Improved adminrole commands

src/GamCommands.txt

@@ -1461,16 +1461,21 @@ gam <UserTypeEntity> update serviceaccount (scope|scopes <APIScopeURLList>)*
 gam print privileges [todrive <ToDriveAttribute>*]
 gam show privileges
 
+<Privilege> ::= <String>
+<PrivilegeList> ::= "<Privilege>(,<Privilege)*"
 <RoleAssignmentID> ::= <String>
 <RoleItem> ::= id:<String>|uid:<string>|<String>
 
-gam create adminrole <String> privileges all|all_ou|<PrivilegesList> [description <String>]
-gam update adminrole <RoleItem> [name <String>] [privileges all|all_ou|<PrivilegesList>] [description <String>]
+gam create adminrole <String> [description <String>]
+        privileges all|all_ou|<PrivilegesList>|(select <FileSelector>|<CSVFileSelector>)
+gam update adminrole <RoleItem> [name <String>] [description <String>]
+         [privileges all|all_ou|<PrivilegesList>|(select <FileSelector>|<CSVFileSelector>)]
 gam delete adminrole <RoleItem>
 gam info adminrole <RoleItem> [privileges]
 gam print adminroles|roles [todrive <ToDriveAttribute>*]
-        [privileges] [oneitemperrow]
-gam show adminroles|roles [privileges]
+        [role <RoleItem>] [privileges] [oneitemperrow]
+gam show adminroles|roles
+        [role <RoleItem>] [privileges]
 
 gam create|add admin <EmailAddress>|<UniqueID> <RoleItem> customer|(org_unit <OrgUnitItem>)
         [condition securitygroup|nonsecuritygroup]

src/GamUpdate.txt

@@ -1,3 +1,11 @@
+7.06.14
+
+Updated `gam create|update adminrole` to allow specifying a collection of privileges
+with `privileges select <FileSelector>|<CSVFileSelector>` which makes copying roles much simpler.
+
+Updated option `role <RoleItem>` to `gam print|show adminroles` to allow display of information
+for a specific role.
+
 7.06.13
 
 Updated `gam print group-members ... recursive` and `gam print cigroup-members ... recursive`

src/gam/__init__.py

@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
 """
 
 __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
-__version__ = '7.06.13'
+__version__ = '7.06.14'
 __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
 
 #pylint: disable=wrong-import-position
@@ -16497,8 +16497,10 @@ def getRoleId():
       invalidChoiceExit(role, GM.Globals[GM.MAP_ROLE_NAME_TO_ID], True)
   return (role, roleId)
 
-# gam create adminrole <String> privileges all|all_ou|<PrivilegesList> [description <String>]
-# gam update adminrole <RoleItem> [name <String>] [privileges all|all_ou|<PrivilegesList>] [description <String>]
+# gam create adminrole <String> [description <String>]
+#	privileges all|all_ou|<PrivilegesList>|(select <FileSelector>|<CSVFileSelector>)
+# gam update adminrole <RoleItem> [name <String>] [description <String>]
+#	[privileges all|all_ou|<PrivilegesList>|(select <FileSelector>|<CSVFileSelector>)]
 def doCreateUpdateAdminRoles():
   def expandChildPrivileges(privilege):
     for childPrivilege in privilege.get('childPrivileges', []):
@@ -16529,8 +16531,12 @@ def doCreateUpdateAdminRoles():
       elif privs == 'ALL_OU':
         body['rolePrivileges'] = [{'privilegeName': p, 'serviceId': v} for p, v in ouPrivileges.items()]
       else:
+        if privs == 'SELECT':
+          privsList = [p.upper() for p in getEntityList(Cmd.OB_PRIVILEGE_LIST)]
+        else:
+          privsList = privs.replace(',', ' ').split()
         body.setdefault('rolePrivileges', [])
-        for p in privs.split(','):
+        for p in privsList:
           if p in allPrivileges:
             body['rolePrivileges'].append({'privilegeName': p, 'serviceId': allPrivileges[p]})
           elif p in ouPrivileges:
@@ -16540,6 +16546,8 @@ def doCreateUpdateAdminRoles():
           elif ':' in p:
             priv, serv = p.split(':')
             body['rolePrivileges'].append({'privilegeName': priv, 'serviceId': serv.lower()})
+          elif p == 'SUPPORT':
+            pass
           else:
             invalidChoiceExit(p, list(allPrivileges.keys())+list(ouPrivileges.keys())+list(childPrivileges.keys()), True)
     elif myarg == 'description':
@@ -16557,12 +16565,12 @@ def doCreateUpdateAdminRoles():
                         customer=GC.Values[GC.CUSTOMER_ID], body=body, fields='roleId,roleName')
     else:
       result = callGAPI(cd.roles(), 'patch',
-                        throwReasons=[GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND, GAPI.FORBIDDEN]+[GAPI.NOT_FOUND, GAPI.FAILED_PRECONDITION],
+                        throwReasons=[GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND, GAPI.FORBIDDEN]+[GAPI.NOT_FOUND, GAPI.FAILED_PRECONDITION, GAPI.CONFLICT],
                         customer=GC.Values[GC.CUSTOMER_ID], roleId=roleId, body=body, fields='roleId,roleName')
     entityActionPerformed([Ent.ADMIN_ROLE, f"{result['roleName']}({result['roleId']})"])
   except GAPI.duplicate as e:
     entityActionFailedWarning([Ent.ADMIN_ROLE, f"{body['roleName']}"], str(e))
-  except (GAPI.notFound, GAPI.forbidden, GAPI.failedPrecondition) as e:
+  except (GAPI.notFound, GAPI.forbidden, GAPI.failedPrecondition, GAPI.conflict) as e:
     entityActionFailedWarning([Ent.ADMIN_ROLE, roleId], str(e))
   except (GAPI.badRequest, GAPI.customerNotFound):
     accessErrorExit(cd)
@@ -16605,61 +16613,53 @@ def _showAdminRole(role, i=0, count=0):
   Ind.Decrement()
 
