Update shared drive error handling

Updated `gam <UserTypeEntity> copy|move drivefile` to hanndle additional instances of
the `cannotModifyInheritedPermission` error.

Added license SKU `Google AI Ultra for Business`

.github/workflows/build.yml

@@ -126,7 +126,7 @@ jobs:
         with:
           path: |
             cache.tar.xz
-          key: gam-${{ matrix.jid }}-20250611
+          key: gam-${{ matrix.jid }}-20250701
 
       - name: Untar Cache archive
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
@@ -457,10 +457,6 @@ jobs:
       - name: Custom wheels for Win arm64
         if: runner.os == 'Windows' && runner.arch == 'ARM64'
         run: |
-          latest_lxml_whl=$(curl https://api.github.com/repos/GAM-team/lxml-wheel/releases/latest -s | jq -r .assets.[0].browser_download_url)
-          echo "Downloading ${latest_lxml_whl}..."
-          curl -O -L "$latest_lxml_whl"
-          "$PYTHON" -m pip install lxml*.whl
           latest_crypt_whl=$(curl https://api.github.com/repos/jay0lee/cryptography/releases/latest -s | jq -r .assets.[0].browser_download_url)
           echo "Downloading ${latest_crypt_whl}..."
           curl -O -L "$latest_crypt_whl"
@@ -810,7 +806,7 @@ jobs:
           echo "Created shared drive ${driveid}"
           $gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB- ou "${newou}"
           $gam user $newuser add license workspaceenterpriseplus
-          $gam user $newuser update photo https://dummyimage.com/400x600/000/fff
+          $gam user $newuser update photo https://dummyimage.com/98x98/000/fff.jpg
           $gam user $newuser get photo
           $gam user $newuser delete photo
           $gam create alias $newalias user $newuser
@@ -857,7 +853,7 @@ jobs:
           $gam user $newuser show labels > labels.txt
           $gam user $gam_user importemail subject "GHA import $newbase" message "This is a test import" labels IMPORTANT,UNREAD,INBOX,STARRED
           $gam user $gam_user insertemail subject "GHA insert $newbase" file gam.py labels INBOX,UNREAD # yep body is gam code
-          $gam user $gam_user sendemail subject "GHA send $gam_user $newbase" file gam.py recipient admin@pdl.jaylee.us
+          $gam user $gam_user sendemail recipient admin@pdl.jaylee.us subject "GHA send $gam_user $newbase" file gam.py
           $gam user $gam_user draftemail subject "GHA draft $newbase" message "Draft message test"
           $gam csvfile sample.csv:email waitformailbox retries 20
           $gam user $newuser delegate to "${newbase}-bulkuser-1" || if [ $? != 50 ]; then exit $?; fi # expect a 50 return code (delegation failed)
@@ -920,7 +916,7 @@ jobs:
           $gam config enable_dasa true save
           $gam print users query "gha.jid=$JID" | $gam csv - gam delete user ~primaryEmail  || if [ $? != 50 ]; then exit $?; fi # expect a 50 return code (vault hold on user)
           $gam print mobile
-          $gam print devices
+          $gam print devices clientstates
           $gam print browsers
           $gam print cros allfields orderby serialnumber
           $gam show crostelemetry storagepercentonly

.github/workflows/pushwiki.yml

@@ -5,6 +5,8 @@ on:
   push:
     paths:
       - 'wiki/**'
+  workflow_dispatch:
+
 jobs:
   pushwiki:
     runs-on: ubuntu-latest

src/GamCommands.txt

@@ -1,4 +1,4 @@
-his document describes the GAM command line syntax in modified BNF, see https://en.wikipedia.org/wiki/Backus-Naur_Form
+This document describes the GAM command line syntax in modified BNF, see https://en.wikipedia.org/wiki/Backus-Naur_Form
 Skip the History section and start reading at Introduction.
 
 Items on the command line are space separated, when an actual space character is required, it will be indicated by <Space>.
@@ -279,6 +279,7 @@ If an item contains spaces, it should be surrounded by ".
         geminiedu | 1010470004 | Gemini Education |
         geminiedupremium| 1010470005 | Gemini Education Premium |
         geminient| duetai | 1010470001 | Gemini Enterprise |
+        geminiultra | 1010470008 | Google AI Ultra for Business |
         gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
         gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
         gsuitebusinessarchived | gsbau | businessarchived | 1010340002 | Google Workspace Business - Archived User |
@@ -404,6 +405,11 @@ If an item contains spaces, it should be surrounded by ".
 <ContactGroupItem> ::= <ContactGroupID>|<ContactGroupName>
 <CorporaAttribute> ::= alldrives|allteamdrives|domain|onlyteamdrives|user
 <CourseAlias> ::= <String>
+<CourseAnnouncementContent> ::=
+        ((text <String>)|
+         (textfile <FileName> [charset <Charset>])|
+         (gdoc <UserGoogleDoc>)|
+         (gcsdoc <StorageBucketObjectName>))
 <CourseAnnouncementID> ::= <Number>
 <CourseAnnouncementState> ::= draft|published|deleted
 <CourseID> ::= <Number>|d:<CourseAlias>
@@ -3119,8 +3125,21 @@ gam delete courses <CourseEntity> [archive|archived]
 gam course <CourseID> create|add alias <CourseAlias>
 gam course <CourseID> delete alias <CourseAlias>
 
+<CourseAnnouncementContent> ::=
+        ((text <String>)|
+         (textfile <FileName> [charset <Charset>])|
+         (gdoc <UserGoogleDoc>)|
+         (gcsdoc <StorageBucketObjectName>))
+
+gam course <CourseID> create announcement
+        <CourseAnnouncementContent> [scheduledtime <Time>] [state draft|published]
+gam course <CourseID> remove announcement <CourseAnnouncementID>
+gam course <CourseID> update announcement <CourseAnnouncementID>
+        [<CourseAnnouncementContent>] [scheduledtime <Time>] [state published]
+
 gam course <CourseID> create|add topic <CourseTopic>
 gam course <CourseID> delete topic <CourseTopicID>
+gam course <CourseID> update topic <CourseTopicID> <CourseTopic>
 
 gam course <CourseID> create|add teachers [makefirstteacherowner] <UserItem>
 gam course <CourseID> create|add students <UserItem>
@@ -3132,8 +3151,15 @@ gam course <CourseID> sync students [addonly|removeonly] <UserTypeEntity>
 gam courses <CourseEntity> create|add alias <CourseAliasEntity>
 gam courses <CourseEntity> delete alias <CourseAliasEntity>
 
+gam courses <CourseEntity> create announcement
+        <CourseAnnouncementContent>> [scheduledtime <Time>] [state draft|published]
+gam courses <CourseEntity> remove announcement <CourseAnnouncementIDEntity>
+gam courses <CourseEntity> update announcement <CourseAnnouncementIDEntity>
+        [<CourseAnnouncementContent>] [scheduledtime <Time>] [state published]
+
 gam courses <CourseEntity> create|add topic <CourseTopicEntity>
 gam courses <CourseEntity> delete topic <CourseTopicIDEntity>
+gam courses <CourseEntity> update topic <CourseTopicIDEntity> <CourseTopic>
 
 gam courses <CourseEntity> create|add teachers [makefirstteacherowner] <UserTypeEntity>
 gam courses <CourseEntity> create|add students <UserTypeEntity>
@@ -4124,6 +4150,7 @@ gam print devices [todrive <ToDriveAttribute>*]
         [orderby <DeviceOrderByFieldName> [ascending|descending]]
         [all|company|personal|nocompanydevices|nopersonaldevices]
         [nodeviceusers|oneuserperrow]
+        [clientstates]
         [formatjson [quotechar <Character>]]
         [showitemcountonly]
 
@@ -4435,19 +4462,18 @@ gam report usage customer [todrive <ToDriveAttribute>*]
         [convertmbtogb]
 
 <ActivityApplicationName> ::=
-        access|accesstransparency|
+        accesstransparency|access|
         admin|
         calendar|calendars|
         chat|
         chrome|
+        classroom|
         contextawareaccess|
-        currents|gplus|google+|
+        gplus|currents|google+|
         datastudio|
-        devices|mobile|
-        domain|
         drive|doc|docs|
-        gcp|
-        gemini|geminiforworkspace|
+        gcp|cloud|
+        geminiinworkspaceapps|gemini|geminiforworkspace|
         groups|group|
         groupsenterprise|enterprisegroups|
         jamboard|
@@ -4465,7 +4491,7 @@ gam report <ActivityApplicationName> [todrive <ToDriveAttribute>*]
         [(user all|<UserItem>)|(orgunit|org|ou <OrgUnitPath> [showorgunit])|(select <UserTypeEntity>)]
         [([start <Time>] [end <Time>])|(range <Time> <Time>)|
          yesterday|today|thismonth|(previousmonths <Integer>)]
-        [filtertime.* <Time>] [filter|filters <String>]
+        [filtertime.<String> <Time>] [filter|filters <String>]
         [event|events <EventNameList>] [ip <String>]
         [groupidfilter <String>]
         [maxactivities <Number>] [maxevents <Number>] [maxresults <Number>]
@@ -4777,6 +4803,8 @@ gam <UserTypeEntity> sendemail from <EmailAddress>
         allowcontentmanagerstosharefolders|
         copyrequireswriterpermission|
         domainusersonly|
+        downloadrestrictedforreaders|
+        downloadrestrictedforwriters|
         drivemembersonly|teammembersonly|
         sharingfoldersrequiresorganizerpermission
 
