Include missing gamlib updates

Gmail CSE updates

Added todrive options: tdalert, tdfrom, tdsubject

Added CSV output row sorting

Fixed audit monitor create

docs/Authorization.md

@@ -89,15 +89,6 @@ If you run a Google Workspace Education SKU, verify that the super admin you'll
 * Choose "All users are 18 or older"
 * Click "SAVE"
 
-Verify whether the super admin you'll be using is in an OU where reauthentication is required.
-* Access the admin console and go to Security -> Overview
-* Scroll down and open Google Cloud session control section
-* Select the OU containing the super admin
-* If Require reauthentication is selected and Exempt Trusted apps is not checked, you'll have to do `gam oauth create` at whatever frequency is specified
-* If that sounds unappealing, check Exempt Trusted apps
-* Click "OVERRIDE"
-* Follow the steps below to mark GAM as a trusted app
-
 Based on your domain policies, you may have to mark GAM as a trusted app. These steps are performed after a project is created.
 * Access the admin console and go to Security -> Access and data control -> API controls
 * Check Trust internal, domain-owned apps
@@ -114,6 +105,15 @@ Based on your domain policies, you may have to mark GAM as a trusted app. These
 * Click Next/Continue
 * Click Finish
 
+Verify whether the super admin you'll be using is in an OU where reauthentication is required.
+* Access the admin console and go to Security -> Overview
+* Scroll down and open Google Cloud session control section
+* Select the OU containing the super admin
+* If Require reauthentication is selected and Exempt Trusted apps is not checked, you'll have to do `gam oauth create` at whatever frequency is specified
+* If that sounds unappealing, check Exempt Trusted apps
+* Click "OVERRIDE"
+* Follow the steps below to mark GAM as a trusted app
+
 ## Headless computers and Cloud Shells
 With many thanks to Jay, `gam oauth create` now uses a new client access authentication flow
 as required by Google for headless computers/cloud shells; this is required as of February 28, 2022.
@@ -404,60 +404,70 @@ writes the credentials into the file oauth2.txt.
 ```
 gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - Telemetry read only
-[*]  3)  Chrome Management API - read only
-[*]  4)  Chrome Policy API (supports readonly)
-[*]  5)  Chrome Printer Management API (supports readonly)
-[*]  6)  Chrome Version History API
-[*]  7)  Classroom API - Course Announcements (supports readonly)
-[*]  8)  Classroom API - Course Topics (supports readonly)
-[*]  9)  Classroom API - Course Work/Materials (supports readonly)
-[*] 10)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 11)  Classroom API - Courses (supports readonly)
-[*] 12)  Classroom API - Profile Emails
-[*] 13)  Classroom API - Profile Photos
-[*] 14)  Classroom API - Rosters (supports readonly)
-[*] 15)  Classroom API - Student Guardians (supports readonly)
-[*] 16)  Cloud Identity Groups API (supports readonly)
-[*] 17)  Cloud Storage (Vault Export - read only)
-[*] 18)  Contact Delegation API (supports readonly)
-[*] 19)  Contacts API - Domain Shared and Users and GAL
-[*] 20)  Data Transfer API (supports readonly)
-[*] 21)  Directory API - Chrome OS Devices (supports readonly)
-[*] 22)  Directory API - Customers (supports readonly)
-[*] 23)  Directory API - Domains (supports readonly)
-[*] 24)  Directory API - Groups (supports readonly)
-[*] 25)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 26)  Directory API - Organizational Units (supports readonly)
-[*] 27)  Directory API - Resource Calendars (supports readonly)
-[*] 28)  Directory API - Roles (supports readonly)
-[*] 29)  Directory API - User Schemas (supports readonly)
-[*] 30)  Directory API - User Security
-[*] 31)  Directory API - Users (supports readonly)
-[*] 32)  Email Audit API
-[*] 33)  Groups Migration API
-[*] 34)  Groups Settings API
-[*] 35)  License Manager API
-[*] 36)  People API (supports readonly)
-[*] 37)  People Directory API - read only
-[ ] 38)  Pub / Sub API
-[*] 39)  Reports API - Audit Reports
-[*] 40)  Reports API - Usage Reports
-[ ] 41)  Reseller API
-[*] 42)  Site Verification API
-[*] 43)  Sites API
-[*] 44)  Vault API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
-Please enter 0-42[a|r] or s|u|e|c: 
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
 
@@ -487,60 +497,70 @@ writes the credentials into the file `oauth2.txt`.
 ```
 gam oauth update
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - Telemetry read only
-[*]  3)  Chrome Management API - read only
-[*]  4)  Chrome Policy API (supports readonly)
-[*]  5)  Chrome Printer Management API (supports readonly)
-[*]  6)  Chrome Version History API
-[*]  7)  Classroom API - Course Announcements (supports readonly)
-[*]  8)  Classroom API - Course Topics (supports readonly)
-[*]  9)  Classroom API - Course Work/Materials (supports readonly)
-[*] 10)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 11)  Classroom API - Courses (supports readonly)
-[*] 12)  Classroom API - Profile Emails
-[*] 13)  Classroom API - Profile Photos
-[*] 14)  Classroom API - Rosters (supports readonly)
-[*] 15)  Classroom API - Student Guardians (supports readonly)
-[*] 16)  Cloud Identity Groups API (supports readonly)
-[*] 17)  Cloud Storage (Vault Export - read only)
-[*] 18)  Contact Delegation API (supports readonly)
-[*] 19)  Contacts API - Domain Shared and Users and GAL
-[*] 20)  Data Transfer API (supports readonly)
-[*] 21)  Directory API - Chrome OS Devices (supports readonly)
-[*] 22)  Directory API - Customers (supports readonly)
-[*] 23)  Directory API - Domains (supports readonly)
-[*] 24)  Directory API - Groups (supports readonly)
-[*] 25)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 26)  Directory API - Organizational Units (supports readonly)
-[*] 27)  Directory API - Resource Calendars (supports readonly)
-[*] 28)  Directory API - Roles (supports readonly)
-[*] 29)  Directory API - User Schemas (supports readonly)
-[*] 30)  Directory API - User Security
-[*] 31)  Directory API - Users (supports readonly)
-[*] 32)  Email Audit API
-[*] 33)  Groups Migration API
-[*] 34)  Groups Settings API
-[*] 35)  License Manager API
-[*] 36)  People API (supports readonly)
-[*] 37)  People Directory API - read only
-[ ] 38)  Pub / Sub API
-[*] 39)  Reports API - Audit Reports
-[*] 40)  Reports API - Usage Reports
-[ ] 41)  Reseller API
-[*] 42)  Site Verification API
-[*] 43)  Sites API
-[*] 44)  Vault API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
-Please enter 0-42[a|r] or s|u|e|c: 
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
 
