Wiki updates

docs/Cloud-Identity-Policies.md

@@ -0,0 +1,321 @@
+# Cloud Identity Policies
+- [API documentation](#api-documentation)
+- [Notes](#notes)
+- [Policies](#policies)
+- [Display Cloud Identity Policies](#display-cloud-identity-policies)
+
+## API documentation
+* https://cloud.google.com/identity/docs/concepts/overview-policies
+* https://cloud.google.com/identity/docs/reference/rest/v1beta1/policies
+
+## Notes
+To use these commands you must update your client access authentication.
+```
+gam oauth create
+...
+[*] 19)  Cloud Identity - Policy
+```
+
+## Policies
+These are the supported policies GAM can show today.
+```
+user_takeout_status (is takeout enabled for service)
+  blogger
+  books
+  location_history
+  maps
+  pay
+  photos
+  play
+  play_console
+  youtube
+service_status (is service enabled)
+  ad_manager
+  ads
+  adsense
+  alerts
+  analytics
+  applied_digital_skills
+  appsheet
+  arts_and_culture
+  beyondcorp_enterprise
+  blogger
+  bookmarks
+  books
+  calendar
+  campaign_manager
+  chat
+  chrome_canvas
+  chrome_remote_desktop
+  chrome_sync
+  chrome_web_store
+  classroom
+  cloud
+  cloud_search
+  colab
+  cs_first
+  data_studio
+  developers
+  domains
+  drive_and_docs
+  earth
+  enterprise_service_restrictions
+  experimental_apps
+  feedburner
+  fi
+  gmail
+  groups
+  groups_for_business
+  jamboard
+  keep
+  location_history
+  managed_play
+  maps
+  material_gallery
+  meet
+  merchant_center
+  messages
+  migrate
+  my_business
+  my_maps
+  news
+  partner_dash
+  pay
+  pay_for_business
+  photos
+  pinpoint
+  play
+  play_books_partner_center
+  play_console
+  public_data
+  question_hub
+  scholar_profiles
+  search_ads_360
+  search_and_assistant
+  search_console
+  sites
+  socratic
+  takeout
+  tasks
+  third_party_app_backups
+  translate
+  trips
+  vault
+  voice
+  work_insights
+  youtube
+calendar.appointment_schedules
+  enablePayments
+chat.chat_apps_access
+  enableApps
+  enableWebhooks
+chat.chat_file_sharing
+  externalFileSharing
+  internalFileSharing
+chat.chat_history
+  enableChatHistory
+  historyOnByDefault
+  allowUserModification
+chat.external_chat_restriction
+  allowExternalChat
+chat.space_history
+  historyState
+classroom.api_data_access
+  enableApiAccess
+classroom.class_membership
+  whoCanJoinClasses
+  whichClassesCanUsersJoin
+classroom.guardian_access
+  allowAccess
+  whoCanManageGuardianAccess
+classroom.originality_reports
+  enableOriginalityReportsSchoolMatches
+classroom.roster_import
+  rosterImportOption
+classroom.student_unenrollment
+  whoCanUnenrollStudents
+classroom.teacher_permissions
+  whoCanCreateClasses
+cloud_sharing_options.cloud_data_sharing
+  sharingOptions
+detector.regular_expression
+  displayName
+  regularExpression
+  createTime
+  updateTime
+detector.word_list
+  displayName
+  wordList
+  createTime
+  updateTime
+  description
+drive_and_docs.drive_for_desktop
+  allowDriveForDesktop
+  restrictToAuthorizedDevices
+  showDownloadLink
+  allowRealTimePresence
+drive_and_docs.external_sharing
+  externalSharingMode
+  allowReceivingExternalFiles
+  warnForSharingOutsideAllowlistedDomains
+  allowReceivingFilesOutsideAllowlistedDomains
+  allowNonGoogleInvitesInAllowlistedDomains
+  warnForExternalSharing
+  allowNonGoogleInvites
+  allowPublishingFiles
+  accessCheckerSuggestions
+  allowedPartiesForDistributingContent
+drive_and_docs.file_security_update
+  securityUpdate
+  allowUsersToManageUpdate
+drive_and_docs.shared_drive_creation
+  allowSharedDriveCreation
+  orgUnitForNewSharedDrives
+  customOrgUnit
+  allowManagersToOverrideSettings
+  allowExternalUserAccess
+  allowNonMemberAccess
