Updated `Meet API` scopes.
[*] 34) Meet API - Read Only
[*] 35) Meet API - Read Write
`Meet API - Read Only` - Allow apps to read metadata about any meeting space the user has access to.
`Meet API - Read Write` - Allow apps to create, modify, and read metadata about meeting spaces *created by your app*.
Updated `Meet API` scopes.
[*] 34) Meet API - Read Only
[*] 35) Meet API - Read Write
`Meet API - Read Only` - Allow apps to read metadata about any meeting space the user has access to.
`Meet API - Read Write` - Allow apps to create, modify, and read metadata about meeting spaces *created by your app*.
Updated `gam <UserTypeEntity> copy|move drivefile` to hanndle additional instances of
the `cannotModifyInheritedPermission` error.
Added license SKU `Google AI Ultra for Business`
$gam user gam-win-signer@pdl.jaylee.us add drivefile localfile "$gam" parentid "$folder_id"
$gam user gam-win-signer@pdl.jaylee.us update drivefile "$folder_id" newfilename "READYTOSIGN ${folder_number}"
export signed_folder="SIGNED ${folder_number}"
zero_results="gam-win-signer@pdl.jaylee.us,0"
while true; do
result_counts=$($gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" countsonly)
echo "$result_counts"
if [[ ! "$result_counts" =~ "$zero_results" ]]; then
echo "looks like we have results"
break
fi
echo "no results, sleeping 10..."
sleep 10
done
# download signed gam.exe
$gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us print filelist query "'~~id~~' in parents and name = 'gam.exe'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us get drivefile ~id targetfolder "$gampath" targetname "signed-gam.exe" overwrite true acknowledgeabuse true
# delete signed folder on drive
$gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us trash drivefile "~id"
# remove unsigned gam.exe and rename signed-gam.exe
$gam user gam-win-signer@pdl.jaylee.us add drivefile localfile "$MSI_FILENAME" parentid "$folder_id"
rm -f -v "$MSI_FILENAME"
$gam user gam-win-signer@pdl.jaylee.us update drivefile "$folder_id" newfilename "READYTOSIGN ${folder_number}"
export signed_folder="SIGNED ${folder_number}"
zero_results="gam-win-signer@pdl.jaylee.us,0"
while true; do
result_counts=$($gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" countsonly)
echo "$result_counts"
if [[ ! "$result_counts" =~ "$zero_results" ]]; then
echo "looks like we have results"
break
fi
echo "no results, sleeping 10..."
sleep 10
done
# download signed package
$gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us print filelist query "'~~id~~' in parents and name contains '.msi'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us get drivefile ~id targetfolder "$GITHUB_WORKSPACE" targetname "$MSI_FILENAME" overwrite true acknowledgeabuse true
# delete signed folder on drive
$gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us trash drivefile "~id"
$gam user $newuser delegate to "${newbase}-bulkuser-1" || if [ $? != 50 ]; then exit $?; fi # expect a 50 return code (delegation failed)
@@ -920,7 +932,7 @@ jobs:
$gam config enable_dasa true save
$gam print users query "gha.jid=$JID" | $gam csv - gam delete user ~primaryEmail || if [ $? != 50 ]; then exit $?; fi # expect a 50 return code (vault hold on user)
Fixed bug in `gam <UserItem> print|show chatspaces asadmin fields <ChatSpaceFieldNameList>` that caused a trap
when `displayname` was not in `<ChatSpaceFieldNameList>`.
7.17.02
Updated `gam <UserTypeEntity> print|show webmastersites` to handle the following error
that occurs if you haven't updated your project to include the Google Search Console API.
```
ERROR: 403: permissionDenied - Google Search Console API has not been used in project 111055363999 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/searchconsole.googleapis.com/overview?project=111055363999 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
```
7.17.01
Fixed bug in `gam <UserTypeEntity> show webmastersites` that caused a trap.
7.17.00
Added commands to discover Sites and WebResources that managed users (previously unmanaged) may have access to for better governance and visibility.
These are special purpose commands and will not generally be used.
itemDownloadRestriction - The download restriction of the file applied directly by the owner or organizer. This does not take into account shared drive settings or DLP rules.
effectiveDownloadRestrictionWithContext - Output only. The effective download restriction applied to this file. This considers all restriction settings and DLP rules.
restrictedForReaders - Whether download and copy is restricted for readers.
restrictedForWriters - Whether download and copy is restricted for writers. If true, download is also restricted for readers.
```
7.16.00
Removed `drive_v3_native_names` from `gam.cfg`; GAM now only uses Drive API v3 fields names on output.
If you had `drive_v3_native_names = False` in `gam.cfg` or are updating from Legacy GAM:
ALREADY_EXISTS_USE_MERGE_ARGUMENT='Already exists; use the "merge" argument to merge the labels'
API_ACCESS_DENIED='API access Denied'
API_CALLS_RETRY_DATA='API calls retry data\n'
API_CHECK_CLIENT_AUTHORIZATION='Please make sure the Client ID: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam oauth create\n'
API_CHECK_SVCACCT_AUTHORIZATION='Please make sure the Service Account Client ID: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam user {2} update serviceaccount\n'
API_CHECK_CLIENT_AUTHORIZATION='Please make sure the Client ID: {0} is authorized for the appropriate API or scopes:{1}\n\nRun: gam oauth create\n'
API_CHECK_SVCACCT_AUTHORIZATION='Please make sure the Service Account Client ID: {0} is authorized for the appropriate API or scopes:{1}\n\nRun: gam user {2} update serviceaccount\n'
API_ERROR_SETTINGS='API error, some settings not set'
ARE_BOTH_REQUIRED='Arguments {0} and {1} are both required'
ARE_MUTUALLY_EXCLUSIVE='Arguments {0} and {1} are mutually exclusive'
NO_TRANSFER_LACK_OF_DISK_SPACE='Transfer not performed due to lack of target drive space.'
NO_USAGE_PARAMETERS_DATA_AVAILABLE='No usage parameters data available.'
NO_USER_COUNTS_DATA_AVAILABLE='No User counts data available.'