@@ -4816,11 +4844,13 @@ gam print shareddrives [todrive <ToDriveAttribute>*]
         [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         [fields <SharedDriveFieldNameList>] [noorgunits [<Boolean>]]
+        [showwebviewlink text|hyperlink]
         [formatjson [quotechar <Character>]]
 gam show shareddrives
         [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         [fields <SharedDriveFieldNameList>] [noorgunits [<Boolean>]]
+        [showwebviewlink text|hyperlink]
         [formatjson] [noorgunits [<Boolean>]]
 
 gam print shareddriveorganizers [todrive <ToDriveAttribute>*]
@@ -4901,12 +4931,14 @@ gam <UserTypeEntity> print shareddrives [todrive <ToDriveAttribute>*]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         (role|roles <SharedDriveACLRoleList>)*
         [fields <SharedDriveFieldNameList>]
+        [showwebviewlink text|hyperlink]
         [guiroles [<Boolean>]] [formatjson [quotechar <Character>]]
 gam <UserTypeEntity> show shareddrives
         [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         (role|roles <SharedDriveACLRoleList>)*
         [fields <SharedDriveFieldNameList>]
+        [showwebviewlink text|hyperlink]
         [guiroles [<Boolean>]] [formatjson]
 
 <PermissionMatch> ::=
@@ -5609,6 +5641,7 @@ gam update user <UserItem> [ignorenullpassword] <UserAttribute>*
         [logpassword <FileName>]
 gam delete user <UserItem> [noactionifalias]
 gam undelete user <UserItem> [ou|org|orgunit <OrgUnitPath>]
+gam check suspended <UserItem>
 gam suspend user <UserItem> [noactionifalias]
 gam unsuspend user <UserItem> [noactionifalias]
 gam info user [<UserItem>]
@@ -6925,6 +6958,7 @@ gam <UserTypeEntity> collect orphans
         capabilities.canchangecopyrequireswriterpermission|
         capabilities.canchangecopyrequireswriterpermissionrestriction|
         capabilities.canchangedomainusersonlyrestriction|
+        capabilities.canchangedownloadrestriction|
         capabilities.canchangedrivebackground|
         capabilities.canchangedrivemembersonlyrestriction|
         capabilities.canchangesecurityupdateenabled|
@@ -7417,10 +7451,12 @@ gam <UserTypeEntity> print filters [labelidsonly] [todrive <ToDriveAttribute>*]
 
 gam <UserTypeEntity> create form
         title <String> [description <String>] [isquiz [<Boolean>]] [<JSONData>]
+        [ispublished [<Boolean>] isacceptingresponses [<Boolean>]]
         [drivefilename <DriveFileName>] [<DriveFileParentAttribute>]
         [(csv [todrive <ToDriveAttribute>*]) | returnidonly]
 gam <UserTypeEntity> update form <DriveFileEntity>
         [title <String>] [description <String>] [isquiz [<Boolean>]] [<JSONData>]
+        [ispublished [<Boolean>] isacceptingresponses [<Boolean>]]
 
 gam <UserTypeEntity> print forms <DriveFileEntity> [todrive <ToDriveAttribute>*]
         (addcsvdata <FieldName> <String>)*
@@ -7612,48 +7648,61 @@ gam <UserTypeEntity> insert message
 
 gam <UserTypeEntity> archive messages <GroupItem>
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
          [quick|notquick] [doit] [max_to_archive <Number>])|(ids <MessageIDEntity>)
         [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> delete messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
          [quick|notquick] [doit] [max_to_delete <Number>])|(ids <MessageIDEntity>)
         [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> modify messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
          [quick|notquick] [doit] [max_to_modify <Number>])|(ids <MessageIDEntity>)
         ((addlabel <LabelName>)|(removelabel <LabelName>))+
         [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> spam messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
          [quick|notquick] [doit] [max_to_spam <Number>])|(ids <MessageIDEntity>)
         [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> trash messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
          [quick|notquick] [doit] [max_to_trash <Number>])|(ids <MessageIDEntity>)
         [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> untrash messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
          [quick|notquick] [doit] [max_to_untrash <Number>])|(ids <MessageIDEntity>)
         [csv [todrive <ToDriveAttribute>*]]
 
 gam <UserTypeEntity> export message|messages
-        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_export <Number>])|(ids <MessageIDEntity>)
+        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
+         [quick|notquick] [doit] [max_to_export <Number>])|(ids <MessageIDEntity>)
         [targetfolder <FilePath>] [targetname <FileName>] [overwrite [<Boolean>]]
 gam <UserTypeEntity> export thread|threads
-        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_export <Number>])|(ids <ThreadIDEntity>)
+        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
+         [quick|notquick] [doit] [max_to_export <Number>])|(ids <ThreadIDEntity>)
         [targetfolder <FilePath>] [targetname <FileName>] [overwrite [<Boolean>]]
 
 gam <UserTypeEntity> forward message|messages recipient|to <RecipientEntity>
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
          [quick|notquick] [doit] [max_to_forward <Number>])|(ids <MessageIDEntity>)
         [subject <String>] [addorigfieldstosubject [<Boolean>]] [altcharset <String>]
 gam <UserTypeEntity> forward thread|thtreads recipient|to <RecipientEntity>
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
          quick|notquick] [doit] [max_to_forward <Number>])|(ids <ThreadIDEntity>)
         [subject <String>] [addorigfieldstosubject [<Boolean>]] [altcharset <String>]
 
 gam <UserTypeEntity> show messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])*
+         [labelids <LabelIDList>]
          [quick|notquick] [max_to_show <Number>] [includespamtrash])|(ids <MessageIDEntity>)
         [labelmatchpattern <REMatchPattern>] [sendermatchpattern <REMatchPattern>]
         [countsonly|positivecountsonly] [useronly]
@@ -7666,6 +7715,7 @@ gam <UserTypeEntity> show messages|threads
             [uploadattachments [<DriveFileParentAttribute>]]]
 gam <UserTypeEntity> print messages|threads [todrive <ToDriveAttribute>*]
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])*
+         [labelids <LabelIDList>]
          [quick|notquick] [max_to_print <Number>] [includespamtrash])|(ids <MessageIDEntity>)
         [labelmatchpattern <REMatchPattern>] [sendermatchpattern <REMatchPattern>]
         [countsonly|positivecountsonly] [useronly]
@@ -8315,6 +8365,8 @@ gam <UserTypeEntity> print tasklists [todrive <ToDriveAttribute>*]
         allowcontentmanagerstosharefolders|
         copyrequireswriterpermission|
         domainusersonly|
+        downloadrestrictedforreaders|
+        downloadrestrictedforwriters|
         drivemembersonly|teammembersonly|
         sharingfoldersrequiresorganizerpermission
 

src/GamUpdate.txt

@@ -1,3 +1,110 @@
+7.12.00
+
+Started updated handling of missing scopes messages in client access commands;
+this is a work in progress.
+
+Updated `gam info|show shareddrive` to handle changes in the Drive API that caused traps.
+
+Added `downloadrestrictedforreaders` and `downloadrestrictedforwriters` to
+`<SharedDriveRestrictionsSubfieldName>` to support new Shared Drive restrictions.
+
+Updated `gam course <CourseID> create|update announcement` to accept input from
+a literal string, a file or a Google Doc.
+```
+<CourseAnnouncementContent> ::=
+        ((text <String>)|
+         (textfile <FileName> [charset <Charset>])|
+         (gdoc <UserGoogleDoc>)|
+         (gcsdoc <StorageBucketObjectName>))
+```
+
+Added command `gam check suspended <UserItem>` that checks the suspension status of a user
+and sets the return code to 0 if the user is not suspended or 26 if it is.
+```
+$ gam check suspended testok@domain.com
+User: testok@domain.com, Account Suspended: False
+$ echo $?
+0
+
+$ gam check suspended testsusp@domain.com
+User: testsusp@domain.com, Account Suspended: True, Suspension Reason: ADMIN
+$ echo $?
+26
+```
+
+Updated `gam <UserTypeEntity> sendemail` to verify that one of `recipient|to|from`
+immediately follows `sendemail`.
+
+7.11.00
+
+Added commands to manage classroom/course announcements.
+
+* See: https://github.com/GAM-team/GAM/wiki/Classroom-Courses#manage-course-announcements
+
+Upgraded to OpenSSL 3.5.1.
+
+7.10.10
+
+Added choices `text` and `hyperlink` to option `showwebviewlink` in `gam [<UserTypeEntity>] print|show shareddrives`.
+* `showwebviewlink text` - Displays `https://drive.google.com/drive/folders/<SharedDriveID>`
+* `showwebviewlink hyperlink` - Displays `=HYPERLINK("https://drive.google.com/drive/folders/<SharedDriveID>", "<SharedDriveName>")`
+
+7.10.09
+
+Added option `showwebviewlink` to `gam [<UserTypeEntity>] print|show shareddrives` that
+displays the web view link for the Shared Drive: `https://drive.google.com/drive/folders/<SharedDriveID>`.
+
+7.10.08
+
+Fixed bug in commands that modify messages where the `labelids <LabelIdList>` option
+could not be used unless one of these options was also specified: `query`, `matchlabel`, `ids`;
+it can be now be used by itself.
+
+7.10.07
+
+Updated `gam <UserTypeEntity> copy|move drivefile` to hanndle additional instances of
+the `cannotModifyInheritedPermission` error.
+
+Added license SKU `Google AI Ultra for Business`
+* ProductID - 101047
+* SKUID - 1010470008 | geminiultra
+
+7.10.06
+
+Added option `clientstates` to `gam print devices` to include client states in device output.
+
+7.10.05
+
+Google renamed an error: `cannotModifyInheritedTeamDrivePermission` became `cannotModifyInheritedPermission`.
+GAM will now handle the new error.
+
+7.10.04
+
+Updated `gam report <ActivityApplicationName>` to accept accept application names as defined
+in the Reports API discovery document; this means that GAM does not have to be updated when
+Google defines a new application name.
+
+`gemini_in_workspace_apps` is now available in `gam report`.
+
+7.10.03
+
+Fixed bug in commands that modify messages where the `labelids <LabelIdList>` option
+was not being applied.
+
+7.10.02
+
+Added option `labelids <LabelIdList>` to all commands that process messages;
+this option causes GAM to only return messages with labels that match all of the specified label IDs.
+
+Updated `gam <UserTypeEntity> print|show forms` to always display `isPublished` and
+`isAcceptingResponses` in `publishSettings/publishState` regardless of their value;
+the API doesn't return these values when they are False.
+
+7.10.01
+
+Added options `ispublished [<Boolean>]` and `isacceptingresponses [<Boolean>]` to
+`gam <UserTypeEntity> create|update form`.
+
 7.10.00
 