+  allowedPartiesForDownloadPrintCopy
+  allowContentManagersToShareFolders
+gmail.auto_forwarding
+  enableAutoForwarding
+gmail.confidential_mode
+  enableConfidentialMode
+gmail.email_attachment_safety
+  enableEncryptedAttachmentProtection
+  encryptedAttachmentProtectionConsequence
+  enableAttachmentWithScriptsProtection
+  attachmentWithScriptsProtectionConsequence
+  enableAnomalousAttachmentProtection
+  anomalousAttachmentProtectionConsequence
+  allowedAnomalousAttachmentFiletypes
+  applyFutureRecommendedSettingsAutomatically
+  encryptedAttachmentProtectionQuarantineId
+  attachmentWithScriptsProtectionQuarantineId
+  anomalousAttachmentProtectionQuarantineId
+gmail.email_image_proxy_bypass
+  imageProxyBypassPattern
+  enableImageProxy
+gmail.enhanced_pre_delivery_message_scanning
+  enableImprovedSuspiciousContentDetection
+gmail.enhanced_smime_encryption
+  enableSmimeEncryption
+  allowUserToUploadCertificates
+gmail.gmail_name_format
+  allowCustomDisplayNames
+  defaultDisplayNameFormat
+gmail.imap_access
+  enableImapAccess
+gmail.links_and_external_images
+  enableShortenerScanning
+  enableExternalImageScanning
+  enableAggressiveWarningsOnUntrustedLinks
+  applyFutureSettingsAutomatically
+gmail.per_user_outbound_gateway
+  allowUsersToUseExternalSmtpServers
+gmail.pop_access
+  enablePopAccess
+gmail.spoofing_and_authentication
+  detectDomainNameSpoofing
+  detectEmployeeNameSpoofing
+  detectDomainSpoofingFromUnauthenticatedSenders
+  detectUnauthenticatedEmails
+  domainNameSpoofingConsequence
+  employeeNameSpoofingConsequence
+  domainSpoofingConsequence
+  unauthenticatedEmailConsequence
+  detectGroupsSpoofing
+  groupsSpoofingVisibilityType
+  groupsSpoofingConsequence
+  applyFutureSettingsAutomatically
+  domainNameSpoofingQuarantineId
+  employeeNameSpoofingQuarantineId
+  domainSpoofingQuarantineId
+  unauthenticatedEmailQuarantineId
+  groupsSpoofingQuarantineId
+gmail.user_email_uploads
+  enableMailAndContactsImport
+gmail.workspace_sync_for_outlook
+  enableGoogleWorkspaceSyncForMicrosoftOutlook
+groups_for_business.groups_sharing
+  ownersCanAllowIncomingMailFromPublic
+  collaborationCapability
+  createGroupsAccessLevel
+  ownersCanAllowExternalMembers
+  ownersCanHideGroups
+  newGroupsAreHidden
+  viewTopicsDefaultAccessLevel
+meet.safety_access
+  meetingsAllowedToJoin
+meet.safety_domain
+  usersAllowedToJoin
+meet.safety_external_participants
+  enableExternalLabel
+meet.safety_host_management
+  enableHostManagement
+meet.video_recording
+  enableRecording
+rule.dlp
+  displayName
+  description
+  triggers
+  condition
+  action
+  state
+  createTime
+  updateTime
+  ruleTypeMetadata
+rule.system_defined_alerts
+  displayName
+  description
+  action
+  state
+  createTime
+  updateTime
+security.advanced_protection_program
+  enableAdvancedProtectionSelfEnrollment
+  securityCodeOption
+security.less_secure_apps
+  allowLessSecureApps
+security.login_challenges
+  enableEmployeeIdChallenge
+security.password
+  allowedStrength
+  minimumLength
+  maximumLength
+  enforceRequirementsAtLogin
+  allowReuse
+  expirationDuration
+security.session_controls
+  webSessionDuration
+security.super_admin_account_recovery
+  enableAccountRecovery
+security.user_account_recovery
+  enableAccountRecovery
+sites.sites_creation_and_modification
+  allowSitesCreation
+  allowSitesModification
+workspace_marketplace.apps_allowlist
+  apps
+```
+## Display Cloud Identity Policies
+```
+gam show policies (query <String>) [nowarnings]
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam print policies [todrive <ToDriveAttribute>*]
+        (query <String>) [nowarnings]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.