NUM_SELECTED_CLIENT_SCOPES='\n{0} scopes are selected, if more than {1} scopes are selected, Google will probably generate a "Something went wrong" error\n'
OAUTH2_GO_TO_LINK_MESSAGE="""
Go to the following link in a browser on this computer or on another computer:
- [Copy privileges from one role to a new role](#copy-privileges-from-one-role-to-a-new-role)
- [Copy roles from one administrator to another](#copy-roles-from-one-administrator-to-another)
- [Copy non-system admin roles from a source workspace to a target workspace](#copy-non-system-admin-roles-from-a-source-workspace-to-a-target-workspace)
By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
* `formatjson` - Display the fields in JSON format.
By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
@@ -95,3 +97,15 @@ the quote character itself, the column delimiter (comma by default) and new-line
When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
## Configuring settings
Alert Center can be configured to send notifications to a Google Cloud Pub/Sub topic, but it first requires configuration.
* See https://developers.google.com/workspace/admin/alertcenter/guides/notifications for information.
Gam can be used to display or modify the settings:
- [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
- [Authorize a user to create projects](#authorize-a-user-to-create-projects)
- [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
- [Authorize GAM to create projects](#authorize-gam-to-create-projects)
- [Create a new GCP project folder](#create-a-new-gcp-project-folder)
@@ -64,6 +64,7 @@ Verify the following steps:
* If groups are used to authenticate access, make sure the super admin is in one of the groups
* Collapse "Service status"
* Expand "Cloud Resource Manager API settings"
* Select the OU in the left that contains the super admin you'll be using
* Make sure that "Allow users to create projects" is checked
Verify that all scopes are available:
@@ -73,11 +74,6 @@ Verify that all scopes are available:
* Select "ON for everyone"
* Click "SAVE"
Verify that internal apps are trusted.
* Access the admin console and go to Security -> Access and data control -> API Controls
* Check that "Trust internal, domain-owned apps" is present in the **Settings** section
* Click "SAVE"
If you run a Google Workspace Education SKU, verify that Classroom API is enabled if required.
* Access the admin console and go to Apps -> Google Workspace - Classroom
* Expand "Data access"
@@ -109,12 +105,13 @@ Verify whether the super admin you'll be using is in an OU where reauthenticatio
* Access the admin console and go to Security -> Overview
* Scroll down and open Google Cloud session control section
* Select the OU containing the super admin
* If Require reauthentication is selected and Exempt Trusted apps is not checked, you'll have to do `gam oauth create` at whatever frequency is specified
*If that sounds unappealing, check Exempt Trusted apps
*Click "OVERRIDE"
* If Require reauthentication is selected, you'll need either:
*uncheck Google Cloud Storage and any other GCP APIs that you selected on `gam oauth create` (reauth is only necessary for GCP APIs)
*enable "Exempt Trusted apps"
* rerun `gam oauth create` at whatever frequency is specified
Additional steps may be required if errors are encountered.
* [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
* [Authorize a user to create projects](#authorize-a-user-to-create-projects)
* [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
* [Authorize GAM to create projects](#authorize-gam-to-create-projects)
@@ -168,8 +165,8 @@ For `print|show projects`, you can eliminate the password prompt and authenticat
gam print projects admin admin@domain.com
```
## Authorize a super admin to create projects
If you try to create a project and get an error saying that the admin you specified is not authorized to create projects,
## Authorize a user to create projects
If you try to create a project and get an error saying that the user you specified is not authorized to create projects,
perform these steps and then retry the create project command.
* Login as an existing super admin at console.cloud.google.com
@@ -183,13 +180,12 @@ perform these steps and then retry the create project command.
* Click in the Select a role box
* Type project creator in the Filter box
* Click Project Creator
* Click + Add Another Role
* Type orgpolicy.policyAdmin in the Filter box
* Click Organization Policy Administrator
* Click Save
## Authorize Service Account Key Uploads
*IMPORTANT:* Google best practice is to NOT use service account keys. Rather than overriding Google's default policy please consider [running GAM on Google Compute Engine Securely](https://github.com/GAM-team/GAM/wiki/l-Running-GAM-on-Google-Compute-Engine-(GCE)-Securely) so that service account keys are not necessary.
If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload violated for service account projects/gam-project-xxxxx`,
perform these steps and then you should be able to authorize and use your project.
- [Display Rooms and Chats to which your Bot belongs](#display-rooms-and-chats-to-which-your-bot-belongs)
- [Display Members of a Room or Chat](#display-members-of-a-room-or-chat)
- [Create a Chat Message](#create-a-chat-message)
@@ -10,6 +10,44 @@
- [Delete a Chat Message](#delete-a-chat-message)
- [Display a Chat Message](#display-a-chat-message)
## Introduction
To use these commands you must update your service account authorization.
```
gam user user@domain.com update serviceaccount
[*] 4) Chat API - Memberships (supports readonly)
[*] 5) Chat API - Memberships Admin (supports readonly)
[*] 6) Chat API - Messages (supports readonly)
[*] 7) Chat API - Spaces (supports readonly)
[*] 8) Chat API - Spaces Admin (supports readonly)
[*] 9) Chat API - Spaces Delete
[*] 10) Chat API - Spaces Delete Admin
```
Added `use_chat_admin_access` Boolean variable to `gam.cfg`.
```
* When False, GAM uses user access when making all Chat API calls. For calls that support admin access,
this can be overridden with the asadmin command line option.
* When True, GAM uses admin access for Chat API calls that support admin access; other calls will use user access.
* Default: False
```
Google requires that you have a Chat Bot configured in order to use the Chat API; set up a Chat Bot as described in the next section.
## Set up a Chat Bot
GAM is capable of acting as a Chat Bot and sending messages to Chat Rooms or direct messages to users.
Even if you're not going to use GAM as a Chat Bot, you have to configure a Chat Bot as it is required by the Chat API in [Users - Chat](Users-Chat).
* Run the command `gam setup chat`; it will point you to a URL to configure your Chat Bot.
* Uncheck "Build this Chat app as a Workspace add-on."
* Enter an App name and Description of your choosing.
* For the Avatar URL you can use `https://dummyimage.com/384x256/4d4d4d/0011ff.png&text=+GAM` or a public URL to an image of your own choosing.
