Fixed bug in gam update chromepolicy

.github/workflows/build.yml

@@ -126,7 +126,7 @@ jobs:
         with:
           path: |
             cache.tar.xz
-          key: gam-${{ matrix.jid }}-20250422
+          key: gam-${{ matrix.jid }}-20250603
 
       - name: Untar Cache archive
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'

src/GamCommands.txt

@@ -1383,7 +1383,7 @@ gam show projects [[admin] <EmailAddress>] [all|<ProjectIDEntity>]
         [states all|active|deleterequested] [showiampolicies 0|1|3]
 gam print projects [[admin] <EmailAddress>] [all|<ProjectIDEntity>] [todrive <ToDriveAttribute>*]
         [states all|active|deleterequested] [showiampolicies 0|1|3 [onememberperrow]]
-        [delimiter <Character>]] [[formatjson [quotechar <Character>]]
+        [delimiter <Character>] [[formatjson [quotechar <Character>]]
 gam info currentprojectid
 
 gam create|add svcacct [[admin] <EmailAddress>] [<ProjectIDEntity>]
@@ -4119,7 +4119,7 @@ gam print devices [todrive <ToDriveAttribute>*]
         <DeviceFieldName>* [fields <DeviceFieldNameList>] [userfields <DeviceUserFieldNameList>]
         [orderby <DeviceOrderByFieldName> [ascending|descending]]
         [all|company|personal|nocompanydevices|nopersonaldevices]
-        [nodeviceusers]
+        [nodeviceusers|oneuserperrow]
         [formatjson [quotechar <Character>]]
         [showitemcountonly]
 
@@ -4819,6 +4819,17 @@ gam show shareddrives
         [fields <SharedDriveFieldNameList>] [noorgunits [<Boolean>]]
         [formatjson] [noorgunits [<Boolean>]]
 
+gam print shareddriveorganizers [todrive <ToDriveAttribute>*]
+        [(shareddriveadminquery|query <QuerySharedDrive>) |
+         (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>)))]
+        [orgunit|org|ou <OrgUnitPath>]
+        [matchname <REMatchPattern>]
+        [domainlist <DomainList>]
+        [includetypes <OrganizerTypeList>]
+        [oneorganizer [<Boolean>]]
+        [shownorganizerdrives [false|true|only]]
+        [includefileorganizers [<Boolean>]]
+        [delimiter <Character>]
 gam print oushareddrives [todrive <ToDriveAttribute>*]
         [ou|org|orgunit <OrgUnitPath>]
         [formatjson [quotechar <Character>]]
@@ -8326,6 +8337,19 @@ gam <UserTypeEntity> show shareddrives
         [fields <SharedDriveFieldNameList>] [noorgunits [<Boolean>]]
         [formatjson]
 
+gam <UserTypeEntity> print shareddriveorganizers [todrive <ToDriveAttribute>*]
+        [adminaccess|asadmin]
+        [(shareddriveadminquery|query <QuerySharedDrive>) |
+         (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>)))]
+        [orgunit|org|ou <OrgUnitPath>]
+        [matchname <REMatchPattern>]
+        [domainlist <DomainList>]
+        [includetypes <OrganizerTypeList>]
+        [oneorganizer [<Boolean>]]
+        [shownorganizerdrives [false|true|only]]
+        [includefileorganizers [<Boolean>]]
+        [delimiter <Character>]
+	
 # Users - Force Signout and Turn Off 2-Step Verification
 
 gam <UserTypeEntity> signout

src/GamUpdate.txt

@@ -1,3 +1,96 @@
+7.09.01
+
+Fixed bug in `gam <UserTypeEntity> print diskusage` where the `ownedByMe` column was
+blank for the top folder.
+
+Fixed bug in `gam update chromepolicy` where the following error was generated
+when updating policies with simple numerical values.
+```
+ERROR: Missing argument: Expected <value>"
+```
+
+7.09.00
+
+Removed the overly broad service account `IAM and Access Management API` scope `https://www.googleapis.com/auth/cloud-platform`
+from DWD. The `gam <UserTypeEntity> check|Update serviceaccount` commands issue an error message if this scope
+is enabled prompting you to update your service account authorization so that the scope can be removed.
+
+GAM commands that need IAM access now use the more limited scope `https://www.googleapis.com/auth/iam` in a non-DWD manner.
+
+Added `enforce_expansive_access` Boolean variable to `gam.cfg` that provides the default value
+for option `enforceexpansiveaccess` in all commands that delete or update drive file ACLs/permissions.
+It's default value is False.
+```
+gam <UserTypeEntity> delete permissions
+gam <UserTypeEntity> delete drivefileacl
+gam <UserTypeEntity> update drivefileacl
+gam <UserTypeEntity> copy drivefile
+gam <UserTypeEntity> move drivefile
+gam <UserTypeEntity> transfer ownership
+gam <UserTypeEntity> claim ownership
+gam <UserTypeEntity> transfer drive
+```
+
+Fixed bug in `gam print shareddriveorganizers` that caused a trap when an organizer was a deleted user.
+
+Updated to Python 3.13.4
+
+7.08.02
+
+Updated the defaults in `gam print shareddriveorganizers` to match the most common use case, not the script.
+
+* `domainlist` - The workspace primary domain
+* `includetypes` - user
+* `oneorganizer` - True
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+To select organizers from any domain, use: `domainlist ""`
+
+These commands produce the same result.
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers
+```
+
+7.08.01
+
+Added option `shareddrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>))` to
+`gam print shareddriveorganizers` that displays organizers for a specific list of Shared Drive IDs.
+
+7.08.00
+
+Added the following command that can be used instead of the `GetTeamDriveOrganizers.py` script.
+
+```
+gam [<UserTypeEntity>] print shareddriveorganizers [todrive <ToDriveAttribute>*]
+        [adminaccess|asadmin] [shareddriveadminquery|query <QuerySharedDrive>]
+        [orgunit|org|ou <OrgUnitPath>]
+        [matchname <REMatchPattern>]
+        [domainlist <DomainList>]
+        [includetypes <OrganizerTypeList>]
+        [oneorganizer [<Boolean>]]
+        [shownorganizerdrives [false|true|only]]
+        [includefileorganizers [<Boolean>]]
+        [delimiter <Character>]
+```
+The command defaults match the script defaults:
+* `domainlist` - All domains
+* `includetypes` - user,group
+* `oneorganizer` - False
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+For example, to get a single organizer from your domain for all Shared Drives including no organizer drives:
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives
+```
+
+7.07.17
+
+Added option `oneuserperrow` to `gam print devices` to have each of a
+device's users displayed on a separate row with all of the other device fields.
+
 7.07.16
 