docs/GamUpdates.md

@@ -10,12 +10,32 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
 
 See [Downloads-Installs-GAM7](https://github.com/GAM-team/GAM/wiki/Downloads-Installs) for Windows or other options, including manual installation
 
+7.00.28
+
+Fixed issue that caused `gam print/show policies` to fail on some group policies.
+
+7.00.27
+
+Updated `gam <UserTypeEntity> collect orphans` and all commands that print file paths to recognize
+that a file owned by a user that has no parents is not an orphan if `sharedWithMeTime` is set.
+This occurs when user A creates a file in a shared folder owned by user B and user B then removes
+user A's access to the folder.
+
+Added commands to display Cloud Identity policies.
+```
+gam print policies [todrive <ToDriveAttribute>*]
+        (query <String>) [nowarnings]
+        [formatjson [quotechar <Character>]]
+gam show policies (query <String>) [nowarnings]
+        [formatjson]
+```
+
 ### 7.00.26
 
 Updated `drive_dir` in `gam.cfg` to allow the value `.` that causes `redirect csv|stdout|stderr <FileName>`
 to write `<FileName>` in the current directory without having to prefix `<FileName>` with `./`.
 
-Upgraded to OpenSSL 3.4.0 where possible.
+Upgraded to OpenSSL 3.4.0.
 
 ### 7.00.25
 

docs/_Sidebar.md

@@ -82,6 +82,7 @@ Client Access
 * [Cloud Identity Devices](Cloud-Identity-Devices)
 * [Cloud Identity Groups](Cloud-Identity-Groups)
 * [Cloud Identity Groups - Membership](Cloud-Identity-Groups-Membership)
+* [Cloud Identity Policies](Cloud-Identity-Policies)
 * [Cloud Storage](Cloud-Storage)
 * [Context Aware Access Levels](Context-Aware-Access-Levels)
 * [Customer](Customer)

src/GamCommands.txt

@@ -4067,6 +4067,14 @@ gam update deviceuserstate <DeviceUserEntity> [clientid <String>]
         [healthscore very_poor|poor|neutral|good|very_good] [scorereason clear|<String>]
         (customvalue (bool|boolean <Boolean>)|(number <Integer>)|(string <String>))*
 
+# Cloud Identity Policies
+
+gam print policies [todrive <ToDriveAttribute>*]
+        (query <String>) [nowarnings]
+        [formatjson [quotechar <Character>]]
+gam show policies (query <String>) [nowarnings]
+        [formatjson]
+
 # Inbound SSO
 
 <SSOProfileDisplayName> ::= <String>

src/GamUpdate.txt

@@ -1,8 +1,30 @@
+7.00.28
+
+Fixed issue that caused `gam print/show policies` to fail on some group policies.
+
+7.00.27
+
+Updated `gam <UserTypeEntity> collect orphans` and all commands that print file paths to recognize
+that a file owned by a user that has no parents is not an orphan if `sharedWithMeTime` is set.
+This occurs when user A creates a file in a shared folder owned by user B and user B then removes
+user A's access to the folder.
+
+Added commands to display Cloud Identity policies.
+```
+gam print policies [todrive <ToDriveAttribute>*]
+        (query <String>) [nowarnings]
+        [formatjson [quotechar <Character>]]
+gam show policies (query <String>) [nowarnings]
+        [formatjson]
+```
+
 7.00.26
 
 Updated `drive_dir` in `gam.cfg` to allow the value `.` that causes `redirect csv|stdout|stderr <FileName>`
 to write `<FileName>` in the current directory without having to prefix `<FileName>` with `./`.
 