@@ -817,24 +837,38 @@ By default, the following scopes are verified:
 ```
 https://mail.google.com/
 https://sites.google.com/feeds
-https://www.google.com/m8/feeds
+https://www.googleapis.com/auth/analytics.readonly
 https://www.googleapis.com/auth/apps.alerts
 https://www.googleapis.com/auth/calendar
+https://www.googleapis.com/auth/chat.delete
+https://www.googleapis.com/auth/chat.memberships
+https://www.googleapis.com/auth/chat.messages
+https://www.googleapis.com/auth/chat.spaces
 https://www.googleapis.com/auth/classroom.announcements
 https://www.googleapis.com/auth/classroom.coursework.students
+https://www.googleapis.com/auth/classroom.courseworkmaterials
 https://www.googleapis.com/auth/classroom.profile.emails
+https://www.googleapis.com/auth/classroom.profile.photos
 https://www.googleapis.com/auth/classroom.rosters
 https://www.googleapis.com/auth/classroom.topics
 https://www.googleapis.com/auth/cloud-identity
 https://www.googleapis.com/auth/cloud-platform
-https://www.googleapis.com/auth/cloudprint
 https://www.googleapis.com/auth/contacts
+https://www.googleapis.com/auth/contacts.other.readonly
+https://www.googleapis.com/auth/datastudio
+https://www.googleapis.com/auth/directory.readonly
+https://www.googleapis.com/auth/documents
 https://www.googleapis.com/auth/drive
 https://www.googleapis.com/auth/drive.activity
+https://www.googleapis.com/auth/drive.admin.labels
+https://www.googleapis.com/auth/drive.labels
 https://www.googleapis.com/auth/gmail.modify
 https://www.googleapis.com/auth/gmail.settings.basic
 https://www.googleapis.com/auth/gmail.settings.sharing
+https://www.googleapis.com/auth/keep
 https://www.googleapis.com/auth/spreadsheets
+https://www.googleapis.com/auth/tasks
+https://www.googleapis.com/auth/userinfo.profile
 ```
 This scope is verified when `user_service_account_access_only = true` in `gam.cfg`.
 ```
@@ -862,6 +896,118 @@ gam <UserTypeEntity> update serviceaccount (scope|scopes <APIScopeURLList>)*
 * `<UserTypeEntity>` - Typically `user <EmailAddress>`, a non-Google Workspace administrator.
 * `scopes <APIScopeURLList>` - Verify/enable service account access for a set of specific scopes rather than selecting the scopes.
 
+```
+gam user user@domain.com update serviceaccount
+
+[*]  0)  AlertCenter API
+[*]  1)  Analytics API - read only
+[*]  2)  Analytics Admin API - read only
+[*]  3)  Calendar API (supports readonly)
+[*]  4)  Chat API - Memberships (supports readonly)
+[*]  5)  Chat API - Messages (supports readonly)
+[*]  6)  Chat API - Spaces (supports readonly)
+[*]  7)  Chat API - Spaces Delete
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Profile Emails
+[*] 13)  Classroom API - Profile Photos
+[*] 14)  Classroom API - Rosters (supports readonly)
+[*] 15)  Cloud Identity Devices API (supports readonly)
+[*] 16)  Cloud Resource Manager API v3
+[*] 17)  Docs API (supports readonly)
+[*] 18)  Drive API (supports readonly)
+[*] 19)  Drive API - todrive
+[*] 20)  Drive Activity API v2 - must pair with Drive API
+[*] 21)  Drive Labels API v2beta - Admin (supports readonly)
+[*] 22)  Drive Labels API v2beta - User (supports readonly)
+[*] 23)  Forms API
+[*] 24)  Gmail API - Basic Settings (Filters,IMAP, Language, POP, Vacation) - read/write, Sharing Settings (Delegates, Forwarding, SendAs) - read
+[*] 25)  Gmail API - Full Access (Labels, Messages)
+[*] 26)  Gmail API - Full Access (Labels, Messages) except delete message
+[ ] 27)  Gmail API - Full Access - read only
+[ ] 28)  Gmail API - Send Messages - including todrive
+[*] 29)  Gmail API - Sharing Settings (Delegates, Forwarding, SendAs) - write
+[*] 30)  Identity and Access Management API
+[*] 31)  Keep API (supports readonly)
+[*] 32)  Looker Studio API (supports readonly)
+[*] 33)  OAuth2 API
+[*] 34)  People API (supports readonly)
+[*] 35)  People API - Other Contacts - read only
+[*] 36)  People Directory API - read only
+[*] 37)  Sheets API (supports readonly)
+[*] 38)  Sheets API - todrive
+[*] 39)  Sites API
+[*] 40)  Tasks API (supports readonly)
+[ ] 41)  Youtube API - read only
+
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+
+Please enter 0-41[a|r] or s|u|e|c: c
+
+System time status
+  Your system time differs from admin.googleapis.com by less than 1 second  PASS
+Service Account Private Key Authentication
+  Authentication                                                            PASS
+Service Account Private Key age; Google recommends rotating keys on a routine basis
+  Service Account Private Key age: 364 days                                 WARN
+Domain-wide Delegation authentication:, User: user@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.profile.photos                  PASS (14/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (15/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (16/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (17/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (18/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (19/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (20/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (21/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (22/34)
+  https://www.googleapis.com/auth/documents                                 PASS (23/34)
+  https://www.googleapis.com/auth/drive                                     PASS (24/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (25/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (26/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (27/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (29/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (30/34)
+  https://www.googleapis.com/auth/keep                                      PASS (31/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (32/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (33/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (34/34)
+Some scopes Failed!
+To authorize them, please go to the following link in your browser:
+
+    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.google.com/,...
+
+You will be directed to the Google Workspace admin console Security > API Controls > Domain-wide Delegation page
+The "Add a new Client ID" box will open
+Make sure that "Overwrite existing client ID" is checked
+Click AUTHORIZE
+When the box closes you're done
+After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
+```
+
 ## Configure Limited access
 You can configure GAM to allow users limited access to your domain via GAM.
 You can limit both client and service account access.

docs/Basic-Items.md

@@ -119,7 +119,7 @@
         #7a4706|#8a1c0a|#994a64|#ffffff
 <LanguageCode> ::=
         ach|af|ag|ak|am|ar|az|be|bem|bg|bn|br|bs|ca|chr|ckb|co|crs|cs|cy|da|de|
-        ee|el|en|en-gb|en-us|eo|es|es-419|et|eu|fa|fi|fil|fo|fr|fr-ca|fy|
+        ee|el|en|en-ca|en-gb|en-us|eo|es|es-419|et|eu|fa|fi|fil|fo|fr|fr-ca|fy|
         ga|gaa|gd|gl|gn|gu|ha|haw|he|hi|hr|ht|hu|hy|ia|id|ig|in|is|it|iw|ja|jw|
         ka|kg|kk|km|kn|ko|kri|ku|ky|la|lg|ln|lo|loz|lt|lua|lv|
         mfe|mg|mi|mk|ml|mn|mo|mr|ms|mt|my|ne|nl|nn|no|nso|ny|nyn|oc|om|or|
@@ -232,8 +232,11 @@
         101035 |
         101036 |
         101037 |
+        101038 |
         101039 |
         101040 |
+        101043 |
+        101047 |
         Google-Apps |
         Google-Chrome-Device-Management |
         Google-Drive-storage |
@@ -249,12 +252,17 @@
         4tb | drive4tb | googledrivestorage4tb | Google-Drive-storage-4TB |
         8tb | drive8tb | googledrivestorage8tb | Google-Drive-storage-8TB |
         16tb | drive16tb | googledrivestorage16tb | Google-Drive-storage-16TB |
+        appsheetcore | 1010380001 |
+        appsheetstandard | appsheetenterprisestandard | 1010380002 |
+        appsheetplus | appsheetenterpriseplus | 1010380003 |
         assuredcontrols | 1010390001 |
         bce | beyondcorp | beyondcorpenterprise | 1010400001 |
         cdm | chrome | googlechromedevicemanagement | Google-Chrome-Device-Management |
         cloudidentity | identity | 1010010001 |
         cloudidentitypremium | identitypremium | 1010050001 |
         cloudsearch | 1010350001 |
+        geminibiz | 1010470003 |
+        geminient| duetai | 1010470001 |
         gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
         gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
         gsuitebusinessarchived | gsbau | businessarchived | 1010340002 |
@@ -270,6 +278,7 @@
         gwesstaff | workspaceeducationstandardstaff | 1010310006 |
         gwesstudent | workspaceeducationstandardstudent | 1010310007 |
         gwetlu | workspaceeducationupgrade | 1010370001 |
+        gwlabs | workspacelabs | 1010470002
         meetdialing | googlemeetglobaldialing | 1010360001 |
         postini | gams | gsuitegams | gsuitepostini | gsuitemessagesecurity | Google-Apps-For-Postini |
         standard | free | Google-Apps |
@@ -278,16 +287,22 @@
         voicepremier | gvpremier | googlevoicepremier | 1010330002 |
         voicestandard | gvstandard | googlevoicestandard | 1010330004 |
         voicestarter | gvstarter | googlevoicestarter | 1010330003 |
+        wsas | plusstorage | 1010430001 |
         wsbizplus | workspacebusinessplus | 1010020025 |
         wsbizplusarchived | workspacebusinessplusarchived | 1010340003 |
         wsbizstan | workspacebusinessstandard | 1010020028 |
+        wsbizstanarchived | workspacebusinessstandardarchived | 1010340006 |
         wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 |
+        wsbizstarterarchived | workspacebusinessstarterarchived | 1010340005 |
         wsentess | workspaceenterpriseessentials | 1010060003 |
         wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 |
         wsentstan | workspaceenterprisestandard | 1010020026 |
         wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 |
+        wsentstarter | workspaceenterprisestarter | 1010020029 | wes |
         wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 |
-        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030
+        wsessplus | workspaceessentialsplus | 1010060005 |
+        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030 |
+        wsflwstan | workspacefrontlinestan | workspacefrontlineworkerstan | 1010020031
 ```
 ## Items built from primitives
 ```
@@ -346,7 +361,7 @@
 <ChannelCustomerID> ::= <String>
 <ChatMember> ::= spaces/<String>/members/<String>
 <ChatMessage> ::= spaces/<String>/messages/<String>
-<ChatSpace> ::= spaces/<String> | <String>
+<ChatSpace> ::= spaces/<String> | space <String> | space spaces/<String>
 <ChatThread> ::= spaces/<String>/threads/<String>
 <ClassroomInvitationID> ::= <String>
 <ClientID> ::= <String>
@@ -421,6 +436,7 @@
 <DriveLabelFieldID> ::= <String>
 <DriveLabelSelectionID> ::= <String>
 <DriveLabelName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]
+<DriveLabelPermissionName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]/permissions/(audiences|groups|people)/<String>
 <EmailAddress> ::= <String>@<DomainName>
 <EmailItem> ::= <EmailAddress>|<UniqueID>|<String>
 <EmailReplacement> ::= <String>
@@ -456,6 +472,11 @@
 <Marker> ::= <String>
 <MatterItem> ::= <UniqueID>|<String>
 <MatterState> ::= open|closed|deleted
+<MessageContent> ::=
+        (message|textmessage|htmlmessage <String>)|
+        (file|textfile|htmlfile <FileName> [charset <Charset>])|
+        (gdoc|ghtml <UserGoogleDoc>)|
+        (gcsdoc|gcshtml <StorageBucketObjectName>)
 <MessageID> ::= <String>
 <Namespace> ::= <String>
 <NotesName> ::= notes/<String>
@@ -529,7 +550,7 @@
 <ServiceAccountDisplayName> ::= <String>
         Maximum of 100 characters
 <ServiceAccountDescrition> ::= <String>
-       Maximumof 256 chcracters
+       Maximum of 256 chcracters
 <ServiceAccountEmail> ::= <ServiceAccountName>@<ProjectID>.iam.gserviceaccount.com
 <ServiceAccountUniqueID> ::= <Number>
 <ServiceAccountKey> ::= <String>
@@ -584,8 +605,10 @@
         (tdlocale <Locale>)|
         (tdnobrowser [<Boolean>])|
         (tdnoemail [<Boolean>])|
+        (tdnoescapechar [<Boolean>])|
         (tdparent (id:<DriveFolderID>)|<DriveFolderName>)|
-        (tdshare <EmailAddress> commenter|reader|writer)|
+        (tdretaintitle [<Boolean>])|
+        (tdshare <EmailAddress> commenter|reader|writer)*|
         (tdsheet (id:<Number>)|<String>)|
         (tdsheettimestamp [<Boolean>] [tdsheettimeformat <String>])
         (tdsheettitle <String>)|

docs/Collections-of-Items.md

@@ -262,6 +262,8 @@ Data fields identified in a `csvkmd` argument.
         <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <DriveLabelNameEntity> ::=
         <DriveLabelNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
+<DriveLabelPermissionNameEntity> ::=
+        <DriveLabelPermissionNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
 <EmailAddressEntity> ::=
         <EmailAddressList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <FilterIDEntity> ::=

docs/GamUpdates.md

@@ -10,6 +10,101 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
 
 See [Downloads](https://github.com/taers232c/GAMADV-XTD3/wiki/Downloads) for Windows or other options, including manual installation
 
+### 6.71.05
+
+Fixed a bug introduced in 6.71.00 that caused a trap in `gam <UserTypeEntity> print filelist`.
+
+Added option `tdfrom <EmailAddress>` to  `<ToDriveAttribute>` that causes GAM to use `<EmailAddress>` as the from address
+in all emails sent. By default, the from address is the Google Workspace Admin in `gam oauth info`.
+
+### 6.71.04
+
+Updated `gam <UserTypeEntity> create|update cseidentity` to accept either of the following key pair options:
+* `primarykeypairid <KeyPairID>` - The configuration of a CSE identity that uses the same key pair for signing and encryption.
+* `signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>` - The configuration of a CSE identity that uses different key pairs for signing and encryption.
+
+Updated CSV output row sorting to avoid a trap that occurred when a row was missing one of the sort fields.
+
+### 6.71.03
+
+Added option `tdalert <EmailAddress>` to `<ToDriveAttribute>`. When a todrive file is created or updated,
+GAM will send notification emails to all `tdalert <EmailAddress>` users if `tdnotify` is true.
+`<EmailAddress>` must be valid within your Google Workspace.
+
+### 6.71.02
+
+Added additional error handling to Gmail Client Side Encryption commands.
+
+### 6.71.01
+
+Fixed bug in `gam audit monitor create` that caused a trap.
+
+### 6.71.00
+
+Added `csv_output_sort_headers` string list variable to `gam.cfg` that causes GAM to sort CSV output
+rows by the column headers specified in the variable. The column headers are case insensitive and
+if column header does not appear in the CSV output, it is ignored.
+
+Added `sortheaders <StringList>` to `redirect csv <FileName>` that has the same effect as above.
+
+The sort keys specified in `redirect csv ... sortheaders <StringList>` take precedence over the values from `gam.cfg`.
+
+Added option `tdsubject <String>` to  `<ToDriveAttribute>` that causes GAM to use `<String>` as the subject
+in all emails sent. In `<String>`, `#file#` will, be replaced by the file title and `#sheet#` will be replaced
+by the sheet/tab title. By default, the subject is the file title.
+
+### 6.70.09
+
+Added additional error handling to Gmail Client Side Encryption commands.
+
+Added options `showpem` and `showkaclsdata` to all Gmail CSE commands that process/display
+CSE key pairs. By default, the `pem` and `kaclsdata` fields will not be displayed unless
+the corresponding `show` option is specified.
+
+### 6.70.08
+
+Fixed bug in `gam <UserTypeEntity> create cseidentity <KeyPairID>` that caused an error.
+
+### 6.70.07
+
+Updated user instructions in `gam oauth create` and `gam <UserTypeEntity> update serviceaccount`
+and changed `s` from selecting all scopes to selecting default scopes.
+
+### 6.70.06
+
+Updated `gam info users <UserTypeEntity>` to not include group tree infornation unless option `grouptree` is specified.
+
+### 6.70.05
+
+Added commands to create|delete|display Drive Label permissions.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Drive-Labels
+
+### 6.70.04
+
+Added option `showvalidcolumn` to `gam print users` that can be used to identify whether
+users are defined in the domain. Typically, you would read CSV file of email addresses
+to verify as domain members.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users#verify-domain-membership
+
+Added option `addcsvdata <FieldName> <String>` to `gam print users` that adds
+additional columns of data to the CSV file output. Typically, you would read CSV file of email addresses
+to generate a CSV file of results and copy data from the input CSV to the outout CSV.
+
+### 6.70.03
+
+Renamed license product DuetAI to Gemini
+* ProductID - 101047
+
+Renamed license SKU DuetAI for Google Workspace to Gemini Enterprise
+* ProductID - 101047
+* SKUID - 1010470001 | geminient | duetai 
+
+Added support for license SKU Gemini Business
+* ProductID - 101047
+* SKUID - 1010470003 | geminibiz
+
 ### 6.70.02
 
 In 6.69.00, GAM starting using course owner access when using `copyfrom` in `gam create|update course`

docs/How-to-Install-Advanced-Gam.md

@@ -264,9 +264,6 @@ writes the credentials into the file oauth2.txt.
 ```
 admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
 [*]  2)  Chrome Management API - AppDetails read only
@@ -274,7 +271,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -284,7 +281,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -314,15 +311,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
@@ -709,9 +713,6 @@ writes the credentials into the file oauth2.txt.
 ```
 C:\GAMADV-XTD3>gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
 [*]  2)  Chrome Management API - AppDetails read only
@@ -719,7 +720,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -729,7 +730,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -759,15 +760,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com

docs/How-to-Update-Advanced-Gam.md

@@ -99,9 +99,6 @@ writes the credentials into the file oauth2.txt.
 ```
 admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
 [*]  2)  Chrome Management API - AppDetails read only
@@ -109,7 +106,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -119,7 +116,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -149,15 +146,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
@@ -382,9 +386,6 @@ writes the credentials into the file oauth2.txt.
 ```
 C:\GAMADV-XTD3>gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
 [*]  2)  Chrome Management API - AppDetails read only
@@ -392,7 +393,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -402,7 +403,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -432,15 +433,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com

docs/How-to-Upgrade-from-Standard-GAM.md

@@ -334,7 +334,7 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin/bin/gamadv-xtd3$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAMADV-XTD3 6.70.00 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.71.05 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
 Python 3.12.2 64-bit final
 MacOS Sonoma 14.2.1 x86_64
@@ -343,9 +343,6 @@ Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_c
 
 admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
 [*]  2)  Chrome Management API - AppDetails read only
@@ -353,7 +350,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -363,7 +360,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -393,15 +390,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com
@@ -1002,7 +1006,7 @@ writes the credentials into the file oauth2.txt.
 C:\GAMADV-XTD3>del C:\GAMConfig\oauth2.txt
 C:\GAMADV-XTD3>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAMADV-XTD3 6.70.00 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.71.05 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
 Python 3.12.2 64-bit final
 Windows-10-10.0.17134 AMD64
@@ -1011,9 +1015,6 @@ Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, customer_id: my_customer, d
 
 C:\GAMADV-XTD3>gam oauth create
 
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
 [*]  2)  Chrome Management API - AppDetails read only
@@ -1021,7 +1022,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*]  4)  Chrome Management API - read only
 [*]  5)  Chrome Policy API (supports readonly)
 [*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
+[*]  7)  Chrome Version History API
 [*]  8)  Classroom API - Course Announcements (supports readonly)
 [*]  9)  Classroom API - Course Topics (supports readonly)
 [*] 10)  Classroom API - Course Work/Materials (supports readonly)
@@ -1031,7 +1032,7 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [*] 14)  Classroom API - Profile Photos
 [*] 15)  Classroom API - Rosters (supports readonly)
 [*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
 [*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
 [*] 19)  Cloud Identity Groups API (supports readonly)
 [*] 20)  Cloud Identity OrgUnits API (supports readonly)
@@ -1061,15 +1062,22 @@ Append an 'r' to grant read-only access or an 'a' to grant action-only access.
 [ ] 44)  Pub / Sub API
 [*] 45)  Reports API - Audit Reports
 [*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
+[ ] 47)  Reseller API
 [*] 48)  Site Verification API
 [ ] 49)  Sites API
 [*] 50)  Vault API (supports readonly)
 
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
 Please enter 0-50[a|r] or s|u|e|c: c
 
 Enter your Google Workspace admin email address? admin@domain.com

docs/Licenses.md

@@ -24,7 +24,7 @@
 | Cloud Identity Free | 101001 |
 | Cloud Identity Premium | 101005 |
 | Cloud Search | 101035 |
-| Duet AI | 101047 |
+| Gemini | 101047 |
 | Google Chrome Device Management | Google-Chrome-Device-Management |
 | Google Drive Storage | Google-Drive-storage |
 | Google Meet Global Dialing | 101036 |
@@ -46,11 +46,12 @@
 | Cloud Identity Free | 1010010001 | cloudidentity |
 | Cloud Identity Premium | 1010050001 | cloudidentitypremium |
 | Cloud Search | 1010350001 | cloudsearch |
-| Duet AI | 1010470001 | duetai |
 | G Suite Basic | Google-Apps-For-Business | gsuitebasic |
 | G Suite Business | Google-Apps-Unlimited | gsuitebusiness |
 | G Suite Legacy | Google-Apps | standard |
 | G Suite Lite | Google-Apps-Lite | gsuitelite |
+| Gemini Business | 1010470003 | geminibiz
+| Gemini Enterprise | 1010470001 | geminient | duetai |
 | Google Apps Message Security | Google-Apps-For-Postini | postini |
 | Google Chrome Device Management | Google-Chrome-Device-Management | cdm |
 | Google Drive Storage 16TB | Google-Drive-storage-16TB | 16tb |

docs/List-Items.md

@@ -43,6 +43,7 @@
 <DriveFolderNameList> ::= "<DriveFolderName>(,<DriveFolderName>)*"
 <DriveLabelIDList> ::= "<DriveLabelID>(,<DriveLabelID>)*"
 <DriveLabelNameList> ::= "<DriveLabelName>(,<DriveLabelName>)*"
+<DriveLabelPermissionNameList> ::= "<DriveLabelPermissionName>(,<DriveLabelPermissionName>)*"
 <DriveLabelFieldIDList> ::= "<DriveLabelFieldID>(,<DriveLabelFieldID>)*"
 <DriveLabelSelectionIDList> ::= "<DriveLabelSelectionID>(,<DriveLabelSelectionID>)*"
 <EmailAddressList> ::= "<EmailAddress>(,<EmailAddress>)*"

docs/Meta-Commands-and-File-Redirection.md

@@ -56,6 +56,7 @@ The only `<VariableNames>` recognized in this `<Section>` are:
 * `csv_output_row_drop_filter`
 * `csv_output_row_drop_filter_mode`
 * `csv_output_row_limit`
+* `csv_output_sort_headers`
 
 ### Select input filter section
 Select an input filter section from gam.cfg and process a GAM command using values from that section.
@@ -113,7 +114,7 @@ You can redirect stdout and stderr to null and stderr can be redirected to stdou
 <Redirect> ::=
         redirect csv <FileName> [multiprocess] [append] [noheader] [charset <Charset>]
                      [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
-                     [timestampcolumn <String>]
+                     [sortheaders <StringList>] [timestampcolumn <String>]
                      [todrive <ToDriveAttribute>*] |
         redirect stdout <FileName> [multiprocess] [append] |
         redirect stdout null [multiprocess] |
@@ -151,6 +152,9 @@ The `quotechar <Character>` subargument sets the character used to quote fields
 that contaim special charactere; the default value is the value of `csv_output_quote_char` in `gam.cfg`
 which defaults to double quote.
 
+The `sortheaders <StringList>` argument causes GAM to sort CSV output rows by the column headers specified in `<StringList>`.
+The column headers are case insensitive and if column header does not appear in the CSV output, it is ignored.
+
 The `timestampcolumn <String>` adds a column named `<String>` to the CSV file; the value is the
 timestamp of when the GAM command started.
 

docs/Todrive.md

@@ -174,11 +174,15 @@ direct the uploaded file to a particular user and location and add a timestamp t
 ```
 <ToDriveAttribute> ::=
         (tdaddsheet [<Boolean>])|
+        (tdalert <EmailAddress>)*|
         (tdbackupsheet (id:<Number>)|<String>)|
+        (tdcellnumberformat text|number)|
+        (tdcellwrap clip|overflow|wrap)|
         (tdclearfilter [<Boolean>])|
         (tdcopysheet (id:<Number>)|<String>)|
         (tddescription <String>)|
         (tdfileid <DriveFileID>)|
+        (tdfrom <EmailAddress>)|
         (tdlocalcopy [<Boolean>])|
         (tdlocale <Locale>)|
         (tdnobrowser [<Boolean>])|
@@ -191,13 +195,12 @@ direct the uploaded file to a particular user and location and add a timestamp t
         (tdsheet (id:<Number>)|<String>)|
         (tdsheettimestamp [<Boolean>] [tdsheettimeformat <String>])
         (tdsheettitle <String>)|
-        ([tdsheetdaysoffset <Number>] [tdsheethoursoffset <Number])|
-        (tdtimestamp [<Boolean>] [tdtimeformat <String>])|
-        ([tddaysoffset <Number>] [tdhoursoffset <Number])|
+        (tdsubject <String>)|
+        ([tdsheetdaysoffset <Number>] [tdsheethoursoffset <Number>])|
+        (tdtimestamp [<Boolean>] [tdtimeformat <String>]
+            ([tddaysoffset <Number>] [tdhoursoffset <Number>])|
         (tdtimezone <TimeZone>)|
         (tdtitle <String>)|
-        (tdcellwrap clip|overflow|wrap)|
-        (tdcellnumberformat text|plain)|
         (tdupdatesheet [<Boolean>])|
         (tduploadnodata [<Boolean>])|
         (tduser <EmailAddress>)
@@ -227,6 +230,7 @@ If `tdfileid <DriveFileID>` is not specified, a new file is created.
 * `tdtimeformat` - Format of the timestamp added to the title of the uploaded file; if not specified, the `todrive_timeformat` value from gam.cfg is used, that value defaults to '' which selects an ISO format timestamp.
   * See: https://docs.python.org/3/library/datetime.html#strftime-strptime-behavior
 * `tddaysoffset` and `tdhoursoffset` - Values that subtract time from the timestamp, they default to 0. A possible use for these values is as documentation to reflect the end of the time period that the uploaded report covers.
+* `tdsubject <String>` - Use `<String>` as the subject in all emails sent. In `<String>`, `#file#` will, be replaced by the file title and `#sheet#` will be replaced by the sheet/tab title. By default, the subject is the file title.
 