* In Functionality, uncheck both "Receive 1:1 messages" and "Join spaces and group conversations"
* In Connection settings, choose "Cloud Pub/Sub" and enter `projects/<ProjectID>/topics/no-topic` for the Topic Name. Replace `<ProjectID>` with your GAM project ID. GAM doesn't yet listen to pub/sub so this option is not used.
* In Visibility, uncheck "Make this Chat app available to specific people and groups in Domain Workspace".
Since GAM 6.04.00, GAM is capable of acting as a Chat Bot and sending messages to Chat Rooms or direct messages to users. You first need to configure your Chat Bot.
* Run the command `gam setup chat`; it will point you to a URL to configure your Chat Bot.
* Enter an App name and Description of your choosing.
* For the Avatar URL you can use `https://dummyimage.com/384x256/4d4d4d/0011ff.png&text=+GAM` or a public URL to an image of your own choosing.
* In Functionality, uncheck both "Receive 1:1 messages" and "Join spaces and group conversations"
* In Connection settings, choose "Cloud Pub/Sub" and enter `projects/<ProjectID>/topics/no-topic` for the topic name. Replace `<ProjectID>` with your GAM project ID. GAM doesn't yet listen to pub/sub so this option is not used.
* In Visibility, uncheck "Make this Chat app available to specific people and groups in Domain Workspace".
* Click Save.
----
## Display Rooms and Chats to which your Bot belongs
Display the spaces to which your Chat Bot can send messages.
A space can be a direct message to a user, a chat group or a chat room.
By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
* `formatjson` - Display the fields in JSON format.
By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
### Examples
For Windows PowerShell, replace `\"` with ``` `" ```.
Clear cache and cookies for two specific Chrome profiles:
As of GAM version `6.67.00`, the new API function `batchChangeStatus` replaces the old API function `action`; ChromeOS devices are now processed in batches.
The batch size defaults to 10, the `actionbatchsize <Integer>` option can be used to set a batch size between 10 and 250.
@@ -454,21 +445,18 @@ is configurable from 0 to some large number. If the status reaches `EXPIRED`, `C
Remove user profile data from the device; the device will remain enrolled and connected.
User data not synced to the Cloud including Downloads, Android app data and Crostini Linux VMs will be permanently lost.
Commands with issuecommand directly after gam will work with Legacy GAM & GAM7, whereas commands where the issuecommand is after the cros <CrOSTypeEntity> will work only with GAM7.
```
gam issuecommand cros dd1d659a-0ea4-4e94-905e-4726c7a5f1e9 command wipe_users doit
gam cros dd1d659a-0ea4-4e94-905e-4726c7a5f1e9 issuecommand command wipe_users doit
```
Remove profiles using the annotatedAssetID, which is a user editable field, in this example the device has an asset ID of CB1234.
As course aliases can contain spaces, some care must be used when entering `<CourseAliasList>`, `<CourseID>`, `<CourseIDList>` and `<CourseEntity>`.
Suppose you have a course with the alias `Math Class`. To get information about it you enter the command: `gam info course "d:Math Class"`
The shell strips the `"` leaving a single argument `d:Math Class`; gam correctly processes the argument as it is expecting a single course.
Suppose you enter the command: `gam info courses "d:Math Class"`
The shell strips the `"` leaving a single argument `d:Math Class`; as gam is expecting a list, it splits the argument on space leaving two items and then tries to process `d:Math` and `Class`, not what you want.
You must enter: `gam info courses "'d:Math Class'"`
The shell strips the `"` leaving a single argument `'d:Math Class'`; as gam is expecting a list, it splits the argument on space while honoring the `'` leaving one item `d:Math Class` and correctly processes the item.
For multiple aliases you must enter: `gam info courses "'d:Math Class','d:Science Class'"`
## Special quoting for lists of titles
As student group titles can contain spaces, some care must be used when entering `selevct <StringList>`.
Suppose you want to create a student group `Advanced Students`. `gam create course-studentgroups course <CourseID> title "Advanced Students"`
The shell strips the `"` leaving a single argument `Advanced Math`; gam correctly processes the argument as it is expecting a single title.
Suppose you enter the command: `gam create course-studentgroups course <CourseID> select "Advanced Students"`
The shell strips the `"` leaving a single argument `Advanced Students`; as gam is expecting a list, it splits the argument on space leaving two items and then tries to process `Advanced` and `Students`, not what you want.
You must enter: `gam create course-studentgroups course <CourseID> select "'Advanced Students'"`
The shell strips the `"` leaving a single argument `'Advanced Students'`; as gam is expecting a list, it splits the argument on space while honoring the `'` leaving one item `Advanced Students` and correctly processes the item.
For multiple titles you can enter either of the following:
When creating student groups, the API does not check for duplicate titles; you can have multiple student grpups
with the same title; they will have unique `<StudentGroupID>s`.
The `update|delete course-studentgroups` commands manage a specific course.
By default, the `create|clear course-studentgroups` commands manage student group information about all courses.
To manage student group information for a specific set of courses, use the following option; it can be repeated to select multiple courses.
* `(course|class <CourseID>)*` - Display courses with the specified `<CourseID>`.
To manage student group information for courses based on their having a particular participant, use the following options. Both options can be specified.
* `teacher <UserItem>` - Display courses with the specified teacher.
* `student <UserItem>` - Display courses with the specified student.
To manage student group information for courses based on their state, use the following option. This option can be combined with the `teacher` and `student` options.
By default, all course states are selected.
* `states <CourseStateList>` - Display courses with any of the specified states.
By default, when a student group is created, you will get output like this:
By default, the `print course-studentgroups` command displays student group information about all courses.
To display student group information for a specific set of courses, use the following option; it can be repeated to select multiple courses.
* `(course|class <CourseID>)*` - Display courses with the specified `<CourseID>`.
To display student group information for courses based on their having a particular participant, use the following options. Both options can be specified.
* `teacher <UserItem>` - Display courses with the specified teacher.
* `student <UserItem>` - Display courses with the specified student.