+Upgraded to OpenSSL 3.4.0 where possible.
+
 7.00.25
 
 Updated authentication process for `gam print|show projects`.
@@ -1223,7 +1245,7 @@ Batch processing will suspend for `<Integer>` seconds before the next command li
 
 Added the following options to `<PermissionMatch>` that allow more powerful matching.
 ```
-nottype	<DriveFileACLType>
+nottype <DriveFileACLType>
 typelist <DriveFileACLTypeList>
 nottypelist <DriveFileACLTypeList>
 rolelist <DriveFileACLRoleList>

src/gam/__init__.py

@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
 """
 
 __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
-__version__ = '7.00.26'
+__version__ = '7.00.28'
 __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
 
 #pylint: disable=wrong-import-position
@@ -35082,31 +35082,35 @@ def updateFieldsForCIGroupMatchPatterns(matchPatterns, fieldsList, csvPF=None):
       else:
         fieldsList.append(field)
 
-# gam show policies (query <String>) [nowarnings]
+CIPOLICY_TIME_OBJECTS = {'createTime', 'updateTime'}
+
 # gam print policies [todrive <ToDriveAttribute>*]
-#   (query <String>) [nowarnings]
-def doPrintCIPolicy():
+#	(query <String>) [nowarnings]
+#	[formatjson [quotechar <Character>]]
+# gam show policies (query <String>) [nowarnings]
+#	[formatjson]
+def doPrintCIPolicies():
 
   def _showPolicy(policy, FJQC, i=0, count=0):
     if FJQC is not None and FJQC.formatJSON:
-      printLine(json.dumps(policy,
+      printLine(json.dumps(cleanJSON(policy, timeObjects=CIPOLICY_TIME_OBJECTS),
                            ensure_ascii=False,
                            sort_keys=True))
       return
     printEntity([Ent.POLICY, policy['name']], i, count)
     Ind.Increment()
     policy.pop('name')
-    showJSON(None, policy)
+    showJSON(None, policy, timeObjects=CIPOLICY_TIME_OBJECTS)
     printBlankLine()
     Ind.Decrement()
 
   def _printPolicy(policy):
-    row = flattenJSON(policy)
+    row = flattenJSON(policy, timeObjects=CIPOLICY_TIME_OBJECTS)
     if not FJQC.formatJSON:
       csvPF.WriteRowTitles(row)
     elif csvPF.CheckRowTitles(row):
       csvPF.WriteRowNoFilter({'name': policy['name'],
-                              'JSON': json.dumps(cleanJSON(policy),
+                              'JSON': json.dumps(cleanJSON(policy, timeObjects=CIPOLICY_TIME_OBJECTS),
                                                  ensure_ascii=False,
                                                  sort_keys=True)})
 
@@ -35134,7 +35138,7 @@ def doPrintCIPolicy():
     elif myarg == 'nowarnings':
       add_warnings = False
     else:
-      unknownArgumentExit()
+      FJQC.GetFormatJSONQuoteChar(myarg, True)
   printGettingAllAccountEntities(Ent.POLICY, ifilter)
   pageMessage = getPageMessage()
   throwReasons = [GAPI.INVALID, GAPI.INVALID_ARGUMENT, GAPI.PERMISSION_DENIED]
@@ -35162,7 +35166,7 @@ def doPrintCIPolicy():
     if groupId := policy['policyQuery'].get('group'):
       _, _, policy['policyQuery']['groupEmail'] = convertGroupCloudIDToEmail(groups_ci, groupId)
       # all groups are in the root OU so the orgUnit attribute is useless
-      policy['policyQuery'].pop('orgUnit')
+      policy['policyQuery'].pop('orgUnit', None)
     elif orgId := policy['policyQuery'].get('orgUnit'):
       policy['policyQuery']['orgUnitPath'] = convertOrgUnitIDtoPath(cd, orgId)
   if not csvPF:
@@ -54602,7 +54606,7 @@ def extendFileTree(fileTree, feed, DLP, stripCRsFromName):