 ## Spreadsheet settings
 * `tdlocale <Locale>` - The Spreadsheet settings Locale value.
@@ -235,9 +239,10 @@ If `tdfileid <DriveFileID>` is not specified, a new file is created.
 * `tdcellnumberformat text|number` - The Spreadsheet number format.
 
 ## Open browser and send email
-* `tdnobrowser` - If False, a browser is opened to view the file uploaded to Google Drive; if not specified, the `todrive_nobrowser` value from gam.cfg is used.
-* `tdnoemail` - If False, an email is sent to `tduser` informing them of name and URL of the uploaded file; if not specified, the `todrive_noemail` value from gam.cfg is used.
-* `tdnotify` - If True, an email is sent to all `tdshare <EmailAddress>` users informing them of name and URL of the uploaded/updated file.
+* `tdnobrowser` - If False, a browser is opened to view the file uploaded to Google Drive; if not specified, the `todrive_nobrowser` value from gam.cfg is used. If True, no browser is opened.
+* `tdnoemail` - If False, an email is sent to `tduser` informing them of name and URL of the uploaded file; if not specified, the `todrive_noemail` value from gam.cfg is used. If True, no email is sent to `tduser`.
+* `tdnotify` - If True, an email is sent to all `tdshare <EmailAddress>` and `tdalert <EmailAddress>` users informing them of name and URL of the uploaded/updated file. If False, no emails are sent.
+* `tdfrom <EmailAddress>` - Emails will be sent with `<EmailAddress>` as the from address. By default, the from address is the Google Workspace Admin in `gam oauth info`.
 
