpem` and `showkaclsdata` option is specified.
+
 ### Display an existing client-side encryption key pair.
 ```
 gam <UserTypeEntity> info csekeypair <KeyPairID>
-        [formatjson]
+        [showpem] [showkaclsdata] [formatjson]
 ```
 By default, Gam displays the key pairs as an indented list of keys and values; the following option causes the output to be in JSON format:
 * `formatjson` - Display the fields in JSON format.
@@ -179,14 +199,14 @@ By default, Gam displays the key pairs as an indented list of keys and values; t
 ### Display all client-side encryption key pairs for an authenticated user.
 ```
 gam <UserTypeEntity> show csekeypairs
-        [formatjson]
+        [showpem] [showkaclsdata] [formatjson]
 ```
 By default, Gam displays the key pairs as an indented list of keys and values; the following option causes the output to be in JSON format:
 * `formatjson` - Display the fields in JSON format.
 
 ```
 gam <UserTypeEntity> print csekeypairs [todrive <ToDriveAttribute>*]
-        [formatjson [quotechar <Character>]]
+        [showpem] [showkaclsdata] [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays the key pairs as columns of fields; the following option causes the output to be in JSON format:
 * `formatjson` - Display the fields in JSON format.

docs/Users-Gmail-Labels.md

@@ -88,11 +88,17 @@ all parent labels are created as necessary.
 Example: `gam user user@domain.com add label "Top/Middle/Bottom" buildpath`
 
 ## Update a label's settings
+The two commands are equivalent; in the first you specify a `<LabelName>`, in the second you specify a `<LabelId>`.
 ```
 gam <UserTypeEntity> update labelsettings <LabelName> [name <String>]
         [messagelistvisibility hide|show] [labellistvisibility hide|show|showifunread]
         [backgroundcolor "<LabelColorHex>|<LabelBackgroundColorHex>|custom:<ColorHex>"]
         [textcolor "<LabelColorHex>|<LabelTextColorHex>|custom:<ColorHex>"]
+
+gam <UserTypeEntity> update labelid <LabelID> [name <String>]
+        [messagelistvisibility hide|show] [labellistvisibility hide|show|showifunread]
+        [backgroundcolor "<LabelColorHex>|<LabelBackgroundColorHex>|custom:<ColorHex>"]
+        [textcolor "<LabelColorHex>|<LabelTextColorHex>|custom:<ColorHex>"]
 ```
 `<LabelColorHex>` values should be enclosed in " to keep the command shell on MacOS and Linux from mis-interpreting them.
 

docs/Users-Gmail-Messages-Threads.md

@@ -1,4 +1,5 @@
 # Users - Gmail - Messages/Threads
+- [Notes](#notes)
 - [API documentation](#api-documentation)
 - [Query documentation](#query-documentation)
 - [Definitions](#definitions)
@@ -22,9 +23,17 @@
   - [Print only options](#print-only-options)
   - [Show only options](#show-only-options)
   - [Download attachments](#download-attachments)
+  - [Upload attachments](#upload-attachments)
   - [Display messages sent by delegates for delegator](#display-messages-sent-by-delegates-for-delegator)
 - [User attribute `replace <Tag> <UserReplacement>` processing](Tag-Replace)
 
+## Notes
+Restrict email messages to authorized addresses or domains only
+* https://support.google.com/a/answer/2640542
+
+Block emails between specific user groups
+* https://support.google.com/a/answer/9175444
+
 ## API documentation
 * https://developers.google.com/gmail/api/v1/reference/users/messages
 * https://developers.google.com/gmail/api/v1/reference/users/threads
@@ -172,6 +181,20 @@
         (gdoc|ghtml <UserGoogleDoc>)|
         (gcsdoc|gcshtml <StorageBucketObjectName>)|
         (emlfile <FileName> [charset <Charset>]))
+
+<DriveFolderID> ::= <String>
+<DriveFolderName> ::= <String>
+<SharedDriveID> ::= <String>
+<SharedDriveName> ::= <String>
+
+<DriveFileParentAttribute> ::=
+        (parentid <DriveFolderID>)|
+        (parentname <DriveFolderName>)|
+        (anyownerparentname <DriveFolderName>)|
+        (teamdriveparentid <DriveFolderID>)|
+        (teamdriveparent <SharedDriveName>)|
+        (teamdriveparentid <SharedDriveID> teamdriveparentname <DriveFolderName>)|
+        (teamdriveparent <SharedDriveName> teamdriveparentname <DriveFolderName>)
 ```
 ## Message queries with dates
 ```
@@ -337,20 +360,35 @@ Your command line will have: `embedimage file1.jpg image1` embedimage file2.jpg
 gam <UserTypeEntity> archive messages <GroupItem>
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_archive <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 ```
 
 Messages are archived to the group specified by `<GroupItem>`.
 
+By default, the command results are displayed as indented keys and values. Use the `csv` option
+to display the command results in CSV form.
+```
+$ gam user user@domain.com archive messages ids 18e9fc6581b9acab,18e9fc58c5491f4c    
+User: user@domain.com, Archive 2 Messages
+  User: user@domain.com, Message: 18e9fc6581b9acab, Archived (1/2)
+  User: user@domain.com, Message: 18e9fc58c5491f4c, Archived (2/2)
+$ gam user user@domain.com archive messages ids 18e9fc6581b9acab,18e9fc58c5491f4c csv
+User: user@domain.com, Archive 2 Messages
+User,id,action,error
+user@domain.com,18e9fc6581b9acab,Archived,
+user@domain.com,18e9fc58c5491f4c,Archived,
+```
+
 See below for message selection.
 
 ## Export messages/threads
 Export messages in EML format.
 ```
 gam <UserTypeEntity> export message|messages
-        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_export <Number>])|(ids <MessageIDEntity>)
+        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [max_to_export <Number>])|(ids <MessageIDEntity>)
         [targetfolder <FilePath>] [targetname <FileName>] [overwrite [<Boolean>]]
 gam <UserTypeEntity> export thread|threads
-        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_export <Number>])|(ids <ThreadIDEntity>)
+        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [max_to_export <Number>])|(ids <ThreadIDEntity>)
         [targetfolder <FilePath>] [targetname <FileName>] [overwrite [<Boolean>]]
 ```
 
@@ -398,20 +436,40 @@ See below for message selection.
 gam <UserTypeEntity> delete messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_delete <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> modify messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_modify <Number>])|(ids <MessageIDEntity>)
         (addlabel <LabelName>)* (removelabel <LabelName>)*
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> spam messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_spam <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> trash messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_trash <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> untrash messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_untrash <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 ```
+
+By default, the command results are displayed as indented keys and values. Use the `csv` option
+to display the command results in CSV form.
+```
+$ gam user user@domain.com delete messages ids 18e9fc6581b9acab,18e9fc58c5491f4c    
+User: user@domain.com, Delete 2 Messages
+  User: user@domain.com, Message: 18e9fc6581b9acab, Deleted (1/2)
+  User: user@domain.com, Message: 18e9fc58c5491f4c, Deleted (2/2)
+$ gam user user@domain.com delete messages ids 18e9fc6581b9acab,18e9fc58c5491f4c csv
+User: user@domain.com, Delete 2 Messages
+User,id,action,error
+user@domain.com,18e9fc6581b9acab,Deleted,
+user@domain.com,18e9fc58c5491f4c,Deleted,
+```
+
 ### Manage a specific set of messages
 * `ids <MessageIDEntity>` - A list of message ids
 
@@ -498,6 +556,7 @@ By default, Gam displays all messages.
   * `labelmatchpattern xyz` - Label must start with xyz
   * `labelmatchpattern .*xyz.*` - Label must contain xyz
   * `labelmatchpattern .*xyz` - Label must end with xyz
+  * `labelmatchpattern ^xyz$` - Label must extctly match xyz
 * `sendermatchpattern <RegularExpression>` - Only display messages if the sender matches the `<RegularExpression>`
 
 When `matchlabel <LabelName>` is specified, the following characters are replaced with a `-` in the generated query.
@@ -587,6 +646,16 @@ By default, when downloading attachments, an existing local file will not be ove
 * `overwrite true` - Overwite an existing file
 * `overwrite false` - Do not overwite an existing file; add a numeric prefix and create a new file
 
+## Upload attachments
+These options are valid with `show'.
+
+By default, message attachments are not uploaded to Google Drive.
+* `uploadattachments` - Upload message attachments
+* `attachmentnamepattern <RegularExpression>` - Limit the attachments uploaded to those whose names match `<RegularExpression>`
+
+By default, message attachments are uploaded to the root of the user's My Drive.
+* `<DriveFileParentAttributeh>` - Specify an alternate location for the uploaded attachments
+
 ## Display messages sent by delegates for delegator
 Display messages sent by a particular delegate for a delegator; the message is
 from the delegator but sent by the delegate.

docs/Users-Gmail-Send-As-Signature-Vacation.md

@@ -9,6 +9,7 @@
 - [Manage vacation](#manage-vacation)
 - [Display vacation](#display-vacation)
 - [User attribute `replace <Tag> <UserReplacement>` processing](Tag-Replace)
+- [Standardize user signatures](#standardize-user-signatures)
 
 ## API documentation
 * https://developers.google.com/gmail/api/reference/rest/v1/users.settings.sendAs
@@ -245,3 +246,37 @@ Gam displays the information in CSV form.
 * `compact` - Strip carriage returns and newlines in original HTML; this makes these values easier to process in the CSV file
 and can be used as input to GAM.
 * `enabledonly` - Do not display users with vacation autoreply disabled.
+
+## Standardize user signatures
+You can standardize user signatures by creating a signature template and a CSV file with data for each user.
+
+You can create a signature template by defining the signature in the Gmail Settings GUI of a test user.
+You must use the default signature `My signature`.
+Use text like `{FirstName}` and `{Email}` in the locations where the actual values will go.
+
+Once you're created the template signature, do the following:
+```
+$ gam user testuser@domain.com show signature compact > SimpleSig.html
+$ more SimpleSig.html
+SendAs Address: <testuser@domain.com>
+  IsPrimary: True
+  Default: True
+  Signature: <div dir="ltr">--<div>Name: {FirstName} {LastName}<div>Phone: {Phone}</div><div>Email: {Email}</div></div><div><br></div><div>Company Name</div><div>Company Address</div><div><br></div></div>\n
+```
+Edit SimpleSig.html and delete all text from `SendAs ` through `Signature: `.
+The result should be:
+```
+<div dir="ltr">--<div>Name: {FirstName} {LastName}<div>Phone: {Phone}</div><div>Email: {Email}</div></div><div><br></div><div>Company Name</div><div>Company Address</div><div><br></div></div>\n
+```
+
+This is a sample Users.csv file.
+```
+email,first,last,phone
+bsmith@domain.com,Bob,Smith,510-555-1212 x 123
+mjones@domain.com,Mary,Jones,510-555-1212 x 456
+```
+
+This command will update the user's signatures.
+```
+gam csv Users.csv gam user "~email" signature htmlfile SimpleSig.html replace FirstName "~first"  replace LastName "~last" replace Phone "~phone" replace Email "~email"
+```

docs/Users-Keep.md

@@ -131,13 +131,17 @@ Display all notes
 ```
 gam <UserTypeEntity> show notes
         [fields <NotesFieldList>] [filter <String>]
-        [role owner|writwer]
+        [role owner|writer]
+        [countsonly]
         [compact|formatjson]
 ```
 By default, GAM displays all non-trashed notes:
 * `filter trashed` - Display notes in the trash
 * `role owner|writer` - Display notes where the user has the specified role
 
+When  option `countsonly` is specified, the number of notes a user owns, the number of notes of user can edit
+and the total number of notes is displayed.
+
 By default, Gam displays the information as an indented list of keys and values; the note text is displayed as individual lines.
 * `compact` - Display the note text with escaped carriage returns as \r and newlines as \n
 * `formatjson` - Display the note in JSON format
@@ -145,7 +149,8 @@ By default, Gam displays the information as an indented list of keys and values;
 ```
 gam <UserTypeEntity> print notes [todrive <ToDriveAttribute>*]
         [fields <NotesFieldList>] [filter <String>]
-        [role owner|writwer]
+        [role owner|writer]
+        [countsonly]
         [formatjson [quotechar <Character>]]
 
 ```
@@ -153,6 +158,9 @@ By default, GAM displays all non-trashed notes:
 * `filter trashed` - Display notes in the trash
 * `role owner|writer` - Display notes where the user has the specified role
 
+When  option `countsonly` is specified, the number of notes a user owns, the number of notes of user can edit
+and the total number of notes is displayed.
+
 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
 the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
 When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.

docs/Users-Shared-Drives.md

@@ -293,7 +293,7 @@ gam <UserTypeEntity> show teamdrives
 ```
 By default, Gam displays all Teams Drives accessible by the user.
 * `matchname <RegularExpression>` - Display Shared Drives with names that match a pattern.
-* `(role|roles <SharedDriveACLRoleList>)* - Display Shared Drives where the user has one of the specified roles.
+* `(role|roles <SharedDriveACLRoleList>)*` - Display Shared Drives where the user has one of the specified roles.
 
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.

docs/Users-Tasks.md

@@ -69,6 +69,8 @@ gam <UserTypeEntity> create task <TasklistEntity>
         <TaskAttribute>* [parent <TaskID>] [previous <TaskID>]
         [compact|formatjson|returnidonly]
 ```
+The API only supports all-day tasks; you should specify: `due YYYY-MM-DDT00:00:00Z`.
+
 By default, Gam displays the created task as an indented list of keys and values; the task notes text is displayed as individual lines.
 * `compact` - Display the task notes text with escaped carriage returns as \r and newlines as \n
 * `formatjson` - Display the task in JSON format
@@ -100,6 +102,9 @@ By default, Gam displays the moved task as an indented list of keys and values;
 * `formatjson` - Display the task in JSON format
 
 ## Display Tasks
+All commands that display tasks display the due date in GMT as the time portion
+is not supported by the API and converting the due date to local time may display the wrong date.
+
 ### Display selected tasks
 ```
 gam <UserTypeEntity> info task <TasklistIDTaskIDEntity>
@@ -119,6 +124,13 @@ gam <UserTypeEntity> show tasks [tasklists <TasklistEntity>]
         [orderby completed|due|updated]
         [countsonly|compact|formatjson]
 ```
+The API only supports dates in `duemin` and `duemax' but you must supply a null time:
+* `duemin YYYY-MM-DDT00:00:00Z` - Specify the starting due date
+* `duemax YYYY-MM-DDT00:00:00Z` - Specify one day beyond the ending due date
+
+For example: `duemin 2024-05-01T00:00:00Z duemax 2024-05-02T00:00:00Z` will
+display all tasks on 2024-05-01.
+
 By default, tasks are displayed in hierarchical order.
 * `orderby completed` - Display tasks in completed date order regardless of the hierarchy.
 * `orderby due` - Display tasks in due date order regardless of the hierarchy.
@@ -142,6 +154,13 @@ gam <UserTypeEntity> print tasks [tasklists <TasklistEntity>] [todrive <ToDriveA
         [orderby completed|due|updated]
         [countsonly | (formatjson [quotechar <Character>])]
 ```
+The API only supports dates in `duemin` and `duemax' but you must supply a null time:
+* `duemin YYYY-MM-DDT00:00:00Z` - Specify the starting due date
+* `duemax YYYY-MM-DDT00:00:00Z` - Specify one day beyond the ending due date
+
+For example: `duemin 2024-05-01T00:00:00Z duemax 2024-05-02T00:00:00Z` will
+display all tasks on 2024-05-01.
+
 By default, tasks are displayed in hierarchical order.
 * `orderby completed` - Display tasks in completed date order regardless of the hierarchy.
 * `orderby due` - Display tasks in due date order regardless of the hierarchy.

docs/Users.md

@@ -37,15 +37,17 @@
 - [Print user domain counts](#print-user-domain-counts)
     - [Print domain counts for users in a specific domain and/or selected by a query](#print-domain-counts-for-users-in-a-specific-domain-and-or-selected-by-a-query)
     - [Print domain counts for users specified by `<UserTypeEntity>`](#print-domain-counts-for-users-specified-by-usertypeentity)
+- [Print user counts by OrgUnit](print-user-counts-by-orgunit)
 - [Print user list](#print-user-list)
 - [Display user counts](#display-user-counts)
+- [Verify domain membership]($verify-domain-membership)
 
 ## API documentation
 * https://developers.google.com/admin-sdk/directory/reference/rest/v1/users
 * https://developers.google.com/admin-sdk/directory/reference/rest/v1/schemas
 
 ## Name guidelines
-* https://support.google.com/a/answer/9193374?hl=en
+* https://support.google.com/a/answer/9193374
 
 ## Query documentation
 * https://developers.google.com/admin-sdk/directory/v1/guides/search-users
@@ -108,6 +110,11 @@ queries "`"orgUnitPath=\'/Students/Lower\ School/2027\'`",`"orgUnitPath=\'/Stude
 <QueryUser> ::= <String>
         See: https://developers.google.com/admin-sdk/directory/v1/guides/search-users
 
+<FieldName> ::= <String>
+<SchemaName> ::= <String>
+<SchemaNameField> ::= <SchemaName>.<FieldName>
+<SchemaNameList> ::= "<SchemaName>|<SchemaFieldName>(,<SchemaName>|<SchemaFieldName>)*"
+
 <StorageBucketName> ::= <String>
 <StorageObjectName> ::= <String>
 <StorageBucketObjectName> ::=
@@ -337,6 +344,10 @@ relation manager manageremail@domain.com
 externalid organization "Employee ID"
 
 ```
+`<UserMultiAttribute>.location.buildingid <String>` allows non-validated building IDs
+by specifying `nv:` at the beginning of `<String>`; e.g., `nv:Building X' sets the building ID to `Building X`.
+
+
 ## Passwords
 To set a user's password, you specify a `<Password>` string and a hash method that specifies how to interpret the string
 * `password random|uniquerandom` - A 25 character plain text string of ASCII uppercase/lowecase letters, digits and punctuation
@@ -482,7 +493,7 @@ clearschema <SchemaName>
 ```
 Clear a specific field in a schema:
 ```
-clearschema <SchemaName>.<FieldName>
+clearschema <SchemaNameField>
 ```
 
 ## Create a user
@@ -608,7 +619,7 @@ gam update user <UserItem> [ignorenullpassword] <UserAttribute>*
         [updateoufromgroup <FileName> [charset <Charset>]
             [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
             [fields <FieldNameList>] [keyfield <FieldName>] [datafield <FieldName>]]
-        [clearschema <SchemaName>] [clearschema <SchemaName>.<FieldName>]
+        [clearschema <SchemaName>|<SchemaNameField>]
         [createifnotfound] [notfoundpassword random|<Password>]
         (groups [<GroupRole>] [[delivery] <DeliverySetting>] <GroupEntity>)*
         [alias|aliases <EmailAddressList>]
@@ -629,7 +640,7 @@ gam update users <UserTypeEntity> [ignorenullpassword] <UserAttribute>*
         [updateoufromgroup <FileName> [charset <Charset>]
             [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
             [fields <FieldNameList>] [keyfield <FieldName>] [datafield <FieldName>]]
-        [clearschema <SchemaName>] [clearschema <SchemaName>.<FieldName>]
+        [clearschema <SchemaName>|<SchemaNameField>]
         [createifnotfound] [notfoundpassword random|<Password>]
         (groups [<GroupRole>] [[delivery] <DeliverySetting>] <GroupEntity>)*
         [alias|aliases <EmailAddressList>]
@@ -650,7 +661,7 @@ gam <UserTypeEntity> update users [ignorenullpassword] <UserAttribute>*
         [updateoufromgroup <FileName> [charset <Charset>]
             [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
             [fields <FieldNameList>] [keyfield <FieldName>] [datafield <FieldName>]]
-        [clearschema <SchemaName>] [clearschema <SchemaName>.<FieldName>]
+        [clearschema <SchemaName>|<SchemaNameField>]
         [createifnotfound] [notfoundpassword random|<Password>]
         (groups [<GroupRole>] [[delivery] <DeliverySetting>] <GroupEntity>)*
         [alias|aliases <EmailAddressList>]
@@ -948,7 +959,7 @@ Starting in version `5.23.01`, the variable `quick_info_user` was added to `gam.
 