To display student group information for courses based on their state, use the following option. This option can be combined with the `teacher` and `student` options.
By default, all course states are selected.
* `states <CourseStateList>` - Display courses with any of the specified states.
By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
* `formatjson` - Display the fields in JSON format.
By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
By default, the `print course-studentgroup-members` command displays student group member information about all courses.
To display student group member information for a specific set of courses, use the following option; it can be repeated to select multiple courses.
* `(course|class <CourseID>)*` - Display courses with the specified `<CourseID>`.
To display student group member information for courses based on their having a particular participant, use the following options. Both options can be specified.
* `teacher <UserItem>` - Display courses with the specified teacher.
* `student <UserItem>` - Display courses with the specified student.
To display student group member information for courses based on their state, use the following option. This option can be combined with the `teacher` and `student` options.
By default, all course states are selected.
* `states <CourseStateList>` - Display courses with any of the specified states.
By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
* `formatjson` - Display the fields in JSON format.
By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
The `cimember <UserItem>` option of `gam print|show cigroup-members` requires a Google Workspace Enterprise Standard, Enterprise Plus, and Enterprise for Education;
and Cloud Identity Premium accounts. Unfortunately, even if you have the required account, the API call that supports the query doesn't work.
The `cimember <UserItem>` option of `gam print cigroups` requires a Google Workspace Enterprise Standard, Enterprise Plus, and Enterprise for Education;
and Cloud Identity Premium accounts. Unfortunately, even if you have the required account, the API call that supports the query doesn't work.
@@ -308,12 +308,3 @@ the quote character itself, the column delimiter (comma by default) and new-line
When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
## Display global address list
As of mid-October 2024, Google deprecated the API that retrieved the Global Address List.
!All Google Drive API calls have been converted from v2 to v3, see: https://developers.google.com/drive/v3/web/migration
Many of the changes are internal to Gam and have no visible effect. Google has modified/renamed many field names and these will affect scripts that parse the output from `gam print/show drivesettings/drivefileacls/fileinfo/filelist/filerevisions`. Additionally, Google has dropped some fields and their values are no longer available. On input, Gam accepts both the old and new field names.
Legacy GAM used Drive API v2, GAM7 uses Drive API v3. See: https://developers.google.com/drive/v3/web/migration
Many of the changes are internal to GAM7 and have no visible effect.
Google has modified/renamed many field names and these will affect scripts that parse the output from `gam print/show drivesettings/drivefileacls/fileinfo/filelist/filerevisions`.
Additionally, Google has dropped some fields and their values are no longer available. On input, GAM7 accepts both the old and new field names where applicable.
A variable, `drive_v3_native_names` (default value is True), has been added to `gam.cfg` to control the field names on output: when True, the v3 native field names are used; when False, the v3 native field names are mapped to the v2 field names.
If you have scripts that process the output from these print commands, you may have to make modifications to your scripts.
Run your print/show commands with a version of Legacy Gam and save the output.
With drive_v3_native_names = False, run your print/show commands with this version of Gam and compare the output to that saved in the previous run;
If you use Legacy GAM and have scripts that process the output from these print commands, you may have to make modifications to your scripts when you upgrade to GAM7.
Run your print/show commands with a version of Legacy GAM and save the output.
Run your print/show commands with GAM7 and compare the output to that saved in the previous run;
modify your scripts that process the output as appropriate.
There is a cost to mapping the v3 field names back to the v2 field names; you can avoid this cost by setting drive_v3_native_names = True,
running your print/show commands, comparing the output and making the appropriate script modifications.
```
print/show drivesettings
Dropped fields:
@@ -30,7 +28,7 @@ Dropped fields:
authKey
Renamed fields (Old->New):
name->displayName
withLink->allowFileDiscovery
withLink->allowFileDiscovery - value is complemented
The parents field of a file has undergone the most change. In Drive v2 it was a list of compound items with three sub-fields per item: id, isRoot, parentLink.
In Drive v3 the parents field is a list of simple items, the parent ids. The following examples show how the parents field is output in a CSV file for a file with two parents.
Fixed bug in `gam <UserItem> print|show chatspaces asadmin fields <ChatSpaceFieldNameList>` that caused a trap
when `displayname` was not in `<ChatSpaceFieldNameList>`.
### 7.17.02
Updated `gam <UserTypeEntity> print|show webmastersites` to handle the following error
that occurs if you haven't updated your project to include the Google Search Console API.
```
ERROR: 403: permissionDenied - Google Search Console API has not been used in project 111055363999 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/searchconsole.googleapis.com/overview?project=111055363999 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
```
### 7.17.01
Fixed bug in `gam <UserTypeEntity> show webmastersites` that caused a trap.
### 7.17.00
Added commands to discover Sites and WebResources that managed users (previously unmanaged) may have access to for better governance and visibility.
These are special purpose commands and will not generally be used.
itemDownloadRestriction - The download restriction of the file applied directly by the owner or organizer. This does not take into account shared drive settings or DLP rules.
effectiveDownloadRestrictionWithContext - Output only. The effective download restriction applied to this file. This considers all restriction settings and DLP rules.
restrictedForReaders - Whether download and copy is restricted for readers.
restrictedForWriters - Whether download and copy is restricted for writers. If true, download is also restricted for readers.
```
### 7.16.00
Removed `drive_v3_native_names` from `gam.cfg`; GAM now only uses Drive API v3 fields names on output.
If you had `drive_v3_native_names = False` in `gam.cfg` or are updating from Legacy GAM:
Emails will be sent to the users in `<UserTypeEntity>`.
By default, emails will be sent from the admin user named in oauth2.txt, override this with the `from <EmailAddress>` option.