 ## Escape character
 * `tdnoescapechar <Boolean>` - Should `\` be ignored as an escape character; if not specified, the value of `todrive_no_escape_char` from `gam.cfg` will be used

docs/Users-Calendars-Events.md

@@ -592,6 +592,13 @@ To empty the calendar trash a temporary calendar is created, the deleted events
 gam <UserTypeEntity> empty calendartrash <UserCalendarEntity>
 ```
 
+## Move calendar events to another calendar
+Generally you won't move all events from one calendar to another; typically, you'll move events created by the event creator
+using `matchfield creatoremail <RegularExpression>` in conjunction with other `<EventSelectProperty>` and `<EventMatchProperty>` options.
+```
+gam <UserTypeEntity> move events <UserCalendarEntity> [<EventEntity>] destination|to <CalendarItem> [<EventNotificationAttribute>]
+```
+
 ## Display calendar events
 ```
 gam <UserTypeEntity> info events <UserCalendarEntity> [<EventEntity>] [maxinstances <Number>]

docs/Users-Drive-Labels.md

@@ -6,12 +6,15 @@
 - [Introduction](#introduction)
 - [Display Drive Labels](#display-drive-labels)
 - [Process File Drive Labels](#process-file-drive-labels)
+- [Manage Drive Label Permissions](#manage-drive-label-permissions)
+- [Display Drive Label Permissions](#display-drive-label-permissions)
 
 ## API documentation
 * https://support.google.com/a/answer/9292382
 * https://developers.google.com/drive/labels/guides/overview
 * https://developers.google.com/drive/labels/guides/authorize
 * https://developers.google.com/drive/labels/reference/rest/v2beta/labels
+* https://developers.google.com/drive/labels/reference/rest/v2beta/labels.permissions
 * https://developers.google.com/drive/api/guides/about-labels
 * https://developers.google.com/drive/api/v3/reference/files
 
@@ -19,13 +22,15 @@
 To use these commands you must add the 'Drive Labels API' to your project and update your service account authorization.
 ```
 gam update project
-gam user user@domain.com check serviceaccount
+gam user user@domain.com update serviceaccount
 ```
 Supported editions for this feature: Business Standard and Business Plus; Enterprise; Education Standard and Education Plus; G Suite Business; Essentials.
 
 ## Definitions
 * [`<DriveFileEntity>`](Drive-File-Selection)
 * [`<UserTypeEntity>`](Collections-of-Users)
+* [`<DriveLabelNameEntity>`, `<DriveLabelPermissionNameEntity'](Collections-of-Items)
+* [`<UserTypeEntity>`](Collections-of-Items)
 
 ```
 <DriveLabelID> ::= <String>
@@ -35,7 +40,11 @@ Supported editions for this feature: Business Standard and Business Plus; Enterp
 <DriveLabelNameList> ::= "<DriveLabelName>(,<DriveLabelName)*"
 <DriveLabelNameEntity> ::=
         <DriveLabelNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+
+<DriveLabelPermissionName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]/permissions/(audiences|groups|people)/<String>
+<DriveLabelPermissionNameList> ::= "<DriveLabelPermissionName>(,<DriveLabelPermissionName>)*"
+<DriveLabelPermissionNameEntity> ::=
+        <DriveLabelPermissionNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
 
 <DriveLabelFieldID> ::= <String>
 <DriveLabelSelectionID> ::= <String>
@@ -86,9 +95,9 @@ A domain administrator with the Drive and Docs administrator privilege can searc
 owned by their organization, regardless of the admin's membership in any given Shared Drive.
 
 Three forms of the commands are available:
-* `gam action ...` - The administrator named in oauth2.txt is used, domain administrator access implied and labels of type `SHARED` and `ADMIN`can be written
-* `gam <UserTypeEntity> action ... adminaccess` - The user named in `<UserTypeEntty>` is used, adminaccess indicates that labels of type `SHARED` and `ADMIN`can be written
-* `gam <UserTypeEntity> action ...` - The user named in `<UserTypeEntty>` is used, access is limited, onlylabels of type `SHARED` can be written
+* `gam action ...` - The administrator named in oauth2.txt is used, domain administrator access implied and labels of type `SHARED` and `ADMIN`can be processed
+* `gam <UserTypeEntity> action ... adminaccess` - The user named in `<UserTypeEntty>` is used, adminaccess indicates that labels of type `SHARED` and `ADMIN`can be processed
+* `gam <UserTypeEntity> action ...` - The user named in `<UserTypeEntty>` is used, access is limited, onlylabels of type `SHARED` can be processed
 
 ## Display Drive Labels
 
@@ -156,3 +165,51 @@ gam <UserTypeEntity> process filedrivelabels <DriveFileEntity>
 
 By default, details of the process labels are displayed, use `nodetails` to suppress this display.
 
+## Manage Drive Label Permissions
+Create a permission for a Drive Label by specifying the label name and the principal.
+```
+gam [<UserTypeEntity>] create drivelabelpermission <DriveLabelNameEntity>
+        (user <UserItem>) | (group <GroupItem) | (audience <String>)
+        role applier|editor|organizer|reader
+        [nodetails|formatjson] [adminaccess|asadmin]
+```
+
+By default, when a permission is created, GAM outputs details of the permission as indented keywords and values.
+* `nodetails` - Suppress the details output.
+* `formatjson` - Output the details in JSON format.
+
+Delete a Drive Label permission by specifying the label name and the principal.
+```
+gam [<UserTypeEntity>] delete drivelabelpermission <DriveLabelNameEntity>
+        (user <UserItem>) | (group <GroupItem) | (audience <String>)
+        [adminaccess|asadmin]
+```
+
+Delete a Drive Label permission by specifying the label permission name.
+```
+gam [<UserTypeEntity>] remove drivelabelpermission <DriveLabelPermissionNameEntity>
+        [adminaccess|asadmin]
+```
+## Display Drive Label Permissions
+Display permissions for a collection of Drive Label permission names.
+```
+gam [<UserTypeEntity>] show drivelabelpermissions <DriveLabelNameEntity>
+        [formatjson] [adminaccess|asadmin]
+```
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam [<UserTypeEntity>] print drivelabelpermissions <DriveLabelNameEntity> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]] [adminaccess|asadmin]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+

docs/Users-Drive-Permissions.md

@@ -8,6 +8,7 @@
 - [Display file permissions/sharing](#display-file-permissionssharing)
 - [Delete all ACLs except owner from a file](#delete-all-acls-except-owner-from-a-file)
 - [Change shares to User1 to shares to User2](#change-shares-to-user1-to-shares-to-user2)
+- [Map All ACLs from an old domain to a new domain](#map-all-acls-from-an-old-domain-to-a-new-domain)
 
 ## API documentation
 * https://developers.google.com/drive/api/v3/reference/permissions
@@ -316,4 +317,26 @@ gam redirect csv ./FilesSharedWithU1Settings.csv multiprocess csv FilesSharedWit
 gam redirect stdout ./DeleteU1Sharing.txt multiprocess redirect stderr stdout csv FilesSharedWithU1Settings.csv gam user "~Owner" delete drivefileacl "~id" "~permissions.0.emailAddress"
 # For each of these files, add the share to User2 with the same role that User1 had
 gam redirect stdout ./AddUser2Sharing.txt multiprocess redirect stderr stdout csv FilesSharedWithU1Settings.csv gam user "~Owner" create drivefileacl "~id" user user2@domain.com role "~permissions.0.role"
-```
+```
+
+## Map All ACLs from an old domain to a new domain
+* Get ACLs
+```
+gam redirect csv ./allUsersFiles.csv multiprocess all users print filelist fields name,id,basicpermissions oneitemperrow pmfilter pm domain olddomain.com em
+```
+
+* Delete ACLs with olddomain.com
+```
+gam redirect stdout ./DeleteOldDomainACLs.txt multiprocess redirect stderr stdout csv ./allUsersFiles.csv gam user "~Owner" delete drivefileacl "~id" "id:~~permission.id~~"
+```
+
+* Add user/group ACLs replacing olddomain.com with newdomain.com
+```
+gam config csv_input_row_filter "permission.type:regex:user|group" redirect stdout ./AddNewDomainACLsUserGroupShares.txt multiprocess redirect stderr stdout csv ./allUsersFiles.csv gam user "~Owner" create drivefileacl "~id" "~permission.type" "~permission.emailAddress" role "~permission.role" mappermissionsdomain olddomain.com newdomain.com
+```
+
+* Add domain ACLs replacing olddomain.com with newdomain.com
+```
+gam config csv_input_row_filter "permission.type:regex:domain" redirect stdout ./AddNewDomainACLsDomainShares.txt multiprocess redirect stderr stdout csv ./allUsersFiles.csv gam user "~Owner" create drivefileacl "~id" "~permission.type" "~permission.domain" role "~permission.role" allowfilediscovery "~permission.allowFileDiscovery" mappermissionsdomain olddomain.com newdomain.com
+```
+    

docs/Users-Gmail-CSE.md

@@ -49,9 +49,15 @@ Creates and configures a client-side encryption identity that's authorized to se
 Google publishes the S/MIME certificate to a shared domain-wide directory so that people within a Google Workspace organization can encrypt and send mail to the identity.
 
 ```
-gam <UserTypeEntity> create cseidentity <KeyPairID> [kpemail <EmailAddress>]
+gam <UserTypeEntity> create cseidentity
+        (primarykeypairid <KeyPairID>) | (signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>)
+        [kpemail <EmailAddress>]
         [formatjson]
 ```
+One of the following is required:
+* `primarykeypairid <KeyPairID>` - The configuration of a CSE identity that uses the same key pair for signing and encryption.
+* `signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>` - The configuration of a CSE identity that uses different key pairs for signing and encryption.
+
 If `kpemail <EmailAddress>` is not specified, the user's primary email address is used for the identity.
 
 By default, Gam displays the identity as an indented list of keys and values; the following option causes the output to be in JSON format:
@@ -60,10 +66,16 @@ By default, Gam displays the identity as an indented list of keys and values; th
 ## Update Gmail CSE Identity
 Associates a different key pair with an existing client-side encryption identity. The updated key pair must validate against Google's S/MIME certificate profiles.
 ```
-gam <UserTypeEntity> update cseidentity <KeyPairID> [kpemail <EmailAddress>]
+gam <UserTypeEntity> update cseidentity
+        (primarykeypairid <KeyPairID>) | (signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>)
+        [kpemail <EmailAddress>]
         [formatjson]
 ```
-If `kpemail <EmailAddress>` is not specified, the key pair for the user's primary email address is identity updated.
+One of the following is required:
+* `primarykeypairid <KeyPairID>` - The configuration of a CSE identity that uses the same key pair for signing and encryption.
+* `signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>` - The configuration of a CSE identity that uses different key pairs for signing and encryption.
+
+bIf `kpemail <EmailAddress>` is not specified, the key pair for the user's primary email address is identity updated.
 
 By default, Gam displays the identity as an indented list of keys and values; the following option causes the output to be in JSON format:
 * `formatjson` - Display the fields in JSON format.
@@ -112,7 +124,7 @@ Create a CSE Key Pair for the primary address of a user.
 gam <UserTypeEntity> create csekeypair
         [incertdir <FilePath>] [inkeydir <FilePath>]
         [addidentity [<Boolean>]] [kpemail <EmailAddress>]
-        [formatjson|returnidonly]
+        [showpem] [showkaclsdata] [formatjson|returnidonly]
 ```
 * The S/MIME certificate files for the users are in the `incertdir <FilePath>` folder/directory.
 * If this option is not specified, the directory is taken from `gam.cfg/gmail_cse_incert_dir`.
@@ -126,6 +138,8 @@ gam <UserTypeEntity> create csekeypair
     * `kacls_url` - The URI of the key access control list service that manages the private key.
     * `wrapped_private_key` - Opaque data generated and used by the key access control list service.
 