         if f_file['mimeType'] == MIMETYPE_GA_FOLDER and f_file['name'] == MY_DRIVE:
           f_file['parents'] = []
         else:
-          f_file['parents'] = [ORPHANS] if f_file.get('ownedByMe', False) else [SHARED_WITHME]
+          f_file['parents'] = [ORPHANS] if f_file.get('ownedByMe', False) and 'sharedWithMeTime' not in f_file else [SHARED_WITHME]
       else:
         f_file['parents'] = [SHARED_DRIVES] if 'sharedWithMeTime' not in f_file else [SHARED_WITHME]
     if fileId not in fileTree:
@@ -54622,11 +54626,11 @@ def extendFileTreeParents(drive, fileTree, fields):
                         fileId=fileId, fields=fields, supportsAllDrives=True)
       if not result.get('parents', []):
         if not result.get('driveId'):
-          result['parents'] = [ORPHANS] if result.get('ownedByMe', False) else [SHARED_WITHME]
+          result['parents'] = [ORPHANS] if result.get('ownedByMe', False) and 'sharedWithMeTime' not in result else [SHARED_WITHME]
         else:
           if result['name'] == TEAM_DRIVE:
             result['name'] = _getSharedDriveNameFromId(drive, result['driveId'])
-          result['parents'] = [SHARED_DRIVES] if 'sharedWithMeTime' not in f_file else [SHARED_WITHME]
+          result['parents'] = [SHARED_DRIVES] if 'sharedWithMeTime' not in result else [SHARED_WITHME]
       fileTree[fileId]['info'] = result
       fileTree[fileId]['info']['noDisplay'] = True
       for parentId in result['parents']:
@@ -60821,7 +60825,8 @@ def collectOrphans(users):
                            pageMessage=getPageMessageForWhom(),
                            throwReasons=GAPI.DRIVE_USER_THROW_REASONS,
                            retryReasons=[GAPI.UNKNOWN_ERROR],
-                           q=query, orderBy=OBY.orderBy, fields='nextPageToken,files(id,name,parents,mimeType,capabilities(canMoveItemWithinDrive))',
+                           q=query, orderBy=OBY.orderBy,
+                           fields='nextPageToken,files(id,name,parents,mimeType,sharedWithMeTime,capabilities(canMoveItemWithinDrive))',
                            pageSize=GC.Values[GC.DRIVE_MAX_RESULTS])
       if targetUserFolderPattern:
         trgtUserFolderName = _substituteForUser(targetUserFolderPattern, user, userName)
@@ -60833,7 +60838,7 @@ def collectOrphans(users):
         continue
       orphanDriveFiles = []
       for fileEntry in feed:
-        if not fileEntry.get('parents'):
+        if not fileEntry.get('parents') and 'sharedWithMeTime' not in fileEntry:
           orphanDriveFiles.append(fileEntry)
       jcount = len(orphanDriveFiles)
       entityPerformActionNumItemsModifier([Ent.USER, user], jcount, Ent.DRIVE_ORPHAN_FILE_OR_FOLDER,
@@ -75189,7 +75194,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_CHROMEVERSIONS:	doPrintShowChromeVersions,
       Cmd.ARG_CIGROUP:		doPrintCIGroups,
       Cmd.ARG_CIGROUPMEMBERS:	doPrintCIGroupMembers,
-      Cmd.ARG_CIPOLICY: doPrintCIPolicy,
+      Cmd.ARG_CIPOLICIES:	doPrintCIPolicies,
       Cmd.ARG_CLASSROOMINVITATION:	doPrintShowClassroomInvitations,
       Cmd.ARG_CONTACT:		doPrintShowDomainContacts,
       Cmd.ARG_COURSE:		doPrintCourses,
@@ -75229,7 +75234,6 @@ MAIN_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_OWNERSHIP:	doPrintShowOwnership,
       Cmd.ARG_PEOPLECONTACT:	doPrintShowDomainPeopleContacts,
       Cmd.ARG_PEOPLEPROFILE:	doPrintShowDomainPeopleProfiles,
-      Cmd.ARG_CIPOLICY: doPrintCIPolicy,
       Cmd.ARG_PRINTER:		doPrintShowPrinters,