When using the Gmail API/SMTP, GAM gets no/little indication as to the status of the message delivery; the from user will get a non-delivery receipt if the message
- [Display all Shared Drives with no members](#display-all-shared-drives-with-no-members)
- [Display all Shared Drives with no organizers](#display-all-shared-drives-with-no-organizers)
- [Display all Shared Drives with a specific organizer](#display-all-shared-drives-with-a-specific-organizer)
@@ -29,6 +32,7 @@
- [Display ACLs for Shared Drives with all organizers outside of your domain](#display-acls-for-shared-drives-with-all-organizers-outside-of-your-domain)
- [Display ACLs for Shared Drives with all ACLs outside of your domain](#display-acls-for-shared-drives-with-all-acls-outside-of-your-domain)
- [Clean up scammed Shared Drives](#clean-up-scammed-shared-drives)
- [Delete old empty Shared Drives](#delete-old-empty-shared-drives)
## API documentation
* [Drive API - Drives](https://developers.google.com/drive/api/reference/rest/v3/drives)
A domain administrator with the Drive and Docs administrator privilege can search for Shared Drives or update permissions for Shared Drives
owned by their organization, regardless of the admin's membership in any given Shared Drive.
@@ -214,41 +219,73 @@ Three forms of the commands are available:
*`gam <UserTypeEntity> action ... adminaccess` - The user named in `<UserTypeEntty>` is used, adminaccess indicates that the user is a domain administrator
*`gam <UserTypeEntity> action ...` - The user named in `<UserTypeEntty>` is used, access is limited to drives for which they are an organizer
## GUI API permission name mapping
## API GUI permission name mapping
| GUI setting | API setting |
|------------|------------|
| Manager | organizer |
| Content manager | fileOrganizer |
| Contributor | writer |
| Commenter | commenter |
| Viewer | reader |
| API setting | GUI setting |
|-------------|-------------|
| organizer | Manager |
| fileOrganizer | Content manager |
| writer | Contributor |
| commenter | Commenter |
| reader | Viewer |
## API GUI restriction name mapping
| API Setting | Description |
|-------------|-------------|
| adminManagedRestrictions | Whether administrative privileges on this shared drive are required to modify restrictions. |
| domainUsersOnly | Whether access to this shared drive and items inside this shared drive is restricted to users of the domain to which this shared drive belongs. |
| driveMembersOnly | Whether access to items inside this shared drive is restricted to its members. |
| allowContentManagersToShareFolders (GAM defined) | If true, users with either the organizer role or the file organizer role can share folders. If false, only users with the organizer role can share folders. |
| sharingFoldersRequiresOrganizerPermission | If true, only users with the organizer role can share folders. If false, users with either the organizer role or the file organizer role can share folders. |
| copyRequiresWriterPermission | Whether the options to copy, print, or download files inside this shared drive, should be disabled for readers and commenters. |
| downloadRestrictions.restrictedForWriters | Whether download and copy is restricted for writers. If true, download is also restricted for readers. |
| downloadRestrictions.restrictedForReaders | Whether download and copy is restricted for readers. |
These commands are used to manage the ACLs on Shared Drives themselves, not the files/folders on the Shared Drives.
@@ -504,12 +644,12 @@ These commands are used to transfer ACLs from one Shared Drive to another.
* `copy` - Copy all ACLs from the source Shared Drive to the target Shared Drive. The role of an existing ACL in the target Shared Drive will never be reduced.
* `sync` - Add/delete/update ACLs in the target Shared Drive to match those in the source Shared Drive.
```
gam [<UserTypeEntity>] copy teamdriveacls <SharedDriveEntity> to <SharedDriveEntity>
gam [<UserTypeEntity>] copy shareddriveacls <SharedDriveEntity> to <SharedDriveEntity>
@@ -614,7 +754,7 @@ By default, all ACLS are displayed; use the following options to select a subset
* `role|roles <SharedDriveACLRoleList>` - Display ACLs for the specified roles only.
* `<PermissionMatch>* [<PermissionMatchAction>]` - Use permission matching to display a subset of the ACLs for each Shared Drive; this only applies when `pmselect` is not specified
With `print teamdriveacls` or `show teamdrivecls formatjson`, the ACLs selected for display are all output on one row/line as a repeating item with the matching Shared Drive id.
With `print shareddriveacls` or `show shareddrivecls formatjson`, the ACLs selected for display are all output on one row/line as a repeating item with the matching Shared Drive id.
When `oneitemperrow` is specified, each ACL is output on a separate row/line with the matching Shared Drive id and name. This simplifies processing the CSV file with subsequent Gam commands.
By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
@@ -626,35 +766,35 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
### Examples
Find all organizers and viewers on the shared drive Heart of Gold in CSV form.
```
gam print teamdriveacls matchname "Heart of Gold" role organizer,reader oneitemperrow
gam print shareddriveacls matchname "Heart of Gold" role organizer,reader oneitemperrow
```
Print ACLs for all Shared Drives in the organization created after November 1, 2017.
To use these commands you must update your service account authorization.
```
gam user user@domain.com update serviceaccount
[*] 3) Chat API - Custom Emojis (supports readonly)
[*] 4) Chat API - Memberships (supports readonly)
[*] 5) Chat API - Memberships Admin (supports readonly)
[*] 6) Chat API - Messages (supports readonly)
@@ -46,17 +47,19 @@ Google requires that you have a Chat Bot configured in order to use the Chat API
* Enter an App name and Description of your choosing.
* For the Avatar URL you can use `https://dummyimage.com/384x256/4d4d4d/0011ff.png&text=+GAM` or a public URL to an image of your own choosing.
* In Functionality, uncheck both "Receive 1:1 messages" and "Join spaces and group conversations"
* In Connection settings, choose "Cloud Pub/Sub" and enter `projects/<ProjectID>/topics/no-topic` for the topic name. Replace `<ProjectID>` with your GAM project ID. GAM doesn't yet listen to pub/sub so this option is not used.
* In Visibility, uncheck "Make this Chat app available to specific people and groups in Domain Workspace".
* In Connection settings, choose "Cloud Pub/Sub" and enter `projects/<ProjectID>/topics/no-topic` for the Topic Name. Replace `<ProjectID>` with your GAM project ID. GAM doesn't yet listen to pub/sub so this option is not used.
* In Visibility, uncheck "Make this Chat app available to specific people and groups in Domain Workspace".