 Added `chromeostype`, `diskspaceusage` and `faninfo` to `<CrOSFieldName>` for use in `gam info|print cros`.

src/callgam.py

@@ -11,7 +11,7 @@ if __name__ == '__main__':
 # One time initialization
   if platform.system() != 'Linux':
     multiprocessing.freeze_support()
-    multiprocessing.set_start_method('spawn')
+    multiprocessing.set_start_method('spawn', force=True)
   initializeLogging()
 #
   CallGAMCommand(['gam', 'version'])

src/gam.py

@@ -11,5 +11,5 @@ from gam.__main__ import main
 if __name__ == '__main__':
   if platform.system() != 'Linux':
     multiprocessing.freeze_support()
-    multiprocessing.set_start_method('spawn')
+    multiprocessing.set_start_method('spawn', force=True)
   main()

src/gam/__init__.py

@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
 """
 
 __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
-__version__ = '7.07.16'
+__version__ = '7.09.01'
 __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
 
 #pylint: disable=wrong-import-position
@@ -4785,8 +4785,9 @@ def defaultSvcAcctScopes():
   scopesList = API.getSvcAcctScopesList(GC.Values[GC.USER_SERVICE_ACCOUNT_ACCESS_ONLY], False)
   saScopes = {}
   for scope in scopesList:
-    saScopes.setdefault(scope['api'], [])
-    saScopes[scope['api']].append(scope['scope'])
+    if not scope.get('offByDefault'):
+      saScopes.setdefault(scope['api'], [])
+      saScopes[scope['api']].append(scope['scope'])
   saScopes[API.DRIVEACTIVITY].append(API.DRIVE_SCOPE)
   saScopes[API.DRIVE2] = saScopes[API.DRIVE3]
   saScopes[API.DRIVETD] = saScopes[API.DRIVE3]
@@ -12232,7 +12233,7 @@ def checkServiceAccount(users):
 
   def authorizeScopes(message):
     long_url = ('https://admin.google.com/ac/owl/domainwidedelegation'
-                f'?clientScopeToAdd={",".join(checkScopes)}'
+                f'?clientScopeToAdd={",".join(sorted(checkScopes))}'
                 f'&clientIdToAdd={service_account}&overwriteClientId=true')
     if GC.Values[GC.DOMAIN]:
       long_url += f'&dn={GC.Values[GC.DOMAIN]}'
@@ -12244,10 +12245,12 @@ def checkServiceAccount(users):
   allScopes = API.getSvcAcctScopes(GC.Values[GC.USER_SERVICE_ACCOUNT_ACCESS_ONLY], Act.Get() == Act.UPDATE)
   checkScopesSet = set()
   saScopes = {}
+  checkDeprecatedScopes = True
   useColor = False
   while Cmd.ArgumentsRemaining():
     myarg = getArgument()
     if myarg in {'scope', 'scopes'}:
+      checkDeprecatedScopes = False
       for scope in getString(Cmd.OB_API_SCOPE_URL_LIST).lower().replace(',', ' ').split():
         api = API.getSvcAcctScopeAPI(scope)
         if api is not None:
@@ -12264,10 +12267,12 @@ def checkServiceAccount(users):
     testPass = createGreenText('PASS')
     testFail = createRedText('FAIL')
     testWarn = createYellowText('WARN')
+    testDeprecated = createRedText('DEPRECATED')
   else:
     testPass = 'PASS'
     testFail = 'FAIL'
     testWarn = 'WARN'
+    testDeprecated = 'DEPRECATED'
   if Act.Get() == Act.CHECK:
     if not checkScopesSet:
       for scope in iter(GM.Globals[GM.SVCACCT_SCOPES].values()):
@@ -12275,7 +12280,7 @@ def checkServiceAccount(users):
   else:
     if not checkScopesSet:
       scopesList = API.getSvcAcctScopesList(GC.Values[GC.USER_SERVICE_ACCOUNT_ACCESS_ONLY], True)
-      selectedScopes = getScopesFromUser(scopesList, False, GM.Globals[GM.SVCACCT_SCOPES])
+      selectedScopes = getScopesFromUser(scopesList, False, GM.Globals[GM.SVCACCT_SCOPES] if GM.Globals[GM.SVCACCT_SCOPES_DEFINED] else None)
       if selectedScopes is None:
         return False
       i = 0
@@ -12337,8 +12342,8 @@ def checkServiceAccount(users):
   if saTokenStatus == testFail:
     invalidOauth2serviceJsonExit(f'Authentication{auth_error}')
   _getSvcAcctData() # needed to read in GM.OAUTH2SERVICE_JSON_DATA
-  if GM.Globals[GM.SVCACCT_SCOPES_DEFINED] and API.IAM not in GM.Globals[GM.SVCACCT_SCOPES]:
-    GM.Globals[GM.SVCACCT_SCOPES][API.IAM] = [API.CLOUD_PLATFORM_SCOPE]
+  if API.IAM not in GM.Globals[GM.SVCACCT_SCOPES]:
+    GM.Globals[GM.SVCACCT_SCOPES][API.IAM] = [API.IAM_SCOPE]
   key_type = GM.Globals[GM.OAUTH2SERVICE_JSON_DATA].get('key_type', 'default')
   if key_type == 'default':
     printMessage(Msg.SERVICE_ACCOUNT_CHECK_PRIVATE_KEY_AGE)
@@ -12399,6 +12404,38 @@ def checkServiceAccount(users):
         allScopesPass = False
       printPassFail(scope, f'{scopeStatus}{currentCount(j, jcount)}')
     Ind.Decrement()
+    if checkDeprecatedScopes:
+      deprecatedScopes = sorted(API.DEPRECATED_SCOPES)
+      jcount = len(deprecatedScopes)
+      printKeyValueListWithCount([Msg.DEPRECATED_SCOPES, '',
+                                  Ent.Singular(Ent.USER), user,
+                                  Ent.Choose(Ent.SCOPE, jcount), jcount],
+                                 i, count)
+      Ind.Increment()
+      j = 0
+      for scope in deprecatedScopes:
+        j += 1
+        # try with and without email scope
+        for scopes in [[scope, API.USERINFO_EMAIL_SCOPE], [scope]]:
+          try:
+            credentials = getSvcAcctCredentials(scopes, user)
+            credentials.refresh(request)
+            break
+          except (httplib2.HttpLib2Error, google.auth.exceptions.TransportError, RuntimeError) as e:
+            handleServerError(e)
+          except google.auth.exceptions.RefreshError:
+            continue
+        if credentials.token:
+          token_info = callGAPI(oa2, 'tokeninfo', access_token=credentials.token)
+          if scope in token_info.get('scope', '').split(' ') and user == token_info.get('email', user).lower():
+            scopeStatus = testDeprecated
+            allScopesPass = False
+          else:
+            scopeStatus = testPass
+        else:
+          scopeStatus = testPass
+        printPassFail(scope, f'{scopeStatus}{currentCount(j, jcount)}')
+      Ind.Decrement()
     service_account = GM.Globals[GM.OAUTH2SERVICE_JSON_DATA]['client_id']
     if allScopesPass:
       if Act.Get() == Act.CHECK:
@@ -17102,11 +17139,11 @@ DATA_TRANSFER_SORT_TITLES = ['id', 'requestTime', 'oldOwnerUserEmail', 'newOwner
 