 # gam info adminrole <RoleItem> [privileges]
-def doInfoAdminRole():
-  cd = buildGAPIObject(API.DIRECTORY)
-  fieldsList = PRINT_ADMIN_ROLES_FIELDS[:]
-  _, roleId = getRoleId()
-  while Cmd.ArgumentsRemaining():
-    myarg = getArgument()
-    if myarg == 'privileges':
-      fieldsList.append('rolePrivileges')
-    else:
-      unknownArgumentExit()
-  fields = getFieldsFromFieldsList(fieldsList)
-  try:
-    role = callGAPI(cd.roles(), 'get',
-                    throwReasons=[GAPI.NOT_FOUND, GAPI.FORBIDDEN, GAPI.FAILED_PRECONDITION,
-                                  GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND],
-                    customer=GC.Values[GC.CUSTOMER_ID], roleId=roleId, fields=fields)
-    role.setdefault('isSuperAdminRole', False)
-    role.setdefault('isSystemRole', False)
-    _showAdminRole(role)
-  except (GAPI.notFound, GAPI.forbidden, GAPI.failedPrecondition) as e:
-    entityActionFailedWarning([Ent.ADMIN_ROLE, roleId], str(e))
-  except (GAPI.badRequest, GAPI.customerNotFound):
-    accessErrorExit(cd)
-
 # gam print adminroles|roles [todrive <ToDriveAttribute>*]
-#	[privileges] [oneitemperrow]
-# gam show adminroles|roles [privileges]
-def doPrintShowAdminRoles():
+#	[role <RoleItem>] [privileges] [oneitemperrow]
+# gam show adminroles|roles
+#	[role <RoleItem>] [privileges]
+def doInfoPrintShowAdminRoles():
   cd = buildGAPIObject(API.DIRECTORY)
   fieldsList = PRINT_ADMIN_ROLES_FIELDS[:]
   csvPF = CSVPrintFile(fieldsList, PRINT_ADMIN_ROLES_FIELDS) if Act.csvFormat() else None
   oneItemPerRow = False
+  if Act.Get() != Act.INFO:
+    roleId = None
+  else:
+    _, roleId = getRoleId()
   while Cmd.ArgumentsRemaining():
     myarg = getArgument()
     if csvPF and myarg == 'todrive':
       csvPF.GetTodriveParameters()
+    elif roleId is None and myarg == 'role':
+      _, roleId = getRoleId()
     elif myarg == 'privileges':
       fieldsList.append('rolePrivileges')
     elif myarg == 'oneitemperrow':
       oneItemPerRow = True
     else:
       unknownArgumentExit()
-  if csvPF:
+  if csvPF and 'rolePrivileges' in fieldsList:
     if not oneItemPerRow:
       csvPF.AddTitles(['rolePrivileges'])
     else:
       csvPF.AddTitles(['privilegeName', 'serviceId'])
-  fields = getItemFieldsFromFieldsList('items', fieldsList)
-  printGettingAllAccountEntities(Ent.ADMIN_ROLE)
   try:
-    roles = callGAPIpages(cd.roles(), 'list', 'items',
-                          pageMessage=getPageMessage(),