Delete members from a chat space by specifying chatmember names, asadmin
```
gam <UserItem> remove chatmember members asadmin <ChatMemberList>
gam <UserItem> remove chatmember asadmin members <ChatMemberList>
```
### Update a members role in a user's chat space
@@ -898,11 +919,81 @@ filter 'start_time=\"2024-03-15T11:30:00-04:00\" AND event_types:\"google.worksp
filter 'start_time=\"2024-03-15T11:30:00+00:00\" AND end_time=\"2024-03-3100:00:00+00:00\" AND event_types:\"google.workspace.chat.message.v1.created\"'
*`showcreatedby any` - Display all emojis regardless of creator
*`showcreatedby ` - Display all emojis created by the user; this is the default
*`showcreatedby others` - Display all emojis not created by the user
By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
*`formatjson` - Display the fields in JSON format.
By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
## Bulk Operations
### Display information about all chat spaces for a collection of users
- [Move with ownership change](#move-with-ownership-change)
- [Complex moves](#complex-moves)
- [Move content of a Shared Drive to another Shared Drive](#move-content-of-a-shared-drive-to-another-shared-drive)
- [Move content of a Shared Drive to a My Drive](#move-content-of-a-shared-drive-to-a-my-drive)
## API documentation
* [Drive API - Files](https://developers.google.com/drive/api/v3/reference/files)
@@ -662,7 +663,7 @@ When moving a folder you can use the `retainsourcefolders` option to cause GAM t
Moving a Drive folder to a Shared Drive is not directly supported by the API; GAM has to make a copy of the folder on the Shared Drive and
recursively adjust the files/folders within it to point to the new parent folder. Once the original folder is emptied, it is deleted unless `retainsourcefolders` is specified.
### Move content of a Shared Drive to another Shared Drive
## Move content of a Shared Drive to another Shared Drive
Suppose you have a source Shared Drive with ID 0AC_1AB with multiple files and folders, and want to move all of its content to the target Shared Drive with ID 0AE_9ZX.
The following command will change the parents of the top level files and folders from 0AC_1AB to 0AE_9ZX; the sub files and folders will move along with their top level folder.
If you want the source Shared Drive with ID 0AC_1AB to be contained in a top level folder of the target Shared Drive with ID 0AE_9ZX, omit the `mergewithparent` argument.
The folder on the target Shared Drive will have the same name as the name of the source Shared Drive; use the `newfilename <DriveFileName>` to use a different name.
```
gam user user@domain.com move drivefile teamdriveid 0AC_1AB teamdriveparentid 0AE_9ZX
gam user user@domain.com move drivefile teamdriveid 0AC_1AB teamdriveparentid 0AE_9ZX newfilename "Copy of source Shared Drive"
```
### Inter-workspace moves
Due to a restructuring, you want to move data from Shared Drive A in domaina.com to Shared Drive B in domainb.com.
* Shared Drive A in domaina.com has the following unchecked: `Allow people outside of Domain A to access files`
* Shared Drive B in domainb.com has the following checked: `Allow people outside of Domain B to access files`
* `user@domaina.com` is a manager of both Shared Drives.
To get this to work, you must check `Allow people outside of Domain A to access files` on Shared Drive A in domaina.com
## Move content of a Shared Drive to a My Drive
Suppose you have a Shared Drive with ID 0AC_1AB with multiple files and folders, and want to move all of its content to the root of a My Drive.
The following command will change the parents of the top level files and folders from 0AC_1AB to the root of the My Drive; the sub files and folders will move along with their top level folder.
* No permissions are processed.
```
gam user user@domain.com move drivefile teamdriveid 0AC_1AB parentid root mergewithparent
```
If you want the contents of Shared Drive with ID 0AC_1AB to be contained in a top level folder of the My Drive, omit the `mergewithparent` argument.
The folder on the My Drive will have the same name as the name of the Shared Drive; use the `newfilename <DriveFileName>` to use a different name.
```
gam user user@domain.com move drivefile teamdriveid 0AC_1AB parentid root
gam user user@domain.com move drivefile teamdriveid 0AC_1AB parentid root newfilename "Copy of Shared Drive"
If you specify `role owner`, Google requires that a notification message be sent to the new owner.
Google sends a preformatted message, use `emailmessage <String>` to include additional information in the message.
If you get the following error message from Google:
```
You are trying to invite user@domain.com. Since there is no Google account associated with this email address, you must check the "Notify people" box to invite this recipient."
```
Use the `sendemail` option and `emailmessage <String>` (if desired) to `check the "Notify people" box`.
The options `withlink|allowfilediscovery|discoverable` are only valid for ACLs to `anyone` or `domain`.
The option `expiration <Time>` is only valid for `role commenter|contributor|viewer` for files and `commenter|viewer` for folders.
@@ -213,6 +226,12 @@ The option `updatesheetprotectedranges` only applies to items in `<DriveFileEnti
* ACLs with role reader or commenter will be removed from existing protected ranges
* ACLs with role writer or higher will be added to existing protected ranges
`
`enforceexpansiveaccess` defaults to the value of `gam.cfg/enforce_expansive_access` that controls
the ability to update inherited ACLs.
* False - Inherited ACLs can be updated
* True = Inherited ACLs can not be updated
By default, the file ID is displayed in the output; to see the file name, use the `showtitles`
option; this requires an additional API call per file.
@@ -233,6 +252,11 @@ The option `updatesheetprotectedranges` only applies to items in `<DriveFileEnti
* Sheet Protected Ranges are updated to reflect the deleted ACL; additional API calls are required.
* ACLs with any role will be removed from existing protected ranges
`enforceexpansiveaccess` defaults to the value of `gam.cfg/enforce_expansive_access` that controls
the ability to delete delete inherited ACLs.
* False - Inherited ACLs can be deleted
* True = Inherited ACLs can not be deleted
By default, the file ID is displayed in the output; to see the file name, use the `showtitles`
option; this requires an additional API call per file.
@@ -251,6 +275,16 @@ From the Google Drive API documentation.
* `false` - Parents are not changed. The file is an orphan for the new owner. This is the default.
* `true` - The item is moved to the new owner's My Drive root folder and all prior parents removed. The file is an orphan for the old owner.
If you specify a pernission with `role owner`, Google requires that a notification message be sent to the new owner.
Google sends a preformatted message, use `emailmessage <String>` to include additional information in the message.