 # gam print datatransfers|transfers [todrive <ToDriveAttribute>*]
 #	[olduser|oldowner <UserItem>] [newuser|newowner <UserItem>]
-#	[status <String>] [delimiter <Character>]]
+#	[status <String>] [delimiter <Character>]
 #	(addcsvdata <FieldName> <String>)*
 # gam show datatransfers|transfers
 #	[olduser|oldowner <UserItem>] [newuser|newowner <UserItem>]
-#	[status <String>] [delimiter <Character>]]
+#	[status <String>] [delimiter <Character>]
 def doPrintShowDataTransfers():
   dt = buildGAPIObject(API.DATATRANSFER)
   apps = getTransferApplications(dt)
@@ -28081,6 +28118,7 @@ def simplifyChromeSchema(schema):
                  'settings': {}
                 }
   fieldDescriptions = schema['fieldDescriptions']
+  savedSettingName = ''
   for mtype in schema['definition']['messageType']:
     for setting in mtype['field']:
       setting_name = setting['name']
@@ -28089,6 +28127,9 @@ def simplifyChromeSchema(schema):
                       'descriptions':  [],
                       'type': setting['type'],
                      }
+      if setting_dict['type'] == 'TYPE_INT64' and savedSettingName:
+        setting_dict['name'] = savedSettingName
+      savedSettingName = ''
       if setting_dict['type'] == 'TYPE_STRING' and setting.get('label') == 'LABEL_REPEATED':
         setting_dict['type'] = 'TYPE_LIST'
       if setting_dict['type'] == 'TYPE_ENUM':
@@ -28110,6 +28151,7 @@ def simplifyChromeSchema(schema):
                   break
             break
       elif setting_dict['type'] == 'TYPE_MESSAGE':
+        savedSettingName = setting_name
         continue
       else:
         setting_dict['enums'] = None
@@ -28215,14 +28257,11 @@ def doDeleteChromePolicy():
     entityActionFailedWarning(kvList, str(e))
 