 These existing options enable the display of additional information.
 * `(products|product <ProductIDList>)|(skus|sku <SKUIDList>)` - Display license information for a selected list of products/SKUs.
-* `schemas|custom|customschemas <SchemaNameList>` - Display the specified custom schemas
+* `schemas|custom|customschemas <SchemaNameList>` - Display all fields or selected fields of the specified custom schemas
 
 By default, Gam displays fields that only an adminstrator can view.
 * `userview` - Only display fields that other users in the domain can view.
@@ -981,14 +992,16 @@ gam print users [todrive <ToDriveAttribute>*]
          [limittoou <OrgUnitItem>] [deleted_only|only_deleted])
         [orderby <UserOrderByFieldName> [ascending|descending]]
         [groups|groupsincolumns]
-        [license|licenses|licence|licences]
+        [license|licenses|licence|licences|licensebyuser|licensesbyuser|licencebyuser|licencesbyuser]
         [onelicenseperrow|onelicenceperrow]
+        [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
         [schemas|custom|customschemas all|<SchemaNameList>]
         [emailpart|emailparts|username]
         [userview] [allfields|basic|full|(<UserFieldName>*|fields <UserFieldNameList>)]
         [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
         [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
         [issuspended <Boolean>] [aliasmatchpattern <RegularExpression>]
+        [showvalidcolumn] (addcsvdata <FieldName> <String>)*
 ```
 
 By default, users in all domains in the account are selected; these options allow selection of subsets of users:
@@ -1008,11 +1021,13 @@ gam print users [todrive <ToDriveAttribute>*] select <UserTypeEntity>
         [onelicenseperrow|onelicenceperrow]
         [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
         [schemas|custom|customschemas all|<SchemaNameList>]
-        [emailpart|emailparts|username][schemas|custom all|<SchemaNameList>]
-        [userview] [allfields|basic|full|(<UserFieldName>*|fields <UserFieldNameList>)]
+        [emailpart|emailparts|username]
+        [userview] [basic|full|allfields|(<UserFieldName>*|fields <UserFieldNameList>)]
         [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
         [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
         [issuspended <Boolean>] [aliasmatchpattern <RegularExpression>]
+        [showvalidcolumn] (addcsvdata <FieldName> <String>)*
+
 gam <UserTypeEntity> print users [todrive <ToDriveAttribute>*]
         [orderby <UserOrderByFieldName> [ascending|descending]]
         [groups|groupsincolumns]
@@ -1021,10 +1036,11 @@ gam <UserTypeEntity> print users [todrive <ToDriveAttribute>*]
         [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
         [schemas|custom|customschemas all|<SchemaNameList>]
         [emailpart|emailparts|username]
-        [userview] [allfields|basic|full|(<UserFieldName>*|fields <UserFieldNameList>)]
+        [userview] [basic|full|allfields|(<UserFieldName>*|fields <UserFieldNameList>)]
         [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
         [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
         [issuspended <Boolean>] [aliasmatchpattern <RegularExpression>]
+        [showvalidcolumn] (addcsvdata <FieldName> <String>)*
 ```
 
 By default, Gam gets no group membership information for each user. The `groups` and `groupsincolumns`
@@ -1053,8 +1069,8 @@ By default, Gam displays only the primary email address for each user.
 * `allfields|basic` - Display all non custom schema fields for each user.
 * `full` - Display all fields including  all custom schema fields for each user.
 * `<UserFieldName>* [fields <UserFieldNameList>]` - Only display selected fields.
-* `schemas|custom all` - Get custom schema information for all schemas.
-* `schemas|custom <SchemaNameList>` - Get custom schema information for a selected list of schemas.
+* `schemas|custom all` - Display custom schema information for all schemas.
+* `schemas|custom <SchemaNameList>` - Display all fields or selected fields of the specified custom schemas
 
 By default, when aliases are displayed, all aliases are displayed. Use `aliasmatchpattern <RegularExpression>`
 to limit the display of aliases to those that match `<RegularExpression>`.
@@ -1079,6 +1095,17 @@ In the output, primaryEmail is the always the first column; these options contro
 * `<UserFieldName>*|fields <UserFieldNameList>` - The columns appear in the order that the fields are specified.
 * `scalarsfirst [true]` - When columns are sorted by name, scalar fields appear before repeating fields.
 
+By default, if `<UserTypeEntity>` includes an email address the is not a user member of the domain,
+an error message is generated.
+```
+User: testuserxxx@domain.com, Does not exist
+```
+
+Using option `showvalidcolumn`, a new column `Found` indicates domain membership; no errors are generated
+
+Add additional columns of data from the command line to the output
+* `addcsvdata <FieldName> <String>`
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
 * `formatjson` - Display the fields in JSON format.
 
@@ -1221,6 +1248,15 @@ $ more UsersList.csv
  ["testuser1@domain.org",  "testuser2@domain.org",  "testuser3@domain.org",  "testuser4@domain.org"] 
 ```
 
+## Print user counts by OrgUnit
+Display the count of archived, suspended and total users in each OrgUnit; display a grand total.
+
+By default, all users in the workspace are counted; you can specify a domain to only count users in that domain.
+```
+gam print usercountsbyorgunit [todrive <ToDriveAttribute>*]
+        [domain <String>]
+```
+
 ## Display user counts
 Display the number of users in an entity.
 ```
@@ -1249,3 +1285,34 @@ count=$(gam print users query "orgUnitPath='/Students/Middle School'" showitemco
 Windows PowerShell
 count = & gam print users query "orgUnitPath='/Students/Middle School'" showitemcountonly
 ```
+## Verify domain membership
+You have a CSV file of email addresses and want to verify of the addresses are valid users in your domain.
+```
+# Users.csv
+$ more Users.csv
+primaryEmail,name
+testuser1@domain.com,Test User 1
+testuserxxx@domain.com,Test User XXX
+testuser2@domain.com,Test User 2
+
+# Without showvalidcolumn, non-domain users generate an error
+$ gam redirect csv - multiprocess csv Users.csv gam user "~primaryEmail" print users fields primaryemail,id addcsvdata name "~name"
+2024-02-23T11:29:00.407-08:00,0/3,Using 3 processes...
+2024-02-23T11:29:00.410-08:00,0,Processing item 3/3
+User: testuserxxx@domain.com, Does not exist
+2024-02-23T11:29:06.511-08:00,0/3,Processing complete
+primaryEmail,id,name
+testuser1@domain.com,118080758787650801331,Test User 1
+testuser2@domain.com,107344800159717682514,Test User 2
+
+# Using showvalidcolumn, a new column `Valid` indicates domain membership; no errors are generated
+$ gam redirect csv - multiprocess csv Users.csv gam user "~primaryEmail" print users fields primaryemail,id addcsvdata name "~name" showvalidcolumn
+2024-02-23T11:29:22.287-08:00,0/3,Using 3 processes...
+2024-02-23T11:29:22.292-08:00,0,Processing item 3/3
+2024-02-23T11:29:23.366-08:00,0/3,Processing complete
+primaryEmail,id,Valid,name
+testuser1@domain.com,118080758787650801331,True,Test User 1
+testuserxxx@domain.com,,False,Test User XXX
+testuser2@domain.com,107344800159717682514,True,Test User 2
+```
+

docs/Using-GAMADV-XTD3-with-a-YubiKey.md

@@ -28,7 +28,7 @@ The YubiKey can be configured with a PIN that must be entered in order for it to
 Yes but in practice this does not work very well with GAMADV-XTD3. The YubiKey will need to be touched every time there is a GAMADV-XTD3 command running which for batch or cron jobs may be constant. GAMADV-XTD3 can use a PIN configured on the YubiKey in order to offer an additional layer of protection.
 
 ### If I use a YubiKey, do I need to rotate the private key regularly?
-No, because the YubiKey generated the private key it cannot be digitally exported from the YubiKey so there is not chance for it to be copied and stolen. Instead you should physically secure the YubiKey from theft.
+No, because the YubiKey generated the private key it cannot be digitally exported from the YubiKey so there is no chance for it to be copied and stolen. Instead you should physically secure the YubiKey from theft.
 
 ### What data does the service account private key have access to?
 When using domain-wide delegation with GAMADV-XTD3, the service account and anyone possessing the service account private key oauth2service.json file has access to the Gmail, Drive and Calendar data of ALL Workspace users in your domain. For this reason, whether using a YubiKey or not, you should take strong measures to protect the service account private key.

docs/Vault-Takeout.md

@@ -546,7 +546,7 @@ The `shownames` argument controls whether account and org unit names are display
 ## Vault Holds
 ## Create Vault Holds
 ```
-gam create vaulthold|hold matter <MatterItem> [name <String>] corpus drive|mail|groups|hangouts_chat
+gam create vaulthold|hold matter <MatterItem> [name <String>] corpus calendar|drive|mail|groups|hangouts_chat|voice
         [(accounts|groups|users <EmailItemList>) | (orgunit|org|ou <OrgUnit>)]
         [query <QueryVaultCorpus>]
         [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
@@ -560,10 +560,12 @@ Specify the name of the hold:
 * `default` - The hold will be named `GAM <corpus> Hold - <Time>`
 
 Specify the corpus of data, this option is required:
+* `calendar`
 * `drive`
 * `mail`
 * `groups`
 * `hangouts_chat`
+* `voice`
 