 Added commands to manage/display Chat Custom Emojis.

src/gam/gamlib/glapi.py

@@ -226,15 +226,15 @@ _INFO = {
   CHROMEMANAGEMENT_TELEMETRY: {'name': 'Chrome Management API - Telemetry', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHROMEMANAGEMENT},
   CHROMEPOLICY: {'name': 'Chrome Policy API', 'version': 'v1', 'v2discovery': True},
   CHROMEVERSIONHISTORY: {'name': 'Chrome Version History API', 'version': 'v1', 'v2discovery': True},
-  CLOUDCHANNEL: {'name': 'Channel Channel API', 'version': 'v1', 'v2discovery': True},
-  CLOUDIDENTITY_DEVICES: {'name': 'Cloud Identity Devices API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_GROUPS: {'name': 'Cloud Identity Groups API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_GROUPS_BETA: {'name': 'Cloud Identity Groups API', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_INBOUND_SSO: {'name': 'Cloud Identity Inbound SSO API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_ORGUNITS: {'name': 'Cloud Identity OrgUnits API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_ORGUNITS_BETA: {'name': 'Cloud Identity OrgUnits API', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_POLICY: {'name': 'Cloud Identity Policy API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_USERINVITATIONS: {'name': 'Cloud Identity User Invitations API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDCHANNEL: {'name': 'Cloud Channel API', 'version': 'v1', 'v2discovery': True},
+  CLOUDIDENTITY_DEVICES: {'name': 'Cloud Identity API - Devices', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_GROUPS: {'name': 'Cloud Identity API - Groups', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_GROUPS_BETA: {'name': 'Cloud Identity API - Groups Beta', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_INBOUND_SSO: {'name': 'Cloud Identity API - Inbound SSO Settings', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_ORGUNITS: {'name': 'Cloud Identity API - OrgUnits', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_ORGUNITS_BETA: {'name': 'Cloud Identity API - OrgUnits Beta', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_POLICY: {'name': 'Cloud Identity API - Policy', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_USERINVITATIONS: {'name': 'Cloud Identity API - User Invitations', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
   CLOUDRESOURCEMANAGER: {'name': 'Cloud Resource Manager API v3', 'version': 'v3', 'v2discovery': True},
   CONTACTS: {'name': 'Contacts API', 'version': 'v3', 'v2discovery': False},
   CONTACTDELEGATION: {'name': 'Contact Delegation API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
@@ -258,13 +258,13 @@ _INFO = {
   LICENSING: {'name': 'License Manager API', 'version': 'v1', 'v2discovery': True},
   LOOKERSTUDIO: {'name': 'Looker Studio API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
   MEET: {'name': 'Meet API', 'version': 'v2', 'v2discovery': True},
-  MEET_BETA: {'name': 'Meet API', 'version': 'v2beta', 'v2discovery': True, 'localjson': True, 'mappedAPI': MEET},
+  MEET_BETA: {'name': 'Meet API Beta', 'version': 'v2beta', 'v2discovery': True, 'localjson': True, 'mappedAPI': MEET},
   OAUTH2: {'name': 'OAuth2 API', 'version': 'v2', 'v2discovery': False},
   ORGPOLICY: {'name': 'Organization Policy API', 'version': 'v2', 'v2discovery': True},
   PEOPLE: {'name': 'People API', 'version': 'v1', 'v2discovery': True},
   PEOPLE_DIRECTORY: {'name': 'People Directory API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': PEOPLE},
   PEOPLE_OTHERCONTACTS: {'name': 'People  API - Other Contacts', 'version': 'v1', 'v2discovery': True, 'mappedAPI': PEOPLE},
-  PRINTERS: {'name': 'Directory API Printers', 'version': 'directory_v1', 'v2discovery': True, 'mappedAPI': 'admin'},
+  PRINTERS: {'name': 'Directory API - Printers', 'version': 'directory_v1', 'v2discovery': True, 'mappedAPI': 'admin'},
   PUBSUB: {'name': 'Pub / Sub API', 'version': 'v1', 'v2discovery': True},
   REPORTS: {'name': 'Reports API', 'version': 'reports_v1', 'v2discovery': True, 'mappedAPI': 'admin'},
   RESELLER: {'name': 'Reseller API', 'version': 'v1', 'v2discovery': True},
@@ -362,29 +362,29 @@ _CLIENT_SCOPES = [
    'subscopes': READONLY,
    'offByDefault': True,
    'scope': 'https://www.googleapis.com/auth/apps.order'},
-  {'name': 'Cloud Identity Groups API',
+  {'name': 'Cloud Identity API - Groups',
    'api': CLOUDIDENTITY_GROUPS,
    'subscopes': READONLY,
    'scope': 'https://www.googleapis.com/auth/cloud-identity.groups'},
-  {'name': 'Cloud Identity Groups API Beta (Enables group locking/unlocking)',
+  {'name': 'Cloud Identity API - Groups Beta (Enables group locking/unlocking)',
    'api': CLOUDIDENTITY_GROUPS_BETA,
    'subscopes': [],
    'scope': 'https://www.googleapis.com/auth/cloud-identity.groups'},
-  {'name': 'Cloud Identity - Inbound SSO Settings',
+  {'name': 'Cloud Identity API - Inbound SSO Settings',
    'api': CLOUDIDENTITY_INBOUND_SSO,
    'subscopes': READONLY,
    'scope': 'https://www.googleapis.com/auth/cloud-identity.inboundsso'},
-  {'name': 'Cloud Identity OrgUnits API',
+  {'name': 'Cloud Identity API - OrgUnits Beta',
    'api': CLOUDIDENTITY_ORGUNITS_BETA,
    'subscopes': READONLY,
    'scope': 'https://www.googleapis.com/auth/cloud-identity.orgunits'},
-  {'name': 'Cloud Identity - Policy',
+  {'name': 'Cloud Identity API - Policy',
    'api': CLOUDIDENTITY_POLICY,
    'subscopes': READONLY,
    'roByDefault': True,
    'scope': 'https://www.googleapis.com/auth/cloud-identity.policies'
   },
-  {'name': 'Cloud Identity User Invitations API',
+  {'name': 'Cloud Identity API - User Invitations',
    'api': CLOUDIDENTITY_USERINVITATIONS,
    'subscopes': READONLY,
    'scope': 'https://www.googleapis.com/auth/cloud-identity.userinvitations'},
@@ -650,7 +650,7 @@ _SVCACCT_SCOPES = [
    'api': GMAIL,
    'subscopes': [],
    'scope': 'https://www.googleapis.com/auth/gmail.modify'},
-  {'name': 'Gmail API - Basic Settings (Filters,IMAP, Language, POP, Vacation) - read/write, Sharing Settings (Delegates, Forwarding, SendAs) - read',
+  {'name': 'Gmail API - Basic Settings (Filters, IMAP, Language, POP, Vacation) - read/write, Sharing Settings (Delegates, Forwarding, SendAs) - read',
    'api': GMAIL,
    'subscopes': [],
    'scope': 'https://www.googleapis.com/auth/gmail.settings.basic'},
@@ -833,3 +833,27 @@ def getSvcAcctScopesList(userServiceAccountAccessOnly, svcAcctSpecialScopes):
 
 def hasLocalJSON(api):
   return _INFO[api].get('localjson', False)
+
+def findAPIforScope(scopesList):
+  def checkScopeMatch(scope, cscope):
+    if cscope['scope'] == scope:
+      requiredAPIs.append(cscope['name'])
+      return True
+    if cscope['subscopes'] == READONLY and cscope['scope']+'.readonly' == scope:
+      requiredAPIs.append(cscope['name']+' (supports readonly)')
+      return True
+    return False
+    
+  requiredAPIs = []
+  for scope in scopesList:
+    for cscope in _CLIENT_SCOPES:
+      if checkScopeMatch(scope, cscope):
+        break
+    else:
+      for cscope in _SVCACCT_SCOPES:
+        if checkScopeMatch(scope, cscope):
+          break
+  if not requiredAPIs:
+    requiredAPIs = scopesList
+  return ' or '.join(requiredAPIs)
+    

src/gam/gamlib/glclargs.py

@@ -777,6 +777,7 @@ class GamCLArgs():
   ARG_STORAGEBUCKETS = 'storagebuckets'
   ARG_STORAGEFILE = 'storagefile'
   ARG_STORAGEFILES = 'storagefiles'
+  ARG_SUSPENDED = 'suspended'
   ARG_SVCACCT = 'svcacct'
   ARG_SVCACCTS = 'svcaccts'
   ARG_TASK = 'task'
@@ -875,8 +876,11 @@ class GamCLArgs():
   OB_CONTACT_GROUP_ITEM = 'ContactGroupItem'
   OB_COURSE_ALIAS = 'CourseAlias'
   OB_COURSE_ALIAS_ENTITY = 'CourseAliasEntity'
+  OB_COURSE_ANNOUNCEMENT_ID = "CourseAnnouncementID"
   OB_COURSE_ANNOUNCEMENT_ID_ENTITY = "CourseAnnouncementIDEntity"
   OB_COURSE_ANNOUNCEMENT_STATE_LIST = "CourseAnnouncementStateList"
+  OB_COURSE_ANNOUNCEMENT_ADD_STATE_LIST = "CourseAnnouncementAddStateList"
+  OB_COURSE_ANNOUNCEMENT_UPDATE_STATE_LIST = "CourseAnnouncementUpdateStateList"
   OB_COURSE_ENTITY = 'CourseEntity'
   OB_COURSE_ID = 'CourseID'
   OB_COURSE_MATERIAL_ID_ENTITY = 'CourseMaterialIDEntity'