 CHROME_SCHEMA_SPECIAL_CASES = {
+# duration
   'chrome.users.AutoUpdateCheckPeriodNewV2':
     {'autoupdatecheckperiodminutesnew':
        {'casedField': 'autoUpdateCheckPeriodMinutesNew',
         'type': 'duration', 'minVal': 1, 'maxVal': 720}},
-  'chrome.users.Avatar':
-    {'useravatarimage':
-       {'casedField': 'userAvatarImage',
-        'type': 'downloadUri'}},
   'chrome.users.BrowserSwitcherDelayDurationV2':
     {'browserswitcherdelayduration':
        {'casedField': 'browserSwitcherDelayDuration',
@@ -28264,10 +28303,6 @@ CHROME_SCHEMA_SPECIAL_CASES = {
     {'maxinvalidationfetchdelay':
        {'casedField': 'maxInvalidationFetchDelay',
         'type': 'duration', 'minVal': 1, 'maxVal': 30, 'default': 10}},
-  'chrome.users.PrintingMaxSheetsAllowed':
-    {'printingmaxsheetsallowednullable':
-       {'casedField': 'printingMaxSheetsAllowedNullable',
-        'type': 'value', 'minVal': 1, 'maxVal': None}},
   'chrome.users.PrintJobHistoryExpirationPeriodNewV2':
     {'printjobhistoryexpirationperioddaysnew':
        {'casedField': 'printJobHistoryExpirationPeriodDaysNew',
@@ -28291,10 +28326,6 @@ CHROME_SCHEMA_SPECIAL_CASES = {
      'updatessuppressedstarttime':
        {'casedField': 'updatesSuppressedStartTime',
         'type': 'timeOfDay'}},
-  'chrome.users.Wallpaper':
-    {'wallpaperimage':
-       {'casedField': 'wallpaperImage',
-        'type': 'downloadUri'}},
   'chrome.devices.EnableReportUploadFrequencyV2':
     {'reportdeviceuploadfrequency':
        {'casedField': 'reportDeviceUploadFrequency',
@@ -28303,10 +28334,6 @@ CHROME_SCHEMA_SPECIAL_CASES = {
     {'uptimelimitduration':
        {'casedField': 'uptimeLimitDuration',
         'type': 'duration', 'minVal': 1, 'maxVal': 365}},
-  'chrome.devices.SignInWallpaperImage':
-    {'devicewallpaperimage':
-       {'casedField': 'deviceWallpaperImage',
-        'type': 'downloadUri'}},
   'chrome.devices.kiosk.AcPowerSettingsV2':
     {'acidletimeout':
        {'casedField': 'acIdleTimeout',
@@ -28333,10 +28360,6 @@ CHROME_SCHEMA_SPECIAL_CASES = {
      'batteryscreenofftimeout':
        {'casedField': 'batteryScreenOffTimeout',
         'type': 'duration', 'minVal': 0, 'maxVal': 35000}},
-  'chrome.devices.managedguest.Avatar':
-    {'useravatarimage':
-       {'casedField': 'userAvatarImage',
-        'type': 'downloadUri'}},
   'chrome.devices.managedguest.BrowsingDataLifetimeV2':
     {'browsinghistoryttl':
        {'casedField': 'browsingHistoryTtl',
@@ -28378,6 +28401,56 @@ CHROME_SCHEMA_SPECIAL_CASES = {
     {'sessiondurationlimit':
        {'casedField': 'sessionDurationLimit',
         'type': 'duration', 'minVal': 1, 'maxVal': 1440}},
+# value
+  'chrome.users.GaiaLockScreenOfflineSigninTimeLimitDays':
+    {'gaialockscreenofflinesignintimelimitdays':
+       {'casedField': 'gaiaLockScreenOfflineSigninTimeLimitDays',
+        'type': 'value', 'minVal': 0, 'maxVal': 365}},
+  'chrome.users.GaiaOfflineSigninTimeLimitDays':
+    {'gaiaofflinesignintimelimitdays':
+       {'casedField': 'gaiaOfflineSigninTimeLimitDays',
+        'type': 'value', 'minVal': 0, 'maxVal': 365}},
+  'chrome.users.PrintingMaxSheetsAllowed':
+    {'printingmaxsheetsallowednullable':
+       {'casedField': 'printingMaxSheetsAllowedNullable',
+        'type': 'value', 'minVal': 1, 'maxVal': None}},
+  'chrome.users.RemoteAccessHostClipboardSizeBytes':
+    {'remoteaccesshostclipboardsizebytes':
+       {'casedField': 'remoteAccessHostClipboardSizeBytes',
+        'type': 'value', 'minVal': 0, 'maxVal': 2147483647}},
+  'chrome.users.SamlLockScreenOfflineSigninTimeLimitDays':
+    {'samllockscreenofflinesignintimelimitdays':
+       {'casedField': 'samlLockScreenOfflineSigninTimeLimitDays',
+        'type': 'value', 'minVal': 0, 'maxVal': 365}},
+  'chrome.devices.ExtensionCacheSize':
+    {'extensioncachesize':
+       {'casedField': 'extensionCacheSize',
+        'type': 'value', 'minVal': 1048576, 'maxVal': None, 'default': 268435456}},
+  'chrome.devices.managedguest.PrintingMaxSheetsAllowed':
+    {'printingmaxsheetsallowednullable':
+       {'casedField': 'printingMaxSheetsAllowedNullable',
+        'type': 'value', 'minVal': 1, 'maxVal': None}},
+  'chrome.devices.managedguest.RemoteAccessHostClipboardSizeBytes':
+    {'remoteaccesshostclipboardsizebytes':
+       {'casedField': 'remoteAccessHostClipboardSizeBytes',
+        'type': 'value', 'minVal': 0, 'maxVal': 2147483647}},
+# downloadUri
+  'chrome.users.Avatar':
+    {'useravatarimage':
+       {'casedField': 'userAvatarImage',
+        'type': 'downloadUri'}},
+  'chrome.users.Wallpaper':
+    {'wallpaperimage':
+       {'casedField': 'wallpaperImage',
+        'type': 'downloadUri'}},
+  'chrome.devices.SignInWallpaperImage':
+    {'devicewallpaperimage':
+       {'casedField': 'deviceWallpaperImage',
+        'type': 'downloadUri'}},
+  'chrome.devices.managedguest.Avatar':
+    {'useravatarimage':
+       {'casedField': 'userAvatarImage',
+        'type': 'downloadUri'}},