 Specify the search method, this option is required:
 * `accounts|groups|users <EmailAddressEntity>` - Search all accounts specified in `<EmailAddressEntity>`
@@ -657,7 +659,11 @@ By default, Gam displays the information as an indented list of keys and values.
 gam print vaultholds|holds [todrive <ToDriveAttributes>*] [matters <MatterItemList>]
         [fields <VaultHoldFieldNameList>] [shownames]
         [formatjson [quotechar <Character>]]
+        [oneitemperrow]
 ```
+By default, all accounts for a hold are displayed on a single row;
+use `oneitemperrow` to have each account displayed on a separate row.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 

docs/Version-and-Help.md

@@ -1,12 +1,12 @@
-# Version and Help
+\# Version and Help
 
 Print the current version of Gam with details
 ```
 gam version
-GAMADV-XTD3 6.70.00 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.76.09 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
-MacOS Sonoma 14.2.1 x86_64
+Python 3.12.3 64-bit final
+MacOS Sonoma 14.4.1 x86_64
 Path: /Users/Admin/bin/gamadv-xtd3
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
@@ -15,10 +15,10 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAMADV-XTD3 6.70.00 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.76.09 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
-MacOS Sonoma 14.2.1 x86_64
+Python 3.12.3 64-bit final
+MacOS Sonoma 14.4.1 x86_64
 Path: /Users/Admin/bin/gamadv-xtd3
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Your system time differs from www.googleapis.com by less than 1 second
@@ -27,17 +27,17 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAMADV-XTD3 6.70.00 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.76.09 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
-MacOS Sonoma 14.2.1 x86_64
+Python 3.12.3 64-bit final
+MacOS Sonoma 14.4.1 x86_64
 Path: /Users/Admin/bin/gamadv-xtd3
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
 Your system time differs from admin.googleapis.com by less than 1 second
 OpenSSL 3.1.1 30 May 2023
 cryptography 41.0.1
-filelock 3.12.2
+filelock 3.12.3
 google-api-python-client 2.88.0
 google-auth-httplib2 0.1.0
 google-auth-oauthlib 1.0.0
@@ -64,7 +64,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gamadv-xtd3
 Version Check:
   Current: 5.35.08
-   Latest: 6.70.00
+   Latest: 6.76.09
 echo $?
 1
 ```
@@ -72,7 +72,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-6.70.00
+6.76.09
 ```
 In Linux/MacOS you can do:
 ```
@@ -82,10 +82,10 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 6.70.00 - https://github.com/taers232c/GAMADV-XTD3
+GAM 6.76.09 - https://github.com/taers232c/GAMADV-XTD3
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
-MacOS Sonoma 14.2.1 x86_64
+Python 3.12.3 64-bit final
+MacOS Sonoma 14.4.1 x86_64
 Path: /Users/Admin/bin/gamadv-xtd3
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00

docs/_Sidebar.md

@@ -129,6 +129,7 @@ Service Account Access
 * [Users - Drive - File Selection](Drive-File-Selection)
 * [Users - Drive - Activity/Settings](Users-Drive-Activity-Settings)
 * [Users - Drive - Cleanup](Users-Drive-Cleanup)
+* [Users - Drive - Comments](Users-Drive-Comments)
 * [Users - Drive - Copy/Move](Users-Drive-Copy-Move)
 * [Users - Drive - Files-Display](Users-Drive-Files-Display)
 * [Users - Drive - Files-Manage](Users-Drive-Files-Manage)

docs/gam.cfg.md

@@ -123,7 +123,9 @@ clock_skew_in_seconds
         Default: 10
         Range: 10 - 3600
 cmdlog
-        Path to GAM Log file; there is no logging if cmdlog is empty
+        Path to GAM Log file; there is no logging if cmdlog is empty.
+        If cmdlog specifies a relative path, e.g., just a filename, it is appended to GamConfigDir.
+        If cmdlog specifies a full path, it is used as is.
         Default: ''
 cmdlog_max_backups
         Maximum number of backup log files
@@ -255,6 +257,10 @@ csv_output_row_filter_mode
 csv_output_row_limit
         A limit on the number of rows to write to a CSV file; a value of 0 sets no limit.
         Default: 0
+csv_output_sort_headers
+        A list of column headers that causes GAM to sort CSV output rows by those headers.
+        The column headers are case insensitive and if column header does not appear in the CSV output, it is ignored.
+        Default: Blank
 csv_output_subfield_delimiter
         Character used to delimit fields and subfields in headers when writing CSV files;
         this must be a single character
@@ -467,7 +473,7 @@ section
         Default section of gam.cfg.
         Default: DEFAULT
 show_api_calls_retry_data
-        Enable/disable display of Google API calls retry data and end of processing
+        Enable/disable display of Google API calls retry data at end of processing
         Default: False
 show_commands
         Enable/disable display of commands to stderr when executing `gam batch|tbatch|csv|loop`.
@@ -574,6 +580,10 @@ todrive_upload_nodata
 todrive_user
         Email address of user to receive CSV files when todrive is specified
         Default: '' which becomes admin user in admin_email or address from oauth2.txt
+truncate_client_id
+        Prior to version 6.74.00, GAM stripped '.apps.googleusercontent.com' from the client_id in oauth2.txt
+        and passed the truncated value in API calls; this is no longer performed unless truncate_client_id is true
+        Default: False
 update_cros_ou_with_id
         Update the OU of a Chromebook with the OU ID rather than the OU path.
         Set to true if you are getting the following error:
@@ -724,6 +734,7 @@ Section: DEFAULT
   todrive_timezone = ''
   todrive_upload_nodata = true
   todrive_user = ''
+  truncate_client_id = false
   update_cros_ou_with_id = false
   use_projectid_as_name = false
   user_max_results = 500
@@ -910,6 +921,7 @@ todrive_timestamp = false
 todrive_timezone = ''
 todrive_upload_nodata = true
 todrive_user = ''
+truncate_client_id = false
 update_cros_ou_with_id = false
 use_projectid_as_name = false
 

src/GamCommands.txt

@@ -22,43 +22,6 @@ If an item contains spaces, it should be surrounded by ".
 <FalseValues>= false|off|no|disabled|0
 <TrueValues> ::= true|on|yes|enabled|1
 
-<Charset> ::= ascii|latin1|mbcs|utf-8|utf-8-sig|utf-16|<String>
-<CalendarColorIndex> ::= <Number in range 1-24>
-<CalendarColorName> ::=
-        amethyst|avocado|banana|basil|birch|blueberry|
-        cherryblossom|citron|cobalt|cocoa|eucalyptus|flamingo|
-        grape|graphite|lavender|mango|peacock|pistachio|
-        pumpkin|radicchio|sage|tangerine|tomato|wisteria|
-<ColorHex> ::= "#<Hex><Hex><Hex><Hex><Hex><Hex>"
-<ColorNameGoogle> ::=
-        asparagus|bluevelvet|bubblegum|cardinal|chocolateicecream|denim|desertsand|
-        earthworm|macaroni|marsorange|mountaingray|mountaingrey|mouse|oldbrickred|
-        pool|purpledino|purplerain|rainysky|seafoam|slimegreen|spearmint|
-        toyeggplant|vernfern|wildstrawberries|yellowcab
-<ColorNameWeb> ::=
-        aliceblue|antiquewhite|aqua|aquamarine|azure|beige|bisque|black|blanchedalmond|
-        blue|blueviolet|brown|burlywood|cadetblue|chartreuse|chocolate|coral|
-        cornflowerblue|cornsilk|crimson|cyan|darkblue|darkcyan|darkgoldenrod|darkgray|
-        darkgrey|darkgreen|darkkhaki|darkmagenta|darkolivegreen|darkorange|darkorchid|
-        darkred|darksalmon|darkseagreen|darkslateblue|darkslategray|darkslategrey|
-        darkturquoise|darkviolet|deeppink|deepskyblue|dimgray|dimgrey|dodgerblue|
-        firebrick|floralwhite|forestgreen|fuchsia|gainsboro|ghostwhite|gold|goldenrod|
-        gray|grey|green|greenyellow|honeydew|hotpink|indianred|indigo|ivory|khaki|
-        lavender|lavenderblush|lawngreen|lemonchiffon|lightblue|lightcoral|lightcyan|
-        lightgoldenrodyellow|lightgray|lightgrey|lightgreen|lightpink|lightsalmon|
-        lightseagreen|lightskyblue|lightslategray|lightslategrey|lightsteelblue|
-        lightyellow|lime|limegreen|linen|magenta|maroon|mediumaquamarine|mediumblue|
-        mediumorchid|mediumpurple|mediumseagreen|mediumslateblue|mediumspringgreen|
-        mediumturquoise|mediumvioletred|midnightblue|mintcream|mistyrose|moccasin|
-        navajowhite|navy|oldlace|olive|olivedrab|orange|orangered|orchid|
-        palegoldenrod|palegreen|paleturquoise|palevioletred|papayawhip|peachpuff|
-        peru|pink|plum|powderblue|purple|red|rosybrown|royalblue|saddlebrown|salmon|
-        sandybrown|seagreen|seashell|sienna|silver|skyblue|slateblue|slategray|
-        slategrey|snow|springgreen|steelblue|tan|teal|thistle|tomato|turquoise|violet|
-        wheat|white|whitesmoke|yellow|yellowgreen
-<ColorName> ::= <ColorNameGoogle>|<ColorNameWeb>
-<ColorValue> ::= <ColorName>|<ColorHex>
-<DayOfWeek> ::= mon|tue|wed|thu|fri|sat|sun
 <BCP47LanguageCode> ::=
         ar-sa| # Arabic Saudi Arabia
         cs-cz| # Czech Czech Republic
@@ -97,6 +60,43 @@ If an item contains spaces, it should be surrounded by ".
         zh-cn| # Chinese China
         zh-hk| # Chinese Hong Kong
         zh-tw  # Chinese Taiwan
+<Charset> ::= ascii|latin1|mbcs|utf-8|utf-8-sig|utf-16|<String>
+<CalendarColorIndex> ::= <Number in range 1-24>
+<CalendarColorName> ::=
+        amethyst|avocado|banana|basil|birch|blueberry|
+        cherryblossom|citron|cobalt|cocoa|eucalyptus|flamingo|
+        grape|graphite|lavender|mango|peacock|pistachio|
+        pumpkin|radicchio|sage|tangerine|tomato|wisteria|
+<ColorHex> ::= "#<Hex><Hex><Hex><Hex><Hex><Hex>"
+<ColorNameGoogle> ::=
+        asparagus|bluevelvet|bubblegum|cardinal|chocolateicecream|denim|desertsand|
+        earthworm|macaroni|marsorange|mountaingray|mountaingrey|mouse|oldbrickred|
+        pool|purpledino|purplerain|rainysky|seafoam|slimegreen|spearmint|
+        toyeggplant|vernfern|wildstrawberries|yellowcab
+<ColorNameWeb> ::=
+        aliceblue|antiquewhite|aqua|aquamarine|azure|beige|bisque|black|blanchedalmond|
+        blue|blueviolet|brown|burlywood|cadetblue|chartreuse|chocolate|coral|
+        cornflowerblue|cornsilk|crimson|cyan|darkblue|darkcyan|darkgoldenrod|darkgray|
+        darkgrey|darkgreen|darkkhaki|darkmagenta|darkolivegreen|darkorange|darkorchid|
+        darkred|darksalmon|darkseagreen|darkslateblue|darkslategray|darkslategrey|
+        darkturquoise|darkviolet|deeppink|deepskyblue|dimgray|dimgrey|dodgerblue|
+        firebrick|floralwhite|forestgreen|fuchsia|gainsboro|ghostwhite|gold|goldenrod|
+        gray|grey|green|greenyellow|honeydew|hotpink|indianred|indigo|ivory|khaki|
+        lavender|lavenderblush|lawngreen|lemonchiffon|lightblue|lightcoral|lightcyan|
+        lightgoldenrodyellow|lightgray|lightgrey|lightgreen|lightpink|lightsalmon|
+        lightseagreen|lightskyblue|lightslategray|lightslategrey|lightsteelblue|
+        lightyellow|lime|limegreen|linen|magenta|maroon|mediumaquamarine|mediumblue|
+        mediumorchid|mediumpurple|mediumseagreen|mediumslateblue|mediumspringgreen|
+        mediumturquoise|mediumvioletred|midnightblue|mintcream|mistyrose|moccasin|
+        navajowhite|navy|oldlace|olive|olivedrab|orange|orangered|orchid|
+        palegoldenrod|palegreen|paleturquoise|palevioletred|papayawhip|peachpuff|
+        peru|pink|plum|powderblue|purple|red|rosybrown|royalblue|saddlebrown|salmon|
+        sandybrown|seagreen|seashell|sienna|silver|skyblue|slateblue|slategray|
+        slategrey|snow|springgreen|steelblue|tan|teal|thistle|tomato|turquoise|violet|
+        wheat|white|whitesmoke|yellow|yellowgreen
+<ColorName> ::= <ColorNameGoogle>|<ColorNameWeb>
+<ColorValue> ::= <ColorName>|<ColorHex>
+<DayOfWeek> ::= mon|tue|wed|thu|fri|sat|sun
 <EventColorIndex> ::= <Number in range 1-11>
 <EventColorName> ::=
         banana|basil|blueberry|flamingo|graphite|grape|
@@ -243,6 +243,7 @@ If an item contains spaces, it should be surrounded by ".
         101040 |
         101043 |
         101047 |
+        101049 |
         Google-Apps |
         Google-Chrome-Device-Management |
         Google-Drive-storage |
@@ -258,56 +259,58 @@ If an item contains spaces, it should be surrounded by ".
         4tb | drive4tb | googledrivestorage4tb | Google-Drive-storage-4TB |
         8tb | drive8tb | googledrivestorage8tb | Google-Drive-storage-8TB |
         16tb | drive16tb | googledrivestorage16tb | Google-Drive-storage-16TB |
-        appsheetcore | 1010380001 |
-        appsheetstandard | appsheetenterprisestandard | 1010380002 |
-        appsheetplus | appsheetenterpriseplus | 1010380003 |
-        assuredcontrols | 1010390001 |
-        bce | beyondcorp | beyondcorpenterprise | 1010400001 |
+        appsheetcore | 1010380001 | AppSheet Core |
+        appsheetstandard | appsheetenterprisestandard | 1010380002 | AppSheet Enterprise Standard |
+        appsheetplus | appsheetenterpriseplus | 1010380003 | AppSheet Enterprise Plus |
+        assuredcontrols | 1010390001 | Assured Controls |
+        bce | beyondcorp | beyondcorpenterprise | cep | chromeenterprisepremium | 1010400001 | Chrome Enterprise Premium |
         cdm | chrome | googlechromedevicemanagement | Google-Chrome-Device-Management |
-        cloudidentity | identity | 1010010001 |
-        cloudidentitypremium | identitypremium | 1010050001 |
-        cloudsearch | 1010350001 |
-        duetai | 1010470001 |
+        cloudidentity | identity | 1010010001 | Cloud Identity |
+        cloudidentitypremium | identitypremium | 1010050001 | Cloud Identity Premium |
+        cloudsearch | 1010350001 | Cloud Search |
+        eeu | 1010490001 | SKU Endpoint Education Upgrade |
+        geminibiz | 1010470003 | Gemini Business |
+        geminient| duetai | 1010470001 | Gemini Enterprise |
         gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
         gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
-        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 |
-        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 |
-        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 |
-        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 |
+        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 | Google Workspace Business - Archived User |
+        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 | Google Workspace Enterprise Plus - Archived User |
+        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 | Google Workspace for Education Plus - Legacy |
+        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 | Google Workspace for Education Plus - Legacy (Student) |
         gsuitegov | gafg | gsuitegovernment | Google-Apps-For-Government |
         gsuitelite | gal | gsl | lite | Google-Apps-Lite |
-        gwep | workspaceeducationplus | 1010310008 |
-        gwepstaff | workspaceeducationplusstaff | 1010310009 |
-        gwepstudent | workspaceeducationplusstudent | 1010310010 |
-        gwes | workspaceeducationstandard | 1010310005 |
-        gwesstaff | workspaceeducationstandardstaff | 1010310006 |
-        gwesstudent | workspaceeducationstandardstudent | 1010310007 |
-        gwetlu | workspaceeducationupgrade | 1010370001 |
-        gwlabs | workspacelabs | 1010470002
-        meetdialing | googlemeetglobaldialing | 1010360001 |
+        gwep | workspaceeducationplus | 1010310008 | Google Workspace for Education Plus |
+        gwepstaff | workspaceeducationplusstaff | 1010310009 | Google Workspace for Education Plus (Staff) |
+        gwepstudent | workspaceeducationplusstudent | 1010310010 | Google Workspace for Education Plus (Extra Student)|
+        gwes | workspaceeducationstandard | 1010310005 | Google Workspace for Education Standard |
+        gwesstaff | workspaceeducationstandardstaff | 1010310006 | Google Workspace for Education Standard (Staff) |
+        gwesstudent | workspaceeducationstandardstudent | 1010310007 | Google Workspace for Education Standard (Extra Student)
+        gwetlu | workspaceeducationupgrade | 1010370001 | Google Workspace for Education: Teaching and Learning Upgrade |
+        gwlabs | workspacelabs | 1010470002 | Google Workspace Labs |
+        meetdialing | googlemeetglobaldialing | 1010360001 |  Google Meet Global Dialing |
         postini | gams | gsuitegams | gsuitepostini | gsuitemessagesecurity | Google-Apps-For-Postini |
         standard | free | Google-Apps |
         vault | googlevault | Google-Vault |
         vfe | googlevaultformeremployee | Google-Vault-Former-Employee |
-        voicepremier | gvpremier | googlevoicepremier | 1010330002 |
-        voicestandard | gvstandard | googlevoicestandard | 1010330004 |
-        voicestarter | gvstarter | googlevoicestarter | 1010330003 |
-        wsas | plusstorage | 1010430001 |
-        wsbizplus | workspacebusinessplus | 1010020025 |
-        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 |
-        wsbizstan | workspacebusinessstandard | 1010020028 |
-        wsbizstanarchived | workspacebusinessstandardarchived | 1010340006 |
-        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 |
-        wsbizstarterarchived | workspacebusinessstarterarchived | 1010340005 |
-        wsentess | workspaceenterpriseessentials | 1010060003 |
-        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 |
-        wsentstan | workspaceenterprisestandard | 1010020026 |
-        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 |
-        wsentstarter | workspaceenterprisestarter | 1010020029 | wes |
-        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 |
-        wsessplus | workspaceessentialsplus | 1010060005 |
-        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030 |
-        wsflwstan | workspacefrontlinestan | workspacefrontlineworkerstan | 1010020031
+        voicepremier | gvpremier | googlevoicepremier | 1010330002 | Google Voice Premier 
+        voicestandard | gvstandard | googlevoicestandard | 1010330004 | Google Voice Standard |
+        voicestarter | gvstarter | googlevoicestarter | 1010330003 | Google Voice Starter |
+        wsas | plusstorage | 1010430001 | Google Workspace Additional Storage |
+        wsbizplus | workspacebusinessplus | 1010020025 | Google Workspace Business Plus |
+        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 | Google Workspace Business Plus - Archived User |
+        wsbizstan | workspacebusinessstandard | 1010020028 | Google Workspace Business Standard }
+        wsbizstanarchived | workspacebusinessstandardarchived | 1010340006 | Google Workspace Business Standard - Archived User |