       Cmd.ARG_PRINTERMODEL:	doPrintShowPrinterModels,
       Cmd.ARG_PRIVILEGES:	doPrintShowPrivileges,
@@ -75319,7 +75323,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_CHROMESCHEMA:	doPrintShowChromeSchemas,
       Cmd.ARG_CHROMEVERSIONS:	doPrintShowChromeVersions,
       Cmd.ARG_CIGROUPMEMBERS:	doShowCIGroupMembers,
-      Cmd.ARG_CIPOLICY: doPrintCIPolicy,
+      Cmd.ARG_CIPOLICIES:	doPrintCIPolicies,
       Cmd.ARG_CLASSROOMINVITATION:	doPrintShowClassroomInvitations,
       Cmd.ARG_CONTACT:		doPrintShowDomainContacts,
       Cmd.ARG_CROSTELEMETRY:	doInfoPrintShowCrOSTelemetry,

src/gam/gamlib/glapi.py

@@ -45,8 +45,8 @@ CLOUDCHANNEL = 'cloudchannel'
 CLOUDIDENTITY_DEVICES = 'cloudidentitydevices'
 CLOUDIDENTITY_GROUPS = 'cloudidentitygroups'
 CLOUDIDENTITY_INBOUND_SSO = 'cloudidentityinboundsso'
-CLOUDIDENTITY_POLICY = 'cloudidentitypolicy'
 CLOUDIDENTITY_ORGUNITS = 'cloudidentityorgunits'
+CLOUDIDENTITY_POLICY = 'cloudidentitypolicy'
 CLOUDIDENTITY_ORGUNITS_BETA = 'cloudidentityorgunitsbeta'
 CLOUDIDENTITY_USERINVITATIONS = 'cloudidentityuserinvitations'
 CLOUDRESOURCEMANAGER = 'cloudresourcemanager'
@@ -225,9 +225,9 @@ _INFO = {
   CLOUDIDENTITY_DEVICES: {'name': 'Cloud Identity Devices API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
   CLOUDIDENTITY_GROUPS: {'name': 'Cloud Identity Groups API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
   CLOUDIDENTITY_INBOUND_SSO: {'name': 'Cloud Identity Inbound SSO API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_POLICY: {'name': 'Cloud Identity Policy API', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
   CLOUDIDENTITY_ORGUNITS: {'name': 'Cloud Identity OrgUnits API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
   CLOUDIDENTITY_ORGUNITS_BETA: {'name': 'Cloud Identity OrgUnits API', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_POLICY: {'name': 'Cloud Identity Policy API', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
   CLOUDIDENTITY_USERINVITATIONS: {'name': 'Cloud Identity User Invitations API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
   CLOUDRESOURCEMANAGER: {'name': 'Cloud Resource Manager API v3', 'version': 'v3', 'v2discovery': True},
   CONTACTS: {'name': 'Contacts API', 'version': 'v3', 'v2discovery': False},
@@ -362,15 +362,15 @@ _CLIENT_SCOPES = [
    'api': CLOUDIDENTITY_INBOUND_SSO,
    'subscopes': READONLY,
    'scope': 'https://www.googleapis.com/auth/cloud-identity.inboundsso'},
+  {'name': 'Cloud Identity OrgUnits API',
+   'api': CLOUDIDENTITY_ORGUNITS_BETA,
+   'subscopes': READONLY,
+   'scope': 'https://www.googleapis.com/auth/cloud-identity.orgunits'},
   {'name': 'Cloud Identity - Policy',
    'api': CLOUDIDENTITY_POLICY,
    'subscopes': [],
    'scope': 'https://www.googleapis.com/auth/cloud-identity.policies.readonly'
   },
-  {'name': 'Cloud Identity OrgUnits API',
-   'api': CLOUDIDENTITY_ORGUNITS_BETA,
-   'subscopes': READONLY,
-   'scope': 'https://www.googleapis.com/auth/cloud-identity.orgunits'},
   {'name': 'Cloud Identity User Invitations API',
    'api': CLOUDIDENTITY_USERINVITATIONS,
    'subscopes': READONLY,

src/gam/gamlib/glclargs.py

@@ -493,7 +493,7 @@ class GamCLArgs():
   ARG_CIGROUPSMEMBERS = 'cigroupsmembers'
   ARG_CIMEMBER = 'cimember'
   ARG_CIMEMBERS = 'cimembers'
-  ARG_CIPOLICY = 'policies'
+  ARG_CIPOLICIES = 'policies'
   ARG_CLASS = 'class'
   ARG_CLASSES = 'classes'
   ARG_CLASSPARTICIPANTS = 'classparticipants'