   'chrome.devices.managedguest.Wallpaper':
     {'wallpaperimage':
        {'casedField': 'wallpaperImage',
@@ -29587,7 +29660,7 @@ DEVICE_ORDERBY_CHOICE_MAP = {
 #	<DeviceFieldName>* [fields <DeviceFieldNameList>] [userfields <DeviceUserFieldNameList>]
 #	[orderby <DeviceOrderByFieldName> [ascending|descending]]
 #	[all|company|personal|nocompanydevices|nopersonaldevices]
-#	[nodeviceusers]
+#	[nodeviceusers|oneuserperrow]
 #	[formatjson [quotechar <Character>]]
 # 	[showitemcountonly]
 def doPrintCIDevices():
@@ -29603,7 +29676,7 @@ def doPrintCIDevices():
   queries = [None]
   view, entityType = DEVICE_VIEW_CHOICE_MAP['all']
   getDeviceUsers = True
-  showItemCountOnly = False
+  oneUserPerRow = showItemCountOnly = False
   while Cmd.ArgumentsRemaining():
     myarg = getArgument()
     if csvPF and myarg == 'todrive':
@@ -29618,6 +29691,8 @@ def doPrintCIDevices():
       view, entityType = DEVICE_VIEW_CHOICE_MAP[myarg]
     elif myarg == 'nodeviceusers':
       getDeviceUsers = False
+    elif myarg in {'oneuserperrow', 'oneitemperrow'}:
+      getDeviceUsers = oneUserPerRow = True
     elif getFieldsList(myarg, DEVICE_FIELDS_CHOICE_MAP, fieldsList, initialField='name'):
       pass
     elif getFieldsList(myarg, DEVICEUSER_FIELDS_CHOICE_MAP, userFieldsList, initialField='name', fieldsArg='userfields'):
@@ -29631,6 +29706,8 @@ def doPrintCIDevices():
   fields = getItemFieldsFromFieldsList('devices', fieldsList)
   userFields = getItemFieldsFromFieldsList('deviceUsers', userFieldsList)
   substituteQueryTimes(queries, queryTimes)
+  if FJQC.formatJSON and oneUserPerRow:
+    csvPF.SetJSONTitles(['name', 'user.name', 'JSON'])
   itemCount = 0
   for query in queries:
     printGettingAllAccountEntities(entityType, query)
@@ -29672,13 +29749,26 @@ def doPrintCIDevices():
       except (GAPI.invalid, GAPI.invalidArgument, GAPI.permissionDenied) as e:
         entityActionFailedWarning([entityType, None], str(e))
     for device in devices:
-      row = flattenJSON(device, timeObjects=DEVICE_TIME_OBJECTS)
-      if not FJQC.formatJSON:
-        csvPF.WriteRowTitles(row)
-      elif csvPF.CheckRowTitles(row):
-        csvPF.WriteRowNoFilter({'name': device['name'],
-                                'JSON': json.dumps(cleanJSON(device, timeObjects=DEVICE_TIME_OBJECTS),
-                                                   ensure_ascii=False, sort_keys=True)})
+      if not oneUserPerRow or 'users' not in device:
+        row = flattenJSON(device, timeObjects=DEVICE_TIME_OBJECTS)
+        if not FJQC.formatJSON:
+          csvPF.WriteRowTitles(row)
+        elif csvPF.CheckRowTitles(row):
+          csvPF.WriteRowNoFilter({'name': device['name'],
+                                  'JSON': json.dumps(cleanJSON(device, timeObjects=DEVICE_TIME_OBJECTS),
+                                                     ensure_ascii=False, sort_keys=True)})
+      else:
+        deviceUsers = device.pop('users')
+        baserow = flattenJSON(device, timeObjects=DEVICE_TIME_OBJECTS)
+        for deviceUser in deviceUsers:
+          row = flattenJSON({'user': deviceUser}, flattened=baserow.copy(), timeObjects=DEVICE_TIME_OBJECTS)
+          if not FJQC.formatJSON:
+            csvPF.WriteRowTitles(row)
+          elif csvPF.CheckRowTitles(row):
+            device['user'] = deviceUser
+            csvPF.WriteRowNoFilter({'name': device['name'], 'user.name': deviceUser['name'],
+                                    'JSON': json.dumps(cleanJSON(device, timeObjects=DEVICE_TIME_OBJECTS),
+                                                       ensure_ascii=False, sort_keys=True)})
   if showItemCountOnly:
     writeStdout(f'{itemCount}\n')
     return
@@ -57242,6 +57332,7 @@ def printDiskUsage(users):
             topFolder['path'] = f'{SHARED_DRIVES}{pathDelimiter}{topFolder["name"]}'
           else:
             topFolder['path'] = topFolder['name']
+          topFolder.pop('ownedByMe', None)
         elif topFolder['name'] == MY_DRIVE and not topFolder.get('parents'):
           topFolder['path'] = MY_DRIVE
         else:
@@ -57252,7 +57343,6 @@ def printDiskUsage(users):
           if owners:
             topFolder['Owner'] = owners[0].get('emailAddress', 'Unknown')
             trashFolder['Owner'] = topFolder['Owner']
-        topFolder.pop('ownedByMe', None)
         topFolder.pop('parents', None)
         topFolder.update(zeroFolderInfo)
         topFolder.pop(sizeField, None)
@@ -58699,7 +58789,7 @@ def initCopyMoveOptions(copyCmd):
     'showPermissionMessages': False,
     'sendEmailIfRequired': False,
     'useDomainAdminAccess': False,
-    'enforceExpansiveAccess': False,
+    'enforceExpansiveAccess': GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS],
     'copiedShortcutsPointToCopiedFiles': True,
     'createShortcutsForNonmovableFiles': False,
     'duplicateFiles': DUPLICATE_FILE_OVERWRITE_OLDER,
@@ -62079,7 +62169,8 @@ def transferDrive(users):
   targetUserFolderPattern = '#user# old files'