+        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 | Google Workspace Business Starter |
+        wsbizstarterarchived | workspacebusinessstarterarchived | 1010340005 | Google Workspace Business Starter - Archived User |
+        wsentess | workspaceenterpriseessentials | 1010060003 | Google Workspace Enterprise Essentials |
+        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 | Google Workspace Enterprise Plus |
+        wsentstan | workspaceenterprisestandard | 1010020026 | Google Workspace Enterprise Standard |
+        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 | Google Workspace Enterprise Standard - Archived User |
+        wsentstarter | workspaceenterprisestarter | wes | 1010020029 | Workspace Enterprise Starter |
+        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 | Google Workspace Essentials |
+        wsessplus | workspaceessentialsplus | 1010060005 | Google Workspace Essentials Plus |
+        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030 | Google Workspace Frontline Starter |
+        wsflwstan | workspacefrontlinestan | workspacefrontlineworkerstan | 1010020031 | Google Workspace Frontline Standard
 
 ## Items built from primitives
 
@@ -441,6 +444,7 @@ If an item contains spaces, it should be surrounded by ".
 <DriveLabelFieldID> ::= <String>
 <DriveLabelSelectionID> ::= <String>
 <DriveLabelName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]
+<DriveLabelPermissionName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]/permissions/(audiences|groups|people)/<String>
 <EmailAddress> ::= <String>@<DomainName>
 <EmailItem> ::= <EmailAddress>|<UniqueID>|<String>
 <EmailReplacement> ::= <String>
@@ -542,6 +546,7 @@ If an item contains spaces, it should be surrounded by ".
 <ResellerID> ::= <String>
 <ResourceID> ::= <String>
 <SchemaName> ::= <String>
+<SchemaNameField> ::= <SchemaName>.<FieldName>
 <Section> ::= <String>
 <SendAsContent> ::=
         (sig|signature|htmlsig <String>)|
@@ -583,6 +588,7 @@ If an item contains spaces, it should be surrounded by ".
 <StorageObjectName> ::= <String>
 <StorageBucketObjectName> ::=
         https://storage.cloud.google.com/<StorageBucketName>/<StorageObjectName>|
+        https://storage.googleapis.com/<StorageBucketName>/<StorageObjectName>|
         gs://<StorageBucketName>/<StorageObjectName>|
         <StorageBucketName>/<StorageObjectName>
 <Tag> ::= <String>
@@ -597,6 +603,7 @@ If an item contains spaces, it should be surrounded by ".
 <Title> ::= <String>
 <ToDriveAttribute> ::=
         (tdaddsheet [<Boolean>])|
+        (tdalert <EmailAddress>)*|
         (tdbackupsheet (id:<Number>)|<String>)|
         (tdcellnumberformat text|number)|
         (tdcellwrap clip|overflow|wrap)|
@@ -604,17 +611,20 @@ If an item contains spaces, it should be surrounded by ".
         (tdcopysheet (id:<Number>)|<String>)|
         (tddescription <String>)|
         (tdfileid <DriveFileID>)|
+        (tdfrom <EmailAddress>)|
         (tdlocalcopy [<Boolean>])|
         (tdlocale <Locale>)|
         (tdnobrowser [<Boolean>])|
         (tdnoemail [<Boolean>])|
         (tdnoescapechar [<Boolean>])|
+        (tdnotify [<Boolean>])|
         (tdparent (id:<DriveFolderID>)|<DriveFolderName>)|
         (tdretaintitle [<Boolean>])|
         (tdshare <EmailAddress> commenter|reader|writer)*|
         (tdsheet (id:<Number>)|<String>)|
         (tdsheettimestamp [<Boolean>] [tdsheettimeformat <String>])
         (tdsheettitle <String>)|
+        (tdsubject <String>)|
         ([tdsheetdaysoffset <Number>] [tdsheethoursoffset <Number>])|
         (tdtimestamp [<Boolean>] [tdtimeformat <String>]
             [tddaysoffset <Number>] [tdhoursoffset <Number>])|
@@ -641,6 +651,7 @@ If an item contains spaces, it should be surrounded by ".
 <AssetTagList> ::= "<AssetTag>(,<AssetTag>)*"
 <CalendarACLScopeList> ::= "<CalendarACLScope>(,<CalendarACLScope>)*"
 <CalendarList> ::= "<CalendarItem>(,<CalendarItem>)*"
+<ChatSpaceList> ::= "<ChatSpace>(,<ChatSpace>)*"
 <CIGroupAliasList> ::= "<CIGroupAlias>(,<CIGroupAlias>)*"
 <CIGroupTypeList> ::= "<CIGroupType>(,<CIGroupType>)*"
 <ClassroomInvitationIDList> ::= "<ClassroomInvitationID>(,<ClassroomInvitationID>)*"
@@ -673,6 +684,7 @@ If an item contains spaces, it should be surrounded by ".
 <DriveFolderNameList> ::= "<DriveFolderName>(,<DriveFolderName>)*"
 <DriveLabelIDList> ::= "<DriveLabelID>(,<DriveLabelID>)*"
 <DriveLabelNameList> ::= "<DriveLabelName>(,<DriveLabelName>)*"
+<DriveLabelPermissionNameList> ::= "<DriveLabelPermissionName>(,<DriveLabelPermissionName>)*"
 <DriveLabelFieldIDList> ::= "<DriveLabelFieldID>(,<DriveLabelFieldID>)*"
 <DriveLabelSelectionIDList> ::= "<DriveLabelSelectionID>(,<DriveLabelSelectionID>)*"
 <EmailAddressList> ::= "<EmailAddress>(,<EmailAddress>)*"
@@ -698,6 +710,7 @@ If an item contains spaces, it should be surrounded by ".
 <MatterStateList> ::= "<MatterState>(,<MatterState>)*"
 <MessageIDList> ::= "<MessageID>(,<MessageID>)*"
 <MimeTypeList> ::= "<MimeType>(,<MimeType>)*"
+<MimeTypeNameList> ::= "<MimeTypeName>(,<MimeTypeName>)*"
 <NamespaceList> ::= "<Namespace>(,<Namespace>)*"
 <NotesNameList> ::= "<NotesName>(,<NotesName>)*"
 <OrgUnitList> ::= "<OrgUnitItem>(,<OrgUnitItem>)*"
@@ -713,7 +726,7 @@ If an item contains spaces, it should be surrounded by ".
 <QueryMobileList> ::= "<QueryMobile>(,<QueryMobile>)*"
 <QueryUserList> ::= "<QueryUser>(,<QueryUser>)*"
 <ResourceIDList> ::= "<ResourceID>(,<ResourceID>)*"
-<SchemaNameList> ::= "<SchemaName>(,<SchemaName>)*"
+<SchemaNameList> ::= "<SchemaName>|<SchemaFieldName>(,<SchemaName>|<SchemaFieldName>)*"
 <SerialNumberList> ::= "<SerialNumber>(,<SerialNumber>)*"
 <ServiceAccountKeyList> ::= "<ServiceAccountKey>(,<ServiceAccountKey>)*"
 <SiteACLScopeList> ::= "<SiteACLScope>(,<SiteACLScope>)*"
@@ -1095,6 +1108,8 @@ Specify a collection of items by directly specifying them; the item type is dete
         <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <DriveLabelNameEntity> ::=
         <DriveLabelNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
+<DriveLabelPermissionNameEntity> ::=
+        <DriveLabelPermissionNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
 <EmailAddressEntity> ::=
         <EmailAddressList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <FilterIDEntity> ::=
@@ -1240,7 +1255,7 @@ For redirect csv, the optional arguments must appear in the order shown.
 <Redirect> ::=
         redirect csv <FileName> [multiprocess] [append] [noheader] [charset <Charset>]
                      [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
-                     [timestampcolumn <String>]
+                     [sortheaders <StringList>] [timestampcolumn <String>]
                      [todrive <ToDriveAttribute>*] |
         redirect stdout <FileName> [multiprocess] [append] |
         redirect stdout null [multiprocess] |
@@ -1324,10 +1339,16 @@ gam create project [admin <EmailAddress>] [project <ProjectID>]
         [projectname <ProjectName>] [parent <String>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
+        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+         (localkeysize 1024|2048|4096 [validityhours <Number>])|
+         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]
 gam use project [<EmailAddress>] [<ProjectID>]
 gam use project [admin <EmailAddress>] [project <ProjectID>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
+        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+         (localkeysize 1024|2048|4096 [validityhours <Number>])|
+         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]
 gam update project [[admin] <EmailAddress>] [<ProjectIDEntity>]
 gam delete project [[admin] <EmailAddress>] [<ProjectIDEntity>]
 gam show projects [[admin] <EmailAddress>] [all|<ProjectIDEntity>]
@@ -1340,6 +1361,9 @@ gam info currentprojectid
 gam create|add svcacct [[admin] <EmailAddress>] [<ProjectIDEntity>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
+        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+         (localkeysize 1024|2048|4096 [validityhours <Number>])|
+         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]
 gam delete svcacct [[admin] <EmailAddress>] [<ProjectIDEntity>]
         (saemail <ServiceAccountEmail>)|(saname <ServiceAccountName>)|(sauniqueid <ServiceAccountUniqueID>)
 gam check svcacct <UserTypeEntity> (scope|scopes <APIScopeURLList>)*
@@ -1353,44 +1377,35 @@ gam print svcaccts [[admin] <EmailAddress>] [all|<ProjectIDEntity>]
 
 gam create sakey
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (localkeysize 1024|2048|4096)|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 gam rotate sakey|sakeys retain_existing
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 
 gam update sakey
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 gam rotate sakey|sakeys replace_current
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 
 gam replace sakeys
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (localkeysize 1024|2048|4096)|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 gam rotate sakey|sakeys retain_none
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
+
+gam upload sakey [admin <EmailAddress>]
+        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 
 gam delete sakeys <ServiceAccountKeyList>+ [doit]
 gam show sakeys [all|system|user]
@@ -1425,7 +1440,8 @@ gam create adminrole <String> privileges all|all_ou|<PrivilegesList> [descriptio
 gam update adminrole <RoleItem> [name <String>] [privileges all|all_ou|<PrivilegesList>] [description <String>]
 gam delete adminrole <RoleItem>
 gam info adminrole <RoleItem> [privileges]
-gam print adminroles|roles [todrive <ToDriveAttribute>*] [privileges]
+gam print adminroles|roles [todrive <ToDriveAttribute>*]
+        [privileges] [oneitemperrow]
 gam show adminroles|roles [privileges]
 
 gam create|add admin <EmailAddress>|<UniqueID> <RoleItem> customer|(org_unit <OrgUnitItem>)
@@ -1433,7 +1449,8 @@ gam create|add admin <EmailAddress>|<UniqueID> <RoleItem> customer|(org_unit <Or
 gam delete admin <RoleAssignmentId>
 
 gam print admins [todrive <ToDriveAttribute>*]
-        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition] [privileges]
+        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition]
+        [privileges] [oneitemperrow]
 gam show admins
         [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition] [privileges]
 
@@ -1581,6 +1598,9 @@ gam calendar <CalendarEntity> printacl [todrive <ToDriveAttribute>*]
 
 <EventMatchProperty> ::=
         (matchfield attendees <EmailAddressEntity>)|
+        (matchfield attendeesonlydomainlist <DomainNameList>)|
+        (matchfield attendeesdomainlist <DomainNameList>)|
+        (matchfield attendeesnotdomainlist <DomainNameList>)|
         (matchfield attendeespattern <RegularExpression>)|
         (matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>)|
         (matchfield creatoremail <RegularExpression>)|
@@ -1827,7 +1847,7 @@ gam calendar <CalendarEntity> deleteevent (id|eventid <EventID>)+ [doit] [<Event
         [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]]
 gam calendar <CalendarEntity> moveevent (id|eventid <EventID>)+ destination <CalendarItem> [<EventNotificationAttribute>]
 gam calendar <CalendarEntity> wipe
-gam calendar <CalendarEntity> printevents <EventSelectProperty>* <EventDisplayProperty>* [fields <EventFieldNameList>]
+gam calendar <CalendarEntity> printevents <EventSelectProperty>* <EventDisplayProperty>*
         [fields <EventFieldNameList>] [showdayofweek]
         [countsonly]
         [formatjson [quotechar <Character>]] [todrive <ToDriveAttribute>*]
@@ -2027,6 +2047,9 @@ gam delete chatmessage name <ChatMessage>
 gam info chatmessage name <ChatMessage>
         [formatjson]
 
+gam info chatevent name <ChatEvent>
+        [formatjson]
+
 # Chrome Installed Apps Counts
 
 gam show chromeapps
@@ -2208,7 +2231,10 @@ gam <CrOSTypeEntity> update <CrOSAttribute>+ [quickcrosmove [<Boolean>]] [nobatc
         annotatedlocation|location|
         annotateduser|user|
         autoupdateexpiration|
+        autoupdatethrough|
+        backlightinfo|
         bootmode|
+        cpuinfo|
         cpustatusreports|
         deprovisionreason|
         devicefiles|
@@ -2218,6 +2244,9 @@ gam <CrOSTypeEntity> update <CrOSAttribute>+ [quickcrosmove [<Boolean>]] [nobatc
         dockmacaddress|
         ethernetmacaddress|
         ethernetmacaddress0|
+        extendedsupporteligible|
+        extendedsupportstart|
+        extendedsupportenabled|
         firmwareversion|
         firstenrollmenttime|
         lastdeprovisiontimestamp|
@@ -2294,6 +2323,7 @@ gam print cros [todrive <ToDriveAttribute>*]
         [start <Date>] [end <Date>] [listlimit <Number>]
         [reverselists <CrOSListFieldNameList>]
         [timerangeorder ascending|descending] [showdvrsfp]
+        (addcsvdata <FieldName> <String>)*
         [sortheaders]
         [formatjson [quotechar <Character>]]
         [showitemcountonly]
@@ -2318,6 +2348,7 @@ gam <CrOSTypeEntity> print cros [todrive <ToDriveAttribute>*]
         [start <Date>] [end <Date>] [listlimit <Number>]
         [reverselists <CrOSListFieldNameList>]
         [timerangeorder ascending|descending] [showdvrsfp]
+        (addcsvdata <FieldName> <String>)*
         [sortheaders]
         [formatjson [quotechar <Character>]]
         [showitemcountonly]
@@ -3395,6 +3426,21 @@ gam [<UserTypeEntity>] show drivelabels
         [basic|full] [languagecode <LanguageCode>]
         [publishedonly [<Boolean>]] [minimumrole applier|editor|organizer|reader]
         [formatjson] [adminaccess|asadmin]
+`
+gam [<UserTypeEntity>] create drivelabelpermission <DriveLabelNameEntity>
+        (user <UserItem>) | (group <GroupItem) | (audience <String>)
+        role applier|editor|organizer|reader
+        [formatjson] [adminaccess|asadmin]
+gam [<UserTypeEntity>] delete drivelabelpermission <DriveLabelNameEntity>
+        (user <UserItem>) | (group <GroupItem) | (audience <String>)
+        [adminaccess|asadmin]
+gam [<UserTypeEntity>] remove drivelabelpermission <DriveLabelPermissionNameEntity>
+        [adminaccess|asadmin]
+
+gam [<UserTypeEntity>] print drivelabelpermissions <DriveLabelNameEntity> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]] [adminaccess|asadmin]
+gam [<UserTypeEntity>] show drivelabelpermissions <DriveLabelNameEntity>
+        [formatjson] [adminaccess|asadmin]
 
 # Email Audit Monitor
 
@@ -4946,7 +4992,7 @@ gam <UserTypeEntity> show teamdriveacls
         (field:<UserReplacementField>)|
         (field:<UserReplacementFieldSubfield>)|
         (field:<UserReplacementFieldSubfieldMatchSubfield>)|
-        (schema:<SchemaName>.<FieldName>)|
+        (schema:<SchemaNameField>)|
         <String>
 
 # Vault/Takeout
@@ -5056,7 +5102,7 @@ gam show vaultexports|exports
         [fields <VaultExportFieldNameList>] [shownames]
         [formatjson]
 
-gam create vaulthold|hold matter <MatterItem> [name <String>] corpus drive|mail|groups|hangouts_chat
+gam create vaulthold|hold matter <MatterItem> [name <String>] corpus calendar|drive|mail|groups|hangouts_chat|voice
         [(accounts|groups|users <EmailItemList>) | (orgunit|org|ou <OrgUnit>)]
         [query <QueryVaultCorpus>]
         [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
@@ -5099,6 +5145,7 @@ gam info vaulthold|hold <MatterItem> <HoldItem>
 gam print vaultholds|holds [todrive <ToDriveAttribute>*] [matters <MatterItemList>]
         [fields <VaultHoldFieldNameList>] [shownames]
         [formatjson [quotechar <Character>]]
+        [oneitemperrow]
 gam show vaultholds|holds [matters <MatterItemList>]
         [fields <VaultHoldFieldNameList>] [shownames]
         [formatjson]
@@ -5210,9 +5257,9 @@ gam download storagefile <StorageBucketObjectName>
         (recoveryemail <EmailAddress>)|
         (recoveryphone <string>)|
         (suspend|suspended <Boolean>)|
-        (<SchemaName>.<FieldName> [scalarnonempty|
-                                   [multivalued|multivalue|value|multinonempty [type home|other|work|(custom <String>)]]]
-                                  <String>)
+        (<SchemaNameField> [scalarnonempty|
+                             [multivalued|multivalue|value|multinonempty [type home|other|work|(custom <String>)]]]
+                           <String>)
 
 <UserMultiAttribute> ::=
         (address type home|other|work|(custom <String>)
@@ -5301,7 +5348,7 @@ gam update user <UserItem> [ignorenullpassword] <UserAttribute>*
             [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
             [fields <FieldNameList>] [keyfield <FieldName>] [datafield <FieldName>]]
         [immutableous <OrgUnitEntity>]|
-        [clearschema <SchemaName>] [clearschema <SchemaName>.<FieldName>]
+        [clearschema <SchemaName> |  <SchemaNameField>]
         [createifnotfound] [notfoundpassword (random [<Integer>])|blocklogin|<Password>]
         (groups [<GroupRole>] [[delivery] <DeliverySetting>] <GroupEntity>)*
         [alias|aliases <EmailAddressList>]
@@ -5336,7 +5383,7 @@ gam update users <UserTypeEntity> [ignorenullpassword] <UserAttribute>*
         [updateoufromgroup <FileName> [charset <CharSet>]
             [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
             [fields <FieldNameList>] [keyfield <FieldName>] [datafield <FieldName>]]
-        [clearschema <SchemaName>] [clearschema <SchemaName>.<FieldName>]
+        [clearschema <SchemaName>|<SchemaNameField>]
         [createifnotfound] [notfoundpassword (random [<Integer>])|blocklogin|<Password>]
         (groups [<GroupRole>] [[delivery] <DeliverySetting>] <GroupEntity>)*
         [alias|aliases <EmailAddressList>]
@@ -5369,7 +5416,7 @@ gam <UserTypeEntity> update users [ignorenullpassword] <UserAttribute>*
         [verifynotinvitable] [noactionifalias]
         [updateprimaryemail <RegularExpression> <EmailReplacement>]
         [updateoufromgroup <CSVFileInput> [keyfield <FieldName>] [datafield <FieldName>]]
-        [clearschema <SchemaName>] [clearschema <SchemaName>.<FieldName>]
+        [clearschema <SchemaName> | <SchemaNameField>]
         [createifnotfound] [notfoundpassword (random [<Integer>])|blocklogin|<Password>]
         (groups [<GroupRole>] [[delivery] <DeliverySetting>] <GroupEntity>)*