src/gam/gamlib/glgapi.py

@@ -41,6 +41,7 @@ CANNOT_DELETE_PERMISSION = 'cannotDeletePermission'
 CANNOT_DELETE_PRIMARY_CALENDAR = 'cannotDeletePrimaryCalendar'
 CANNOT_DELETE_PRIMARY_SENDAS = 'cannotDeletePrimarySendAs'
 CANNOT_DELETE_RESOURCE_WITH_CHILDREN = 'cannotDeleteResourceWithChildren'
+CANNOT_MODIFY_INHERITED_PERMISSION = 'cannotModifyInheritedPermission'
 CANNOT_MODIFY_INHERITED_TEAMDRIVE_PERMISSION = 'cannotModifyInheritedTeamDrivePermission'
 CANNOT_MODIFY_RESTRICTED_LABEL = 'cannotModifyRestrictedLabel'
 CANNOT_MODIFY_VIEWERS_CAN_COPY_CONTENT = 'cannotModifyViewersCanCopyContent'
@@ -133,6 +134,7 @@ OPERATION_NOT_SUPPORTED = 'operationNotSupported'
 ORGANIZER_ON_NON_TEAMDRIVE_NOT_SUPPORTED = 'organizerOnNonTeamDriveNotSupported'
 ORGANIZER_ON_NON_TEAMDRIVE_ITEM_NOT_SUPPORTED = 'organizerOnNonTeamDriveItemNotSupported'
 ORGUNIT_NOT_FOUND = 'orgunitNotFound'
+OUTSIDE_DOMAIN_MEMBER_CANNOT_CHANGE_TEAMDRIVE_RESTRICTIONS = 'outsideDomainMemberCannotChangeTeamDriveRestrictions'
 OWNER_ON_TEAMDRIVE_ITEM_NOT_SUPPORTED = 'ownerOnTeamDriveItemNotSupported'
 OWNERSHIP_CHANGE_ACROSS_DOMAIN_NOT_PERMITTED = 'ownershipChangeAcrossDomainNotPermitted'
 PARTICIPANT_IS_NEITHER_ORGANIZER_NOR_ATTENDEE = 'participantIsNeitherOrganizerNorAttendee'
@@ -228,6 +230,7 @@ DRIVE3_CREATE_ACL_THROW_REASONS = [BAD_REQUEST, INVALID, INVALID_SHARING_REQUEST
                                    FILE_ORGANIZER_NOT_YET_ENABLED_FOR_THIS_TEAMDRIVE,
                                    FILE_ORGANIZER_ON_FOLDERS_IN_SHARED_DRIVE_ONLY,
                                    FILE_ORGANIZER_ON_NON_TEAMDRIVE_NOT_SUPPORTED,
+                                   CANNOT_MODIFY_INHERITED_PERMISSION,
                                    TEAMDRIVES_FOLDER_SHARING_NOT_SUPPORTED, INVALID_LINK_VISIBILITY, ABUSIVE_CONTENT_RESTRICTION]
 DRIVE3_GET_ACL_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND, FORBIDDEN, INTERNAL_ERROR,
                                                    INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, INSUFFICIENT_FILE_PERMISSIONS,
@@ -248,10 +251,10 @@ DRIVE3_UPDATE_ACL_THROW_REASONS = [BAD_REQUEST, INVALID_OWNERSHIP_TRANSFER, CANN
                                    FILE_ORGANIZER_ON_FOLDERS_IN_SHARED_DRIVE_ONLY,
                                    FILE_ORGANIZER_ON_NON_TEAMDRIVE_NOT_SUPPORTED,
                                    CANNOT_UPDATE_PERMISSION,
-                                   CANNOT_MODIFY_INHERITED_TEAMDRIVE_PERMISSION,
+                                   CANNOT_MODIFY_INHERITED_TEAMDRIVE_PERMISSION, CANNOT_MODIFY_INHERITED_PERMISSION,
                                    FIELD_NOT_WRITABLE, PERMISSION_NOT_FOUND]
 DRIVE3_DELETE_ACL_THROW_REASONS = [BAD_REQUEST, CANNOT_REMOVE_OWNER,
-                                   CANNOT_MODIFY_INHERITED_TEAMDRIVE_PERMISSION,
+                                   CANNOT_MODIFY_INHERITED_TEAMDRIVE_PERMISSION, CANNOT_MODIFY_INHERITED_PERMISSION,
                                    INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, SHARING_RATE_LIMIT_EXCEEDED,
                                    NOT_FOUND, PERMISSION_NOT_FOUND, CANNOT_DELETE_PERMISSION]
 DRIVE3_MODIFY_LABEL_THROW_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND, NOT_FOUND, FORBIDDEN, INTERNAL_ERROR,
@@ -273,11 +276,11 @@ GROUP_SETTINGS_THROW_REASONS = [NOT_FOUND, GROUP_NOT_FOUND, DOMAIN_NOT_FOUND, DO
                                 INVALID, INVALID_ARGUMENT, INVALID_PARAMETER, INVALID_ATTRIBUTE_VALUE, INVALID_INPUT,
                                 SERVICE_LIMIT, SERVICE_NOT_AVAILABLE, AUTH_ERROR, REQUIRED]
 GROUP_SETTINGS_RETRY_REASONS = [INVALID, SERVICE_LIMIT, SERVICE_NOT_AVAILABLE]
-GROUP_LIST_THROW_REASONS = [RESOURCE_NOT_FOUND, DOMAIN_NOT_FOUND, FORBIDDEN, BAD_REQUEST]
+GROUP_LIST_THROW_REASONS = [RESOURCE_NOT_FOUND, DOMAIN_NOT_FOUND, FORBIDDEN, BAD_REQUEST, PERMISSION_DENIED]
 GROUP_LIST_USERKEY_THROW_REASONS = GROUP_LIST_THROW_REASONS+[INVALID_MEMBER, INVALID_INPUT]
 KEEP_THROW_REASONS = [AUTH_ERROR, BAD_REQUEST, PERMISSION_DENIED, INVALID_ARGUMENT, NOT_FOUND]
 LOOKERSTUDIO_THROW_REASONS = [INVALID_ARGUMENT, SERVICE_NOT_AVAILABLE, BAD_REQUEST, NOT_FOUND, PERMISSION_DENIED, INTERNAL_ERROR]
-MEMBERS_THROW_REASONS = [GROUP_NOT_FOUND, DOMAIN_NOT_FOUND, DOMAIN_CANNOT_USE_APIS, INVALID, FORBIDDEN, SERVICE_NOT_AVAILABLE]
+MEMBERS_THROW_REASONS = [GROUP_NOT_FOUND, DOMAIN_NOT_FOUND, DOMAIN_CANNOT_USE_APIS, INVALID, FORBIDDEN, SERVICE_NOT_AVAILABLE, PERMISSION_DENIED]
 MEMBERS_RETRY_REASONS = [SYSTEM_ERROR, SERVICE_NOT_AVAILABLE]
 ORGUNIT_GET_THROW_REASONS = [INVALID_ORGUNIT, ORGUNIT_NOT_FOUND, BACKEND_ERROR, BAD_REQUEST, INVALID_CUSTOMER_ID, LOGIN_REQUIRED]
 PEOPLE_ACCESS_THROW_REASONS = [SERVICE_NOT_AVAILABLE, FORBIDDEN, PERMISSION_DENIED, FAILED_PRECONDITION]
@@ -398,6 +401,8 @@ class cannotDeletePrimarySendAs(Exception):
   pass
 class cannotDeleteResourceWithChildren(Exception):
   pass
+class cannotModifyInheritedPermission(Exception):
+  pass
 class cannotModifyInheritedTeamDrivePermission(Exception):
   pass
 class cannotModifyRestrictedLabel(Exception):
@@ -574,6 +579,8 @@ class organizerOnNonTeamDriveItemNotSupported(Exception):
   pass
 class orgunitNotFound(Exception):
   pass
+class outsideDomainMemberCannotChangeTeamDriveRestrictions(Exception):
+  pass
 class ownerOnTeamDriveItemNotSupported(Exception):
   pass
 class ownershipChangeAcrossDomainNotPermitted(Exception):
@@ -698,6 +705,7 @@ REASON_EXCEPTION_MAP = {
   CANNOT_DELETE_PRIMARY_CALENDAR: cannotDeletePrimaryCalendar,
   CANNOT_DELETE_PRIMARY_SENDAS: cannotDeletePrimarySendAs,
   CANNOT_DELETE_RESOURCE_WITH_CHILDREN: cannotDeleteResourceWithChildren,
+  CANNOT_MODIFY_INHERITED_PERMISSION: cannotModifyInheritedPermission,
   CANNOT_MODIFY_INHERITED_TEAMDRIVE_PERMISSION: cannotModifyInheritedTeamDrivePermission,
   CANNOT_MODIFY_RESTRICTED_LABEL: cannotModifyRestrictedLabel,
   CANNOT_MODIFY_VIEWERS_CAN_COPY_CONTENT: cannotModifyViewersCanCopyContent,
@@ -786,6 +794,7 @@ REASON_EXCEPTION_MAP = {
   ORGANIZER_ON_NON_TEAMDRIVE_NOT_SUPPORTED: organizerOnNonTeamDriveNotSupported,
   ORGANIZER_ON_NON_TEAMDRIVE_ITEM_NOT_SUPPORTED: organizerOnNonTeamDriveItemNotSupported,
   ORGUNIT_NOT_FOUND: orgunitNotFound,
+  OUTSIDE_DOMAIN_MEMBER_CANNOT_CHANGE_TEAMDRIVE_RESTRICTIONS: outsideDomainMemberCannotChangeTeamDriveRestrictions,
   OWNER_ON_TEAMDRIVE_ITEM_NOT_SUPPORTED: ownerOnTeamDriveItemNotSupported,
   OWNERSHIP_CHANGE_ACROSS_DOMAIN_NOT_PERMITTED: ownershipChangeAcrossDomainNotPermitted,
   PARTICIPANT_IS_NEITHER_ORGANIZER_NOR_ATTENDEE: participantIsNeitherOrganizerNorAttendee,

