Added enforce_expansive_access Boolean variable to gam.cfg

.github/workflows/build.yml

@@ -126,7 +126,7 @@ jobs:
         with:
           path: |
             cache.tar.xz
-          key: gam-${{ matrix.jid }}-20250422
+          key: gam-${{ matrix.jid }}-20250603
 
       - name: Untar Cache archive
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'

src/GamUpdate.txt

@@ -1,3 +1,26 @@
+7.09.00
+
+Removed the overly broad service account `IAM and Access Management API` scope `https://www.googleapis.com/auth/cloud-platform`
+from DWD. The `gam <UserTypeEntity> check|Update serviceaccount` commands issue an error message if this scope
+is enabled promptig you to update your service account authorization so that the scope can be removed.
+
+GAM commands that need IAM access now use the more limited scope `https://www.googleapis.com/auth/iam` in a non-DWD manner.
+
+Added `enforce_expansive_access` Boolean variable to `gam.cfg` that provides the default value
+for option `enforceexpansiveaccess` in all commands that delete or update drive file ACLs/permissions.
+```
+gam <UserTypeEntity> delete permissions
+gam <UserTypeEntity> delete drivefileacl
+gam <UserTypeEntity> update drivefileacl
+gam <UserTypeEntity> copy drivefile
+gam <UserTypeEntity> move drivefile
+gam <UserTypeEntity> transfer ownership
+gam <UserTypeEntity> claim ownership
+gam <UserTypeEntity> transfer drive
+```
+
+Updated to Python 3.13.4
+
 7.08.02
 
 Updated the defaults in `gam print shareddriveorganizers` to match the most common use case, not the script.

src/callgam.py

@@ -11,7 +11,7 @@ if __name__ == '__main__':
 # One time initialization
   if platform.system() != 'Linux':
     multiprocessing.freeze_support()
-    multiprocessing.set_start_method('spawn')
+    multiprocessing.set_start_method('spawn', force=True)
   initializeLogging()
 #
   CallGAMCommand(['gam', 'version'])

src/gam.py

@@ -11,5 +11,5 @@ from gam.__main__ import main
 if __name__ == '__main__':
   if platform.system() != 'Linux':
     multiprocessing.freeze_support()
-    multiprocessing.set_start_method('spawn')
+    multiprocessing.set_start_method('spawn', force=True)
   main()

src/gam/__init__.py

@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
 """
 
 __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
-__version__ = '7.08.02'
+__version__ = '7.09.00'
 __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
 
 #pylint: disable=wrong-import-position
@@ -4785,8 +4785,9 @@ def defaultSvcAcctScopes():
   scopesList = API.getSvcAcctScopesList(GC.Values[GC.USER_SERVICE_ACCOUNT_ACCESS_ONLY], False)
   saScopes = {}
   for scope in scopesList:
-    saScopes.setdefault(scope['api'], [])
-    saScopes[scope['api']].append(scope['scope'])
+    if not scope.get('offByDefault'):
+      saScopes.setdefault(scope['api'], [])
+      saScopes[scope['api']].append(scope['scope'])
   saScopes[API.DRIVEACTIVITY].append(API.DRIVE_SCOPE)
   saScopes[API.DRIVE2] = saScopes[API.DRIVE3]
   saScopes[API.DRIVETD] = saScopes[API.DRIVE3]
@@ -12232,7 +12233,7 @@ def checkServiceAccount(users):
 