+By default, the `pem` and `kaclsdata` fields will not be displayed unless the corresponding `showpem` and `showkaclsdata` option is specified.
+
 By default, Gam displays the new key pair as an indented list of keys and values; the following options cause the output to be displayed in alternate forms.
 * `formatjson` - Display the fields in JSON format.
 * `returnidonly` - Display just the new `<KeyPairID>`.
@@ -139,11 +153,14 @@ By default, Gam displays the identity as an indented list of keys and values; th
 
 
 ## Action Gmail CSE Key Pairs
+### Display pem and kaclsdata fields
+By default, the `pem` and `kaclsdata` fields will not be displayed unless the corresponding `showpem` and `showkaclsdata` option is specified.
+
 ### Disable
 Turns off a client-side encryption key pair. The authenticated user can no longer use the key pair to decrypt incoming CSE message texts or sign outgoing CSE mail.
 ```
 gam <UserTypeEntity> disable csekeypair <KeyPairID>
-        [formatjson]
+        [showpem] [showkaclsdata] [formatjson]
 ```
 By default, Gam displays the disabled key pair as an indented list of keys and values; the following option causes the output to be displayed in alternate forms.
 * `formatjson` - Display the fields in JSON format.
@@ -152,7 +169,7 @@ By default, Gam displays the disabled key pair as an indented list of keys and v
 Turn on a client-side encryption key pair that was turned off. The key pair becomes active again for any associated client-side encryption identities.
 ```
 gam <UserTypeEntity> ensable csekeypair <KeyPairID>
-        [formatjson]
+        [showpem] [showkaclsdata] [formatjson]
 ```
 By default, Gam displays the enabled key pair as an indented list of keys and values; the following option causes the output to be displayed in alternate forms.
 * `formatjson` - Display the fields in JSON format.
@@ -167,10 +184,13 @@ gam <UserTypeEntity> obliterate csekeypair <KeyPairID>
 Gmail can't restore or decrypt any messages that were encrypted by an obliterated key. Authenticated users and Google Workspace administrators lose access to reading the encrypted messages.
 
 ## Display Gmail CSE Key Pairs
+### Display pem and kaclsdata fields
+By default, the `pem` and `kaclsdata` fields will not be displayed unless the corresponding `showpem` and `showkaclsdata` option is specified.
+
 ### Display an existing client-side encryption key pair.
 ```
 gam <UserTypeEntity> info csekeypair <KeyPairID>
-        [formatjson]
+        [showpem] [showkaclsdata] [formatjson]
 ```
 By default, Gam displays the key pairs as an indented list of keys and values; the following option causes the output to be in JSON format:
 * `formatjson` - Display the fields in JSON format.
@@ -179,14 +199,14 @@ By default, Gam displays the key pairs as an indented list of keys and values; t
 ### Display all client-side encryption key pairs for an authenticated user.
 ```
 gam <UserTypeEntity> show csekeypairs
-        [formatjson]
+        [showpem] [showkaclsdata] [formatjson]
 ```
 By default, Gam displays the key pairs as an indented list of keys and values; the following option causes the output to be in JSON format:
 * `formatjson` - Display the fields in JSON format.
 
 ```
 gam <UserTypeEntity> print csekeypairs [todrive <ToDriveAttribute>*]
-        [formatjson [quotechar <Character>]]
+        [showpem] [showkaclsdata] [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays the key pairs as columns of fields; the following option causes the output to be in JSON format:
 * `formatjson` - Display the fields in JSON format.

docs/Users.md

@@ -39,6 +39,7 @@
     - [Print domain counts for users specified by `<UserTypeEntity>`](#print-domain-counts-for-users-specified-by-usertypeentity)
 - [Print user list](#print-user-list)
 - [Display user counts](#display-user-counts)
+- [Verify domain membership]($verify-domain-membership)
 
 ## API documentation
 * https://developers.google.com/admin-sdk/directory/reference/rest/v1/users
@@ -981,14 +982,16 @@ gam print users [todrive <ToDriveAttribute>*]
          [limittoou <OrgUnitItem>] [deleted_only|only_deleted])
         [orderby <UserOrderByFieldName> [ascending|descending]]
         [groups|groupsincolumns]
-        [license|licenses|licence|licences]
+        [license|licenses|licence|licences|licensebyuser|licensesbyuser|licencebyuser|licencesbyuser]
         [onelicenseperrow|onelicenceperrow]
+        [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
         [schemas|custom|customschemas all|<SchemaNameList>]
         [emailpart|emailparts|username]
         [userview] [allfields|basic|full|(<UserFieldName>*|fields <UserFieldNameList>)]
         [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
         [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
         [issuspended <Boolean>] [aliasmatchpattern <RegularExpression>]
+        [showvalidcolumn] (addcsvdata <FieldName> <String>)*
 ```
 
 By default, users in all domains in the account are selected; these options allow selection of subsets of users:
@@ -1008,11 +1011,13 @@ gam print users [todrive <ToDriveAttribute>*] select <UserTypeEntity>
         [onelicenseperrow|onelicenceperrow]
         [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
         [schemas|custom|customschemas all|<SchemaNameList>]
-        [emailpart|emailparts|username][schemas|custom all|<SchemaNameList>]
-        [userview] [allfields|basic|full|(<UserFieldName>*|fields <UserFieldNameList>)]
+        [emailpart|emailparts|username]
+        [userview] [basic|full|allfields|(<UserFieldName>*|fields <UserFieldNameList>)]
         [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
         [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
         [issuspended <Boolean>] [aliasmatchpattern <RegularExpression>]
+        [showvalidcolumn] (addcsvdata <FieldName> <String>)*
+
 gam <UserTypeEntity> print users [todrive <ToDriveAttribute>*]
         [orderby <UserOrderByFieldName> [ascending|descending]]
         [groups|groupsincolumns]
@@ -1021,10 +1026,11 @@ gam <UserTypeEntity> print users [todrive <ToDriveAttribute>*]
         [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
         [schemas|custom|customschemas all|<SchemaNameList>]
         [emailpart|emailparts|username]
-        [userview] [allfields|basic|full|(<UserFieldName>*|fields <UserFieldNameList>)]
+        [userview] [basic|full|allfields|(<UserFieldName>*|fields <UserFieldNameList>)]
         [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
         [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
         [issuspended <Boolean>] [aliasmatchpattern <RegularExpression>]
+        [showvalidcolumn] (addcsvdata <FieldName> <String>)*
 ```
 
 By default, Gam gets no group membership information for each user. The `groups` and `groupsincolumns`
@@ -1079,6 +1085,17 @@ In the output, primaryEmail is the always the first column; these options contro
 * `<UserFieldName>*|fields <UserFieldNameList>` - The columns appear in the order that the fields are specified.
 * `scalarsfirst [true]` - When columns are sorted by name, scalar fields appear before repeating fields.
 
+By default, if `<UserTypeEntity>` includes an email address the is not a user member of the domain,
+an error message is generated.
+```
+User: testuserxxx@domain.com, Does not exist
+```
+
+Using option `showvalidcolumn`, a new column `Found` indicates domain membership; no errors are generated
+
+Add additional columns of data from the command line to the output
+* `addcsvdata <FieldName> <String>`
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
 * `formatjson` - Display the fields in JSON format.
 
@@ -1249,3 +1266,34 @@ count=$(gam print users query "orgUnitPath='/Students/Middle School'" showitemco
 Windows PowerShell
 count = & gam print users query "orgUnitPath='/Students/Middle School'" showitemcountonly
 ```
+## Verify domain membership
+You have a CSV file of email addresses and want to verify of the addresses are valid users in your domain.
+```
+# Users.csv
+$ more Users.csv
+primaryEmail,name
+testuser1@domain.com,Test User 1
+testuserxxx@domain.com,Test User XXX
+testuser2@domain.com,Test User 2
+
+# Without showvalidcolumn, non-domain users generate an error
+$ gam redirect csv - multiprocess csv Users.csv gam user "~primaryEmail" print users fields primaryemail,id addcsvdata name "~name"
+2024-02-23T11:29:00.407-08:00,0/3,Using 3 processes...
+2024-02-23T11:29:00.410-08:00,0,Processing item 3/3
+User: testuserxxx@domain.com, Does not exist
+2024-02-23T11:29:06.511-08:00,0/3,Processing complete
+primaryEmail,id,name
+testuser1@domain.com,118080758787650801331,Test User 1
+testuser2@domain.com,107344800159717682514,Test User 2
+
+# Using showvalidcolumn, a new column `Valid` indicates domain membership; no errors are generated
+$ gam redirect csv - multiprocess csv Users.csv gam user "~primaryEmail" print users fields primaryemail,id addcsvdata name "~name" showvalidcolumn
+2024-02-23T11:29:22.287-08:00,0/3,Using 3 processes...
+2024-02-23T11:29:22.292-08:00,0,Processing item 3/3
+2024-02-23T11:29:23.366-08:00,0/3,Processing complete
+primaryEmail,id,Valid,name
+testuser1@domain.com,118080758787650801331,True,Test User 1
+testuserxxx@domain.com,,False,Test User XXX
+testuser2@domain.com,107344800159717682514,True,Test User 2
+```
+

docs/Version-and-Help.md

@@ -3,7 +3,7 @@
 Print the current version of Gam with details
 ```
 gam version
-GAMADV-XTD3 6.70.00 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.71.05 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
 Python 3.12.2 64-bit final
 MacOS Sonoma 14.2.1 x86_64
@@ -15,7 +15,7 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAMADV-XTD3 6.70.00 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.71.05 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
 Python 3.12.2 64-bit final
 MacOS Sonoma 14.2.1 x86_64
@@ -27,7 +27,7 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAMADV-XTD3 6.70.00 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 6.71.05 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
 Python 3.12.2 64-bit final
 MacOS Sonoma 14.2.1 x86_64
@@ -64,7 +64,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gamadv-xtd3
 Version Check:
   Current: 5.35.08
-   Latest: 6.70.00
+   Latest: 6.71.05
 echo $?
 1
 ```
@@ -72,7 +72,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-6.70.00
+6.71.05
 ```
 In Linux/MacOS you can do:
 ```
@@ -82,7 +82,7 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 6.70.00 - https://github.com/taers232c/GAMADV-XTD3
+GAM 6.71.05 - https://github.com/taers232c/GAMADV-XTD3
 Ross Scroggs <ross.scroggs@gmail.com>
 Python 3.12.2 64-bit final
 MacOS Sonoma 14.2.1 x86_64

docs/gam.cfg.md

@@ -255,6 +255,10 @@ csv_output_row_filter_mode
 csv_output_row_limit
         A limit on the number of rows to write to a CSV file; a value of 0 sets no limit.
         Default: 0
+csv_output_sort_headers
+        A list of column headers that causes GAM to sort CSV output rows by those headers.
+        The column headers are case insensitive and if column header does not appear in the CSV output, it is ignored.
+        Default: Blank
 csv_output_subfield_delimiter
         Character used to delimit fields and subfields in headers when writing CSV files;
         this must be a single character

src/GamCommands.txt

@@ -22,43 +22,6 @@ If an item contains spaces, it should be surrounded by ".
 <FalseValues>= false|off|no|disabled|0
 <TrueValues> ::= true|on|yes|enabled|1
 