src/gam/gamlib/glmsgs.py

@@ -184,8 +184,8 @@ ALREADY_EXISTS_IN_TARGET_FOLDER = 'Already exists in {0}: {1}'
 ALREADY_EXISTS_USE_MERGE_ARGUMENT = 'Already exists; use the "merge" argument to merge the labels'
 API_ACCESS_DENIED = 'API access Denied'
 API_CALLS_RETRY_DATA = 'API calls retry data\n'
-API_CHECK_CLIENT_AUTHORIZATION = 'Please make sure the Client ID: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam oauth create\n'
-API_CHECK_SVCACCT_AUTHORIZATION = 'Please make sure the Service Account Client ID: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam user {2} update serviceaccount\n'
+API_CHECK_CLIENT_AUTHORIZATION = 'Please make sure the Client ID: {0} is authorized for the appropriate API or scopes: {1}\n\nRun: gam oauth create\n'
+API_CHECK_SVCACCT_AUTHORIZATION = 'Please make sure the Service Account Client ID: {0} is authorized for the appropriate API or scopes: {1}\n\nRun: gam user {2} update serviceaccount\n'
 API_ERROR_SETTINGS = 'API error, some settings not set'
 ARE_BOTH_REQUIRED = 'Arguments {0} and {1} are both required'
 ARE_MUTUALLY_EXCLUSIVE = 'Arguments {0} and {1} are mutually exclusive'
@@ -425,7 +425,7 @@ NO_LABELS_TO_PROCESS = 'No Labels to process'
 NO_MESSAGES_WITH_LABEL = 'No Messages with Label'
 NO_PARENTS_TO_CONVERT_TO_SHORTCUTS = 'No parents to convert to shortcuts'
 NO_REPORT_AVAILABLE = 'No {0} report available.'
-NO_SCOPES_FOR_API = 'There are no scopes authorized for the {0}'
+NO_SCOPES_FOR_API = 'There are no scopes authorized for the API(s): {0}'
 NO_SERIAL_NUMBERS_SPECIFIED = 'No serial numbers specified'
 NO_SSO_PROFILE_MATCHES = 'No SSO profile matches display name {0}'
 NO_SSO_PROFILE_ASSIGNED = 'No SSO profile assigned to {0} {1}'

src/gam/gamlib/glskus.py

@@ -107,6 +107,8 @@ _SKUS = {
     'product': '101047', 'aliases': ['aisecurity'], 'displayName': 'AI Security'},
   '1010470007': {
     'product': '101047', 'aliases': ['aimeetingsandmessaging'], 'displayName': 'AI Meetings and Messaging'},
+  '1010470008': {
+    'product': '101047', 'aliases': ['geminiultra'], 'displayName': 'Google AI Ultra for Business'},
   '1010490001': {
     'product': '101049', 'aliases': ['eeu'], 'displayName': 'Endpoint Education Upgrade'},
   '1010500001': {

wiki/Authorization.md

@@ -5,7 +5,7 @@
 - [Python Regular Expressions](Python-Regular-Expressions)
 - [Definitions](#definitions)
 - [Manage Projects](#manage-projects)
-  - [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
+  - [Authorize a user to create projects](#authorize-a-user-to-create-projects)
   - [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
   - [Authorize GAM to create projects](#authorize-gam-to-create-projects)
   - [Create a new GCP project folder](#create-a-new-gcp-project-folder)
@@ -74,11 +74,6 @@ Verify that all scopes are available:
 * Select "ON for everyone"
 * Click "SAVE"
 
-Verify that internal apps are trusted.
-* Access the admin console and go to Security -> Access and data control -> API Controls
-* Check that "Trust internal, domain-owned apps" is present in the **Settings** section
-* Click "SAVE"
-
 If you run a Google Workspace Education SKU, verify that Classroom API is enabled if required.
 * Access the admin console and go to Apps -> Google Workspace - Classroom
 * Expand "Data access"
@@ -110,12 +105,13 @@ Verify whether the super admin you'll be using is in an OU where reauthenticatio
 * Access the admin console and go to Security -> Overview
 * Scroll down and open Google Cloud session control section
 * Select the OU containing the super admin
-* If Require reauthentication is selected and Exempt Trusted apps is not checked, you'll have to do `gam oauth create` at whatever frequency is specified
-* If that sounds unappealing, check Exempt Trusted apps
-* Click "OVERRIDE"
+* If Require reauthentication is selected, you'll need either:
+  * uncheck Google Cloud Storage and any other GCP APIs that you selected on `gam oauth create` (reauth is only necessary for GCP APIs)
+  * enable "Exempt Trusted apps"
+  * rerun `gam oauth create` at whatever frequency is specified
 
 Additional steps may be required if errors are encountered.
-* [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
+* [Authorize a user to create projects](#authorize-a-user-to-create-projects)
 * [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
 * [Authorize GAM to create projects](#authorize-gam-to-create-projects)
 
@@ -169,8 +165,8 @@ For `print|show projects`, you can eliminate the password prompt and authenticat
 gam print projects admin admin@domain.com
 ```
 
-## Authorize a super admin to create projects
-If you try to create a project and get an error saying that the admin you specified is not authorized to create projects,
+## Authorize a user to create projects
+If you try to create a project and get an error saying that the user you specified is not authorized to create projects,
 perform these steps and then retry the create project command.
 
 * Login as an existing super admin at console.cloud.google.com
@@ -184,13 +180,12 @@ perform these steps and then retry the create project command.
 * Click in the Select a role box
 * Type project creator in the Filter box
 * Click Project Creator
-* Click + Add Another Role
-* Type orgpolicy.policyAdmin in the Filter box
-* Click Organization Policy Administrator
 * Click Save
 
 ## Authorize Service Account Key Uploads
 
+*IMPORTANT:* Google best practice is to NOT use service account keys. Rather than overriding Google's default policy please consider [running GAM on Google Compute Engine Securely](https://github.com/GAM-team/GAM/wiki/l-Running-GAM-on-Google-Compute-Engine-(GCE)-Securely) so that service account keys are not necessary.
+
 If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload violated for service account projects/gam-project-xxxxx`,
 perform these steps and then you should be able to authorize and use your project.
 

wiki/Basic-Items.md

@@ -302,6 +302,11 @@
 <ContactGroupItem> ::= <ContactGroupID>|<ContactGroupName>
 <CorporaAttribute> ::= alldrives|allteamdrives|domain|onlyteamdrives|user
 <CourseAlias> ::= <String>
+<CourseAnnouncementContent> ::=
+        ((text <String>)|
+         (textfile <FileName> [charset <Charset>])|
+         (gdoc <UserGoogleDoc>)|
+         (gcsdoc <StorageBucketObjectName>))
 <CourseAnnouncementID> ::= <Number>
 <CourseAnnouncementState> ::= draft|published|deleted
 <CourseID> ::= <Number>|d:<CourseAlias>

wiki/Classroom-Courses.md

@@ -8,6 +8,7 @@
 - [Create and update courses](#create-and-update-courses)
 - [Delete courses](#delete-courses)
 - [Manage course aliases](#manage-course-aliases)
+- [Manage course announcements](#manage-course-announcements)
 - [Manage course topics](#manage-course-topics)
 - [Display courses](#display-courses)
 - [Display course counts](#display-course-counts)
@@ -55,6 +56,11 @@ gam user user@domain.com check|update serviceaccount
 <CourseAliasEntity> ::=
         <CourseAliasList>|<FileSelector>|<CSVFileSelector>|<CSVkmdSelector>|<CSVDataSelector>
         See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
+<CourseAnnouncementContent> ::=
+        ((text <String>)|
+         (textfile <FileName> [charset <Charset>])|
+         (gdoc <UserGoogleDoc>)|
+         (gcsdoc <StorageBucketObjectName>))
 <CourseAnnouncementID> ::= <Number>
 <CourseAnnouncementIDList> ::= "<CourseAnnouncementID>(,<CourseAnnouncementID>)*"
 <CourseAnnouncementIDEntity> ::=
@@ -389,17 +395,40 @@ These commands can process multiple courses.
 gam courses <CourseEntity> add alias <CourseAliasEntity>
 gam courses <CourseEntity> delete alias <CourseAliasEntity>
 ```
+
+## Manage course announcements
+These commands can process a single course.
+```
+gam course <CourseID> add announcement
+        <CourseAnnouncementContent> [scheduledtime <Time>] [state draft|published]
+gam course <CourseID> delete announcement <CourseAnnouncementID>
+gam course <CourseID> update announcement <CourseAnnouncementID>
+        [<CourseAnnouncementContent>] [scheduledtime <Time>] [state published]
+```
+These commands can process multiple courses.
+```
+gam courses <CourseEntity> add announcement
+        <CourseAnnouncementContent> [scheduledtime <Time>] [state draft|published]
+gam courses <CourseEntity> delete announcement <CourseAnnouncementIDEntity>
+gam courses <CourseEntity> update announcement <CourseAnnouncementIDEntity>
+        [<CourseAnnouncementContent>] [scheduledtime <Time>] [state published]
+```
+
 ## Manage course topics
 These commands can process a single course.
 ```
 gam course <CourseID> add topic <CourseTopic>
 gam course <CourseID> delete topic <CourseTopicID>
+gam course <CourseID> update topic <CourseTopicID> <CourseTopic>
+
 ```
 These commands can process multiple courses.
 ```
 gam courses <CourseEntity> add topic <CourseTopicEntity>
 gam courses <CourseEntity> delete topic <CourseTopicIDEntity>
+gam courses <CourseEntity> update topic <CourseTopicIDEntity> <CourseTopic>
 ```
+
 ## Display courses
 ```
 gam info course <CourseID> [owneremail] [alias|aliases] [show all|students|teachers] [countsonly]

wiki/Cloud-Identity-Devices.md

@@ -211,6 +211,7 @@ gam print devices [todrive <ToDriveAttribute>*]
         [orderby <DeviceOrderByFieldName> [ascending|descending]]
         [all|company|personal|nocompanydevices|nopersonaldevices]
         [nodeviceusers|oneuserperrow]
+        [clientstates]
         [formatjson [quotechar <Character>]]
 ```
 By default, all devices are displayed; use the query options to limit the display.