         [alias|aliases <EmailAddressList>]
@@ -5413,10 +5460,11 @@ gam print users [todrive <ToDriveAttribute>*]
         [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
         [schemas|custom|customschemas all|<SchemaNameList>]
         [emailpart|emailparts|username]
-        [userview] [basic|full|allfields | <UserFieldName>* | fields <UserFieldNameList>]
+        [userview] [basic|full|allfields|(<UserFieldName>*|fields <UserFieldNameList>)]
         [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
         [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
         [issuspended <Boolean>] [aliasmatchpattern <RegularExpression>]
+        [showvalidcolumn] (addcsvdata <FieldName> <String>)*
         [showitemcountonly]
 
 Print fields for specified users.
@@ -5429,10 +5477,11 @@ gam print users [todrive <ToDriveAttribute>*] select <UserTypeEntity>
         [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
         [schemas|custom|customschemas all|<SchemaNameList>]
         [emailpart|emailparts|username]
-        [userview] [basic|full|allfields | <UserFieldName>* | fields <UserFieldNameList>]
+        [userview] [basic|full|allfields|(<UserFieldName>*|fields <UserFieldNameList>)]
         [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
         [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
         [issuspended <Boolean>] [aliasmatchpattern <RegularExpression>]
+        [showvalidcolumn] (addcsvdata <FieldName> <String>)*
         [showitemcountonly]
 
 gam <UserTypeEntity> print users [todrive <ToDriveAttribute>*]
@@ -5443,10 +5492,11 @@ gam <UserTypeEntity> print users [todrive <ToDriveAttribute>*]
         [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
         [schemas|custom|customschemas all|<SchemaNameList>]
         [emailpart|emailparts|username]
-        [userview] [basic|full|allfields | <UserFieldName>* | fields <UserFieldNameList>]
+        [userview] [basic|full|allfields|(<UserFieldName>*|fields <UserFieldNameList>)]
         [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
         [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
         [issuspended <Boolean>] [aliasmatchpattern <RegularExpression>]
+        [showvalidcolumn] (addcsvdata <FieldName> <String>)*
         [showitemcountonly]
 
 The first column will always be primaryEmail; the remaining field names will be sorted if allfields, basic, full or sortheaders is specified;
@@ -5477,6 +5527,11 @@ gam <UserTypeEntity> print users [todrive <ToDriveAttribute>*]
         [formatjson [quotechar <Character>]] [countsonly|countonly]
         [issuspended <Boolean>]
 
+Print user counts by OrgUnits
+
+gam print usercountsbyorgunit [todrive <ToDriveAttribute>*]
+        [domain <String>]
+
 Print lists of users
 
 gam <UserTypeEntity> print userlist [todrive <ToDriveAttribute>*]
@@ -5647,12 +5702,12 @@ gam <UserTypeEntity> print calendaracls <UserCalendarEntity> [todrive <ToDriveAt
         [noselfowner] (addcsvdata <FieldName> <String>)*
         [formatjson [quotechar <Character>]]
 
-Transfer ownership of a selection of users calendars to another user
+Transfer ownership of a selection of a users secondary calendars to another user
 
-gam <UserTypeEntity> transfer calendars <UserItem> <UserCalendarEntity>
+gam <UserTypeEntity> transfer calendars|seccals <UserItem> [<UserCalendarEntity>]
         [keepuser | (retainrole <CalendarACLRole>)] [sendnotifications <Boolean>] [noretentionmessages]
-        <CalendarSettings>] [append description|location|summary] [noupdatemessages]
-gam <UserTypeEntity> transfer seccals <UserItem> [keepuser] [sendnotifications <Boolean>]
+        <CalendarSettings>* [append description|location|summary] [noupdatemessages]
+        [deletefromoldowner] [addtonewowner <CalendarAttribute>*] [nolistmessages]
 
 <AttendeeAttendance> ::= optional|required
 <AttendeeStatus> ::= accepted|declined|needsaction|tentative
@@ -5935,6 +5990,12 @@ gam <UserTypeEntity> delete chatmember <ChatSpace>
         ((user <UserItem>)|(members <UserTypeEntity>)|
          (group <GroupItem>)|(groups <GroupEntity>))+
 gam <UserTypeEntity> remove chatmember members <ChatMemberList>
+gam <UserTypeEntity> update chatmember <ChatSpace>
+        role member|manager
+        ((user <UserItem>)|(members <UserTypeEntity>))+
+gam <UserTypeEntity> modify chatmember
+        role member|manager
+        members <ChatMemberList>
 
 gam <UserTypeEntity> info chatmember members <ChatMemberList>
         [formatjson]
@@ -5963,6 +6024,15 @@ gam <UserTypeEntity> print chatmessages [todrive <ToDriveAttribute>*] <ChatSpace
         [showdeleted [<Boolean>]] [filter <String>]
         [formatjson [quotechar <Character>]]
 
+gam <UserTypeEntity> info chatevent name <ChatEvent>
+        [formatjson]
+gam <UserTypeEntity> show chatevents <ChatSpace>
+        filter <String>
+        [formatjson]
+gam <UserTypeEntity> print chatevents [todrive <ToDriveAttribute>*] <ChatSpace>
+        filter <String>
+        [formatjson [quotechar <Character>]]
+
 # Users - Drive
 
 <DriveFileOrderByFieldName> ::=
@@ -6163,6 +6233,11 @@ gam <UserTypeEntity> get document <DriveFileEntity>
         [targetfolder <FilePath>] [targetname <FileName>]
         [donotfollowshortcuts [<Boolean>]] [overwrite [<Boolean>]]
 
+gam <UserTypeEntity> update docuument <DriveFileEntity>
+        ((json [charset <Charset>] <SpreadsheetJSONUpdateRequest>) |
+         (json file <FileName> [charset <Charset>]))
+        [formatjson]
+
 gam <UserTypeEntity> get drivefile <DriveFileEntity> [revision <DriveFileRevisionID>]
         [(format <FileFormatList>)|(gsheet|csvsheet <SheetEntity>)] [exportsheetaspdf <String>]
         [targetfolder <FilePath>] [targetname <FileName>|-]
@@ -6175,7 +6250,7 @@ gam <UserTypeEntity> untrash drivefile <DriveFileEntity>
 
 gam <UserTypeEntity> info drivefile <DriveFileEntity>
         [returnidonly]
-        [filepath|fullpath] [pathdelimiter <Character>]
+        [filepath|fullpath] [folderpathonly [<Boolean>]] [pathdelimiter <Character>]
         [allfields|<DriveFieldName>*|(fields <DriveFieldNameList>)]
         (orderby <DriveFileOrderByFieldName> [ascending|descending])*
         [showdrivename] [showshareddrivepermissions]
@@ -6311,6 +6386,52 @@ gam print ownership <DriveFileID>|(drivefilename <DriveFileName>) [todrive <ToDr
         (addcsvdata <FieldName> <String>)*
         [formatjson [quotechar <Character>]]
 
+<CommentsAuthorSubfieldName> ::=
+        author.displayname|
+        author.emailaddress|
+        author.me|
+        author.permissionid|
+        author.photolink
+
+<CommentsRepliesSubfieldName> ::=
+        reply.action|
+        reply.author|
+        reply.author.<CommentsAuthorSubfieldName>|
+        reply.content|
+        reply.createddate|createdtime|
+        reply.deleted|
+        reply.htmlcontent|
+        reply.id|
+        reply.modifieddate|modifiedtime
+
+<CommentsFieldName> ::=
+        action|
+        author|
+        content|
+        <CommentsAuthorSubfieldName>|
+        <CommentsRepliesSubfieldName>|
+        createddate|createdtime|
+        deleted|
+        htmlcontent|
+        id|
+        modifieddate|modifiedtime|
+        quotedfilecontent|
+        reply|replies|
+        resolved
+<CommentsFieldNameList> ::= "<CommentsFieldName>(,<CommentsFieldName>)*"
+
+gam <UserTypeEntity> show filecomments <DriveFileEntity>
+        [showdeleted] [start <Date>|<Time>]
+        [fields <CommentsFieldNameList>] [showphotolinks]
+        [countsonly]
+        [formatjson]
+gam <UserTypeEntity> print filecomments <DriveFileEntity> [todrive <ToDriveAttribute>*]
+        [showdeleted] [start <Date>|<Time>]
+        [fields <CommentsFieldNameList>] [showphotolinks]
+        [countsonly]
+        (addcsvdata <FieldName> <String>)*
+        [formatjson [quotechar <Character>]]
+
 <RevisionsFieldName> ::=
         filesize|
         id|
@@ -6612,7 +6733,7 @@ gam <UserTypeEntity> collect orphans
 
 gam <UserTypeEntity> show fileinfo <DriveFileEntity>
         [returnidonly]
-        [filepath|fullpath] [pathdelimiter <Character>]
+        [filepath|fullpath] [folderpathonly [<Boolean>]] [pathdelimiter <Character>]
         [allfields|<DriveFieldName>*|(fields <DriveFieldNameList>)]
         (orderby <DriveFileOrderByFieldName> [ascending|descending])*
         [showdrivename] [showshareddrivepermissions]
@@ -6622,13 +6743,14 @@ gam <UserTypeEntity> show fileinfo <DriveFileEntity>
         [formatjson]
 
 gam <UserTypeEntity> show filepath <DriveFileEntity>
-        [returnidonly]
+        [returnpathonly]
         (orderby <DriveFileOrderByFieldName> [ascending|descending])*
-        [stripcrsfromname] [fullpath] [pathdelimiter <Character>]
+        [stripcrsfromname]
+        [fullpath] [folderpathonly [<Boolean>]] [pathdelimiter <Character>]
 gam <UserTypeEntity> print filepath <DriveFileEntity> [todrive <ToDriveAttribute>*]
         (orderby <DriveFileOrderByFieldName> [ascending|descending])*
-        [stripcrsfromname] [fullpath] [pathdelimiter <Character>]
-        [oneitemperrow]
+        [stripcrsfromname] [oneitemperrow]
+        [fullpath] [folderpathonly [<Boolean>]] [pathdelimiter <Character>]
 
 gam <UserTypeEntity> print filecounts [todrive <ToDriveAttribute>*]
         [((query <QueryDriveFile>) | (fullquery <QueryDriveFile>) | <DriveFileQueryShortcut>)
@@ -6636,7 +6758,7 @@ gam <UserTypeEntity> print filecounts [todrive <ToDriveAttribute>*]
         [corpora <CorporaAttribute>]
         [select <SharedDriveEntity>]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
@@ -6649,7 +6771,7 @@ gam <UserTypeEntity> show filecounts
         [corpora <CorporaAttribute>]
         [select <SharedDriveEntity>]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [`<showmimetype category <MimeTypeNameList>]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
@@ -6681,7 +6803,7 @@ gam <UserTypeEntity> print filetree [todrive <ToDriveAttribute>*]
         [select <DriveFileEntity> [selectsubquery <QueryDriveFile>]
             [depth <Number>]]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
@@ -6693,7 +6815,7 @@ gam <UserTypeEntity> show filetree
         [select <DriveFileEntity> [selectsubquery <QueryDriveFile>]
             [depth <Number>]]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
@@ -6713,7 +6835,7 @@ gam <UserTypeEntity> print filelist [todrive <ToDriveAttribute>*]
         [select <DriveFileEntity> [selectsubquery <QueryDriveFile>]
             [(norecursion [<Boolean>])|(depth <Number>)] [showparent]]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>] [mimetypeinquery [<Boolean>]]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>] [pmfilter] [oneitemperrow]
@@ -6722,7 +6844,7 @@ gam <UserTypeEntity> print filelist [todrive <ToDriveAttribute>*]
         [countsonly [summary none|only|plus] [summaryuser <String>]
                     [showsource] [showsize] [showmimetypesize]]
         [countsrowfilter]
-        [filepath|fullpath [pathdelimiter <Character>] [addpathstojson] [showdepth]] [buildtree]
+        [filepath|fullpath [folderpathonly [<Boolean>]] [pathdelimiter <Character>] [addpathstojson] [showdepth]] [buildtree]
         [allfields|<DriveFieldName>*|(fields <DriveFieldNameList>)]
         [showdrivename] [showshareddrivepermissions]
         [(showlabels details|ids)|(includelabels <DriveLabelIDList>)]
@@ -6783,8 +6905,12 @@ gam <UserTypeEntity> print|show driveactivity [todrive <ToDriveAttribute>*]
         usageindrivetrash
 <DriveSettingsFieldNameList> ::= "<DriveSettingsFieldName>(,<DriveSettingsFieldName>)*"
 
-gam <UserTypeEntity> print drivesettings [todrive <ToDriveAttribute>*] [allfields|<DriveSettingsFieldName>*|(fields <DriveSettingsFieldNameList>)] [delimiter <Character>]
-gam <UserTypeEntity> show drivesettings [allfields|<DriveSettingsFieldName>*|(fields <DriveSettingsFieldNameList>)] [delimiter <Character>]
+gam <UserTypeEntity> print drivesettings [todrive <ToDriveAttribute>*]
+        [allfields|<DriveSettingsFieldName>*|(fields <DriveSettingsFieldNameList>)]
+        [delimiter <Character>] [showusagebytes]
+gam <UserTypeEntity> show drivesettings
+        [allfields|<DriveSettingsFieldName>*|(fields <DriveSettingsFieldNameList>)]
+        [delimiter <Character>] [showusagebytes]
 
 gam <UserTypeEntity> print emptydrivefolders [todrive <ToDriveAttribute>*]
         [select <DriveFileEntity>]
@@ -6899,6 +7025,10 @@ gam <UserTypeEntity> create labellist <LabelNameEntity>
         [backgroundcolor "<LabelColorHex>|<LabelBackgroundColorHex>|custom:<ColorHex>"]
         [textcolor "<LabelColorHex>|<LabelTextColorHex>|custom:<ColorHex>"]
         [buildpath [<Boolean>]]
+gam <UserTypeEntity> update labelid <LabelID> [name <String>]
+        [messagelistvisibility hide|show] [labellistvisibility hide|show|showifunread]
+        [backgroundcolor "<LabelColorHex>|<LabelBackgroundColorHex>|custom:<ColorHex>"]
+        [textcolor "<LabelColorHex>|<LabelTextColorHex>|custom:<ColorHex>"]
 gam <UserTypeEntity> update labelsettings <LabelName> [name <String>]
         [messagelistvisibility hide|show] [labellistvisibility hide|show|showifunread]
         [backgroundcolor "<LabelColorHex>|<LabelBackgroundColorHex>|custom:<ColorHex>"]
@@ -7040,22 +7170,28 @@ gam <UserTypeEntity> insert message
 gam <UserTypeEntity> archive messages <GroupItem>
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_archive <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> delete messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_delete <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> modify messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_modify <Number>])|(ids <MessageIDEntity>)
         (addlabel <LabelName>)* (removelabel <LabelName>)*
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> spam messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_spam <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> trash messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_trash <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> untrash messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_untrash <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 
 gam <UserTypeEntity> export message|messages
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_export <Number>])|(ids <MessageIDEntity>)
@@ -7080,9 +7216,10 @@ gam <UserTypeEntity> show messages|threads
         [countsonly|positivecountsonly] [useronly]
         [headers all|<SMTPHeaderList>] [dateheaderformat iso|rfc2822|<String>] [dateheaderconverttimezone [<Boolean>]]
         [showlabels] [delimiter <Character>] [showbody] [showdate] [showsize] [showsnippet]
-        [showattachments [attachmentnamepattern <RegularExpression>] [noshowtextplain]]
-        [saveattachments [attachmentnamepattern <RegularExpression>]]
-            [targetfolder <FilePath>] [overwrite [<Boolean>]]
+        [[attachmentnamepattern <RegularExpression>]
+            [showattachments [noshowtextplain]]
+            [saveattachments [targetfolder <FilePath>] [overwrite [<Boolean>]]]
+            [uploadattachments [<DriveFileParentAttribute>]]]
 gam <UserTypeEntity> print messages|threads [todrive <ToDriveAttribute>*]
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])*
          [quick|notquick] [max_to_print <Number>] [includespamtrash])|(ids <MessageIDEntity>)
@@ -7090,8 +7227,10 @@ gam <UserTypeEntity> print messages|threads [todrive <ToDriveAttribute>*]
         [countsonly|positivecountsonly] [useronly]
         [headers all|<SMTPHeaderList>] [dateheaderformat iso|rfc2822|<String> [dateheaderconverttimezone [<Boolean>]]]
         [showlabels] [delimiter <Character>] [showbody] [showdate] [showsize] [showsnippet]
-        [showattachments [attachmentnamepattern <RegularExpression>]]
-        [convertcrnl]
+        [convertcrnl] [delimiter <Character>]
+        [[attachmentnamepattern <RegularExpression>]
+            [showattachments [noshowtextplain]]]
+        (addcsvdata <FieldName> <String>)*
 
 # Users - Gmail - Profile
 
@@ -7148,9 +7287,13 @@ gam <UserTypeEntity> print smimes [todrive <ToDriveAttribute>*]
 
 # Users - Gmail Client Side Encryption
 
-gam <UserTypeEntity> create cseidentity <KeyPairID> [kpemail <EmailAddress>]
+gam <UserTypeEntity> create cseidentity
+        (primarykeypairid <KeyPairID>) | (signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>)
+        [kpemail <EmailAddress>]
         [formatjson]
-gam <UserTypeEntity> update cseidentity <KeyPairID> [kpemail <EmailAddress>]
+gam <UserTypeEntity> update cseidentity
+        (primarykeypairid <KeyPairID>) | (signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>)
+        [kpemail <EmailAddress>]
         [formatjson]
 gam <UserTypeEntity> delete cseidentity [kpemail <EmailAddress>]
 
@@ -7164,19 +7307,19 @@ gam <UserTypeEntity> print cseidentities [todrive <ToDriveAttribute>*]
 gam <UserTypeEntity> create csekeypair
         [incertdir <FilePath>] [inkeydir <FilePath>]
         [addidentity [<Boolean>]] [kpemail <EmailAddress>]
-        [formatjson|returnidonly]
+        [showpem] [showkaclsdata] [formatjson|returnidonly]
 gam <UserTypeEntity> disable csekeypair <KeyPairID>
-        [formatjson]
+        [showpem] [showkaclsdata] [formatjson]
 gam <UserTypeEntity> enable csekeypair <KeyPairID>
-        [formatjson]
+        [showpem] [showkaclsdata] [formatjson]
 gam <UserTypeEntity> obliterate csekeypair <KeyPairID>
 
 gam <UserTypeEntity> info csekeypair <KeyPairID>
-        [formatjson]
+        [showpem] [showkaclsdata] [formatjson]
 gam <UserTypeEntity> show csekeypairs
-        [formatjson]
+        [showpem] [showkaclsdata] [formatjson]
 gam <UserTypeEntity> print csekeypairs [todrive <ToDriveAttribute>*]
-        [formatjson [quotechar <Character>]]
+        [showpem] [showkaclsdata] [formatjson [quotechar <Character>]]
 
 # Users - Gmail - Settings
 
@@ -7282,10 +7425,12 @@ gam <UserTypeEntity> info note <NotesNameEntity>
 gam <UserTypeEntity> show notes
         [fields <NotesFieldList>] [filter <String>]
         [role owner|writer]
+        [countsonly]
         [compact|formatjson]
 gam <UserTypeEntity> print notes [todrive <ToDriveAttribute>*]
         [fields <NotesFieldList>] [filter <String>]
         [role owner|writer]
+        [countsonly]
         [formatjson [quotechar <Character>]]
 