-<Charset> ::= ascii|latin1|mbcs|utf-8|utf-8-sig|utf-16|<String>
-<CalendarColorIndex> ::= <Number in range 1-24>
-<CalendarColorName> ::=
-        amethyst|avocado|banana|basil|birch|blueberry|
-        cherryblossom|citron|cobalt|cocoa|eucalyptus|flamingo|
-        grape|graphite|lavender|mango|peacock|pistachio|
-        pumpkin|radicchio|sage|tangerine|tomato|wisteria|
-<ColorHex> ::= "#<Hex><Hex><Hex><Hex><Hex><Hex>"
-<ColorNameGoogle> ::=
-        asparagus|bluevelvet|bubblegum|cardinal|chocolateicecream|denim|desertsand|
-        earthworm|macaroni|marsorange|mountaingray|mountaingrey|mouse|oldbrickred|
-        pool|purpledino|purplerain|rainysky|seafoam|slimegreen|spearmint|
-        toyeggplant|vernfern|wildstrawberries|yellowcab
-<ColorNameWeb> ::=
-        aliceblue|antiquewhite|aqua|aquamarine|azure|beige|bisque|black|blanchedalmond|
-        blue|blueviolet|brown|burlywood|cadetblue|chartreuse|chocolate|coral|
-        cornflowerblue|cornsilk|crimson|cyan|darkblue|darkcyan|darkgoldenrod|darkgray|
-        darkgrey|darkgreen|darkkhaki|darkmagenta|darkolivegreen|darkorange|darkorchid|
-        darkred|darksalmon|darkseagreen|darkslateblue|darkslategray|darkslategrey|
-        darkturquoise|darkviolet|deeppink|deepskyblue|dimgray|dimgrey|dodgerblue|
-        firebrick|floralwhite|forestgreen|fuchsia|gainsboro|ghostwhite|gold|goldenrod|
-        gray|grey|green|greenyellow|honeydew|hotpink|indianred|indigo|ivory|khaki|
-        lavender|lavenderblush|lawngreen|lemonchiffon|lightblue|lightcoral|lightcyan|
-        lightgoldenrodyellow|lightgray|lightgrey|lightgreen|lightpink|lightsalmon|
-        lightseagreen|lightskyblue|lightslategray|lightslategrey|lightsteelblue|
-        lightyellow|lime|limegreen|linen|magenta|maroon|mediumaquamarine|mediumblue|
-        mediumorchid|mediumpurple|mediumseagreen|mediumslateblue|mediumspringgreen|
-        mediumturquoise|mediumvioletred|midnightblue|mintcream|mistyrose|moccasin|
-        navajowhite|navy|oldlace|olive|olivedrab|orange|orangered|orchid|
-        palegoldenrod|palegreen|paleturquoise|palevioletred|papayawhip|peachpuff|
-        peru|pink|plum|powderblue|purple|red|rosybrown|royalblue|saddlebrown|salmon|
-        sandybrown|seagreen|seashell|sienna|silver|skyblue|slateblue|slategray|
-        slategrey|snow|springgreen|steelblue|tan|teal|thistle|tomato|turquoise|violet|
-        wheat|white|whitesmoke|yellow|yellowgreen
-<ColorName> ::= <ColorNameGoogle>|<ColorNameWeb>
-<ColorValue> ::= <ColorName>|<ColorHex>
-<DayOfWeek> ::= mon|tue|wed|thu|fri|sat|sun
 <BCP47LanguageCode> ::=
         ar-sa| # Arabic Saudi Arabia
         cs-cz| # Czech Czech Republic
@@ -97,6 +60,43 @@ If an item contains spaces, it should be surrounded by ".
         zh-cn| # Chinese China
         zh-hk| # Chinese Hong Kong
         zh-tw  # Chinese Taiwan
+<Charset> ::= ascii|latin1|mbcs|utf-8|utf-8-sig|utf-16|<String>
+<CalendarColorIndex> ::= <Number in range 1-24>
+<CalendarColorName> ::=
+        amethyst|avocado|banana|basil|birch|blueberry|
+        cherryblossom|citron|cobalt|cocoa|eucalyptus|flamingo|
+        grape|graphite|lavender|mango|peacock|pistachio|
+        pumpkin|radicchio|sage|tangerine|tomato|wisteria|
+<ColorHex> ::= "#<Hex><Hex><Hex><Hex><Hex><Hex>"
+<ColorNameGoogle> ::=
+        asparagus|bluevelvet|bubblegum|cardinal|chocolateicecream|denim|desertsand|
+        earthworm|macaroni|marsorange|mountaingray|mountaingrey|mouse|oldbrickred|
+        pool|purpledino|purplerain|rainysky|seafoam|slimegreen|spearmint|
+        toyeggplant|vernfern|wildstrawberries|yellowcab
+<ColorNameWeb> ::=
+        aliceblue|antiquewhite|aqua|aquamarine|azure|beige|bisque|black|blanchedalmond|
+        blue|blueviolet|brown|burlywood|cadetblue|chartreuse|chocolate|coral|
+        cornflowerblue|cornsilk|crimson|cyan|darkblue|darkcyan|darkgoldenrod|darkgray|
+        darkgrey|darkgreen|darkkhaki|darkmagenta|darkolivegreen|darkorange|darkorchid|
+        darkred|darksalmon|darkseagreen|darkslateblue|darkslategray|darkslategrey|
+        darkturquoise|darkviolet|deeppink|deepskyblue|dimgray|dimgrey|dodgerblue|
+        firebrick|floralwhite|forestgreen|fuchsia|gainsboro|ghostwhite|gold|goldenrod|
+        gray|grey|green|greenyellow|honeydew|hotpink|indianred|indigo|ivory|khaki|
+        lavender|lavenderblush|lawngreen|lemonchiffon|lightblue|lightcoral|lightcyan|
+        lightgoldenrodyellow|lightgray|lightgrey|lightgreen|lightpink|lightsalmon|
+        lightseagreen|lightskyblue|lightslategray|lightslategrey|lightsteelblue|
+        lightyellow|lime|limegreen|linen|magenta|maroon|mediumaquamarine|mediumblue|
+        mediumorchid|mediumpurple|mediumseagreen|mediumslateblue|mediumspringgreen|
+        mediumturquoise|mediumvioletred|midnightblue|mintcream|mistyrose|moccasin|
+        navajowhite|navy|oldlace|olive|olivedrab|orange|orangered|orchid|
+        palegoldenrod|palegreen|paleturquoise|palevioletred|papayawhip|peachpuff|
+        peru|pink|plum|powderblue|purple|red|rosybrown|royalblue|saddlebrown|salmon|
+        sandybrown|seagreen|seashell|sienna|silver|skyblue|slateblue|slategray|
+        slategrey|snow|springgreen|steelblue|tan|teal|thistle|tomato|turquoise|violet|
+        wheat|white|whitesmoke|yellow|yellowgreen
+<ColorName> ::= <ColorNameGoogle>|<ColorNameWeb>
+<ColorValue> ::= <ColorName>|<ColorHex>
+<DayOfWeek> ::= mon|tue|wed|thu|fri|sat|sun
 <EventColorIndex> ::= <Number in range 1-11>
 <EventColorName> ::=
         banana|basil|blueberry|flamingo|graphite|grape|
@@ -267,7 +267,8 @@ If an item contains spaces, it should be surrounded by ".
         cloudidentity | identity | 1010010001 |
         cloudidentitypremium | identitypremium | 1010050001 |
         cloudsearch | 1010350001 |
-        duetai | 1010470001 |
+        geminibiz | 1010470003 |
+        geminient| duetai | 1010470001 |
         gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
         gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
         gsuitebusinessarchived | gsbau | businessarchived | 1010340002 |
@@ -441,6 +442,7 @@ If an item contains spaces, it should be surrounded by ".
 <DriveLabelFieldID> ::= <String>
 <DriveLabelSelectionID> ::= <String>
 <DriveLabelName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]
+<DriveLabelPermissionName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]/permissions/(audiences|groups|people)/<String>
 <EmailAddress> ::= <String>@<DomainName>
 <EmailItem> ::= <EmailAddress>|<UniqueID>|<String>
 <EmailReplacement> ::= <String>
@@ -583,6 +585,7 @@ If an item contains spaces, it should be surrounded by ".
 <StorageObjectName> ::= <String>
 <StorageBucketObjectName> ::=
         https://storage.cloud.google.com/<StorageBucketName>/<StorageObjectName>|
+        https://storage.googleapis.com/<StorageBucketName>/<StorageObjectName>|
         gs://<StorageBucketName>/<StorageObjectName>|
         <StorageBucketName>/<StorageObjectName>
 <Tag> ::= <String>
@@ -597,6 +600,7 @@ If an item contains spaces, it should be surrounded by ".
 <Title> ::= <String>
 <ToDriveAttribute> ::=
         (tdaddsheet [<Boolean>])|
+        (tdalert <EmailAddress>)*|
         (tdbackupsheet (id:<Number>)|<String>)|
         (tdcellnumberformat text|number)|
         (tdcellwrap clip|overflow|wrap)|
@@ -604,20 +608,23 @@ If an item contains spaces, it should be surrounded by ".
         (tdcopysheet (id:<Number>)|<String>)|
         (tddescription <String>)|
         (tdfileid <DriveFileID>)|
+        (tdfrom <EmailAddress>)|
         (tdlocalcopy [<Boolean>])|
         (tdlocale <Locale>)|
         (tdnobrowser [<Boolean>])|
         (tdnoemail [<Boolean>])|
         (tdnoescapechar [<Boolean>])|
+        (tdnotify [<Boolean>])|
         (tdparent (id:<DriveFolderID>)|<DriveFolderName>)|
         (tdretaintitle [<Boolean>])|
         (tdshare <EmailAddress> commenter|reader|writer)*|
         (tdsheet (id:<Number>)|<String>)|
         (tdsheettimestamp [<Boolean>] [tdsheettimeformat <String>])
         (tdsheettitle <String>)|
+        (tdsubject <String>)|
         ([tdsheetdaysoffset <Number>] [tdsheethoursoffset <Number>])|
         (tdtimestamp [<Boolean>] [tdtimeformat <String>]
-            [tddaysoffset <Number>] [tdhoursoffset <Number>])|
+            ([tddaysoffset <Number>] [tdhoursoffset <Number>])|
         (tdtimezone <TimeZone>)|
         (tdtitle <String>)|
         (tdupdatesheet [<Boolean>])|
@@ -641,6 +648,7 @@ If an item contains spaces, it should be surrounded by ".
 <AssetTagList> ::= "<AssetTag>(,<AssetTag>)*"
 <CalendarACLScopeList> ::= "<CalendarACLScope>(,<CalendarACLScope>)*"
 <CalendarList> ::= "<CalendarItem>(,<CalendarItem>)*"
+<ChatSpaceList> ::= "<ChatSpace>(,<ChatSpace>)*"
 <CIGroupAliasList> ::= "<CIGroupAlias>(,<CIGroupAlias>)*"
 <CIGroupTypeList> ::= "<CIGroupType>(,<CIGroupType>)*"
 <ClassroomInvitationIDList> ::= "<ClassroomInvitationID>(,<ClassroomInvitationID>)*"
@@ -673,6 +681,7 @@ If an item contains spaces, it should be surrounded by ".
 <DriveFolderNameList> ::= "<DriveFolderName>(,<DriveFolderName>)*"
 <DriveLabelIDList> ::= "<DriveLabelID>(,<DriveLabelID>)*"
 <DriveLabelNameList> ::= "<DriveLabelName>(,<DriveLabelName>)*"
+<DriveLabelPermissionNameList> ::= "<DriveLabelPermissionName>(,<DriveLabelPermissionName>)*"
 <DriveLabelFieldIDList> ::= "<DriveLabelFieldID>(,<DriveLabelFieldID>)*"
 <DriveLabelSelectionIDList> ::= "<DriveLabelSelectionID>(,<DriveLabelSelectionID>)*"
 <EmailAddressList> ::= "<EmailAddress>(,<EmailAddress>)*"
@@ -1095,6 +1104,8 @@ Specify a collection of items by directly specifying them; the item type is dete
         <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <DriveLabelNameEntity> ::=
         <DriveLabelNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
+<DriveLabelPermissionNameEntity> ::=
+        <DriveLabelPermissionNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
 <EmailAddressEntity> ::=
         <EmailAddressList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <FilterIDEntity> ::=
@@ -1240,7 +1251,7 @@ For redirect csv, the optional arguments must appear in the order shown.
 <Redirect> ::=
         redirect csv <FileName> [multiprocess] [append] [noheader] [charset <Charset>]
                      [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
-                     [timestampcolumn <String>]
+                     [sortheaders <StringList>] [timestampcolumn <String>]
                      [todrive <ToDriveAttribute>*] |
         redirect stdout <FileName> [multiprocess] [append] |
         redirect stdout null [multiprocess] |
@@ -3395,6 +3406,21 @@ gam [<UserTypeEntity>] show drivelabels
         [basic|full] [languagecode <LanguageCode>]
         [publishedonly [<Boolean>]] [minimumrole applier|editor|organizer|reader]
         [formatjson] [adminaccess|asadmin]
+`
+gam [<UserTypeEntity>] create drivelabelpermission <DriveLabelNameEntity>
+        (user <UserItem>) | (group <GroupItem) | (audience <String>)
+        role applier|editor|organizer|reader
+        [formatjson] [adminaccess|asadmin]
+gam [<UserTypeEntity>] delete drivelabelpermission <DriveLabelNameEntity>
+        (user <UserItem>) | (group <GroupItem) | (audience <String>)
+        [adminaccess|asadmin]
+gam [<UserTypeEntity>] remove drivelabelpermission <DriveLabelPermissionNameEntity>
+        [adminaccess|asadmin]
+
+gam [<UserTypeEntity>] print drivelabelpermissions <DriveLabelNameEntity> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]] [adminaccess|asadmin]
+gam [<UserTypeEntity>] show drivelabelpermissions <DriveLabelNameEntity>
+        [formatjson] [adminaccess|asadmin]
 