wiki/Cloud-Identity-Groups.md

@@ -20,7 +20,8 @@
 
 ## Query documentation
 * [Cloud Identity Groups API - Search Dynamic Groups](https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery)
-* [Member REstrictions](https://cloud.google.com/identity/docs/reference/rest/v1/SecuritySettings#MemberRestriction)
+* [Dynamic Groups Member Attributes](https://cloud.google.com/identity/docs/how-to/dynamic-groups-attributes)
+* [Member Restrictions](https://cloud.google.com/identity/docs/reference/rest/v1/SecuritySettings#MemberRestriction)
 
 ## Notes
 

wiki/Cloud-Identity-Policies.md

@@ -12,14 +12,28 @@
 
 ## Notes
 To use these commands you must update your client access authentication.
-You'll enter 19R to turn on the Cloud Identity Policy scope; then continue
+You'll enter 20r to turn on the Cloud Identity Policy scope; then continue
 with authentication.
 ```
 gam oauth delete
 gam oauth create
 ...
-[R] 19)  Cloud Identity - Policy
+[R] 20)  Cloud Identity - Policy (supports readonly)
 ```
+You must enable access to policies in the GCP cloud console.
+
+* Login at console.cloud.google.com
+* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
+* Under IAM & Admin select IAM
+* Click in the box to the right of Google Cloud
+* Click the three dots at the right and select IAM/Permissions
+* Now you should be at "Permissions for organization ..."
+* Click on Grant Access
+* Enter the GAM project creator address in Principals
+* Click in the Select a role box
+* Type orgpolicy.policyAdmin in the Filter box
+* Click Organization Policy Administrator
+* Click Save
 
 ## Definitions
 ```

wiki/GAM-Return-Codes.md

@@ -33,6 +33,7 @@ ENTITY_IS_A_GROUP_RC = 22
 ENTITY_IS_A_GROUP_ALIAS_RC = 23
 ENTITY_IS_AN_UNMANAGED_ACCOUNT_RC = 24
 ORGUNIT_NOT_EMPTY_RC = 25
+USER_SUSPENDED_RC = 26
 CHECK_USER_GROUPS_ERROR_RC = 29
 ORPHANS_COLLECTED_RC = 30
 # Warnings/Errors

wiki/GamUpdates.md

@@ -10,6 +10,113 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
 
 See [Downloads-Installs-GAM7](https://github.com/GAM-team/GAM/wiki/Downloads-Installs) for Windows or other options, including manual installation
 
+### 7.12.00
+
+Started updated handling of missing scopes messages in client access commands;
+this is a work in progress.
+
+Updated `gam info|show shareddrive` to handle changes in the Drive API that caused traps.
+
+Added `downloadrestrictedforreaders` and `downloadrestrictedforwriters` to
+`<SharedDriveRestrictionsSubfieldName>` to support new Shared Drive restrictions.
+
+Updated `gam course <CourseID> create|update announcement` to accept input from
+a literal string, a file or a Google Doc.
+```
+<CourseAnnouncementContent> ::=
+        ((text <String>)|
+         (textfile <FileName> [charset <Charset>])|
+         (gdoc <UserGoogleDoc>)|
+         (gcsdoc <StorageBucketObjectName>))
+```
+
+Added command `gam check suspended <UserItem>` that checks the suspension status of a user
+and sets the return code to 0 if the user is not suspended or 26 if it is.
+```
+$ gam check suspended testok@domain.com
+User: testok@domain.com, Account Suspended: False
+$ echo $?
+0
+
+$ gam check suspended testsusp@domain.com
+User: testsusp@domain.com, Account Suspended: True, Suspension Reason: ADMIN
+$ echo $?
+26
+```
+
+Updated `gam <UserTypeEntity> sendemail` to verify that one of `recipient|to|from`
+immediately follows `sendemail`.
+
+### 7.11.00
+
+Added commands to manage classroom/course announcements.
+
+* See: https://github.com/GAM-team/GAM/wiki/Classroom-Courses#manage-course-announcements
+
+Upgraded to OpenSSL 3.5.1.
+
+### 7.10.10
+
+Added choices `text` and `hyperlink` to option `showwebviewlink` in `gam [<UserTypeEntity>] print|show shareddrives`.
+* `showwebviewlink text` - Displays `https://drive.google.com/drive/folders/<SharedDriveID>`
+* `showwebviewlink hyperlink` - Displays `=HYPERLINK("https://drive.google.com/drive/folders/<SharedDriveID>", "<SharedDriveName>")`
+
+### 7.10.09
+
+Added option `showwebviewlink` to `gam [<UserTypeEntity>] print|show shareddrives` that
+displays the web view link for the Shared Drive: `https://drive.google.com/drive/folders/<SharedDriveID>`.
+
+### 7.10.08
+
+Fixed bug in commands that modify messages where the `labelids <LabelIdList>` option
+could not be used unless one of these options was also specified: `query`, `matchlabel`, `ids`;
+it can be now be used by itself.
+
+### 7.10.07
+
+Updated `gam <UserTypeEntity> copy|move drivefile` to hanndle additional instances of
+the `cannotModifyInheritedPermission` error.
+
+Added license SKU `Google AI Ultra for Business`
+* ProductID - 101047
+* SKUID - 1010470008 | geminiultra
+
+### 7.10.06
+
+Added option `clientstates` to `gam print devices` to include client states in device output.
+
+### 7.10.05
+
+Google renamed an error: `cannotModifyInheritedTeamDrivePermission` became `cannotModifyInheritedPermission`.
+GAM will now handle the new error.
+
+### 7.10.04
+
+Updated `gam report <ActivityApplicationName>` to accept accept application names as defined
+in the Reports API discovery document; this means that GAM does not have to be updated when
+Google defines a new application name.
+
+`gemini_in_workspace_apps` is now available in `gam report`.
+
+### 7.10.03
+
+Fixed bug in commands that modify messages where the `labelids <LabelIdList>` option
+was not being applied.
+
+### 7.10.02
+
+Added option `labelids <LabelIdList>` to all commands that process messages;
+this option causes GAM to only return messages with labels that match all of the specified label IDs.
+
+Updated `gam <UserTypeEntity> print|show forms` to always display `isPublished` and
+`isAcceptingResponses` in `publishSettings/publishState` regardless of their value;
+the API doesn't return these values when they are False.
+
+### 7.10.01
+
+Added options `ispublished [<Boolean>]` and `isacceptingresponses [<Boolean>]` to
+`gam <UserTypeEntity> create|update form`.
+
 ### 7.10.00
 
 Added commands to manage/display Chat Custom Emojis.

wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md

@@ -251,7 +251,7 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin$ gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAM 7.10.00 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.12.00 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 MacOS Sequoia 15.5 x86_64
@@ -989,7 +989,7 @@ writes the credentials into the file oauth2.txt.
 C:\>del C:\GAMConfig\oauth2.txt
 C:\>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAM 7.10.00 - https://github.com/GAM-team/GAM - pythonsource
+GAM 7.12.00 - https://github.com/GAM-team/GAM - pythonsource
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 Windows-10-10.0.17134 AMD64

wiki/Licenses.md

@@ -62,6 +62,7 @@
 | Gemini Education | 1010470004 | geminiedu |
 | Gemini Education Premium | 1010470005 | geminiedupremium |
 | Gemini Enterprise | 1010470001 | geminient | duetai |
+| Google AI Ultra for Business | 1010470008 | geminiultra |
 | Google Apps Message Security | Google-Apps-For-Postini | postini |
 | Google Chrome Device Management | Google-Chrome-Device-Management | cdm |
 | Google Drive Storage 16TB | Google-Drive-storage-16TB | 16tb |

wiki/Reports.md

@@ -39,19 +39,18 @@ config csv_output_row_filter "'\"accounts:used_quota_in_mb\":count>15000'"
 ## Activity reports
 ```
 <ActivityApplicationName> ::=
-        access|accesstransparency|
+        accesstransparency|access|
         admin|
         calendar|calendars|
         chat|
         chrome|
+        classroom|
         contextawareaccess|
-        currents|gplus|google+|
+        gplus|currents|google+|
         datastudio|
-        devices|mobile|
-        domain|
         drive|doc|docs|
-        gcp|
-        gemini|geminiforworkspace|
+        gcp|cloud|
+        geminiinworkspaceapps|gemini|geminiforworkspace|
         groups|group|
         groupsenterprise|enterprisegroups|
         jamboard|

wiki/Shared-Drives.md

@@ -180,6 +180,7 @@
         createdtime|
         id|
         name|
+        restrictions|
         themeid
 <SharedDriveFieldNameList> ::= "<SharedDriveFieldName>(,<SharedDriveFieldName>)*"
 
@@ -200,6 +201,8 @@
         allowcontentmanagerstosharefolders|
         copyrequireswriterpermission|
         domainusersonly|
+        downloadrestrictedforreaders|
+        downloadrestrictedforwriters|
         drivemembersonly|teammembersonly|
         sharingfoldersrequiresorganizerpermission
 