 gam <UserTypeEntity> get noteattachments <NotesNameEntity>

src/GamUpdate.txt

@@ -2,6 +2,460 @@
 
 Merged GAM-Team version
 
+6.76.09
+
+Updated `gam update|delete|info adminrole` to handle the following error:
+```
+ERROR: 400: failedPrecondition - Precondition check failed.
+```
+
+6.76.08
+
+Updated `<SchemaNameList>` to `"<SchemaName>|<SchemaFieldName>(,<SchemaName>|<SchemaFieldName>)*"`
+that allows `schemas <SchemaNameList>` in `gam info user` and `gam print users` to display all fields or selected fields
+of the specified custom schemas.
+
+6.76.07
+
+Fixed bug where control-C was not recognized when GAM had processed all rows in a CSV file
+and was `Waiting for N running processes to finish before terminating`.
+
+6.76.06
+
+Fixed bug in `gam <UserTypeEntity> print messages ... positivecountsonly` where message counts with value 0 were deiplayed.
+
+Added option `addcsvdata <FieldName> <String>` to `gam <UserTypeEntity> print|messages` that adds
+additional columns of data to the CSV file output.
+
+Added option `showusagebytes` to `gam <UserTypeEntity> print|show drivesettings` that displays
+the following fields in bytes ```usageBytes,usageInDriveBytes,usageInDriveTrashBytes```
+in addition to the fields in their formatted form with units: ```usage,usageInDrive,usageInDriveTrash```.
+This will be most useful with `print` as the rows can be sorted based on the `usagexxxBytes` columns.
+
+6.76.05
+
+Added options `deletefromoldowner`, `addtonewowner <CalendarAttribute>*` and `nolistmessages`
+to `gam <UserTypeEntity> transfer calendars <UserItem>` that allow manipulation of the
+old and new owners's calendar lists.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Calendars-Access#transfer-calendar-ownership
+
+6.76.04
+
+Added the following fields to `<CrOSFieldName>`:
+```
+autoupdatethrough
+extendedsupporteligible
+extendedsupportstart
+extendedsupportenabled
+```
+
+6.76.03
+
+Added option `folderpathonly [<Boolean>]` to the following commands that causes GAM
+to display only the folder names when displaying the path to a file. This folder only path
+an be used in  `gam <UserTypeEntity> create drivefolderpath` to recreate the folder hierarchy.
+```
+gam <UserTypeEntity> info drivefile ... filepath|fullpath
+gam <UserTypeEntity> show fileinfo ... filepath|fullpath
+gam <UserTypeEntity> print|show filepath
+gam <UserTypeEntity> print filelist ... filepath|fullpath
+```
+
+6.76.02
+
+Updated `gam update group` to handle the following error:
+```
+ERROR: 400: invalidArgument - Failed request validation in update settings: WHO_CAN_VIEW_MEMBERSHIP_CANNOT_BE_BROADER_THAN_WHO_CAN_SEE_GROUP
+```
+
+6.76.01
+
+Fixed bug in `gam create vaulthold matter <MatterItem> ... corpus calendar` that caused a trap.
+
+6.76.00
+
+Updated versions of `gam create|use project` that use keyword options to also accept the following options
+to define non-default Service Account key characteristics.
+```
+(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+(localkeysize 1024|2048|4096 [validityhours <Number>])|
+(yubikey yubikey_pin yubikey_slot AUTHENTICATION yubikey_serialnumber <String>)
+```
+
+6.75.05
+
+Added option `csv [todrive <ToDriveAttribute>*]` to `gam <UserTypeEntity> archive|delete|modify|spam|trash|untrash messages|threads`
+that causes GAM to display the command results in CSV form.
+
+6.75.04
+
+Added a command to print user counts by OrgUnit. By default, all users in the workspace are counted;
+you can specify a domain to only count users in that domain.
+```
+gam print usercountsbyorgunit [todrive <ToDriveAttribute>*]
+        [domain <String>]
+```
+
+Added option `uploadattachments [<DriveFileParentAttribute>]` to `gam <UserTypeEntity> show messages|threads` that
+causes GAM to upload all message attachments to the user's `My Drive`, the default, or to a specific folder.
+The existing option `attachmentnamepattern <RegularExpression>` can be used to select attachments to upload.
+
+6.75.03
+
+Fixed bug in `gam batch|tbatch` where the line `sleep <Integer>` in the batch file caused the error:
+```
+ERROR: Invalid argument: Expected <gam|commit-batch|print>
+```
+
+6.75.02
+
+Updated `gam report  <ActivityApplictionName>` to retry/handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable.
+```
+
+6.75.01
+
+Added option `admin <EmailAddress>` to  `gam upload sakey`.
+
+6.75.00
+
+Updated `gam create project` to simplify handling the situation where your workspace is configured to disable service account private key uploads.
+
+Added command `gam upload sakey` to aid in this process.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Authorization#upload-a-service-account-key-to-a-service-account-with-no-keys
+
+6.74.02
+
+Fixed bug in `gam <UserTypeEntity> print shareddrives ... formatjson` that caused a trap.
+
+6.74.01
+
+Updated `gam create|update drivefileacl <DriveFileEntity> ... expiration <Time>` to handle
+the following error caused by tryig to add an expiration time to a member of a Shared Drive.
+```
+ERROR: 403: expirationDateNotAllowedForSharedDriveMembers - Expiration dates are not allowed for shared drive members.
+```
+
+6.74.00
+
+Added `truncate_client_id` Boolean variable to `gam.cfg`. Prior to version 6.74.00, GAM stripped
+'.apps.googleusercontent.com' from `client_id` in `oauth2.txt` and passed the truncated value in API calls.
+At Jay's suggestion this is no longer performed by default; setting `truncate_client_id = true` restores the previous behavior.
+
+Do `gam oauth delete` and `gam oauth create` to set the untruncated value of `client_id` in `oauth2.txt`.
+
+6.73.00
+
+The Google Chat API has been updated so that chat members can now have their role set to manager.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Chat#manage-chat-members
+
+6.72.16
+
+Updated `emailaddressList <EmailAddressList>` and `domainlist|notdomainlist <DomainNameList>`
+in `<PermissionMatch>` to perform case-insensitive matches as the API is returning mixed case
+ACL email addresses in some cases.
+
+6.72.15
+
+Updated all commands that display tasks to display the due date in GMT as the time portion
+is not supported by the API and converting the due date to local time may display the wrong date.
+
+Renamed license SKU `1010400001` from `Beyond Corp Enterprise` to `Chrome Enterprise Premium`.
+
+6.72.14
+
+Upgraded to Python 3.12.3 where possible.
+
+6.72.13
+
+Added the following option to `<EventMatchProperty>` that can be used to select
+events based on the domains of the attendees.
+```
+matchfield attendeesonlydomainlist <DomainNameList>
+```
+This returns true if all attendee's email addresses are in a domain in `<DomainNameList>`;
+for example this lets you look for events with attendees only in your internal domains.
+
+6.72.12
+
+Added the following options to `<EventMatchProperty>` that can be used to select
+events based on the domains of the attendees.
+```
+matchfield attendeesdomainlist <DomainNameList>
+matchfield attendeesnotdomainlist <DomainNameList>
+```
+The first returns true if any attendee's email address is in a domain in `<DomainNameList>`;
+for example this lets you look for events with attendees in specific external domains.
+
+The second returns true if any attendee's email address is in a domain other than those in `<DomainNameList>`;
+for example this lets you look for events with attendees not in your internal domains.
+
+6.72.11
+
+Added option `oneitemperrow` to 'gam print vaultholds` to have each of a
+hold's accounts displayed on a separate row with all of the other hold fields.
+
+6.72.10
+
+Added `timeofdayrange=<HH:MM>/<HH:MM>` and `timeofdayrange!=<HH:MM>/<HH:MM>` to `<RowValueFilter>` that allows
+CSV row filtering based on time-of-day.
+
+6.72.09
+
+Updated `countsonly` option of `gam <UserTypeEntity> print|show notes` to additionally display the total number of notes.
+
+6.72.08
+
+Added option `countsonly` to `gam <UserTypeEntity> print|show notes` that displays
+the number of notes a user owns and the number of notes a user can edit.
+
+6.72.07
+
+Updated commands that send emails to not downshift `'First Last<firstlast@domain.com>'` to `'first last<firstlast@domain.com>'`.
+
+6.72.06
+
+Updated the following commands to properly handle emailaddress lists containing addresses of the form: `'First Last<firstlast@domain.com>'`.
+```
+gam <UserTypeEntity> sendemail recipient|to <RecipientEntity> [cc <RecipientEntity>] [bcc <RecipientEntity>] [singlemessage]
+gam create|update user ... notify <EmailAddressList>
+```
+
+6.72.05
+
+Cleaned up code for all commands that display Chat objects.
+
+6.72.04
+
+Added commands to display Chat events.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Chat#display-chat-events
+
+6.72.03
+
+Fixed bug in `gam <UserTypeEntity> create chatspace` that caused a trap.
+
+6.72.02
+
+Updated `gam delete admin <RoleAssignmentId>` to handle the following error that
+occurs when `<RoleAssignmentId>` references a user that has been deleted.
+```
+ERROR: 404: resourceNotFound - Does not exist
+```
+
+6.72.01
+
+Improved commands to display drive file comments.
+
+6.72.00
+
+Added commands to display drive file comments.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Drive-Comments
+
+6.71.18
+
+Updated `<CrOSFieldName>` to include `cpuinfo` and `backlightinfo`.
+
+6.71.17
+
+Added `depth` column to output of `gam <UserTypeEntity> print diskusage <DriveFileEntity>` that can
+be used to filter the depth of the folders displayed. Depth `-1` is the top level folder, depth `0`
+are its immediate children, depth `2` are the children of depth `1` and so forth.
+```
+gam config csv_output_row_filter "depth:count<1" user organizer@domain.com  print diskusage teamdriveid <TeamDriveID>
+```
+
+6.71.16
+
+Updated `gam <UserTypeEntity> create|update sendas <EmailAddress> ... replyto <EmailAddress>`
+to allow uppercase letters in `sendas <EmailAddress>` and `replyto <EmailAddress>`.
+
+6.71.15
+
+Updated `gam create project` to handle the following error:
+```
+ERROR: 403: permissionDenied - Authentication error: 7; Error Details: User not allowed to access GCP services.
+```
+This error occurs when the Google Workspace admin or GCP project manager email address used in the command
+is in an OU where Google Cloud Platform is not enabled in Apps/Additional Google services.
+
+6.71.14
+
+Added a command to update a Gmail label's settings by specifying it's ID rather than it's name.
+```
+gam <UserTypeEntity> update labelid <LabelID> [name <String>]
+        [messagelistvisibility hide|show] [labellistvisibility hide|show|showifunread]
+        [backgroundcolor "<LabelColorHex>|<LabelBackgroundColorHex>|custom:<ColorHex>"]
+        [textcolor "<LabelColorHex>|<LabelTextColorHex>|custom:<ColorHex>"]
+```
+
+6.71.13
+
+Updated `<UserMultiAttribute>.location.buildingid <String>` to allow non-validated building IDs
+by specifying `nv:` at the beginning of `<String>`; e.g., `nv:Building X' sets the building ID to `Building X`.
+
+6.71.12
+
+Added option `showmimetype category <MimeTypeNameList>` to `gam <UserTypeEntity> print|show filecounts|filelist|filetree`
+```
+<MimeTypeName> ::= application|audio|font|image|message|model|multipart|text|video
+<MimeTypeNameList> ::= "<MimeTypeName>(,<MimeTypeName>)*"
+
+gam user user@domain.com print filelist fields id,name,mimetype showmimetype prefixes audio,video
+```
+
+Fix bug in `gam <UserTypeEntity> info|show sheet <DriveFileEntity>` that caused a trap.
+
+6.71.11
+
+Added option `addcsvdata <FieldName> <String>` to `gam print cros` that adds
+additional columns of data to the CSV file output. Typically, you would read CSV file of device IDs/serial numbers
+to generate a CSV file of results and copy data from the input CSV to the outout CSV.
+
+6.71.10
+
+Reverted change made in 6.71.09 to `gam <UserTypeEntity> print filelist` when `showmimetype` and `filepath|fullpath`
+were both specified. The change improved the performance when `showmimetype` selected a small number of files;
+the information for just those files was downloaded and then additional API calls were made to construct the file paths.
+However, if a large number of files were selected, the additional APIs calls decreased performance.
+
+Added option `mimetypeinquery` can be used when you expect the query to return a small number of files
+relative to the total number of files.
+
+6.71.09
+
+Improved the performance of `gam <UserTypeEntity> print filelist` when `showmimetype` and `filepath|fullpath`
+are both specified.
+
+6.71.08
+
+Added option `oneitemperrow` to 'gam print admins|adminroles` to have each of a
+roles privileges displayed on a separate row with all of the other admin/role fields.
+This produces a CSV file that can be used in subsequent commands without further script processing.
+
+6.71.07
+
+Added command to upload changes to Google Docs.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Drive-Files-Manage#upload-changes-to-google-documents
+
+6.71.06
+
+Added additional error handling to Gmail Client Side Encryption commands.
+
+Added license product Education Endpoint Management
+* ProductID - 101049
+
+Added license SKU Endpoint Education Upgrade
+* ProductID - 101049
+* SKUID - 1010490001 | eeu
+
+6.71.05
+
+Fixed a bug introduced in 6.71.00 that caused a trap in `gam <UserTypeEntity> print filelist`.
+
+Added option `tdfrom <EmailAddress>` to  `<ToDriveAttribute>` that causes GAM to use `<EmailAddress>` as the from address
+in all emails sent. By default, the from address is the Google Workspace Admin in `gam oauth info`.o
+
+6.71.04
+
+Updated `gam <UserTypeEntity> create|update cseidentity` to accept either of the following key pair options:
+* `primarykeypairid <KeyPairID>` - The configuration of a CSE identity that uses the same key pair for signing and encryption.
+* `signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>` - The configuration of a CSE identity that uses different key pairs for signing and encryption.
+
+Updated CSV output row sorting to avoid a trap that occurred when a row was missing one of the sort fields.
+
+6.71.03
+
+Added option `tdalert <EmailAddress>` to `<ToDriveAttribute>`. When a todrive file is created or updated,
+GAM will send notification emails to all `tdalert <EmailAddress>` users if `tdnotify` is true.
+`<EmailAddress>` must be valid within your Google Workspace.
+
+6.71.02
+
+Added additional error handling to Gmail Client Side Encryption commands.
+
+6.71.01
+
+Fixed bug in `gam audit monitor create` that caused a trap.
+
+6.71.00
+
+Added `csv_output_sort_headers` string list variable to `gam.cfg` that causes GAM to sort CSV output
+rows by the column headers specified in the variable. The column headers are case insensitive and
+if column header does not appear in the CSV output, it is ignored.
+
+Added `sortheaders <StringList>` to `redirect csv <FileName>` that has the same effect as above.
+
+The sort keys specified in `redirect csv ... sortheaders <StringList>` take precedence over the values from `gam.cfg`.
+
+Added option `tdsubject <String>` to  `<ToDriveAttribute>` that causes GAM to use `<String>` as the subject
+in all emails sent. In `<String>`, `#file#` will, be replaced by the file title and `#sheet#` will be replaced
+by the sheet/tab title. By default, the subject is the file title.
+
+6.70.09
+
+Added additional error handling to Gmail Client Side Encryption commands.
+
+Added options `showpem` and `showkaclsdata` to all Gmail CSE commands that process/display
+CSE key pairs. By default, the `pem` and `kaclsdata` fields will not be displayed unless
+the corresponding `show` option is specified.
+
+6.70.08
+
+Fixed bug in `gam <UserTypeEntity> create cseidentity <KeyPairID>` that caused an error.
+
+6.70.07
+
+Updated user instructions in `gam oauth create` and `gam <UserTypeEntity> update serviceaccount`
+and changed `s` from selecting all scopes to selecting default scopes.
+
+6.70.06
+
+Updated `gam info users <UserTypeEntity>` to not include group tree infornation unless option `grouptree` is specified.
+
+6.70.05
+
+Added commands to create|delete|display Drive Label permissions.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Drive-Labels
+
+6.70.04
+
+Added option `showvalidcolumn` to `gam print users` that can be used to identify whether
+users are defined in the domain. Typically, you would read CSV file of email addresses
+to verify as domain members.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users#verify-domain-membership
+
+Added option `addcsvdata <FieldName> <String>` to `gam print users` that adds
+additional columns of data to the CSV file output. Typically, you would read CSV file of email addresses
+to generate a CSV file of results and copy data from the input CSV to the outout CSV.
+
+6.70.03
+
+Renamed license product DuetAI to Gemini
+* ProductID - 101047
+
+Renamed license SKU DuetAI for Google Workspace to Gemini Enterprise
+* ProductID - 101047
+* SKUID - 1010470001 | geminient | duetai 
+
+Added support for license SKU Gemini Business
+* ProductID - 101047
+* SKUID - 1010470003 | geminibiz
+
+6.70.02
+
+In 6.69.00, GAM starting using course owner access when using `copyfrom` in `gam create|update course`
+regardless of the value of `gam.cfg/use_course_owner_access`. This prevents copying from courses
+with a deleted user. GAM now uses the value of `gam.cfg/use_course_owner_access` when `copyfrom` is used.
+
 6.70.01
 
 Added `gmail_cse_incert_dir` and `gmail_cse_inkey_dir` path variables to `gam.cfg` that provide
@@ -15,12 +469,12 @@ Added support for Gmail Client Side Encryption.
 
 This is an initial, minimally tested release; proceed with care and report all issues.
 
-c6.69.00
+6.69.00
 
-Added `use_classroom_owner_access` Boolean variable to `gam.cfg` that controls how GAM gets
-classroom member information and removes students/teachers. Client access does not provide
+Added `use_course_owner_access` Boolean variable to `gam.cfg` that controls how GAM gets
+classroom member information and removes students/teachers. Client/admin access does not provide
 complete information about non-domain students/teachers.
-* `False` - Use client access; this is the default. Use if you don't have non-domain members in your courses.
+* `False` - Use client/admin access; this is the default. Use if you don't have non-domain members in your courses.