If you get the following error message from Google:
```
You are trying to invite user@domain.com. Since there is no Google account associated with this email address, you must check the "Notify people" box to invite this recipient."
```
Use the `sendemail` option and `emailmessage <String>` (if desired) to `check the "Notify people" box`.
Permission matching only applies when the `(json [charset <Charset>] <JSONData>)|(json file <FileName> [charset <Charset>])`
variant of `<DriveFilePermissionEntity>` and `<DriveFilePermissionIDEntity>` is used.
## Delete all ACLs except owner from a user's My Drive
Get the current ACLs.
```
gam redirect csv ./Permissions.csv user user@domain.com print filelist fields id,name,mimetype,basicpermissions pm not role owner em pmfilter oneitemperrow
```
Inspect Permissions.csv, verify that you want to proceed.
*`labelids <LabelIDList>` - Select messages with labels that match all of the specified label IDs.
*`max_to_archive` - Limit the number of messages that will be archived; use a value of 0 for no limit
*`doit` - No messages are archived unless you specify `doit`. By not specifying `doit`, you can preview the messages selected to verify that the results match your expectations.
@@ -432,10 +436,14 @@ See below for message selection.
*`labelids <LabelIDList>` - Select messages with labels that match all of the specified label IDs.
*`max_to_xxx` - Limit the number of messages that will be processed; use a value of 0 for no limit
*`doit` - No messages are processed unless you specify `doit`. By not specifying `doit`, you can preview the messages selected to verify that the results match your expectations.
@@ -170,7 +182,7 @@ email address signature rather than the alias signature to be set.
If you have a current default signature, the API will update that, but if you delete it, it seems that the API will not over-write any of the other signatures, but instead add a new signature called `My signature`. If you rename that signature, the API will keep on updating that same signature, and not touch the other signatures.
## Display signature
### Display the information as an indented list of keys and values.
### Display the signature as an indented list of keys and values.
```
gam <UserTypeEntity> show signature|sig [compact|format|html]
[primary|default] [verifyonly]
@@ -187,7 +199,19 @@ By default, the signature for `<UserTypeEntity>` is displayed, use these options
Use the `verifyonly` option to display `True` or `False` in the signature field based on whether the signature is non-blank.
### Display the information in CSV form.
To capture a signature for use as input to GAM, do the following.
```
gam redirect stdout ./signature.html user user@domain.com show signature compact
```
Edit signature.html and remove the following data leaving just the HTML.
| adminManagedRestrictions | Whether administrative privileges on this shared drive are required to modify restrictions. |
| domainUsersOnly | Whether access to this shared drive and items inside this shared drive is restricted to users of the domain to which this shared drive belongs. |
| driveMembersOnly | Whether access to items inside this shared drive is restricted to its members. |
| allowContentManagersToShareFolders (GAM defined) | If true, users with either the organizer role or the file organizer role can share folders. If false, only users with the organizer role can share folders. |
| sharingFoldersRequiresOrganizerPermission | If true, only users with the organizer role can share folders. If false, users with either the organizer role or the file organizer role can share folders. |
| copyRequiresWriterPermission | Whether the options to copy, print, or download files inside this shared drive, should be disabled for readers and commenters. |
| downloadRestrictions.restrictedForWriters | Whether download and copy is restricted for writers. If true, download is also restricted for readers. |
| downloadRestrictions.restrictedForReaders | Whether download and copy is restricted for readers. |
The Google Drive API does not list roles for Shared Drives so GAM generates a role from the capabilities:
* `commenter - canComment: True, canEdit: False`
* `reader - canComment: False, canEdit: False`
@@ -356,6 +400,80 @@ When using the `formatjson` option, double quotes are used extensively in the da
The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
@@ -458,7 +576,7 @@ By default, all ACLS are displayed; use the following options to select a subset
* `role|roles <SharedDriveACLRoleList>` - Display ACLs for the specified roles only.
* `<PermissionMatch>* [<PermissionMatchAction>]` - Use permission matching to display a subset of the ACLs for each Shared Drive; this only applies when `pmselect` is not specified
With `print teamdriveacls` or `show teamdrivecls formatjson`, the ACLs selected for display are all output on one row/line as a repeating item with the matching Shared Drive id.
With `print shareddriveacls` or `show shareddrivecls formatjson`, the ACLs selected for display are all output on one row/line as a repeating item with the matching Shared Drive id.
When `oneitemperrow` is specified, each ACL is output on a separate row/line with the matching Shared Drive id and name. This simplifies processing the CSV file with subsequent Gam commands.
By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
By default, Gam displays the accounts as columns of fields; the following option causes the output to be in JSON format,
*`formatjson` - Display the fields in JSON format.
By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
## Display Tag Manager Containers
```
gam <UserTypeEntity> show tagmanagercontainers <TagManagerAccountPathEntity>
[formatjson]
```
By default, Gam displays the containers as an indented list of keys and values.
*`formatjson` - Display the container in JSON format
By default, Gam displays the containers as columns of fields; the following option causes the output to be in JSON format,
*`formatjson` - Display the fields in JSON format.
By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
## Display Tag Manager Workspaces
```
gam <UserTypeEntity> show tagmanagerworkspaces <TagManagerContainerPathEntity>
[formatjson]
```
By default, Gam displays the workspaces as an indented list of keys and values.
*`formatjson` - Display the workspace in JSON format
By default, Gam displays the workspaces as columns of fields; the following option causes the output to be in JSON format,
*`formatjson` - Display the fields in JSON format.
By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
## Display Tag Manager Tags
```
gam <UserTypeEntity> show tagmanagertags <TagManagerWorkspacePathEntity>
[formatjson]
```
By default, Gam displays the tags as an indented list of keys and values.
By default, Gam displays the tags as columns of fields; the following option causes the output to be in JSON format,
*`formatjson` - Display the fields in JSON format.
By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
## Display Tag Manager User Permissions
```
gam <UserTypeEntity> show tagmanagerpermissions <TagManagerAccountPathEntity>
[formatjson]
```
By default, Gam displays the permissions as an indented list of keys and values.