   targetUserOrphansFolderPattern = '#user# orphaned files'
   targetIds = [None, None]
-  createShortcutsForNonmovableFiles = enforceExpansiveAccess = False
+  createShortcutsForNonmovableFiles = False
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   mergeWithTarget = False
   thirdPartyOwners = {}
   skipFileIdEntity = initDriveFileEntity()
@@ -62385,7 +62476,8 @@ def transferOwnership(users):
   body = {}
   newOwner = getEmailAddress()
   OBY = OrderBy(DRIVEFILE_ORDERBY_CHOICE_MAP)
-  changeParents = enforceExpansiveAccess = filepath = includeTrashed = noRecursion = False
+  changeParents = filepath = includeTrashed = noRecursion = False
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   pathDelimiter = '/'
   csvPF = fileTree = None
   addParents = ''
@@ -62711,7 +62803,8 @@ def claimOwnership(users):
   onlyOwners = set()
   skipOwners = set()
   subdomains = []
-  enforceExpansiveAccess = filepath = includeTrashed = False
+  filepath = includeTrashed = False
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   pathDelimiter = '/'
   addParents = ''
   parentBody = {}
@@ -63486,7 +63579,7 @@ def doCreateDriveFileACL():
 def updateDriveFileACLs(users, useDomainAdminAccess=False):
   fileIdEntity = getDriveFileEntity()
   isEmail, permissionId = getPermissionId()
-  enforceExpansiveAccess = None
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   removeExpiration = showTitles = updateSheetProtectedRanges = False
   showDetails = True
   csvPF = None
@@ -63524,9 +63617,6 @@ def updateDriveFileACLs(users, useDomainAdminAccess=False):
   _checkFileIdEntityDomainAccess(fileIdEntity, useDomainAdminAccess)
   if 'role' not in body:
     missingArgumentExit(f'role {formatChoiceList(DRIVEFILE_ACL_ROLES_MAP)}')
-  updateKwargs = {'useDomainAdminAccess': useDomainAdminAccess}
-  if enforceExpansiveAccess is not None:
-    updateKwargs['enforceExpansiveAccess'] = enforceExpansiveAccess
   printKeys, timeObjects = _getDriveFileACLPrintKeysTimeObjects()
   if csvPF and showTitles:
     csvPF.AddTitles(fileNameTitle)
@@ -63564,7 +63654,7 @@ def updateDriveFileACLs(users, useDomainAdminAccess=False):
         permission = callGAPI(drive.permissions(), 'update',
                               bailOnInternalError=True,
                               throwReasons=GAPI.DRIVE_ACCESS_THROW_REASONS+GAPI.DRIVE3_UPDATE_ACL_THROW_REASONS+[GAPI.FILE_NEVER_WRITABLE],
-                              **updateKwargs,
+                              useDomainAdminAccess=useDomainAdminAccess, enforceExpansiveAccess=enforceExpansiveAccess,
                               fileId=fileId, permissionId=permissionId, removeExpiration=removeExpiration,
                               transferOwnership=body.get('role', '') == 'owner', body=body, fields='*', supportsAllDrives=True)
         if updateSheetProtectedRanges and mimeType == MIMETYPE_GA_SPREADSHEET:
@@ -63815,7 +63905,7 @@ def doCreatePermissions():
 def deleteDriveFileACLs(users, useDomainAdminAccess=False):
   fileIdEntity = getDriveFileEntity()
   isEmail, permissionId = getPermissionId()
-  enforceExpansiveAccess = None
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   showTitles = updateSheetProtectedRanges = False
   while Cmd.ArgumentsRemaining():
     myarg = getArgument()
@@ -63830,9 +63920,6 @@ def deleteDriveFileACLs(users, useDomainAdminAccess=False):
     else:
       unknownArgumentExit()
   _checkFileIdEntityDomainAccess(fileIdEntity, useDomainAdminAccess)
-  deleteKwargs = {'useDomainAdminAccess': useDomainAdminAccess}
-  if enforceExpansiveAccess is not None:
-    deleteKwargs['enforceExpansiveAccess'] = enforceExpansiveAccess
   i, count, users = getEntityArgument(users)
   for user in users:
     i += 1
@@ -63865,7 +63952,7 @@ def deleteDriveFileACLs(users, useDomainAdminAccess=False):
                 break
         callGAPI(drive.permissions(), 'delete',
                  throwReasons=GAPI.DRIVE_ACCESS_THROW_REASONS+GAPI.DRIVE3_DELETE_ACL_THROW_REASONS+[GAPI.FILE_NEVER_WRITABLE],
-                 **deleteKwargs,
+                 useDomainAdminAccess=useDomainAdminAccess, enforceExpansiveAccess=enforceExpansiveAccess,
                  fileId=fileId, permissionId=permissionId, supportsAllDrives=True)
         entityActionPerformed([Ent.USER, user, entityType, fileName, Ent.PERMISSION_ID, permissionId], j, jcount)
         if updateSheetProtectedRanges and mimeType == MIMETYPE_GA_SPREADSHEET:
@@ -63944,7 +64031,7 @@ def deletePermissions(users, useDomainAdminAccess=False):
     jsonData = getJSON([])
     PM = PermissionMatch()
     PM.SetDefaultMatch(False, {'role': 'owner'})
-  enforceExpansiveAccess = False
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   while Cmd.ArgumentsRemaining():
     myarg = getArgument()
     if myarg in ADMIN_ACCESS_OPTIONS:
@@ -66033,6 +66120,191 @@ def printShowSharedDriveACLs(users, useDomainAdminAccess=False):
 def doPrintShowSharedDriveACLs():
   printShowSharedDriveACLs([_getAdminEmail()], True)
 