 * `True` - Use service account access as the classroom owner. An extra API call is required per course to authenticate the owner; this will affect performance
 
 Added the following command which must be used to delete classroom invitations for non-domain students/teachers.
@@ -222,8 +676,8 @@ Added option `exportlinkeddrivefiles <Boolean>` to `gam create vaultexport` that
 Updated `gam remove aliases <EmailAddress> user|group <EmailAddressEntity>` to give a more informative
 error message when the target/alias combination does not exist.
 ```
-Old: User: testsimple@rdschool.org, User Alias: tsalias@rdschool.org, Remove Failed: Invalid Input: resource_id
-New: User: testsimple@rdschool.org, User Alias: tsalias@rdschool.org, Remove Failed: Does not exist
+Old: User: testsimple@domain.com, User Alias: tsalias@domain.com, Remove Failed: Invalid Input: resource_id
+New: User: testsimple@domain.com, User Alias: tsalias@domain.com, Remove Failed: Does not exist
 ```
 
 6.67.20

src/gam-install.sh

@@ -162,13 +162,14 @@ fi
 
 if [ -z ${GHCLIENT+x} ]; then
   check_type="unauthenticated"
+  echo_yellow "Checking GitHub URL $release_url for $gamversion GAM release ($check_type)..."
+  release_json=$(curl -s "$release_url" 2>&1 /dev/null)
 else
   check_type="authenticated"
+  echo_yellow "Checking GitHub URL $release_url for $gamversion GAM release ($check_type)..."
+  release_json=$(curl -s "$GHCLIENT" "$release_url" 2>&1 /dev/null)
 fi
 
-echo_yellow "Checking GitHub URL $release_url for $gamversion GAM release ($check_type)..."
-release_json=$(curl -s "$GHCLIENT" "$release_url" 2>&1 /dev/null)
-
 echo_yellow "Getting file and download URL..."
 # Python is sadly the nearest to universal way to safely handle JSON with Bash
 # At least this code should be compatible with just about any Python version ever
@@ -241,7 +242,11 @@ trap "rm -rf $temp_archive_dir" EXIT
 
 echo_yellow "Downloading file $name from $browser_download_url to $temp_archive_dir ($check_type)..."
 # Save archive to temp w/o losing our path
-(cd "$temp_archive_dir" && curl -O -L $GHCLIENT $browser_download_url)
+if [ -z ${GHCLIENT+x} ]; then
+  (cd "$temp_archive_dir" && curl -O -L $browser_download_url)
+else
+  (cd "$temp_archive_dir" && curl -O -L $GHCLIENT $browser_download_url)
+fi
 
 mkdir -p "$target_dir"
 

src/gam/gamlib/glapi.py

@@ -27,9 +27,12 @@ ANALYTICS_ADMIN = 'analyticsadmin'
 CALENDAR = 'calendar'
 CBCM = 'cbcm'
 CHAT = 'chat'
+CHAT_EVENTS = 'chatevents'
 CHAT_MEMBERSHIPS = 'chatmemberships'
+CHAT_MEMBERSHIPS_ADMIN = 'chatmembershipsadmin'
 CHAT_MESSAGES = 'chatmessages'
 CHAT_SPACES = 'chatspaces'
+CHAT_SPACES_ADMIN = 'chatspacesadmin'
 CHAT_SPACES_DELETE = 'chatspacesdelete'
 CHROMEMANAGEMENT = 'chromemanagement'
 CHROMEMANAGEMENT_APPDETAILS = 'chromemanagementappdetails'
@@ -71,6 +74,7 @@ KEEP = 'keep'
 LICENSING = 'licensing'
 LOOKERSTUDIO = 'datastudio'
 OAUTH2 = 'oauth2'
+ORGPOLICY = 'orgpolicy'
 PEOPLE = 'people'
 PEOPLE_DIRECTORY = 'peopledirectory'
 PEOPLE_OTHERCONTACTS = 'peopleothercontacts'
@@ -94,7 +98,9 @@ YOUTUBE = 'youtube'
 CHROMEVERSIONHISTORY_URL = 'https://versionhistory.googleapis.com/v1/chrome/platforms'
 DRIVE_SCOPE = 'https://www.googleapis.com/auth/drive'
 GMAIL_SEND_SCOPE = 'https://www.googleapis.com/auth/gmail.send'
-GOOGLE_OAUTH2_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
+GOOGLE_AUTH_PROVIDER_X509_CERT_URL = 'https://www.googleapis.com/oauth2/v1/certs'
+GOOGLE_OAUTH2_ENDPOINT = 'https://accounts.google.com/o/oauth2/v2/auth'
+GOOGLE_OAUTH2_TOKEN_ENDPOINT = 'https://oauth2.googleapis.com/token'
 CLOUD_PLATFORM_SCOPE = 'https://www.googleapis.com/auth/cloud-platform'
 IAM_SCOPE = 'https://www.googleapis.com/auth/iam'
 PEOPLE_SCOPE = 'https://www.googleapis.com/auth/contacts'
@@ -109,7 +115,8 @@ REQUIRED_SCOPES_SET = set(REQUIRED_SCOPES)
 JWT_APIS = {
   ACCESSCONTEXTMANAGER: [CLOUD_PLATFORM_SCOPE],
   CHAT: ['https://www.googleapis.com/auth/chat.bot'],
-  CLOUDRESOURCEMANAGER: [CLOUD_PLATFORM_SCOPE]
+  CLOUDRESOURCEMANAGER: [CLOUD_PLATFORM_SCOPE],
+  ORGPOLICY: [CLOUD_PLATFORM_SCOPE],
   }
 #
 APIS_NEEDING_ACCESS_TOKEN = {
@@ -190,9 +197,12 @@ _INFO = {
   CALENDAR: {'name': 'Calendar API', 'version': 'v3', 'v2discovery': True, 'mappedAPI': 'calendar-json'},
   CBCM: {'name': 'Chrome Browser Cloud Management API', 'version': 'v1.1beta1', 'v2discovery': True, 'localjson': True},
   CHAT: {'name': 'Chat API', 'version': 'v1', 'v2discovery': True},
+  CHAT_EVENTS: {'name': 'Chat API - Events', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
   CHAT_MEMBERSHIPS: {'name': 'Chat API - Memberships', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
+  CHAT_MEMBERSHIPS_ADMIN: {'name': 'Chat API - Admin Memberships', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
   CHAT_MESSAGES: {'name': 'Chat API - Messages', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
   CHAT_SPACES: {'name': 'Chat API - Spaces', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
+  CHAT_SPACES_ADMIN: {'name': 'Chat API - Admin  Spaces', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
   CHAT_SPACES_DELETE: {'name': 'Chat API - Spaces Delete', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
   CLASSROOM: {'name': 'Classroom API', 'version': 'v1', 'v2discovery': True},
   CHROMEMANAGEMENT: {'name': 'Chrome Management API', 'version': 'v1', 'v2discovery': True},
@@ -232,6 +242,7 @@ _INFO = {
   LICENSING: {'name': 'License Manager API', 'version': 'v1', 'v2discovery': True},
   LOOKERSTUDIO: {'name': 'Looker Studio API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
   OAUTH2: {'name': 'OAuth2 API', 'version': 'v2', 'v2discovery': False},
+  ORGPOLICY: {'name': 'Organization Policy API', 'version': 'v2', 'v2discovery': True},
   PEOPLE: {'name': 'People API', 'version': 'v1', 'v2discovery': True},
   PEOPLE_DIRECTORY: {'name': 'People Directory API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': PEOPLE},
   PEOPLE_OTHERCONTACTS: {'name': 'People  API - Other Contacts', 'version': 'v1', 'v2discovery': True, 'mappedAPI': PEOPLE},
@@ -507,6 +518,10 @@ _SVCACCT_SCOPES = [
    'api': CHAT_MEMBERSHIPS,
    'subscopes': READONLY,
    'scope': 'https://www.googleapis.com/auth/chat.memberships'},
+#  {'name': 'Chat API - Admin Memberships',
+#   'api': CHAT_MEMBERSHIPS_ADMIN,
+#   'subscopes': READONLY,
+#    'scope': 'https://www.googleapis.com/auth/chat.admin.memberships'},
   {'name': 'Chat API - Messages',
    'api': CHAT_MESSAGES,
    'subscopes': READONLY,
@@ -515,6 +530,10 @@ _SVCACCT_SCOPES = [
    'api': CHAT_SPACES,
    'subscopes': READONLY,
    'scope': 'https://www.googleapis.com/auth/chat.spaces'},
+#  {'name': 'Chat API - Admin Spaces',
+#   'api': CHAT_SPACES_ADMIN,
+#   'subscopes': READONLY,
+#   'scope': 'https://www.googleapis.com/auth/chat.admin.spaces'},
   {'name': 'Chat API - Spaces Delete',
    'api': CHAT_SPACES_DELETE,
    'subscopes': [],
@@ -642,6 +661,7 @@ _SVCACCT_SCOPES = [
   {'name': 'Youtube API - read only',
    'api': YOUTUBE,
    'subscopes': [],
+   'offByDefault': True,
    'scope': 'https://www.googleapis.com/auth/youtube.readonly'},
   ]
 
@@ -657,10 +677,12 @@ _SVCACCT_SPECIAL_SCOPES = [
   {'name': 'Gmail API - Full Access - read only',
    'api': GMAIL,
    'subscopes': [],
+   'offByDefault': True,
    'scope': 'https://www.googleapis.com/auth/gmail.readonly'},
   {'name': 'Gmail API - Send Messages - including todrive',
    'api': GMAIL,
    'subscopes': [],
+   'offByDefault': True,
    'scope': GMAIL_SEND_SCOPE},
   {'name': 'Sheets API - todrive',
    'api': SHEETSTD,

src/gam/gamlib/glcfg.py

@@ -131,6 +131,8 @@ CSV_OUTPUT_ROW_DROP_FILTER = 'csv_output_row_drop_filter'
 CSV_OUTPUT_ROW_DROP_FILTER_MODE = 'csv_output_row_drop_filter_mode'
 # Limit number of output rows
 CSV_OUTPUT_ROW_LIMIT = 'csv_output_row_limit'
+# Output sort headers
+CSV_OUTPUT_SORT_HEADERS = 'csv_output_sort_headers'
 # Column header subfield name delimiter in CSV output file
 CSV_OUTPUT_SUBFIELD_DELIMITER = 'csv_output_subfield_delimiter'
 # Add timestamp column to CSV output file
@@ -286,6 +288,8 @@ TODRIVE_TIMEZONE = 'todrive_timezone'
 TODRIVE_UPLOAD_NODATA = 'todrive_upload_nodata'
 # User for todrive files
 TODRIVE_USER = 'todrive_user'
+# Truncate Client ID
+TRUNCATE_CLIENT_ID  = 'truncate_client_id'
 # Update CrOS org unit with orgUnitId
 UPDATE_CROS_OU_WITH_ID = 'update_cros_ou_with_id'
 # Use course owner for course access
@@ -350,6 +354,7 @@ Defaults = {
   CSV_OUTPUT_ROW_DROP_FILTER: '',
   CSV_OUTPUT_ROW_DROP_FILTER_MODE: 'anymatch',
   CSV_OUTPUT_ROW_LIMIT: '0',
+  CSV_OUTPUT_SORT_HEADERS: '',
   CSV_OUTPUT_SUBFIELD_DELIMITER: '.',
   CSV_OUTPUT_TIMESTAMP_COLUMN: '',
   CSV_OUTPUT_USERS_AUDIT: FALSE,
@@ -427,6 +432,7 @@ Defaults = {
   TODRIVE_TIMEZONE: '',
   TODRIVE_UPLOAD_NODATA: TRUE,
   TODRIVE_USER: '',
+  TRUNCATE_CLIENT_ID: FALSE,
   UPDATE_CROS_OU_WITH_ID: FALSE,
   USE_COURSE_OWNER_ACCESS: FALSE,
   USE_PROJECTID_AS_NAME: FALSE,
@@ -454,6 +460,7 @@ TYPE_LOCALE = 'locl'
 TYPE_PASSWORD = 'pass'
 TYPE_ROWFILTER = 'rowf'
 TYPE_STRING = 'stri'
+TYPE_STRINGLIST = 'strl'
 TYPE_TIMEZONE = 'tmzn'
 
 VAR_TYPE = 'type'
@@ -508,6 +515,7 @@ VAR_INFO = {
   CSV_OUTPUT_ROW_DROP_FILTER: {VAR_TYPE: TYPE_ROWFILTER},
   CSV_OUTPUT_ROW_DROP_FILTER_MODE: {VAR_TYPE: TYPE_CHOICE, VAR_CHOICES: {'allmatch': True, 'anymatch': False}},
   CSV_OUTPUT_ROW_LIMIT: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (0, None)},
+  CSV_OUTPUT_SORT_HEADERS: {VAR_TYPE: TYPE_STRINGLIST},
   CSV_OUTPUT_SUBFIELD_DELIMITER: {VAR_TYPE: TYPE_CHARACTER},
   CSV_OUTPUT_TIMESTAMP_COLUMN: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
   CSV_OUTPUT_USERS_AUDIT: {VAR_TYPE: TYPE_BOOLEAN},
@@ -585,6 +593,7 @@ VAR_INFO = {
   TODRIVE_TIMEZONE: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
   TODRIVE_UPLOAD_NODATA: {VAR_TYPE: TYPE_BOOLEAN},
   TODRIVE_USER: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
+  TRUNCATE_CLIENT_ID: {VAR_TYPE: TYPE_BOOLEAN},
   UPDATE_CROS_OU_WITH_ID: {VAR_TYPE: TYPE_BOOLEAN},
   USE_COURSE_OWNER_ACCESS: {VAR_TYPE: TYPE_BOOLEAN},
   USE_PROJECTID_AS_NAME: {VAR_TYPE: TYPE_BOOLEAN},

src/gam/gamlib/glclargs.py

@@ -463,6 +463,8 @@ class GamCLArgs():
   ARG_CHANNELSKU = 'channelsku'
   ARG_CHANNELSKUS = 'channelskus'
   ARG_CHAT = 'chat'
+  ARG_CHATEVENT = 'chatevent'
+  ARG_CHATEVENTS = 'chatevents'
   ARG_CHATMEMBER = 'chatmember'
   ARG_CHATMEMBERS = 'chatmembers'
   ARG_CHATMESSAGE = 'chatmessage'
@@ -567,6 +569,8 @@ class GamCLArgs():
   ARG_DRIVEFOLDERPATH = 'drivefolderpath'
   ARG_DRIVELABEL = 'drivelabel'
   ARG_DRIVELABELS = 'drivelabels'
+  ARG_DRIVELABELPERMISSION = 'drivelabelpermission'
+  ARG_DRIVELABELPERMISSIONS = 'drivelabelpermissions'
   ARG_DRIVESETTINGS = 'drivesettings'
   ARG_DRIVETRASH = 'drivetrash'
   ARG_EMPTYDRIVEFOLDERS = 'emptydrivefolders'
@@ -576,6 +580,8 @@ class GamCLArgs():
   ARG_EXPORTS = 'exports'
   ARG_FEATURE = 'feature'
   ARG_FEATURES = 'features'
+  ARG_FILECOMMENT = 'filecomment'
+  ARG_FILECOMMENTS = 'filecomments'
   ARG_FILECOUNT = 'filecount'
   ARG_FILECOUNTS = 'filecounts'
   ARG_FILEDRIVELABEL = 'filedrivelabel'
@@ -770,6 +776,7 @@ class GamCLArgs():
   ARG_TRUSTEDAPPS = 'trustedapps'
   ARG_USER = 'user'
   ARG_USERS = 'users'
+  ARG_USERCOUNTSBYORGUNIT = 'usercountsbyorgunit'
   ARG_USERINVITATION = 'userinvitation'
   ARG_USERINVITATIONS = 'userinvitations'
   ARG_USERLIST = 'userlist'
@@ -814,6 +821,8 @@ class GamCLArgs():
   OB_CHANNEL_CUSTOMER_ID = 'ChannelCustomerID'
   OB_CHARACTER = 'Character'
   OB_CHAR_SET = 'CharacterSet'
+  OG_CHAT_ATTACHMENT = 'ChatAttachment'
+  OB_CHAT_EVENT = 'ChatEvent'
   OB_CHAT_MEMBER = 'ChatMember'
   OB_CHAT_MESSAGE = 'ChatMessage'
   OB_CHAT_MESSAGE_ID = 'ChatMessageID'
@@ -877,6 +886,7 @@ class GamCLArgs():
   OB_DRIVE_FOLDER_PATH = 'DriveFolderPath'
   OB_DRIVE_LABEL_ID = 'DriveLabelID'
   OB_DRIVE_LABEL_NAME = 'DriveLabelName'
+  OB_DRIVE_LABEL_PERMISSION_NAME = 'DriveLabelPermissionName'
   OB_DRIVE_LABEL_FIELD_ID = 'DriveLabelFieldID'
   OB_DRIVE_LABEL_SELECTION_ID_LIST = 'DriveLabelSelectionIDList'
   OB_EMAIL_ADDRESS = 'EmailAddress'

src/gam/gamlib/glentity.py

@@ -84,6 +84,7 @@ class GamEntity():
   CHANNEL_PRODUCT = 'chpr'
   CHANNEL_SKU = 'chsk'
   CHAT_BOT = 'chbo'
+  CHAT_EVENT = 'chev'
   CHAT_MANAGER_USER = 'chgu'
   CHAT_MEMBER = 'chme'
   CHAT_MEMBER_GROUP = 'chmg'
@@ -173,6 +174,7 @@ class GamEntity():
   DOMAIN_PROFILE = 'dopr'
   DRIVE_DISK_USAGE = 'drdu'
   DRIVE_FILE = 'dfil'
+  DRIVE_FILE_COMMENT = 'filc'
   DRIVE_FILE_ID = 'fili'
   DRIVE_FILE_NAME = 'filn'
   DRIVE_FILE_RENAMED = 'firn'
@@ -191,6 +193,8 @@ class GamEntity():
   DRIVE_LABEL_FIELD_ID = 'dlfi'
   DRIVE_LABEL_ID = 'dlid'
   DRIVE_LABEL_NAME = 'dlna'
+  DRIVE_LABEL_PERMISSION = 'dlpe'
+  DRIVE_LABEL_PERMISSION_NAME = 'dlpn'
   DRIVE_ORPHAN_FILE_OR_FOLDER = 'orph'
   DRIVE_PARENT_FOLDER = 'fipf'
   DRIVE_PARENT_FOLDER_ID = 'fipi'
@@ -288,6 +292,7 @@ class GamEntity():
   PERSONAL_DEVICE = 'pedv'
   PHOTO = 'phot'
   POP_ENABLED = 'popa'
+  PRESENTATION = 'pres'
   PRINTER = 'prin'
   PRINTER_ID = 'prid'
   PRINTER_MODEL = 'prmd'
@@ -419,6 +424,7 @@ class GamEntity():
     CHANNEL_PRODUCT: ['Channel Products', 'Channel Product'],
     CHANNEL_SKU: ['Channel SKUs', 'Channel SKU'],
     CHAT_BOT: ['Chat BOTs', 'Chat BOT'],
+    CHAT_EVENT: ['Chat Events', 'Chat Event'],
     CHAT_MANAGER_USER: ['Chat User Managers', 'Chat User Manager'],
     CHAT_MESSAGE: ['Chat Messages', 'Chat Message'],
     CHAT_MESSAGE_ID: ['Chat Message IDs', 'Chat Message ID'],
@@ -508,6 +514,7 @@ class GamEntity():
     DOMAIN_PROFILE: ['Domain Profiles', 'Domain Profile'],
     DRIVE_DISK_USAGE: ['Drive Disk Usages', 'Drive Disk Usage'],
     DRIVE_FILE: ['Drive Files', 'Drive File'],
+    DRIVE_FILE_COMMENT: ['Drive File Comments', 'Drive File Comment'],
     DRIVE_FILE_ID: ['Drive File IDs', 'Drive File ID'],
     DRIVE_FILE_NAME: ['Drive File Names', 'Drive File Name'],
     DRIVE_FILE_REVISION: ['Drive File Revisions', 'Drive File Revision'],
@@ -526,6 +533,8 @@ class GamEntity():
     DRIVE_LABEL_FIELD_ID: ['Drive Label Field IDs', 'Drive Label Field ID'],
     DRIVE_LABEL_ID: ['Drive Label IDs', 'Drive Label ID'],
     DRIVE_LABEL_NAME: ['Drive Label Names', 'Drive Label Name'],
+    DRIVE_LABEL_PERMISSION: ['Drive Label Permissions', 'Drive Label Permission'],
+    DRIVE_LABEL_PERMISSION_NAME: ['Drive Label Permission Names', 'Drive Label Permission Name'],
     DRIVE_ORPHAN_FILE_OR_FOLDER: ['Drive Orphan Files/Folders', 'Drive Orphan File/Folder'],
     DRIVE_PARENT_FOLDER: ['Drive Parent Folders', 'Drive Parent Folder'],
     DRIVE_PARENT_FOLDER_ID: ['Drive Parent Folder IDs', 'Drive Parent Folder ID'],
@@ -623,6 +632,7 @@ class GamEntity():
     PERSONAL_DEVICE: ['Personal Devices', 'Personal Device'],
     PHOTO: ['Photos', 'Photo'],
     POP_ENABLED: ['POP Enabled', 'POP Enabled'],
+    PRESENTATION: ['Presentations', 'Presentation'],
     PRINTER: ['Printers', 'Printer'],
     PRINTER_ID: ['Printer IDs', 'Printer ID'],
     PRINTER_MODEL: ['Printer Models', 'Printer Model'],

src/gam/gamlib/glgapi.py

@@ -24,6 +24,7 @@ ABORTED = 'aborted'
 ABUSIVE_CONTENT_RESTRICTION = 'abusiveContentRestriction'
 ACCESS_NOT_CONFIGURED = 'accessNotConfigured'
 ALREADY_EXISTS = 'alreadyExists'
+APPLY_LABEL_FORBIDDEN = 'applyLabelForbidden'
 AUTH_ERROR = 'authError'
 BACKEND_ERROR = 'backendError'
 BAD_GATEWAY = 'badGateway'
@@ -66,8 +67,10 @@ DOMAIN_CANNOT_USE_APIS = 'domainCannotUseApis'
 DOMAIN_NOT_FOUND = 'domainNotFound'
 DOMAIN_NOT_VERIFIED_SECONDARY = 'domainNotVerifiedSecondary'
 DOMAIN_POLICY = 'domainPolicy'
+DOWNLOAD_QUOTA_EXCEEDED = 'downloadQuotaExceeded'
 DUPLICATE = 'duplicate'
 EVENT_DURATION_EXCEEDS_LIMIT = 'eventDurationExceedsLimit'
+EXPIRATION_DATE_NOT_ALLOWED_FOR_SHARED_DRIVE_MEMBERS = 'expirationDateNotAllowedForSharedDriveMembers'
 FAILED_PRECONDITION = 'failedPrecondition'
 FIELD_IN_USE = 'fieldInUse'
 FIELD_NOT_WRITABLE = 'fieldNotWritable'
@@ -205,8 +208,9 @@ DRIVE_ACCESS_THROW_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND, FORBIDDEN
 DRIVE_COPY_THROW_REASONS = DRIVE_ACCESS_THROW_REASONS+[CANNOT_COPY_FILE, BAD_REQUEST, RESPONSE_PREPARATION_FAILURE, TEAMDRIVES_SHARING_RESTRICTION_NOT_ALLOWED,
                                                        FIELD_NOT_WRITABLE, RATE_LIMIT_EXCEEDED, USER_RATE_LIMIT_EXCEEDED,
                                                        STORAGE_QUOTA_EXCEEDED, TEAMDRIVE_FILE_LIMIT_EXCEEDED, TEAMDRIVE_HIERARCHY_TOO_DEEP]
-DRIVE_GET_THROW_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND]
-DRIVE3_CREATE_ACL_THROW_REASONS = [BAD_REQUEST, INVALID, INVALID_SHARING_REQUEST, OWNERSHIP_CHANGE_ACROSS_DOMAIN_NOT_PERMITTED, CANNOT_SET_EXPIRATION,
+DRIVE_GET_THROW_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND, DOWNLOAD_QUOTA_EXCEEDED]
+DRIVE3_CREATE_ACL_THROW_REASONS = [BAD_REQUEST, INVALID, INVALID_SHARING_REQUEST, OWNERSHIP_CHANGE_ACROSS_DOMAIN_NOT_PERMITTED,
+                                   CANNOT_SET_EXPIRATION, EXPIRATION_DATE_NOT_ALLOWED_FOR_SHARED_DRIVE_MEMBERS,
                                    NOT_FOUND, TEAMDRIVE_DOMAIN_USERS_ONLY_RESTRICTION, TEAMDRIVE_TEAM_MEMBERS_ONLY_RESTRICTION,
                                    TARGET_USER_ROLE_LIMITED_BY_LICENSE_RESTRICTION, INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, SHARING_RATE_LIMIT_EXCEEDED,
                                    PUBLISH_OUT_NOT_PERMITTED, SHARE_IN_NOT_PERMITTED, SHARE_OUT_NOT_PERMITTED, SHARE_OUT_NOT_PERMITTED_TO_USER,
@@ -222,7 +226,8 @@ DRIVE3_CREATE_ACL_THROW_REASONS = [BAD_REQUEST, INVALID, INVALID_SHARING_REQUEST
 DRIVE3_GET_ACL_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND, FORBIDDEN, INTERNAL_ERROR,
                                                    INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, INSUFFICIENT_FILE_PERMISSIONS,
                                                    UNKNOWN_ERROR, INVALID]
-DRIVE3_UPDATE_ACL_THROW_REASONS = [BAD_REQUEST, INVALID_OWNERSHIP_TRANSFER, CANNOT_REMOVE_OWNER, CANNOT_SET_EXPIRATION,
+DRIVE3_UPDATE_ACL_THROW_REASONS = [BAD_REQUEST, INVALID_OWNERSHIP_TRANSFER, CANNOT_REMOVE_OWNER,
+                                   CANNOT_SET_EXPIRATION, EXPIRATION_DATE_NOT_ALLOWED_FOR_SHARED_DRIVE_MEMBERS,
                                    OWNERSHIP_CHANGE_ACROSS_DOMAIN_NOT_PERMITTED,