   def authorizeScopes(message):
     long_url = ('https://admin.google.com/ac/owl/domainwidedelegation'
-                f'?clientScopeToAdd={",".join(checkScopes)}'
+                f'?clientScopeToAdd={",".join(sorted(checkScopesSet-API.FORCE_OFF_SA_SCOPES))}'
                 f'&clientIdToAdd={service_account}&overwriteClientId=true')
     if GC.Values[GC.DOMAIN]:
       long_url += f'&dn={GC.Values[GC.DOMAIN]}'
@@ -12244,10 +12245,12 @@ def checkServiceAccount(users):
   allScopes = API.getSvcAcctScopes(GC.Values[GC.USER_SERVICE_ACCOUNT_ACCESS_ONLY], Act.Get() == Act.UPDATE)
   checkScopesSet = set()
   saScopes = {}
+  addForceOffScopes = True
   useColor = False
   while Cmd.ArgumentsRemaining():
     myarg = getArgument()
     if myarg in {'scope', 'scopes'}:
+      addForceOffScopes = False
       for scope in getString(Cmd.OB_API_SCOPE_URL_LIST).lower().replace(',', ' ').split():
         api = API.getSvcAcctScopeAPI(scope)
         if api is not None:
@@ -12264,10 +12267,14 @@ def checkServiceAccount(users):
     testPass = createGreenText('PASS')
     testFail = createRedText('FAIL')
     testWarn = createYellowText('WARN')
+    testDisable = createRedText('DISABLE')
+    testSkip = createGreenText('SKIP')
   else:
     testPass = 'PASS'
     testFail = 'FAIL'
     testWarn = 'WARN'
+    testDisable = 'DISABLE'
+    testSkip = 'SKIP'
   if Act.Get() == Act.CHECK:
     if not checkScopesSet:
       for scope in iter(GM.Globals[GM.SVCACCT_SCOPES].values()):
@@ -12275,7 +12282,7 @@ def checkServiceAccount(users):
   else:
     if not checkScopesSet:
       scopesList = API.getSvcAcctScopesList(GC.Values[GC.USER_SERVICE_ACCOUNT_ACCESS_ONLY], True)
-      selectedScopes = getScopesFromUser(scopesList, False, GM.Globals[GM.SVCACCT_SCOPES])
+      selectedScopes = getScopesFromUser(scopesList, False, GM.Globals[GM.SVCACCT_SCOPES] if GM.Globals[GM.SVCACCT_SCOPES_DEFINED] else None)
       if selectedScopes is None:
         return False
       i = 0
@@ -12302,6 +12309,8 @@ def checkServiceAccount(users):
               json.dumps(GM.Globals[GM.OAUTH2SERVICE_JSON_DATA], ensure_ascii=False, sort_keys=True, indent=2),
               continueOnError=False)
   checkScopes = sorted(checkScopesSet)
+  if addForceOffScopes:
+    checkScopes.extend(sorted(API.FORCE_OFF_SA_SCOPES))
   jcount = len(checkScopes)
   printMessage(Msg.SYSTEM_TIME_STATUS)
   offsetSeconds, offsetFormatted = getLocalGoogleTimeOffset()
@@ -12337,7 +12346,7 @@ def checkServiceAccount(users):
   if saTokenStatus == testFail:
     invalidOauth2serviceJsonExit(f'Authentication{auth_error}')
   _getSvcAcctData() # needed to read in GM.OAUTH2SERVICE_JSON_DATA
-  if GM.Globals[GM.SVCACCT_SCOPES_DEFINED] and API.IAM not in GM.Globals[GM.SVCACCT_SCOPES]:
+  if API.IAM not in GM.Globals[GM.SVCACCT_SCOPES]:
     GM.Globals[GM.SVCACCT_SCOPES][API.IAM] = [API.IAM_SCOPE]
   key_type = GM.Globals[GM.OAUTH2SERVICE_JSON_DATA].get('key_type', 'default')
   if key_type == 'default':
@@ -12390,13 +12399,23 @@ def checkServiceAccount(users):
       if credentials.token:
         token_info = callGAPI(oa2, 'tokeninfo', access_token=credentials.token)
         if scope in token_info.get('scope', '').split(' ') and user == token_info.get('email', user).lower():
-          scopeStatus = testPass
+          if scope not in API.FORCE_OFF_SA_SCOPES:
+            scopeStatus = testPass
+          else:
+            scopeStatus = testDisable