+PRINT_ORGANIZER_TYPES = {'group', 'user'}
+
+# gam [<UserTypeEntity>] print shareddriveorganizers [todrive <ToDriveAttribute>*]
+#	[adminaccess|asadmin]
+#	[(shareddriveadminquery|query <QuerySharedDrive>) |
+#	 (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>)))]
+#	[matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
+#	[domainlist <DomainList>]
+#	[includetypes user|group]
+#	[oneorganizer [<Boolean>]]
+#	[shownorganizerdrives false|true|only]
+#	[includefileorganizers [<Boolean>]]
+#	[delimiter <Character>]
+def printSharedDriveOrganizers(users, useDomainAdminAccess=False):
+  csvPF = CSVPrintFile(['id', 'name', 'organizers', 'createdTime'], 'sortall')
+  delimiter = GC.Values[GC.CSV_OUTPUT_FIELD_DELIMITER]
+  roles = set(['organizer'])
+  includeTypes = set()
+  showNoOrganizerDrives = SHOW_NO_PERMISSIONS_DRIVES_CHOICE_MAP['false']
+  fieldsList = ['role', 'type', 'emailAddress']
+  cd = entityList = orgUnitId = query = matchPattern = None
+  domainList = [GC.Values[GC.DOMAIN]]
+  oneOrganizer = True
+  while Cmd.ArgumentsRemaining():
+    myarg = getArgument()
+    if csvPF and myarg == 'todrive':
+      csvPF.GetTodriveParameters()
+    elif myarg == 'delimiter':
+      delimiter = getCharacter()
+    elif myarg in {'shareddrive', 'shareddrives', 'teamdrive', 'teamdrives'}:
+      sharedDriveArg = myarg
+      itemList = getString(Cmd.OB_SHAREDDRIVE_ID_LIST)
+      if itemList != 'select':
+        entityList =  itemList.replace(',', ' ').split()
+      else:
+        entityList = getEntityList(Cmd.OB_SHAREDDRIVE_ID_LIST)
+    elif myarg in {'teamdriveadminquery', 'shareddriveadminquery', 'query'}:
+      queryArg = myarg
+      queryLocation = Cmd.Location()
+      query = getString(Cmd.OB_QUERY, minLen=0) or None
+      if query:
+        query = mapQueryRelativeTimes(query, ['createdTime'])
+    elif myarg == 'matchname':
+      matchPattern = getREPattern(re.IGNORECASE)
+    elif myarg in {'ou', 'org', 'orgunit'}:
+      orgLocation = Cmd.Location()
+      if cd is None:
+        cd = buildGAPIObject(API.DIRECTORY)
+      orgUnitPath, orgUnitId = getOrgUnitId(cd)
+      orgUnitId = orgUnitId[3:]
+      orgUnitInfo = {'orgUnit': orgUnitPath, 'orgUnitId': orgUnitId}
+    elif myarg in ADMIN_ACCESS_OPTIONS:
+      useDomainAdminAccess = True
+    elif myarg == 'domainlist':
+      domainList = set(getString(Cmd.OB_DOMAIN_NAME_LIST, minLen=0).replace(',', ' ').lower().split())
+    elif myarg == 'includetypes':
+      for itype in getString(Cmd.OB_ORGANIZER_TYPE_LIST).lower().replace(',', ' ').split():
+        if itype in PRINT_ORGANIZER_TYPES:
+          includeTypes.add(itype)
+        else:
+          invalidChoiceExit(itype, PRINT_ORGANIZER_TYPES, True)
+    elif myarg == 'oneorganizer':
+      oneOrganizer = getBoolean()
+    elif myarg == 'shownoorganizerdrives':
+      showNoOrganizerDrives = getChoice(SHOW_NO_PERMISSIONS_DRIVES_CHOICE_MAP, defaultChoice=1, mapChoice=True)
+    elif myarg in {'includefileorganizers', 'includecontentmanagers'}:
+      if getBoolean():
+        roles.add('fileOrganizer')
+    else:
+      unknownArgumentExit()
+  if query:
+    if not useDomainAdminAccess:
+      Cmd.SetLocation(queryLocation-1)
+      usageErrorExit(Msg.ONLY_ADMINISTRATORS_CAN_PERFORM_SHARED_DRIVE_QUERIES)
+    if entityList:
+      Cmd.SetLocation(queryLocation-1)
+      usageErrorExit(Msg.ARE_MUTUALLY_EXCLUSIVE.format(queryArg, sharedDriveArg))
+  if orgUnitId is not None:
+    if not useDomainAdminAccess:
+      Cmd.SetLocation(orgLocation-1)
+      usageErrorExit(Msg.ONLY_ADMINISTRATORS_CAN_SPECIFY_SHARED_DRIVE_ORGUNIT)
+    csvPF.AddTitles(['orgUnit', 'orgUnitId'])
+  if not includeTypes:
+    includeTypes = set(['user'])
+  fields = getItemFieldsFromFieldsList('permissions', fieldsList, True)
+  i, count, users = getEntityArgument(users)
+  for user in users:
+    i += 1
+    user, drive = buildGAPIServiceObject(API.DRIVE3, user, i, count)
+    if not drive:
+      continue
+    if entityList is None:
+      if useDomainAdminAccess:
+        printGettingAllAccountEntities(Ent.SHAREDDRIVE, query)
+        pageMessage = getPageMessage()
+      else:
+        printGettingAllEntityItemsForWhom(Ent.SHAREDDRIVE, user, i, count, query)
+        pageMessage = getPageMessageForWhom()
+      try:
+        feed = callGAPIpages(drive.drives(), 'list', 'drives',
+                             pageMessage=pageMessage,
+                             throwReasons=GAPI.DRIVE_USER_THROW_REASONS+[GAPI.INVALID_QUERY, GAPI.INVALID,
+                                                                         GAPI.QUERY_REQUIRES_ADMIN_CREDENTIALS,
+                                                                         GAPI.NO_LIST_TEAMDRIVES_ADMINISTRATOR_PRIVILEGE,
+                                                                         GAPI.FILE_NOT_FOUND],
+                             q=query, useDomainAdminAccess=useDomainAdminAccess,
+                             fields='nextPageToken,drives(id,name,createdTime,orgUnitId)', pageSize=100)
+      except (GAPI.invalidQuery, GAPI.invalid, GAPI.queryRequiresAdminCredentials,
+              GAPI.noListTeamDrivesAdministratorPrivilege, GAPI.fileNotFound) as e:
+        entityActionFailedWarning([Ent.USER, user, Ent.SHAREDDRIVE, None], str(e), i, count)
+        continue
+      except (GAPI.serviceNotAvailable, GAPI.authError, GAPI.domainPolicy) as e:
+        userDriveServiceNotEnabledWarning(user, str(e), i, count)
+        continue