*`formatjson` - Display the permission in JSON format
By default, Gam displays the permissions as columns of fields; the following option causes the output to be in JSON format,
*`formatjson` - Display the fields in JSON format.
By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
### Examples
Single user - Get CSV data.
```
$ gam redirect csv ./tmaccounts.csv user taguser@domain.com print tagmanageraccounts
# Using GAM7 with a delegated admin service account
- [Thanks](#thanks)
- [Introduction](#introduction)
- [Advantages](#advantages)
- [Disadvantages](#disadvantages)
- [Setup Steps](#setup-steps)
## Thanks
Thanks to Jay Lee for the original version of this document.
## Introduction
Delegated admin service accounts (DASA) are regular [GCP service accounts](https://cloud.google.com/iam/docs/service-accounts#what_are_service_accounts) that are granted a Workspace [delegated admin role](https://support.google.com/a/answer/33325). Service accounts have an email address like `gam-project-xuw-sp1-c4b@gam-project-xuw-sp1-c4b.iam.gserviceaccount.com` and are not part of a Workspace or Cloud Identity domain even if they are owned by a project in the domain’s organization. Service accounts cannot login to Google web services interactively, they are only able to call Google APIs.
GAM7 version 6.50.00 or higher is required.
## Advantages
* DASA accounts don’t require a Workspace or Cloud Identity license.
* DASA accounts don’t have a password login that can be phished or captured, they use [RSA private keys](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) to sign authentication requests which makes them very secure. You should however [rotate the key](https://jaylee.us/qwm) on a regular basis and keep it safe and secured!
@@ -23,7 +16,10 @@ GAM7 version 6.50.00 or higher is required.
## Disadvantages
* DASA accounts can only be delegated admins. [If a task requires super admin rights to perform](https://support.google.com/a/answer/2405986#:~:text=Only%20super%20administrators%20can...), DASA accounts won’t be able to do it.
Not all Google Admin APIs work with DASA right now. For example, Google Vault API calls will fail with a DASA account; Classroom API calls do not return data.
Not all Google Admin APIs work with DASA right no:
* Google Vault API calls will fail with a DASA account
* Classroom API calls do not return data
* Cloud Identity Policies are not available
* DASA is a delegated admin and can make Workspace / Cloud Identity admin API calls, it does not replace domain-wide delegation (DwD) when using GAM7 commands that interact with Gmail, Drive and Calendar user data.
* GAM7 support for DASA is still experimental and some things may fail. Please report your findings to the [GAM group](https://groups.google.com/g/google-apps-manager).
@@ -315,8 +326,11 @@ For `corpus calendar`, you can specify the format of the exported data:
For `corpus drive`, you can specify advanced search options:
*`driveversiondate <Date>|<Time>` - Search the versions of the Drive file as of the reference date. These timestamps are in GMT and rounded down to the given date.
*`includeshareddrives False` - Do not include Shared Drives in the search, this is the default.
*`includeshareddrives True` - Include Shared Drives in the search.
*`includeshareddrives False` - Mapped to `sharedrivesoption included_if_account_is_not_a_member`
*`includeshareddrives True` - Mapped to `sharedrivesoption included`
*`sharedrivesoption included` - Resources in shared drives are included in the search
*`sharedrivesoption included_if_account_is_not_a_member` - Resources in shared drives where account is not a member are included in the search, this is the default
*`sharedrivesoption not_included` - Resources in shared drives are not included in the search
*`driveclientsideencryption any` - Include both client-side encrypted and unencrypted content in search, this is the default.
*`driveclientsideencryption encrypted` - Include client-side encrypted content only in search.
*`driveclientsideencryption unencrypted` - Include client-side unencrypted content only in search.
When archiving, printing, showing, trashing, untrashing, marking as spam Gmail messages.
how many should be processed in each batch
Default: 100
Default: 50
Range: 1 - 100
enable_dasa
Enable/disable Delegated Admin Service Account API Access
admin_email, customer_id and domain must be set when enable_dasa is True,
customer_id may not be set to my_customer
Signal file: OldGamPath/enabledasa.txt
enforce_expansive_access
The default value for option `enforceexpansiveaccess` in all commands that delete or update drive file ACLs/permissions.
gam <UserTypeEntity> delete permissions
gam <UserTypeEntity> delete drivefileacl
gam <UserTypeEntity> update drivefileacl
gam <UserTypeEntity> copy drivefile
gam <UserTypeEntity> move drivefile
gam <UserTypeEntity> transfer ownership
gam <UserTypeEntity> claim ownership
Default: True
event_max_results
When retrieving lists of Calendar events from API,
how many should be retrieved in each API call
@@ -384,7 +394,7 @@ message_batch_size
message_max_results
When retrieving lists of Gmail messages from API,
how many should be retrieved in each API call
Default: 1000
Default: 500
Range: 1 - 10000
mobile_max_results
When retrieving lists of Mobile devices from API,
@@ -402,9 +412,8 @@ never_time
has the value "1970-01-01T00:00:00.000Z"
Default: Never
no_browser
If no_browser is True, GAM won't open a browser if todrive is set
when creating CSV files and GAM prints a link and waits for
the verification code when oauth2.txt is being created
If no_browser is True, GAM won't open a browser when it prints a link
and waits for the verification code when oauth2.txt is being created/updated
Signal file: OldGamPath/nobrowser.txt
no_cache
Disable GAM API caching
@@ -416,8 +425,10 @@ no_short_urls
the shortened URL redirects to the long URL.
When True, the long scopes URLs in `gam oauth create` and
`gam <UserTypeEntity> check|update serviceaccount` will be used as is.
Default: True
no_verify_ssl
Disable SSL certificate validation
Default: False
num_tbatch_threads
Number of threads for gam tbatch
Default: 2
@@ -982,6 +993,7 @@ gam update project
gam oauth create
gam info domain
gam config customer_id <CustomerID> save
gam user user@xxx.com update serviceaccount
```
### New clients
@@ -1003,7 +1015,7 @@ gam create project
gam oauth create
gam info domain
gam config customer_id <CustomerID> save
gam user user@foo.com check serviceaccount
gam user user@foo.com update serviceaccount
```
To get information about a client, select a section.
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