                                    NOT_FOUND, TEAMDRIVE_DOMAIN_USERS_ONLY_RESTRICTION, TEAMDRIVE_TEAM_MEMBERS_ONLY_RESTRICTION,
                                    TARGET_USER_ROLE_LIMITED_BY_LICENSE_RESTRICTION, INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, SHARING_RATE_LIMIT_EXCEEDED,
@@ -243,10 +248,13 @@ DRIVE3_DELETE_ACL_THROW_REASONS = [BAD_REQUEST, CANNOT_REMOVE_OWNER,
                                    INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, SHARING_RATE_LIMIT_EXCEEDED,
                                    NOT_FOUND, PERMISSION_NOT_FOUND]
 DRIVE3_MODIFY_LABEL_THROW_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND, NOT_FOUND, FORBIDDEN, INTERNAL_ERROR,
+                                                              FILE_NEVER_WRITABLE, APPLY_LABEL_FORBIDDEN,
                                                               INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, INSUFFICIENT_FILE_PERMISSIONS,
                                                               UNKNOWN_ERROR, INVALID_INPUT, BAD_REQUEST,
                                                               LABEL_MULTIPLE_VALUES_FOR_SINGULAR_FIELD, LABEL_MUTATION_FORBIDDEN,
                                                               LABEL_MUTATION_ILLEGAL_SELECTION, LABEL_MUTATION_UNKNOWN_FIELD]
+DOCS_ACCESS_THROW_REASONS = DRIVE_USER_THROW_REASONS+[NOT_FOUND, PERMISSION_DENIED, FORBIDDEN, INTERNAL_ERROR, INSUFFICIENT_FILE_PERMISSIONS,
+                                                      BAD_REQUEST, INVALID, INVALID_ARGUMENT, FAILED_PRECONDITION]
 GMAIL_THROW_REASONS = [SERVICE_NOT_AVAILABLE, BAD_REQUEST]
 GMAIL_LIST_THROW_REASONS = [FAILED_PRECONDITION, PERMISSION_DENIED, INVALID, INVALID_ARGUMENT]
 GMAIL_SMIME_THROW_REASONS = [SERVICE_NOT_AVAILABLE, BAD_REQUEST, INVALID_ARGUMENT, FORBIDDEN, NOT_FOUND, PERMISSION_DENIED]
@@ -255,7 +263,8 @@ GROUP_GET_RETRY_REASONS = [INVALID, SYSTEM_ERROR, SERVICE_NOT_AVAILABLE]
 GROUP_CREATE_THROW_REASONS = [DUPLICATE, DOMAIN_NOT_FOUND, DOMAIN_CANNOT_USE_APIS, FORBIDDEN, INVALID, INVALID_INPUT]
 GROUP_UPDATE_THROW_REASONS = [GROUP_NOT_FOUND, DOMAIN_NOT_FOUND, DOMAIN_CANNOT_USE_APIS, FORBIDDEN, INVALID, INVALID_INPUT]
 GROUP_SETTINGS_THROW_REASONS = [NOT_FOUND, GROUP_NOT_FOUND, DOMAIN_NOT_FOUND, DOMAIN_CANNOT_USE_APIS, FORBIDDEN, SYSTEM_ERROR, PERMISSION_DENIED,
-                                INVALID, INVALID_PARAMETER, INVALID_ATTRIBUTE_VALUE, INVALID_INPUT, SERVICE_LIMIT, SERVICE_NOT_AVAILABLE, AUTH_ERROR, REQUIRED]
+                                INVALID, INVALID_ARGUMENT, INVALID_PARAMETER, INVALID_ATTRIBUTE_VALUE, INVALID_INPUT,
+                                SERVICE_LIMIT, SERVICE_NOT_AVAILABLE, AUTH_ERROR, REQUIRED]
 GROUP_SETTINGS_RETRY_REASONS = [INVALID, SERVICE_LIMIT, SERVICE_NOT_AVAILABLE]
 GROUP_LIST_THROW_REASONS = [RESOURCE_NOT_FOUND, DOMAIN_NOT_FOUND, FORBIDDEN, BAD_REQUEST]
 GROUP_LIST_USERKEY_THROW_REASONS = GROUP_LIST_THROW_REASONS+[INVALID_MEMBER, INVALID_INPUT]
@@ -349,6 +358,8 @@ class accessNotConfigured(Exception):
   pass
 class alreadyExists(Exception):
   pass
+class applyLabelForbidden(Exception):
+  pass
 class authError(Exception):
   pass
 class backendError(Exception):
@@ -429,10 +440,14 @@ class domainNotVerifiedSecondary(Exception):
   pass
 class domainPolicy(Exception):
   pass
+class downloadQuotaExceeded(Exception):
+  pass
 class duplicate(Exception):
   pass
 class eventDurationExceedsLimit(Exception):
   pass
+class expirationDateNotAllowedForSharedDriveMembers(Exception):
+  pass
 class failedPrecondition(Exception):
   pass
 class fieldInUse(Exception):
@@ -649,6 +664,7 @@ REASON_EXCEPTION_MAP = {
   ABUSIVE_CONTENT_RESTRICTION: abusiveContentRestriction,
   ACCESS_NOT_CONFIGURED: accessNotConfigured,
   ALREADY_EXISTS: alreadyExists,
+  APPLY_LABEL_FORBIDDEN: applyLabelForbidden,
   AUTH_ERROR: authError,
   BACKEND_ERROR: backendError,
   BAD_REQUEST: badRequest,
@@ -689,8 +705,10 @@ REASON_EXCEPTION_MAP = {
   DOMAIN_NOT_FOUND: domainNotFound,
   DOMAIN_NOT_VERIFIED_SECONDARY: domainNotVerifiedSecondary,
   DOMAIN_POLICY: domainPolicy,
+  DOWNLOAD_QUOTA_EXCEEDED: downloadQuotaExceeded,
   DUPLICATE: duplicate,
   EVENT_DURATION_EXCEEDS_LIMIT: eventDurationExceedsLimit,
+  EXPIRATION_DATE_NOT_ALLOWED_FOR_SHARED_DRIVE_MEMBERS: expirationDateNotAllowedForSharedDriveMembers,
   FAILED_PRECONDITION: failedPrecondition,
   FIELD_IN_USE: fieldInUse,
   FIELD_NOT_WRITABLE: fieldNotWritable,

src/gam/gamlib/glglobals.py

@@ -81,6 +81,8 @@ CSV_OUTPUT_ROW_FILTER_MODE = 'corm'
 CSV_OUTPUT_ROW_LIMIT = 'corl'
 # Add timestamp column to CSV output file
 CSV_OUTPUT_TIMESTAMP_COLUMN = 'csv_output_timestamp_column'
+# Output sort headers
+CSV_OUTPUT_SORT_HEADERS = 'cosh'
 # CSV todrive options
 CSV_TODRIVE = 'todr'
 # Current API services
@@ -169,6 +171,10 @@ RATE_CHECK_COUNT = 'rccn'
 RATE_CHECK_START = 'rcst'
 # Section name from outer gam, passed to inner gams
 SECTION = 'sect'
+# Enable/disable "Getting ... " messages
+SHOW_GETTINGS = 'shog'
+# Enable/disable NL at end of "Got ..." messages
+SHOW_GETTINGS_GOT_NL = 'shgn'
 # redirected files
 SAVED_STDOUT = 'svso'
 STDERR = 'stde'
@@ -236,6 +242,7 @@ Globals = {
   CSV_OUTPUT_ROW_FILTER: [],
   CSV_OUTPUT_ROW_FILTER_MODE: True,
   CSV_OUTPUT_ROW_LIMIT: 0,
+  CSV_OUTPUT_SORT_HEADERS: [],
   CSV_OUTPUT_TIMESTAMP_COLUMN: None,
   CSV_TODRIVE: {},
   CURRENT_API_SERVICES: {},
@@ -284,6 +291,8 @@ Globals = {
   RATE_CHECK_COUNT: 0,
   RATE_CHECK_START: 0,
   SECTION: None,
+  SHOW_GETTINGS: True,
+  SHOW_GETTINGS_GOT_NL: False,
   SAVED_STDOUT: None,
   STDERR: {},
   STDOUT: {},

src/gam/gamlib/glmsgs.py

@@ -91,13 +91,27 @@ Please go to:
 8. Press enter here on the terminal once trust is complete.
 '''
 
-YOUR_GAM_PROJECT_IS_CREATED_AND_READY_TO_USE = 'That\'s it! Your GAM Project is created and ready to use.\n'
+ENABLE_SERVICE_ACCOUNT_PRIVATE_KEY_UPLOAD = '''
+Your workspace is configured to disable service account private key uploads.
+
+Please go to:
+
+  https://github.com/taers232c/GAMADV-XTD3/wiki/Authorization#authorize-service-account-key-uploads
+
+Follow the steps to allow a service account private key upload for the project ({0}) just created.
+Once those steps are completed, you can continue with your project authentication.
+'''
+
+YOUR_GAM_PROJECT_IS_CREATED_AND_READY_TO_USE = '''
+That\'s it! Your GAM Project is created and ready to use.
+Proceed to the authentication steps.
+'''
 
 # check|update service messages in order of appearance
 SYSTEM_TIME_STATUS = 'System time status'
 YOUR_SYSTEM_TIME_DIFFERS_FROM_GOOGLE = 'Your system time differs from {0} by {1}'
 PRESS_ENTER_ONCE_AUTHORIZATION_IS_COMPLETE = 'Press enter once authorization is complete.'
-SERVICE_ACCOUNT_API_DISABLED = '{0} not enabled. Please run "gam update project" and "gam user user@domain.com check serviceaccount"'
+SERVICE_ACCOUNT_API_DISABLED = '{0} not enabled. Please run "gam update project" and "gam user user@domain.com update serviceaccount"'
 SERVICE_ACCOUNT_PRIVATE_KEY_AUTHENTICATION = 'Service Account Private Key Authentication'
 SERVICE_ACCOUNT_CHECK_PRIVATE_KEY_AGE = 'Service Account Private Key age; Google recommends rotating keys on a routine basis'
 SERVICE_ACCOUNT_PRIVATE_KEY_AGE = 'Service Account Private Key age: {0} days'
@@ -148,8 +162,9 @@ ALREADY_EXISTS_USE_MERGE_ARGUMENT = 'Already exists; use the "merge" argument to
 API_ACCESS_DENIED = 'API access Denied'
 API_CALLS_RETRY_DATA = 'API calls retry data\n'
 API_CHECK_CLIENT_AUTHORIZATION = 'Please make sure the Client ID: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam oauth create\n'
-API_CHECK_SVCACCT_AUTHORIZATION = 'Please make sure the Service Account Client name: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam user {2} check serviceaccount\n'
+API_CHECK_SVCACCT_AUTHORIZATION = 'Please make sure the Service Account Client name: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam user {2} update serviceaccount\n'
 API_ERROR_SETTINGS = 'API error, some settings not set'
+ARE_BOTH_REQUIRED = 'Arguments {0} and {1} are both required'
 ARE_MUTUALLY_EXCLUSIVE = 'Arguments {0} and {1} are mutually exclusive'
 AS = 'as'
 ATTENDEES_ADD = 'Add Attendees'
@@ -292,6 +307,7 @@ INVALID_SCHEMA_VALUE = 'Invalid Schema Value'
 INVALID_SCOPE = 'Invalid Scope'
 INVALID_SITE = 'Invalid Site ({0}), must match pattern ({1})'
 INVALID_TAG_SPECIFICATION = 'Invalid tag, expected field.subfield or field.subfield.subfield.string'
+INVALID_TIMEOFDAY_RANGE = '{0} must be less than/equal to {1}'
 IN_SKIPIDS = 'In skipids'
 IN_THE = ' in the {0}'
 IN_TRASH_AND_EXCLUDE_TRASHED = 'In Trash and excludeTrashed'

src/gam/gamlib/glskus.py

@@ -32,9 +32,10 @@ _PRODUCTS = {
   '101037': 'Google Workspace for Education',
   '101038': 'AppSheet',
   '101039': 'Assured Controls',
-  '101040': 'Beyond Corp Enterprise',
+  '101040': 'Chrome Enterprise',
   '101043': 'Google Workspace Additional Storage',
-  '101047': 'Duet AI',
+  '101047': 'Gemini',
+  '101049': 'Education Endpoint Management',
   'Google-Apps': 'Google Workspace',
   'Google-Chrome-Device-Management': 'Google Chrome Device Management',
   'Google-Drive-storage': 'Google Drive Storage',
@@ -61,12 +62,12 @@ _SKUS = {
     'product': '101031', 'aliases': ['gwepstaff', 'workspaceeducationplusstaff'], 'displayName': 'Google Workspace for Education Plus (Staff)'},
   '1010310010': {
     'product': '101031', 'aliases': ['gwepstudent', 'workspaceeducationplusstudent'], 'displayName': 'Google Workspace for Education Plus (Extra Student)'},
+  '1010330002': {
+    'product': '101033', 'aliases': ['gvpremier', 'voicepremier', 'googlevoicepremier'], 'displayName': 'Google Voice Premier'},
   '1010330003': {
     'product': '101033', 'aliases': ['gvstarter', 'voicestarter', 'googlevoicestarter'], 'displayName': 'Google Voice Starter'},
   '1010330004': {
     'product': '101033', 'aliases': ['gvstandard', 'voicestandard', 'googlevoicestandard'], 'displayName': 'Google Voice Standard'},
-  '1010330002': {
-    'product': '101033', 'aliases': ['gvpremier', 'voicepremier', 'googlevoicepremier'], 'displayName': 'Google Voice Premier'},
   '1010350001': {
     'product': '101035', 'aliases': ['cloudsearch'], 'displayName': 'Cloud Search'},
   '1010360001': {
@@ -82,13 +83,17 @@ _SKUS = {
   '1010390001': {
     'product': '101039', 'aliases': ['assuredcontrols'], 'displayName': 'Assured Controls'},
   '1010400001': {
-    'product': '101040', 'aliases': ['beyondcorp', 'beyondcorpenterprise', 'bce'], 'displayName': 'Beyond Corp Enterprise'},
+    'product': '101040', 'aliases': ['beyondcorp', 'beyondcorpenterprise', 'bce', 'cep', 'chromeenterprisepremium'], 'displayName': 'Chrome Enterprise Premium'},
   '1010430001': {
     'product': '101043', 'aliases': ['gwas', 'plusstorage'], 'displayName': 'Google Workspace Additional Storage'},
   '1010470001': {
-    'product': '101047', 'aliases': ['duetai'], 'displayName': 'Duet AI for Enterprise'},
+    'product': '101047', 'aliases': ['geminient', 'duetai'], 'displayName': 'Gemini Enterprise'},
   '1010470002': {
     'product': '101047', 'aliases': ['gwlabs', 'workspacelabs'], 'displayName': 'Google Workspace Labs'},
+  '1010470003': {
+    'product': '101047', 'aliases': ['geminibiz'], 'displayName': 'Gemini Business'},
+  '1010490001': {
+    'product': '101049', 'aliases': ['eeu'], 'displayName': 'Endpoint Education Upgrade'},
   'Google-Apps': {
     'product': 'Google-Apps', 'aliases': ['standard', 'free'], 'displayName': 'G Suite Legacy'},
   'Google-Apps-For-Business': {

src/gam/googleapiclient/discovery.py

@@ -53,6 +53,13 @@ try:
 except ImportError:  # pragma: NO COVER
     google_auth_httplib2 = None
 
+try:
+    from google.api_core import universe
+
+    HAS_UNIVERSE = True
+except ImportError:
+    HAS_UNIVERSE = False
+
 # Local imports
 from googleapiclient import _auth, mimeparse
 from googleapiclient._helpers import _add_query_parameter, positional
@@ -116,12 +123,22 @@ _PAGE_TOKEN_NAMES = ("pageToken", "nextPageToken")
 # Parameters controlling mTLS behavior. See https://google.aip.dev/auth/4114.
 GOOGLE_API_USE_CLIENT_CERTIFICATE = "GOOGLE_API_USE_CLIENT_CERTIFICATE"
 GOOGLE_API_USE_MTLS_ENDPOINT = "GOOGLE_API_USE_MTLS_ENDPOINT"
-
+GOOGLE_CLOUD_UNIVERSE_DOMAIN = "GOOGLE_CLOUD_UNIVERSE_DOMAIN"
+DEFAULT_UNIVERSE = "googleapis.com"
 # Parameters accepted by the stack, but not visible via discovery.
 # TODO(dhermes): Remove 'userip' in 'v2'.
 STACK_QUERY_PARAMETERS = frozenset(["trace", "pp", "userip", "strict"])
 STACK_QUERY_PARAMETER_DEFAULT_VALUE = {"type": "string", "location": "query"}
 
+
+class APICoreVersionError(ValueError):
+    def __init__(self):
+        message = (
+            "google-api-core >= 2.18.0 is required to use the universe domain feature."
+        )
+        super().__init__(message)
+
+
 # Library-specific reserved words beyond Python keywords.
 RESERVED_WORDS = frozenset(["body"])
 
@@ -436,6 +453,13 @@ def _retrieve_discovery_doc(
     return content
 
 
+def _check_api_core_compatible_with_credentials_universe(credentials):
+    if not HAS_UNIVERSE:
+        credentials_universe = getattr(credentials, "universe_domain", None)
+        if credentials_universe and credentials_universe != DEFAULT_UNIVERSE:
+            raise APICoreVersionError
+
+
 @positional(1)
 def build_from_document(
     service,
@@ -544,6 +568,18 @@ def build_from_document(
 
     # If an API Endpoint is provided on client options, use that as the base URL
     base = urllib.parse.urljoin(service["rootUrl"], service["servicePath"])
+    universe_domain = None
+    if HAS_UNIVERSE:
+        universe_domain_env = os.getenv(GOOGLE_CLOUD_UNIVERSE_DOMAIN, None)
+        universe_domain = universe.determine_domain(
+            client_options.universe_domain, universe_domain_env
+        )
+        base = base.replace(universe.DEFAULT_UNIVERSE, universe_domain)
+    else:
+        client_universe = getattr(client_options, "universe_domain", None)
+        if client_universe:
+            raise APICoreVersionError
+
     audience_for_self_signed_jwt = base
     if client_options.api_endpoint:
         base = client_options.api_endpoint
@@ -582,6 +618,9 @@ def build_from_document(
                     quota_project_id=client_options.quota_project_id,
                 )
 
+            # Check google-api-core >= 2.18.0 if credentials' universe != "googleapis.com".
+            _check_api_core_compatible_with_credentials_universe(credentials)
+
             # The credentials need to be scoped.
             # If the user provided scopes via client_options don't override them
             if not client_options.scopes:
@@ -666,7 +705,15 @@ def build_from_document(
             if use_mtls_endpoint == "always" or (
                 use_mtls_endpoint == "auto" and client_cert_to_use
             ):
+                if HAS_UNIVERSE and universe_domain != universe.DEFAULT_UNIVERSE:
+                    raise MutualTLSChannelError(
+                        f"mTLS is not supported in any universe other than {universe.DEFAULT_UNIVERSE}."
+                    )
                 base = mtls_endpoint
+    else:
+        # Check google-api-core >= 2.18.0 if credentials' universe != "googleapis.com".
+        http_credentials = getattr(http, "credentials", None)
+        _check_api_core_compatible_with_credentials_universe(http_credentials)
 
     if model is None:
         features = service.get("features", [])
@@ -681,6 +728,7 @@ def build_from_document(
         resourceDesc=service,
         rootDesc=service,
         schema=schema,
+        universe_domain=universe_domain,
     )
 
 
@@ -1043,6 +1091,9 @@ def createMethod(methodName, methodDesc, rootDesc, schema):
     def method(self, **kwargs):
         # Don't bother with doc string, it will be over-written by createMethod.
 
+        # Validate credentials for the configured universe.
+        self._validate_credentials()
+
         for name in kwargs:
             if name not in parameters.argmap:
                 raise TypeError("Got an unexpected keyword argument {}".format(name))
@@ -1352,6 +1403,7 @@ class Resource(object):
         resourceDesc,
         rootDesc,
         schema,
+        universe_domain=universe.DEFAULT_UNIVERSE if HAS_UNIVERSE else "",
     ):
         """Build a Resource from the API description.
 
@@ -1369,6 +1421,8 @@ class Resource(object):
               is considered a resource.
           rootDesc: object, the entire deserialized discovery document.
           schema: object, mapping of schema names to schema descriptions.
+          universe_domain: string, the universe for the API. The default universe
+          is "googleapis.com".
         """
         self._dynamic_attrs = []
 
@@ -1380,6 +1434,8 @@ class Resource(object):
         self._resourceDesc = resourceDesc
         self._rootDesc = rootDesc
         self._schema = schema
+        self._universe_domain = universe_domain
+        self._credentials_validated = False
 
         self._set_service_methods()
 
@@ -1502,6 +1558,7 @@ class Resource(object):
                         resourceDesc=methodDesc,
                         rootDesc=rootDesc,
                         schema=schema,
+                        universe_domain=self._universe_domain,
                     )
 
                 setattr(methodResource, "__doc__", "A collection resource.")
@@ -1546,6 +1603,27 @@ class Resource(object):
                 fixedMethodName, method.__get__(self, self.__class__)
             )
 
+    def _validate_credentials(self):
+        """Validates client's and credentials' universe domains are consistent.
+
+        Returns:
+            bool: True iff the configured universe domain is valid.
+
+        Raises:
+            UniverseMismatchError: If the configured universe domain is not valid.
+        """
+        credentials = getattr(self._http, "credentials", None)
+
+        self._credentials_validated = (
+            (
+                self._credentials_validated
+                or universe.compare_domains(self._universe_domain, credentials)
+            )
+            if HAS_UNIVERSE
+            else True
+        )
+        return self._credentials_validated
+
 
 def _findPageTokenName(fields):
     """Search field names for one like a page token.

src/gam/googleapiclient/version.py

@@ -12,4 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-__version__ = "2.114.0"
+__version__ = "2.124.0"