@@ -372,26 +375,38 @@ By default, Gam displays the information as an indented list of keys and values.
 gam [<UserTypeEntity>] show shareddrives
         [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
-        [fields <SharedDriveFieldNameList>] [formatjson]
+        [fields <SharedDriveFieldNameList>]
+        [showwebviewlink text|hyperlink]
+        [formatjson]
 ```
 By default, all Shared Drives are displayed; use the following options to select a subset of Shared Drives:
 * `teamdriveadminquery|query <QueryTeamDrive>` - Use a query to select Shared Drives
 * `matchname <REMatchPattern>` - Retrieve Shared Drives with names that match a pattern.
 * `orgunit|org|ou <OrgUnitPath>` - Only Shared Drives in the specified Org Unit are selected
 
+Use option `showwebviewlink` to display the web view link for the Shared Drive.
+* `showwebviewlink text` - Displays `https://drive.google.com/drive/folders/<SharedDriveID>`
+* `showwebviewlink hyperlink` - Dsiplays `=HYPERLINK("https://drive.google.com/drive/folders/<SharedDriveID>", "<SharedDriveName>")`
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
 gam [<UserTypeEntity>] print shareddrives [todrive <ToDriveAttribute>*]
         [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
-        [fields <SharedDriveFieldNameList>] [formatjson [quotechar <Character>]]
+        [fields <SharedDriveFieldNameList>]
+        [showwebviewlink text|hyperlink]
+        [formatjson [quotechar <Character>]]
 ```
 By default, all Shared Drives are displayed; use the following options to select a subset of Shared Drives:
 * `teamdriveadminquery|query <QueryTeamDrive>` - Use a query to select Shared Drives
 * `matchname <REMatchPattern>` - Retrieve Shared Drives with names that match a pattern.
 * `orgunit|org|ou <OrgUnitPath>` - Only Shared Drives in the specified Org Unit are selected
 
+Use option `showwebviewlink` to display the web view link for the Shared Drive.
+* `showwebviewlink text` - Displays `https://drive.google.com/drive/folders/<SharedDriveID>`
+* `showwebviewlink hyperlink` - Dsiplays `=HYPERLINK("https://drive.google.com/drive/folders/<SharedDriveID>", "<SharedDriveName>")`
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 

wiki/Users-Drive-Files-Display.md

@@ -1723,9 +1723,9 @@ User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFil
 user@domain.com,user@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
 user@domain.com,user@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash
 
-$ gam redirect csv ./MyDriveUsage.csv user user@domain.com print diskusage shareddriveid 0AL5LiIe4dqxZUk9PVA  show summaryandtrash
+$ gam redirect csv ./SharedDriveUsage.csv user user@domain.com print diskusage shareddriveid 0AL5LiIe4dqxZUk9PVA show summaryandtrash
 User: user@domain.com, Print 1 Drive Disk Usage
-$ more MyDriveUsage.csv 
+$ more SharedDriveUsage.csv 
 User,id,name,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
 user@domain.com,0125LiIe4dqxZUk9PVA,TS Shared Drive 1,False,False,16,6144,7,42,73799,25,-1,SharedDrives/TS Shared Drive 1
 user@domain.com,Trash,Trash,True,True,1,1024,0,1,1024,0,-1,Trash

wiki/Users-Forms.md

@@ -49,10 +49,19 @@ gam user user@domain.com update serviceaccount
 ```
 gam <UserTypeEntity> create form
         title <String> [description <String>] [isquiz [Boolean>]] [<JSONData>]
+        [ispublished [<Boolean>] isacceptingresponses [<Boolean>]]
         [drivefilename <DriveFileName>] [<DriveFileParentAttribute>]
         [(csv [todrive <ToDriveAttribute>*]) | returnidonly]
 ```
 
+The valid combinations of `ispublished` and `isacceptingresponses` are:
+* `ispublished true isacceptingresponses true`
+* `ispublished true isacceptingresponses false`
+* `ispublished false isacceptingresponses false`
+* `ispublished false` - Sets `isacceptingresponses false`
+* `isacceptingresponses false` - Sets `ispublished false`
+* `isacceptingresponses true` - Sets `ispublished true`
+
 `<JSONData>` is a list of form update requests.
 
 * See: https://developers.google.com/forms/api/reference/rest/v1/forms/batchUpdate
@@ -79,15 +88,24 @@ Select forms with `<DriveFileEntity>`:
 ```
 gam <UserTypeEntity> update form <DriveFileEntity>
         [title <String>] [description <String>] [isquiz [Boolean>]] [<JSONData>]
+        [ispublished [<Boolean>] isacceptingresponses [<Boolean>]]
 ```
 
+The valid combinations of `ispublished` and `isacceptingresponses` are:
+* `ispublished true isacceptingresponses true`
+* `ispublished true isacceptingresponses false`
+* `ispublished false isacceptingresponses false`
+* `ispublished false` - Sets `isacceptingresponses false`
+* `isacceptingresponses false` - Sets `ispublished false`
+* `isacceptingresponses true` - Sets `ispublished true`
+
 `<JSONData>` is a list of form update requests.
 
 * See: https://developers.google.com/forms/api/reference/rest/v1/forms/batchUpdate
 
 ## Extended Example
 
-This example illustrates the use of JSN data to create and update forms
+This example illustrates the use of JSON data to create and update forms
 concerning student classtoom attendance.
 The form has two items: Absences and Notes.
 In `Absences`, the teacher can check `All present.` or check individual student absences.

wiki/Users-Gmail-Messages-Threads.md

@@ -72,6 +72,8 @@ This table and other suggestions came from:
 <EmailAddress> ::= <String>@<DomainName>
 <UniqueID> ::= id:<String>
 <GroupItem> ::= <EmailAddress>|<UniqueID>|<String>
+<LabelID> ::= <String>
+<LabelIDList> ::= "<LabelID>(,<LabelID)*"
 <LabelName> ::= <String>
 <QueryGmail> ::= <String> See: https://support.google.com/mail/answer/7190
 <Time> ::=
@@ -389,6 +391,7 @@ Your command line will have: `embedimage file1.jpg image1` embedimage file2.jpg
 ```
 gam <UserTypeEntity> archive messages <GroupItem>
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
          [quick|notquick] [doit] [max_to_archive <Number>])|(ids <MessageIDEntity>)
         [csv [todrive <ToDriveAttribute>*]]
 ```
@@ -400,6 +403,7 @@ Messages are archived to the group specified by `<GroupItem>`.
 
 ### Archive a selected set of messages
 * `((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+` - Criteria to select messages
+* `labelids <LabelIDList>` - Select messages with labels that match all of the specified label IDs.
 * `max_to_archive` - Limit the number of messages that will be archived; use a value of 0 for no limit
 * `doit` - No messages are archived unless you specify `doit`. By not specifying `doit`, you can preview the messages selected to verify that the results match your expectations.
 
@@ -432,10 +436,14 @@ See below for message selection.
 Export messages in EML format.
 ```
 gam <UserTypeEntity> export message|messages
-        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [max_to_export <Number>])|(ids <MessageIDEntity>)
+        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
+         [quick|notquick] [max_to_export <Number>])|(ids <MessageIDEntity>)
         [targetfolder <FilePath>] [targetname <FileName>] [overwrite [<Boolean>]]
 gam <UserTypeEntity> export thread|threads
-        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [max_to_export <Number>])|(ids <ThreadIDEntity>)
+        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
+         [quick|notquick] [max_to_export <Number>])|(ids <MessageIDEntity>)
         [targetfolder <FilePath>] [targetname <FileName>] [overwrite [<Boolean>]]
 ```
 
@@ -459,10 +467,12 @@ See below for message selection.
 ```
 gam <UserTypeEntity> forward message|messages recipient|to <RecipientEntity>
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
          [quick|notquick] [doit] [max_to_forward <Number>])|(ids <MessageIDEntity>)
          [subject <String>] [addorigfieldstosubject]
 gam <UserTypeEntity> forward thread|threads recipient|to <RecipientEntity>
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
          [quick|notquick] [doit] [max_to_forward <Number>])|(ids <ThreadIDEntity>)
          [subject <String>] [addorigfieldstosubject]
 ```
@@ -482,23 +492,28 @@ See below for message selection.
 ```
 gam <UserTypeEntity> delete messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
          [quick|notquick] [doit] [max_to_delete <Number>])|(ids <MessageIDEntity>)
         [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> modify messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
          [quick|notquick] [doit] [max_to_modify <Number>])|(ids <MessageIDEntity>)
         ((addlabel <LabelName>)|(removelabel <LabelName>))+
         [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> spam messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
          [quick|notquick] [doit] [max_to_spam <Number>])|(ids <MessageIDEntity>)
         [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> trash messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
          [quick|notquick] [doit] [max_to_trash <Number>])|(ids <MessageIDEntity>)
         [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> untrash messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
          [quick|notquick] [doit] [max_to_untrash <Number>])|(ids <MessageIDEntity>)
         [csv [todrive <ToDriveAttribute>*]]
 ```
@@ -522,6 +537,7 @@ user@domain.com,18e9fc58c5491f4c,Deleted,
 
 ### Manage a selected set of messages
 * `((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+` - Criteria to select messages
+* `labelids <LabelIDList>` - Select messages with labels that match all of the specified label IDs.
 * `max_to_xxx` - Limit the number of messages that will be processed; use a value of 0 for no limit
 * `doit` - No messages are processed unless you specify `doit`. By not specifying `doit`, you can preview the messages selected to verify that the results match your expectations.
 