+            allScopesPass = False
         else:
+          if scope not in API.FORCE_OFF_SA_SCOPES:
+            scopeStatus = testFail
+            allScopesPass = False
+          else:
+            scopeStatus = testSkip
+      else:
+        if scope not in API.FORCE_OFF_SA_SCOPES:
           scopeStatus = testFail
           allScopesPass = False
-      else:
-        scopeStatus = testFail
-        allScopesPass = False
+        else:
+          scopeStatus = testSkip
       printPassFail(scope, f'{scopeStatus}{currentCount(j, jcount)}')
     Ind.Decrement()
     service_account = GM.Globals[GM.OAUTH2SERVICE_JSON_DATA]['client_id']
@@ -58716,7 +58735,7 @@ def initCopyMoveOptions(copyCmd):
     'showPermissionMessages': False,
     'sendEmailIfRequired': False,
     'useDomainAdminAccess': False,
-    'enforceExpansiveAccess': False,
+    'enforceExpansiveAccess': GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS],
     'copiedShortcutsPointToCopiedFiles': True,
     'createShortcutsForNonmovableFiles': False,
     'duplicateFiles': DUPLICATE_FILE_OVERWRITE_OLDER,
@@ -62096,7 +62115,8 @@ def transferDrive(users):
   targetUserFolderPattern = '#user# old files'
   targetUserOrphansFolderPattern = '#user# orphaned files'
   targetIds = [None, None]
-  createShortcutsForNonmovableFiles = enforceExpansiveAccess = False
+  createShortcutsForNonmovableFiles = False
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   mergeWithTarget = False
   thirdPartyOwners = {}
   skipFileIdEntity = initDriveFileEntity()
@@ -62402,7 +62422,8 @@ def transferOwnership(users):
   body = {}
   newOwner = getEmailAddress()
   OBY = OrderBy(DRIVEFILE_ORDERBY_CHOICE_MAP)
-  changeParents = enforceExpansiveAccess = filepath = includeTrashed = noRecursion = False
+  changeParents = filepath = includeTrashed = noRecursion = False
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   pathDelimiter = '/'
   csvPF = fileTree = None
   addParents = ''
@@ -62728,7 +62749,8 @@ def claimOwnership(users):
   onlyOwners = set()
   skipOwners = set()
   subdomains = []
-  enforceExpansiveAccess = filepath = includeTrashed = False
+  filepath = includeTrashed = False
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   pathDelimiter = '/'
   addParents = ''
   parentBody = {}
@@ -63503,7 +63525,7 @@ def doCreateDriveFileACL():
 def updateDriveFileACLs(users, useDomainAdminAccess=False):
   fileIdEntity = getDriveFileEntity()
   isEmail, permissionId = getPermissionId()
-  enforceExpansiveAccess = None
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   removeExpiration = showTitles = updateSheetProtectedRanges = False
   showDetails = True
   csvPF = None
@@ -63832,7 +63854,7 @@ def doCreatePermissions():
 def deleteDriveFileACLs(users, useDomainAdminAccess=False):
   fileIdEntity = getDriveFileEntity()
   isEmail, permissionId = getPermissionId()
-  enforceExpansiveAccess = None
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   showTitles = updateSheetProtectedRanges = False
   while Cmd.ArgumentsRemaining():
     myarg = getArgument()
@@ -63961,7 +63983,7 @@ def deletePermissions(users, useDomainAdminAccess=False):
     jsonData = getJSON([])
     PM = PermissionMatch()
     PM.SetDefaultMatch(False, {'role': 'owner'})
-  enforceExpansiveAccess = False
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   while Cmd.ArgumentsRemaining():
     myarg = getArgument()
     if myarg in ADMIN_ACCESS_OPTIONS:

src/gam/gamlib/glapi.py

@@ -118,6 +118,7 @@ JWT_APIS = {
   ACCESSCONTEXTMANAGER: [CLOUD_PLATFORM_SCOPE],
   CHAT: ['https://www.googleapis.com/auth/chat.bot'],
   CLOUDRESOURCEMANAGER: [CLOUD_PLATFORM_SCOPE],
+  IAM: [IAM_SCOPE],
   ORGPOLICY: [CLOUD_PLATFORM_SCOPE],
   }
 #
@@ -131,6 +132,11 @@ APIS_NEEDING_ACCESS_TOKEN = {
   CBCM: ['https://www.googleapis.com/auth/admin.directory.device.chromebrowsers']
   }
 #
+FORCE_OFF_SA_SCOPES = {
+  'https://www.googleapis.com/auth/cloud-identity',
+  'https://www.googleapis.com/auth/cloud-platform',
+  }
+#
 REFRESH_PERM_ERRORS = [
   'invalid_grant: reauth related error (rapt_required)', # no way to reauth today
   'invalid_grant: Token has been expired or revoked',
@@ -645,11 +651,11 @@ _SVCACCT_SCOPES = [
    'api': GMAIL,
    'subscopes': [],
    'scope': 'https://www.googleapis.com/auth/gmail.settings.sharing'},
-  {'name': 'Identity and Access Management API',
-   'api': IAM,
-   'offByDefault': True,
-   'subscopes': [],
-   'scope': IAM_SCOPE},
+#  {'name': 'Identity and Access Management API',
+#   'api': IAM,
+#   'offByDefault': True,
+#   'subscopes': [],
+#   'scope': CLOUD_PLATFORM_SCOPE},
   {'name': 'Keep API',
    'api': KEEP,
    'subscopes': READONLY,

src/gam/gamlib/glcfg.py

@@ -163,6 +163,8 @@ EMAIL_BATCH_SIZE = 'email_batch_size'
 ENABLE_DASA = 'enable_dasa'
 # Enable Cloud Session Reauthentication by borrowing a RAPT token from gcloud command
 ENABLE_GCLOUD_REAUTH = 'enable_gcloud_reauth'
+# Value for enforceExpansiveAccess for commands that delete or update drive file ACLs/permissions.
+ENFORCE_EXPANSIVE_ACCESS = 'enforce_expansive_access'
 # When retrieving lists of calendar events from API, how many should be retrieved in each chunk
 EVENT_MAX_RESULTS = 'event_max_results'
 # Path to extra_args.txt
@@ -377,6 +379,7 @@ Defaults = {
   DEVICE_MAX_RESULTS: '200',
   DOMAIN: '',
   DRIVE_DIR: '',
+  ENFORCE_EXPANSIVE_ACCESS: FALSE,
   DRIVE_MAX_RESULTS: '1000',
   DRIVE_V3_BETA: FALSE,
   DRIVE_V3_NATIVE_NAMES: TRUE,
@@ -545,6 +548,7 @@ VAR_INFO = {
   DEVICE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 200)},
   DOMAIN: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'GA_DOMAIN', VAR_LIMITS: (0, None)},
   DRIVE_DIR: {VAR_TYPE: TYPE_DIRECTORY, VAR_ENVVAR: 'GAMDRIVEDIR'},
+  ENFORCE_EXPANSIVE_ACCESS: {VAR_TYPE: TYPE_BOOLEAN},
   DRIVE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 1000)},
   DRIVE_V3_BETA: {VAR_TYPE: TYPE_BOOLEAN},
   DRIVE_V3_NATIVE_NAMES: {VAR_TYPE: TYPE_BOOLEAN},

src/gam/gamlib/glmsgs.py

@@ -145,7 +145,7 @@ SCOPE_AUTHORIZATION_PASSED = '''All scopes PASSED!
 Service Account Client name: {0} is fully authorized.
 '''
 SCOPE_AUTHORIZATION_UPDATE_PASSED = '''All scopes PASSED!
-To authorize them (in case some scopes were unselected), please go to the following link in your browser:
+To update authorization (in case some scopes were unselected), please go to the following link in your browser:
 {0}
     {1}
 
@@ -156,8 +156,8 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 '''
-SCOPE_AUTHORIZATION_FAILED = '''Some scopes FAILED!
-To authorize them, please go to the following link in your browser:
+SCOPE_AUTHORIZATION_FAILED = '''Some scopes FAILED or should be DISABLED!
+To update authorization, please go to the following link in your browser:
 {0}
     {1}
 

wiki/GamUpdates.md

@@ -10,6 +10,34 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
 
 See [Downloads-Installs-GAM7](https://github.com/GAM-team/GAM/wiki/Downloads-Installs) for Windows or other options, including manual installation
 