-                          throwReasons=[GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND, GAPI.FORBIDDEN],
-                          customer=GC.Values[GC.CUSTOMER_ID], fields=fields)
-  except (GAPI.badRequest, GAPI.customerNotFound, GAPI.forbidden):
+    if roleId is None:
+      fields = getItemFieldsFromFieldsList('items', fieldsList)
+      printGettingAllAccountEntities(Ent.ADMIN_ROLE)
+      roles = callGAPIpages(cd.roles(), 'list', 'items',
+                            pageMessage=getPageMessage(),
+                            throwReasons=[GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND, GAPI.FORBIDDEN],
+                            customer=GC.Values[GC.CUSTOMER_ID], fields=fields)
+    else:
+      fields = getFieldsFromFieldsList(fieldsList)
+      roles = [callGAPI(cd.roles(), 'get',
+                        throwReasons=[GAPI.NOT_FOUND, GAPI.FORBIDDEN, GAPI.FAILED_PRECONDITION,
+                                      GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND],
+                        customer=GC.Values[GC.CUSTOMER_ID], roleId=roleId, fields=fields)]
+  except (GAPI.notFound, GAPI.forbidden, GAPI.failedPrecondition) as e:
+    entityActionFailedWarning([Ent.ADMIN_ROLE, roleId], str(e))
+  except (GAPI.badRequest, GAPI.customerNotFound):
     accessErrorExit(cd)
   for role in roles:
     role.setdefault('isSuperAdminRole', False)
@@ -75613,7 +75613,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
     ),
   'info':
     (Act.INFO,
-     {Cmd.ARG_ADMINROLE:	doInfoAdminRole,
+     {Cmd.ARG_ADMINROLE:	doInfoPrintShowAdminRoles,
       Cmd.ARG_ALERT:		doInfoAlert,
       Cmd.ARG_ALIAS:		doInfoAliases,
       Cmd.ARG_BUILDING:		doInfoBuilding,
@@ -75688,7 +75688,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
   'print':
     (Act.PRINT,
      {Cmd.ARG_ADDRESSES:	doPrintAddresses,
-      Cmd.ARG_ADMINROLE:	doPrintShowAdminRoles,
+      Cmd.ARG_ADMINROLE:	doInfoPrintShowAdminRoles,
       Cmd.ARG_ADMIN:		doPrintShowAdmins,
       Cmd.ARG_ALERT:		doPrintShowAlerts,
       Cmd.ARG_ALERTFEEDBACK:	doPrintShowAlertFeedback,
@@ -75821,7 +75821,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
     ),
   'show':
     (Act.SHOW,
-     {Cmd.ARG_ADMINROLE:	doPrintShowAdminRoles,
+     {Cmd.ARG_ADMINROLE:	doInfoPrintShowAdminRoles,
       Cmd.ARG_ADMIN:		doPrintShowAdmins,
       Cmd.ARG_ALERT:		doPrintShowAlerts,
       Cmd.ARG_ALERTFEEDBACK:	doPrintShowAlertFeedback,