 # Email Audit Monitor
 
@@ -5413,10 +5439,11 @@ gam print users [todrive <ToDriveAttribute>*]
         [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
         [schemas|custom|customschemas all|<SchemaNameList>]
         [emailpart|emailparts|username]
-        [userview] [basic|full|allfields | <UserFieldName>* | fields <UserFieldNameList>]
+        [userview] [basic|full|allfields|(<UserFieldName>*|fields <UserFieldNameList>)]
         [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
         [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
         [issuspended <Boolean>] [aliasmatchpattern <RegularExpression>]
+        [showvalidcolumn] (addcsvdata <FieldName> <String>)*
         [showitemcountonly]
 
 Print fields for specified users.
@@ -5429,10 +5456,11 @@ gam print users [todrive <ToDriveAttribute>*] select <UserTypeEntity>
         [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
         [schemas|custom|customschemas all|<SchemaNameList>]
         [emailpart|emailparts|username]
-        [userview] [basic|full|allfields | <UserFieldName>* | fields <UserFieldNameList>]
+        [userview] [basic|full|allfields|(<UserFieldName>*|fields <UserFieldNameList>)]
         [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
         [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
         [issuspended <Boolean>] [aliasmatchpattern <RegularExpression>]
+        [showvalidcolumn] (addcsvdata <FieldName> <String>)*
         [showitemcountonly]
 
 gam <UserTypeEntity> print users [todrive <ToDriveAttribute>*]
@@ -5443,10 +5471,11 @@ gam <UserTypeEntity> print users [todrive <ToDriveAttribute>*]
         [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
         [schemas|custom|customschemas all|<SchemaNameList>]
         [emailpart|emailparts|username]
-        [userview] [basic|full|allfields | <UserFieldName>* | fields <UserFieldNameList>]
+        [userview] [basic|full|allfields|(<UserFieldName>*|fields <UserFieldNameList>)]
         [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
         [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
         [issuspended <Boolean>] [aliasmatchpattern <RegularExpression>]
+        [showvalidcolumn] (addcsvdata <FieldName> <String>)*
         [showitemcountonly]
 
 The first column will always be primaryEmail; the remaining field names will be sorted if allfields, basic, full or sortheaders is specified;
@@ -7148,9 +7177,13 @@ gam <UserTypeEntity> print smimes [todrive <ToDriveAttribute>*]
 
 # Users - Gmail Client Side Encryption
 
-gam <UserTypeEntity> create cseidentity <KeyPairID> [kpemail <EmailAddress>]
+gam <UserTypeEntity> create cseidentity
+        (primarykeypairid <KeyPairID>) | (signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>)
+        [kpemail <EmailAddress>]
         [formatjson]
-gam <UserTypeEntity> update cseidentity <KeyPairID> [kpemail <EmailAddress>]
+gam <UserTypeEntity> update cseidentity
+        (primarykeypairid <KeyPairID>) | (signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>)
+        [kpemail <EmailAddress>]
         [formatjson]
 gam <UserTypeEntity> delete cseidentity [kpemail <EmailAddress>]
 
@@ -7164,19 +7197,19 @@ gam <UserTypeEntity> print cseidentities [todrive <ToDriveAttribute>*]
 gam <UserTypeEntity> create csekeypair
         [incertdir <FilePath>] [inkeydir <FilePath>]
         [addidentity [<Boolean>]] [kpemail <EmailAddress>]
-        [formatjson|returnidonly]
+        [showpem] [showkaclsdata] [formatjson|returnidonly]
 gam <UserTypeEntity> disable csekeypair <KeyPairID>
-        [formatjson]
+        [showpem] [showkaclsdata] [formatjson]
 gam <UserTypeEntity> enable csekeypair <KeyPairID>
-        [formatjson]
+        [showpem] [showkaclsdata] [formatjson]
 gam <UserTypeEntity> obliterate csekeypair <KeyPairID>
 
 gam <UserTypeEntity> info csekeypair <KeyPairID>
-        [formatjson]
+        [showpem] [showkaclsdata] [formatjson]
 gam <UserTypeEntity> show csekeypairs
-        [formatjson]
+        [showpem] [showkaclsdata] [formatjson]
 gam <UserTypeEntity> print csekeypairs [todrive <ToDriveAttribute>*]
-        [formatjson [quotechar <Character>]]
+        [showpem] [showkaclsdata] [formatjson [quotechar <Character>]]
 
 # Users - Gmail - Settings
 

src/GamUpdate.txt

@@ -2,6 +2,101 @@
 
 Merged GAM-Team version
 
+6.71.05
+
+Fixed a bug introduced in 6.71.00 that caused a trap in `gam <UserTypeEntity> print filelist`.
+
+Added option `tdfrom <EmailAddress>` to  `<ToDriveAttribute>` that causes GAM to use `<EmailAddress>` as the from address
+in all emails sent. By default, the from address is the Google Workspace Admin in `gam oauth info`.o
+
+6.71.04
+
+Updated `gam <UserTypeEntity> create|update cseidentity` to accept either of the following key pair options:
+* `primarykeypairid <KeyPairID>` - The configuration of a CSE identity that uses the same key pair for signing and encryption.
+* `signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>` - The configuration of a CSE identity that uses different key pairs for signing and encryption.
+
+Updated CSV output row sorting to avoid a trap that occurred when a row was missing one of the sort fields.
+
+6.71.03
+
+Added option `tdalert <EmailAddress>` to `<ToDriveAttribute>`. When a todrive file is created or updated,
+GAM will send notification emails to all `tdalert <EmailAddress>` users if `tdnotify` is true.
+`<EmailAddress>` must be valid within your Google Workspace.
+
+6.71.02
+
+Added additional error handling to Gmail Client Side Encryption commands.
+
+6.71.01
+
+Fixed bug in `gam audit monitor create` that caused a trap.
+
+6.71.00
+
+Added `csv_output_sort_headers` string list variable to `gam.cfg` that causes GAM to sort CSV output
+rows by the column headers specified in the variable. The column headers are case insensitive and
+if column header does not appear in the CSV output, it is ignored.
+
+Added `sortheaders <StringList>` to `redirect csv <FileName>` that has the same effect as above.
+
+The sort keys specified in `redirect csv ... sortheaders <StringList>` take precedence over the values from `gam.cfg`.
+
+Added option `tdsubject <String>` to  `<ToDriveAttribute>` that causes GAM to use `<String>` as the subject
+in all emails sent. In `<String>`, `#file#` will, be replaced by the file title and `#sheet#` will be replaced
+by the sheet/tab title. By default, the subject is the file title.
+
+6.70.09
+
+Added additional error handling to Gmail Client Side Encryption commands.
+
+Added options `showpem` and `showkaclsdata` to all Gmail CSE commands that process/display
+CSE key pairs. By default, the `pem` and `kaclsdata` fields will not be displayed unless
+the corresponding `show` option is specified.
+
+6.70.08
+
+Fixed bug in `gam <UserTypeEntity> create cseidentity <KeyPairID>` that caused an error.
+
+6.70.07
+
+Updated user instructions in `gam oauth create` and `gam <UserTypeEntity> update serviceaccount`
+and changed `s` from selecting all scopes to selecting default scopes.
+
+6.70.06
+
+Updated `gam info users <UserTypeEntity>` to not include group tree infornation unless option `grouptree` is specified.
+
+6.70.05
+
+Added commands to create|delete|display Drive Label permissions.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Drive-Labels
+
+6.70.04
+
+Added option `showvalidcolumn` to `gam print users` that can be used to identify whether
+users are defined in the domain. Typically, you would read CSV file of email addresses
+to verify as domain members.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users#verify-domain-membership
+
+Added option `addcsvdata <FieldName> <String>` to `gam print users` that adds
+additional columns of data to the CSV file output. Typically, you would read CSV file of email addresses
+to generate a CSV file of results and copy data from the input CSV to the outout CSV.
+
+6.70.03
+
+Renamed license product DuetAI to Gemini
+* ProductID - 101047
+
+Renamed license SKU DuetAI for Google Workspace to Gemini Enterprise
+* ProductID - 101047
+* SKUID - 1010470001 | geminient | duetai 
+
+Added support for license SKU Gemini Business
+* ProductID - 101047
+* SKUID - 1010470003 | geminibiz
+
 6.70.02
 
 In 6.69.00, GAM starting using course owner access when using `copyfrom` in `gam create|update course`

src/gam/gamlib/glapi.py

@@ -642,6 +642,7 @@ _SVCACCT_SCOPES = [
   {'name': 'Youtube API - read only',
    'api': YOUTUBE,
    'subscopes': [],
+   'offByDefault': True,
    'scope': 'https://www.googleapis.com/auth/youtube.readonly'},
   ]
 