+### 7.08.03
+
+Removed the overly broad service account `IAM and Access Management API` scope `https://www.googleapis.com/auth/cloud-platform`
+from DWD. The `gam <UserTypeEntity> check|Update serviceaccount` commands issue an error message if this scope
+is enabled promptig you to update your service account authorization so that the scope can be removed.
+
+GAM commands that need IAM access now use the more limited scope `https://www.googleapis.com/auth/iam` in a non-DWD manner.
+
+Updated to Python 3.13.4
+
+### 7.08.02
+
+Updated the defaults in `gam print shareddriveorganizers` to match the most common use case, not the script.
+
+* `domainlist` - The workspace primary domain
+* `includetypes` - user
+* `oneorganizer` - True
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+To select organizers from any domain, use: `domainlist ""`
+
+These commands produce the same result.
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers
+```
+
 ### 7.08.01
 
 Added option `shareddrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>))` to

wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md

@@ -251,9 +251,9 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin$ gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAM 7.08.01 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.08.03 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -989,9 +989,9 @@ writes the credentials into the file oauth2.txt.
 C:\>del C:\GAMConfig\oauth2.txt
 C:\>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAM 7.08.01 - https://github.com/GAM-team/GAM - pythonsource
+GAM 7.08.03 - https://github.com/GAM-team/GAM - pythonsource
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 Windows-10-10.0.17134 AMD64
 Path: C:\GAM7
 Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com

wiki/Shared-Drives.md

@@ -443,16 +443,18 @@ By default, organizers for all Shared Drives are displayed; use the following op
 For multiple organizers:
 * `delimiter <Character>` - Separate `organizers` entries with `<Character>`; the default value is `csv_output_field_delimiter` from `gam.cfg`.
 
-The command defaults match the script defaults:
-* `domainlist` - All domains
-* `includetypes` - user,group
-* `oneorganizer` - False
+The command defaults do not match the script defaults, they are set for the most common use case:
+* `domainlist` - The workspace primary domain
+* `includetypes` - user
+* `oneorganizer` - True
 * `shownoorganizerdrives` - True
 * `includefileorganizers` - False
 
+To select organizers from any domain, use: `domainlist ""`
+
 For example, to get a single user organizer from your domain for all Shared Drives including no organizer drives:
 ```
-gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers
 ```
 
 ## Display all Shared Drives with no members

wiki/Users-Shared-Drives.md

@@ -421,16 +421,18 @@ By default, organizers for all Shared Drives are displayed; use the following op
 For multiple organizers:
 * `delimiter <Character>` - Separate `organizers` entries with `<Character>`; the default value is `csv_output_field_delimiter` from `gam.cfg`.
 
-The command defaults match the script defaults:
-* `domainlist` - All domains
-* `includetypes` - user,group
-* `oneorganizer` - False
+The command defaults do not match the script defaults, they are set for the most common use case:
+* `domainlist` - The workspace primary domain
+* `includetypes` - user
+* `oneorganizer` - True
 * `shownoorganizerdrives` - True
 * `includefileorganizers` - False
 
+To select organizers from any domain, use: `domainlist ""`
+
 For example, to get a single user organizer from your domain for all Shared Drives including no organizer drives:
 ```
-gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers
 ```
 
 ## Manage Shared Drive access

wiki/Version-and-Help.md

@@ -3,9 +3,9 @@
 Print the current version of Gam with details
 ```
 gam version
-GAM 7.08.01 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.08.03 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -15,9 +15,9 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAM 7.08.01 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.08.03 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -27,9 +27,9 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAM 7.08.01 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.08.03 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -64,7 +64,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gam7
 Version Check:
   Current: 5.35.08
-   Latest: 7.08.01
+   Latest: 7.08.03
 echo $?
 1
 ```
@@ -72,7 +72,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-7.08.01
+7.08.03
 ```
 In Linux/MacOS you can do:
 ```
@@ -82,9 +82,9 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 7.08.01 - https://github.com/GAM-team/GAM
+GAM 7.08.03 - https://github.com/GAM-team/GAM
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com