wiki/GamUpdates.md

@@ -10,6 +10,11 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
 
 See [Downloads-Installs-GAM7](https://github.com/GAM-team/GAM/wiki/Downloads-Installs) for Windows or other options, including manual installation
 
+### 7.06.13
+
+Updated `gam print group-members ... recursive` and `gam print cigroup-members ... recursive`
+to expand groups representing chat spaces.
+
 ### 7.06.12
 
 Deleted commands to display Analytic UA properties; the API has been deprecated.

wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md

@@ -251,7 +251,7 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin$ gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAM 7.06.12 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.06.13 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.3 64-bit final
 MacOS Sequoia 15.4.1 x86_64
@@ -989,7 +989,7 @@ writes the credentials into the file oauth2.txt.
 C:\>del C:\GAMConfig\oauth2.txt
 C:\>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAM 7.06.12 - https://github.com/GAM-team/GAM - pythonsource
+GAM 7.06.13 - https://github.com/GAM-team/GAM - pythonsource
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.3 64-bit final
 Windows-10-10.0.17134 AMD64

wiki/Users-Drive-Copy-Move.md

@@ -8,6 +8,7 @@
   - [Copy content of My Drive to a Shared Drive](#copy-content-of-my-drive-to-a-shared-drive)
   - [Copy content of a Shared Drive to another Shared Drive](#copy-content-of-a-shared-drive-to-another-shared-drive)
 - [Move files and folders](#move-files-and-folders)
+  - [Move My Drive folder to Shared Drive](#move-my-drive-folder-to-shared-drive)
   - [Simple moves by changing parents](#simple-moves-by-changing-parents)
   - [Move with ownership change](#move-with-ownership-change)
   - [Complex moves](#complex-moves)
@@ -428,6 +429,18 @@ gam user user@domain.com copy drivefile teamdriveid 0AC_1AB teamdriveparentid 0A
 ```
 
 ## Move files and folders
+## Move My Drive folder to Shared Drive
+There are two methods for moving a folder from a My Drive to a Shared Drive:
+* Drive UI - You can simple drag and drop the folder from the My Drive to the Shared Drive
+  * Google inspects the content of the folder and may not perform the move if:
+    * Files and folders within the selected folder are owned by users outside of your domain
+    * Files and folders within the selected folder are owned by other users inside of your domain but the owner of the original folder has only read access
+  * All folder and files IDs are preserved
+* GAM
+  * The Drive API doesn't allow moving a folder from a My Drive to a Shared Drive; GAM has to recreate the folders on the Shared Drive, thus changing their IDs
+  * Files are  simply moved from their existing My Drive folder to the recreated Shared Drive folder; their IDs do not change
+  * Files owmed by users outside of your domain can't be moved
+
 ## Simple moves by changing parents
 Use this command in the following cases:
 * Move a file or folder from one location to another on My Drive

wiki/Users-Drive-Files-Display.md

@@ -628,10 +628,15 @@ querytime5years -5y query "modifiedTime<'#querytime5years#'"
 
 ## File selection of Shared Drive
 You can limit the selection for files on a specific Shared drive.
-Any query will be applied to the Shared drive.
 ```
 select <SharedDriveEntity>
 ```
+
+To apply a query to that Shared Drive.
+```
+select <SharedDriveEntity> shareddrivequery "xxx"
+```
+
 ## File selection by corpora
 Select files by corpora.
 

wiki/Using-GAM7-with-a-delegated-admin-service-account.md

@@ -23,7 +23,7 @@ GAM7 version 6.50.00 or higher is required.
 
 ## Disadvantages
 * DASA accounts can only be delegated admins. [If a task requires super admin rights to perform](https://support.google.com/a/answer/2405986#:~:text=Only%20super%20administrators%20can...), DASA accounts won’t be able to do it.
-Not all Google Admin APIs work with DASA right now. For example, Google Vault API calls will fail with a DASA account.
+Not all Google Admin APIs work with DASA right now. For example, Google Vault API calls will fail with a DASA account; Classroom API calls do not return data.
 * DASA is a delegated admin and can make Workspace / Cloud Identity admin API calls, it does not replace domain-wide delegation (DwD) when using GAM7 commands that interact with Gmail, Drive and Calendar user data.
 * GAM7 support for DASA is still experimental and some things may fail. Please report your findings to the [GAM group](https://groups.google.com/g/google-apps-manager).
 

wiki/Version-and-Help.md

@@ -4,7 +4,7 @@ k
 Print the current version of Gam with details
 ```
 gam version
-GAM 7.06.12 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.06.13 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.3 64-bit final
 MacOS Sequoia 15.4.1 x86_64
@@ -16,7 +16,7 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAM 7.06.12 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.06.13 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.3 64-bit final
 MacOS Sequoia 15.4.1 x86_64
@@ -28,7 +28,7 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAM 7.06.12 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.06.13 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.3 64-bit final
 MacOS Sequoia 15.4.1 x86_64
@@ -65,7 +65,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gam7
 Version Check:
   Current: 5.35.08
-   Latest: 7.06.12
+   Latest: 7.06.13
 echo $?
 1
 ```
@@ -73,7 +73,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-7.06.12
+7.06.13
 ```
 In Linux/MacOS you can do:
 ```
@@ -83,7 +83,7 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 7.06.12 - https://github.com/GAM-team/GAM
+GAM 7.06.13 - https://github.com/GAM-team/GAM
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.3 64-bit final
 MacOS Sequoia 15.4.1 x86_64