@@ -570,6 +586,7 @@ gam config auto_batch_min 1 groups_inde EastOffice delete message query "rfc822m
 ```
 gam <UserTypeEntity> show messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])*
+         [labelids <LabelIDList>]
          [quick|notquick] [max_to_show <Number>] [includespamtrash])|(ids <MessageIDEntity>)
         [labelmatchpattern <REMatchPattern>] [sendermatchpattern <REMatchPattern>]
         [countsonly|positivecountsonly] [useronly]
@@ -581,6 +598,7 @@ gam <UserTypeEntity> show messages|threads
             [targetfolder <FilePath>] [overwrite [<Boolean>]]
 gam <UserTypeEntity> print messages|threads [todrive <ToDriveAttribute>*]
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])*
+         [labelids <LabelIDList>]
          [quick|notquick] [max_to_print <Number>] [includespamtrash])|(ids <MessageIDEntity>)
         [labelmatchpattern <REMatchPattern>] [sendermatchpattern <REMatchPattern>]
         [countsonly|positivecountsonly] [useronly]
@@ -607,6 +625,7 @@ gam user user@domain.com print|show threads maxmessagesperthread 1
 
 ## Display a selected set of messages
 * `((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+` - Criteria to select messages
+* `labelids <LabelIDList>` - Select messages with labels that match all of the specified label IDs.
 * `max_to_xxx` - Limit the number of messages that will be displayed
 * `includespamtrash` - Include messages in the Spam and Trash folders
 * `labelmatchpattern <REMatchPattern>` - Only display messages with some label that matches `<REMatchPattern>`

wiki/Users-Gmail-Send-As-Signature-Vacation.md

@@ -108,7 +108,7 @@ Paul shall send emails from the marketing email address with the name Paul from
 ``` gam user paul add sendas marketing@example.com "Paul from Example" replyto paul```
 
 ## Display sendas
-### Display the information as an indented list of keys and values.
+### Display the sendas information as an indented list of keys and values.
 ```
 gam <UserTypeEntity> info sendas <EmailAddressEntity> [compact|format|html]
 gam <UserTypeEntity> show sendas [compact|format|html]
@@ -126,7 +126,19 @@ By default, all sendas addresses are shown, use these options to limit the displ
 
 Use the `verifyonly` option to display `True` or `False` in the signature field based on whether the signature is non-blank.
 
-### Display the information in CSV form.
+To capture a signature for use as input to GAM, do the following.
+```
+gam redirect stdout ./signature.html user user@domain.com show sendas compact
+```
+Edit signature.html and remove the following data leaving just the HTML.
+```
+SendAs Address: <user@domain.com>
+  IsPrimary: True
+  Default: True
+  Signature:
+```
+
+### Display the sendas information in CSV form.
 ```
 gam <UserTypeEntity> print sendas [compact]
         [primary|default] [verifyonly] [todrive <ToDriveAttribute>*]
@@ -170,7 +182,7 @@ email address signature rather than the alias signature to be set.
 If you have a current default signature, the API will update that, but if you delete it, it seems that the API will not over-write any of the other signatures, but instead add a new signature called `My signature`. If you rename that signature, the API will keep on updating that same signature, and not touch the other signatures.
 
 ## Display signature
-### Display the information as an indented list of keys and values.
+### Display the signature as an indented list of keys and values.
 ```
 gam <UserTypeEntity> show signature|sig [compact|format|html]
         [primary|default] [verifyonly]
@@ -187,7 +199,19 @@ By default, the signature for `<UserTypeEntity>` is displayed, use these options
 
 Use the `verifyonly` option to display `True` or `False` in the signature field based on whether the signature is non-blank.
 
-### Display the information in CSV form.
+To capture a signature for use as input to GAM, do the following.
+```
+gam redirect stdout ./signature.html user user@domain.com show signature compact
+```
+Edit signature.html and remove the following data leaving just the HTML.
+```
+SendAs Address: <user@domain.com>
+  IsPrimary: True
+  Default: True
+  Signature:
+```
+
+### Display the signature in CSV form.
 ```
 gam <UserTypeEntity> print signature [compact]
             [primary|default] [verifyonly] [todrive <ToDriveAttribute>*]

wiki/Users-Shared-Drives.md

@@ -158,6 +158,7 @@
         createdtime|
         id|
         name|
+        restrictions|
         themeid
 <SharedDriveFieldNameList> ::= "<SharedDriveFieldName>(,<SharedDriveFieldName>)*"
 
@@ -180,6 +181,8 @@
         allowcontentmanagerstosharefolders|
         copyrequireswriterpermission|
         domainusersonly|
+        downloadrestrictedforreaders|
+        downloadrestrictedforwriters|
         drivemembersonly|teammembersonly|
         sharingfoldersrequiresorganizerpermission
 
@@ -318,23 +321,34 @@ gam <UserTypeEntity> show shareddriveinfo <SharedDriveEntity>
 gam <UserTypeEntity> show shareddrives
         [matchname <REMatchPattern>] (role|roles <SharedDriveACLRoleList>)*
         [fields <SharedDriveFieldNameList>]
+        [showwebviewlink text|hyperlink]
         [guiroles [<Boolean>] [formatjson]
 ```
 By default, Gam displays all Teams Drives accessible by the user.
 * `matchname <REMatchPattern>` - Display Shared Drives with names that match a pattern.
 * `(role|roles <SharedDriveACLRoleList>)*` - Display Shared Drives where the user has one of the specified roles.
 
+Use option `showwebviewlink` to display the web view link for the Shared Drive.
+* `showwebviewlink text` - Displays `https://drive.google.com/drive/folders/<SharedDriveID>`
+* `showwebviewlink hyperlink` - Dsiplays `=HYPERLINK("https://drive.google.com/drive/folders/<SharedDriveID>", "<SharedDriveName>")`
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
 gam <UserTypeEntity> print shareddrives [todrive <ToDriveAttribute>*]
         [matchname <REMatchPattern>] (role|roles <SharedDriveACLRoleList>)*
-        [fields <SharedDriveFieldNameList>] [formatjson [quotechar <Character>]]
+        [fields <SharedDriveFieldNameList>]
+        [showwebviewlink text|hyperlink]
+        [guiroles [<Boolean>]] [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays all Teams Drives accessible by the user.
 * `matchname <REMatchPattern>` - Display Shared Drives with names that match a pattern.
 * `(role|roles <SharedDriveACLRoleList>)*` - Display Shared Drives where the user has one of the specified roles.
 
+Use option `showwebviewlink` to display the web view link for the Shared Drive.
+* `showwebviewlink text` - Displays `https://drive.google.com/drive/folders/<SharedDriveID>`
+* `showwebviewlink hyperlink` - Dsiplays `=HYPERLINK("https://drive.google.com/drive/folders/<SharedDriveID>", "<SharedDriveName>")`
+
 The Google Drive API does not list roles for Shared Drives so GAM generates a role from the capabilities:
 * `commenter - canComment: True, canEdit: False`
 * `reader - canComment: False, canEdit: False`

wiki/Users.md

@@ -21,6 +21,7 @@
   - [Update a user's attributes with JSON data](#update-a-users-attributes-with-json-data)
   - [Update a user's OU based on group membership](#update-a-users-ou-based-on-group-membership)
   - [Do not update a user's OU if currently in a special purpose OU](#do-not-update-a-users-ou-if-currently-in-a-special-purpose-ou)
+- [Check a user's suspension status](#check-a-users-suspension-status)
 - [Delete or suspend users](#delete-or-suspend-users)
 - [Undelete or unsuspend users](#undelete-or-unsuspend-users)
 - [Display information about users](#display-information-about-users)
@@ -38,7 +39,7 @@
 - [Print user counts by OrgUnit](#print-user-counts-by-orgunit)
 - [Print user list](#print-user-list)
 - [Display user counts](#display-user-counts)
-- [Verify domain membership]($verify-domain-membership)
+- [Verify domain membership](#verify-domain-membership)
 
 ## API documentation
 * [Directory API - Users](https://developers.google.com/admin-sdk/directory/reference/rest/v1/users)
@@ -896,6 +897,25 @@ gam csv SISdata.csv gam update user "~primaryEmail" suspended off firstname "~Fi
         ou "~OU" immutableous "'/Students/Lower School/Restricted,'/Students/Middle School/Restricted'"
 ```
 
+## Check a user's suspension status
+This command checks the suspension status of a single user
+and sets the return code to 0 if the user is not suspended or 26 if it is.
+```
+gam check suspended <UserItem>
+```
+Example.
+```
+$ gam check suspended testok@domain.com
+User: testok@domain.com, Account Suspended: False
+$ echo $?
+0
+
+$ gam check suspended testsusp@domain.com
+User: testsusp@domain.com, Account Suspended: True, Suspension Reason: ADMIN
+$ echo $?
+26
+```
+
 ## Delete or suspend users
 These commands operate on a single user.
 ```

wiki/Using-GAM7-with-a-delegated-admin-service-account.md

@@ -1,19 +1,12 @@
 # Using GAM7 with a delegated admin service account
-- [Thanks](#thanks)
 - [Introduction](#introduction)
 - [Advantages](#advantages)
 - [Disadvantages](#disadvantages)
 - [Setup Steps](#setup-steps)
 
-## Thanks
-
-Thanks to Jay Lee for the original version of this document.
-
 ## Introduction
 Delegated admin service accounts (DASA) are regular [GCP service accounts](https://cloud.google.com/iam/docs/service-accounts#what_are_service_accounts) that are granted a Workspace [delegated admin role](https://support.google.com/a/answer/33325). Service accounts have an email address like `gam-project-xuw-sp1-c4b@gam-project-xuw-sp1-c4b.iam.gserviceaccount.com` and are not part of a Workspace or Cloud Identity domain even if they are owned by a project in the domain’s organization. Service accounts cannot login to Google web services interactively, they are only able to call Google APIs.
 
-GAM7 version 6.50.00 or higher is required.
-
 ## Advantages
 * DASA accounts don’t require a Workspace or Cloud Identity license.
 * DASA accounts don’t have a password login that can be phished or captured, they use [RSA private keys](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) to sign authentication requests which makes them very secure. You should however [rotate the key](https://jaylee.us/qwm) on a regular basis and keep it safe and secured!

wiki/Version-and-Help.md

@@ -3,7 +3,7 @@
 Print the current version of Gam with details
 ```
 gam version
-GAM 7.10.00 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.12.00 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 MacOS Sequoia 15.5 x86_64
@@ -15,7 +15,7 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAM 7.10.00 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.12.00 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 MacOS Sequoia 15.5 x86_64
@@ -27,7 +27,7 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAM 7.10.00 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.12.00 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 MacOS Sequoia 15.5 x86_64
@@ -64,7 +64,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gam7
 Version Check:
   Current: 5.35.08
-   Latest: 7.10.00
+   Latest: 7.12.00
 echo $?
 1
 ```
@@ -72,7 +72,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-7.10.00
+7.12.00
 ```
 In Linux/MacOS you can do:
 ```
@@ -82,7 +82,7 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 7.10.00 - https://github.com/GAM-team/GAM
+GAM 7.12.00 - https://github.com/GAM-team/GAM
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 MacOS Sequoia 15.5 x86_64