@@ -657,10 +658,12 @@ _SVCACCT_SPECIAL_SCOPES = [
   {'name': 'Gmail API - Full Access - read only',
    'api': GMAIL,
    'subscopes': [],
+   'offByDefault': True,
    'scope': 'https://www.googleapis.com/auth/gmail.readonly'},
   {'name': 'Gmail API - Send Messages - including todrive',
    'api': GMAIL,
    'subscopes': [],
+   'offByDefault': True,
    'scope': GMAIL_SEND_SCOPE},
   {'name': 'Sheets API - todrive',
    'api': SHEETSTD,

src/gam/gamlib/glcfg.py

@@ -131,6 +131,8 @@ CSV_OUTPUT_ROW_DROP_FILTER = 'csv_output_row_drop_filter'
 CSV_OUTPUT_ROW_DROP_FILTER_MODE = 'csv_output_row_drop_filter_mode'
 # Limit number of output rows
 CSV_OUTPUT_ROW_LIMIT = 'csv_output_row_limit'
+# Output sort headers
+CSV_OUTPUT_SORT_HEADERS = 'csv_output_sort_headers'
 # Column header subfield name delimiter in CSV output file
 CSV_OUTPUT_SUBFIELD_DELIMITER = 'csv_output_subfield_delimiter'
 # Add timestamp column to CSV output file
@@ -350,6 +352,7 @@ Defaults = {
   CSV_OUTPUT_ROW_DROP_FILTER: '',
   CSV_OUTPUT_ROW_DROP_FILTER_MODE: 'anymatch',
   CSV_OUTPUT_ROW_LIMIT: '0',
+  CSV_OUTPUT_SORT_HEADERS: '',
   CSV_OUTPUT_SUBFIELD_DELIMITER: '.',
   CSV_OUTPUT_TIMESTAMP_COLUMN: '',
   CSV_OUTPUT_USERS_AUDIT: FALSE,
@@ -454,6 +457,7 @@ TYPE_LOCALE = 'locl'
 TYPE_PASSWORD = 'pass'
 TYPE_ROWFILTER = 'rowf'
 TYPE_STRING = 'stri'
+TYPE_STRINGLIST = 'strl'
 TYPE_TIMEZONE = 'tmzn'
 
 VAR_TYPE = 'type'
@@ -508,6 +512,7 @@ VAR_INFO = {
   CSV_OUTPUT_ROW_DROP_FILTER: {VAR_TYPE: TYPE_ROWFILTER},
   CSV_OUTPUT_ROW_DROP_FILTER_MODE: {VAR_TYPE: TYPE_CHOICE, VAR_CHOICES: {'allmatch': True, 'anymatch': False}},
   CSV_OUTPUT_ROW_LIMIT: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (0, None)},
+  CSV_OUTPUT_SORT_HEADERS: {VAR_TYPE: TYPE_STRINGLIST},
   CSV_OUTPUT_SUBFIELD_DELIMITER: {VAR_TYPE: TYPE_CHARACTER},
   CSV_OUTPUT_TIMESTAMP_COLUMN: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
   CSV_OUTPUT_USERS_AUDIT: {VAR_TYPE: TYPE_BOOLEAN},

src/gam/gamlib/glclargs.py

@@ -567,6 +567,8 @@ class GamCLArgs():
   ARG_DRIVEFOLDERPATH = 'drivefolderpath'
   ARG_DRIVELABEL = 'drivelabel'
   ARG_DRIVELABELS = 'drivelabels'
+  ARG_DRIVELABELPERMISSION = 'drivelabelpermission'
+  ARG_DRIVELABELPERMISSIONS = 'drivelabelpermissions'
   ARG_DRIVESETTINGS = 'drivesettings'
   ARG_DRIVETRASH = 'drivetrash'
   ARG_EMPTYDRIVEFOLDERS = 'emptydrivefolders'
@@ -877,6 +879,7 @@ class GamCLArgs():
   OB_DRIVE_FOLDER_PATH = 'DriveFolderPath'
   OB_DRIVE_LABEL_ID = 'DriveLabelID'
   OB_DRIVE_LABEL_NAME = 'DriveLabelName'
+  OB_DRIVE_LABEL_PERMISSION_NAME = 'DriveLabelPermissionName'
   OB_DRIVE_LABEL_FIELD_ID = 'DriveLabelFieldID'
   OB_DRIVE_LABEL_SELECTION_ID_LIST = 'DriveLabelSelectionIDList'
   OB_EMAIL_ADDRESS = 'EmailAddress'

src/gam/gamlib/glentity.py

@@ -191,6 +191,8 @@ class GamEntity():
   DRIVE_LABEL_FIELD_ID = 'dlfi'
   DRIVE_LABEL_ID = 'dlid'
   DRIVE_LABEL_NAME = 'dlna'
+  DRIVE_LABEL_PERMISSION = 'dlpe'
+  DRIVE_LABEL_PERMISSION_NAME = 'dlpn'
   DRIVE_ORPHAN_FILE_OR_FOLDER = 'orph'
   DRIVE_PARENT_FOLDER = 'fipf'
   DRIVE_PARENT_FOLDER_ID = 'fipi'
@@ -526,6 +528,8 @@ class GamEntity():
     DRIVE_LABEL_FIELD_ID: ['Drive Label Field IDs', 'Drive Label Field ID'],
     DRIVE_LABEL_ID: ['Drive Label IDs', 'Drive Label ID'],
     DRIVE_LABEL_NAME: ['Drive Label Names', 'Drive Label Name'],
+    DRIVE_LABEL_PERMISSION: ['Drive Label Permissions', 'Drive Label Permission'],
+    DRIVE_LABEL_PERMISSION_NAME: ['Drive Label Permission Names', 'Drive Label Permission Name'],
     DRIVE_ORPHAN_FILE_OR_FOLDER: ['Drive Orphan Files/Folders', 'Drive Orphan File/Folder'],
     DRIVE_PARENT_FOLDER: ['Drive Parent Folders', 'Drive Parent Folder'],
     DRIVE_PARENT_FOLDER_ID: ['Drive Parent Folder IDs', 'Drive Parent Folder ID'],

src/gam/gamlib/glgapi.py

@@ -24,6 +24,7 @@ ABORTED = 'aborted'
 ABUSIVE_CONTENT_RESTRICTION = 'abusiveContentRestriction'
 ACCESS_NOT_CONFIGURED = 'accessNotConfigured'
 ALREADY_EXISTS = 'alreadyExists'
+APPLY_LABEL_FORBIDDEN = 'applyLabelForbidden'
 AUTH_ERROR = 'authError'
 BACKEND_ERROR = 'backendError'
 BAD_GATEWAY = 'badGateway'
@@ -243,6 +244,7 @@ DRIVE3_DELETE_ACL_THROW_REASONS = [BAD_REQUEST, CANNOT_REMOVE_OWNER,
                                    INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, SHARING_RATE_LIMIT_EXCEEDED,
                                    NOT_FOUND, PERMISSION_NOT_FOUND]
 DRIVE3_MODIFY_LABEL_THROW_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND, NOT_FOUND, FORBIDDEN, INTERNAL_ERROR,
+                                                              FILE_NEVER_WRITABLE, APPLY_LABEL_FORBIDDEN,
                                                               INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, INSUFFICIENT_FILE_PERMISSIONS,
                                                               UNKNOWN_ERROR, INVALID_INPUT, BAD_REQUEST,
                                                               LABEL_MULTIPLE_VALUES_FOR_SINGULAR_FIELD, LABEL_MUTATION_FORBIDDEN,
@@ -349,6 +351,8 @@ class accessNotConfigured(Exception):
   pass
 class alreadyExists(Exception):
   pass
+class applyLabelForbidden(Exception):
+  pass
 class authError(Exception):
   pass
 class backendError(Exception):
@@ -649,6 +653,7 @@ REASON_EXCEPTION_MAP = {
   ABUSIVE_CONTENT_RESTRICTION: abusiveContentRestriction,
   ACCESS_NOT_CONFIGURED: accessNotConfigured,
   ALREADY_EXISTS: alreadyExists,
+  APPLY_LABEL_FORBIDDEN: applyLabelForbidden,
   AUTH_ERROR: authError,
   BACKEND_ERROR: backendError,
   BAD_REQUEST: badRequest,

src/gam/gamlib/glglobals.py

@@ -81,6 +81,8 @@ CSV_OUTPUT_ROW_FILTER_MODE = 'corm'
 CSV_OUTPUT_ROW_LIMIT = 'corl'
 # Add timestamp column to CSV output file
 CSV_OUTPUT_TIMESTAMP_COLUMN = 'csv_output_timestamp_column'
+# Output sort headers
+CSV_OUTPUT_SORT_HEADERS = 'cosh'
 # CSV todrive options
 CSV_TODRIVE = 'todr'
 # Current API services
@@ -236,6 +238,7 @@ Globals = {
   CSV_OUTPUT_ROW_FILTER: [],
   CSV_OUTPUT_ROW_FILTER_MODE: True,
   CSV_OUTPUT_ROW_LIMIT: 0,
+  CSV_OUTPUT_SORT_HEADERS: [],
   CSV_OUTPUT_TIMESTAMP_COLUMN: None,
   CSV_TODRIVE: {},
   CURRENT_API_SERVICES: {},

src/gam/gamlib/glmsgs.py

@@ -150,6 +150,7 @@ API_CALLS_RETRY_DATA = 'API calls retry data\n'
 API_CHECK_CLIENT_AUTHORIZATION = 'Please make sure the Client ID: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam oauth create\n'
 API_CHECK_SVCACCT_AUTHORIZATION = 'Please make sure the Service Account Client name: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam user {2} check serviceaccount\n'
 API_ERROR_SETTINGS = 'API error, some settings not set'
+ARE_BOTH_REQUIRED = 'Arguments {0} and {1} are both required'
 ARE_MUTUALLY_EXCLUSIVE = 'Arguments {0} and {1} are mutually exclusive'
 AS = 'as'
 ATTENDEES_ADD = 'Add Attendees'

src/gam/gamlib/glskus.py

@@ -34,7 +34,7 @@ _PRODUCTS = {
   '101039': 'Assured Controls',
   '101040': 'Beyond Corp Enterprise',
   '101043': 'Google Workspace Additional Storage',
-  '101047': 'Duet AI',
+  '101047': 'Gemini',
   'Google-Apps': 'Google Workspace',
   'Google-Chrome-Device-Management': 'Google Chrome Device Management',
   'Google-Drive-storage': 'Google Drive Storage',
@@ -86,9 +86,11 @@ _SKUS = {
   '1010430001': {
     'product': '101043', 'aliases': ['gwas', 'plusstorage'], 'displayName': 'Google Workspace Additional Storage'},
   '1010470001': {
-    'product': '101047', 'aliases': ['duetai'], 'displayName': 'Duet AI for Enterprise'},
+    'product': '101047', 'aliases': ['geminient', 'duetai'], 'displayName': 'Gemini Enterprise'},
   '1010470002': {
     'product': '101047', 'aliases': ['gwlabs', 'workspacelabs'], 'displayName': 'Google Workspace Labs'},
+  '1010470003': {
+    'product': '101047', 'aliases': ['geminibiz'], 'displayName': 'Gemini Business'},
   'Google-Apps': {
     'product': 'Google-Apps', 'aliases': ['standard', 'free'], 'displayName': 'G Suite Legacy'},
   'Google-Apps-For-Business': {