+    else:
+      feed = []
+      jcount = len(entityList)
+      j = 0
+      for driveId in entityList:
+        j +=1
+        try:
+          feed.append(callGAPI(drive.drives(), 'get',
+                               throwReasons=GAPI.DRIVE_USER_THROW_REASONS+[GAPI.NOT_FOUND],
+                               useDomainAdminAccess=useDomainAdminAccess,
+                               driveId=driveId, fields='id,name,createdTime,orgUnitId'))
+        except (GAPI.fileNotFound, GAPI.notFound) as e:
+          entityActionNotPerformedWarning([Ent.USER, user, Ent.SHAREDDRIVE_ID, driveId], str(e), j, jcount)
+          continue
+        except (GAPI.serviceNotAvailable, GAPI.authError, GAPI.domainPolicy) as e:
+          userDriveServiceNotEnabledWarning(user, str(e), i, count)
+          break
+    matchFeed = []
+    jcount = len(feed)
+    j = 0
+    for shareddrive in feed:
+      j += 1
+      if ((matchPattern is not None and matchPattern.match(shareddrive['name']) is None) or
+          (orgUnitId is not None and orgUnitId != shareddrive.get('orgUnitId'))):
+        continue
+      printGettingAllEntityItemsForWhom(Ent.PERMISSION, shareddrive['name'], j, jcount)
+      shareddrive['createdTime'] = formatLocalTime(shareddrive['createdTime'])
+      shareddrive['organizers'] = []
+      try:
+        permissions = callGAPIpages(drive.permissions(), 'list', 'permissions',
+                                    pageMessage=getPageMessageForWhom(),
+                                    throwReasons=GAPI.DRIVE3_GET_ACL_REASONS,
+                                    retryReasons=GAPI.SERVICE_NOT_AVAILABLE_RETRY_REASONS,
+                                    useDomainAdminAccess=useDomainAdminAccess,
+                                    fileId=shareddrive['id'], fields=fields, supportsAllDrives=True)
+        for permission in permissions:
+          if permission['type'] in includeTypes and permission['role'] in roles and permission.get('emailAddress', ''):
+            if domainList:
+              _, domain = permission['emailAddress'].lower().split('@', 1)
+              if domain not in domainList:
+                continue
+            shareddrive['organizers'].append(permission['emailAddress'])
+            if oneOrganizer:
+              break
+        if not shareddrive['organizers']:
+          if showNoOrganizerDrives == 0: # no organizers and showNoOrganizerDrives False - ignore
+            continue
+          matchFeed.append(shareddrive) # no organizers and showNoOrganizerDrives Only/True - keep
+          continue
+        if showNoOrganizerDrives < 0: # organizers and showNoOrganizerDrives Only/True - ignore
+          continue
+        matchFeed.append(shareddrive)
+      except (GAPI.fileNotFound, GAPI.forbidden, GAPI.internalError,
+              GAPI.insufficientAdministratorPrivileges, GAPI.insufficientFilePermissions,
+              GAPI.unknownError, GAPI.invalid):
+        pass
+    if len(matchFeed) == 0:
+      setSysExitRC(NO_ENTITIES_FOUND_RC)
+    for shareddrive in matchFeed:
+      row = {'id': shareddrive['id'], 'name': shareddrive['name'],
+             'organizers': delimiter.join(shareddrive['organizers']),
+             'createdTime': shareddrive['createdTime']}
+      if orgUnitId:
+        row.update(orgUnitInfo)
+      csvPF.WriteRowTitles(row)
+  if csvPF:
+    csvPF.writeCSVfile('SharedDrive Organizers')
+
+def doPrintSharedDriveOrganizers():
+  printSharedDriveOrganizers([_getAdminEmail()], True)
+
 LOOKERSTUDIO_ASSETTYPE_CHOICE_MAP = {
   'report': ['REPORT'],
   'datasource': ['DATA_SOURCE'],
@@ -75919,6 +76191,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_SCHEMA:		doPrintShowUserSchemas,
       Cmd.ARG_SHAREDDRIVE:	doPrintShowSharedDrives,
       Cmd.ARG_SHAREDDRIVEACLS:	doPrintShowSharedDriveACLs,
+      Cmd.ARG_SHAREDDRIVEORGANIZERS:	doPrintSharedDriveOrganizers,
       Cmd.ARG_SITE:		deprecatedDomainSites,
       Cmd.ARG_SITEACL:		deprecatedDomainSites,
       Cmd.ARG_SITEACTIVITY:	deprecatedDomainSites,
@@ -76267,6 +76540,7 @@ MAIN_COMMANDS_OBJ_ALIASES = {
   Cmd.ARG_TEAMDRIVES:		Cmd.ARG_SHAREDDRIVE,
   Cmd.ARG_TEAMDRIVEACLS:	Cmd.ARG_SHAREDDRIVEACLS,
   Cmd.ARG_TEAMDRIVEINFO:	Cmd.ARG_SHAREDDRIVEINFO,
+  Cmd.ARG_TEAMDRIVEORGANIZERS:	Cmd.ARG_SHAREDDRIVEORGANIZERS,
   Cmd.ARG_TEAMDRIVETHEMES:	Cmd.ARG_SHAREDDRIVETHEMES,
   Cmd.ARG_TOKENS:		Cmd.ARG_TOKEN,
   Cmd.ARG_TRANSFER:		Cmd.ARG_DATATRANSFER,
@@ -76959,6 +77233,7 @@ USER_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_SENDAS:		printShowSendAs,
       Cmd.ARG_SHAREDDRIVE:	printShowSharedDrives,
       Cmd.ARG_SHAREDDRIVEACLS:	printShowSharedDriveACLs,
+      Cmd.ARG_SHAREDDRIVEORGANIZERS:	printSharedDriveOrganizers,
       Cmd.ARG_SHEET:		infoPrintShowSheets,
       Cmd.ARG_SHEETRANGE:	printShowSheetRanges,
       Cmd.ARG_SIGNATURE:	printShowSignature,
@@ -77316,6 +77591,7 @@ USER_COMMANDS_OBJ_ALIASES = {
   Cmd.ARG_TEAMDRIVES:		Cmd.ARG_SHAREDDRIVE,
   Cmd.ARG_TEAMDRIVEACLS:	Cmd.ARG_SHAREDDRIVEACLS,
   Cmd.ARG_TEAMDRIVEINFO:	Cmd.ARG_SHAREDDRIVEINFO,
+  Cmd.ARG_TEAMDRIVEORGANIZERS:	Cmd.ARG_SHAREDDRIVEORGANIZERS,
   Cmd.ARG_TEAMDRIVETHEMES:	Cmd.ARG_SHAREDDRIVETHEMES,
   Cmd.ARG_THREADS:		Cmd.ARG_THREAD,
   Cmd.ARG_TOKENS:		Cmd.ARG_TOKEN,

src/gam/gamlib/glapi.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (C) 2024 Ross Scroggs All Rights Reserved.
+# Copyright (C) 2025 Ross Scroggs All Rights Reserved.
 #
 # All Rights Reserved.
 #
@@ -118,6 +118,7 @@ JWT_APIS = {
   ACCESSCONTEXTMANAGER: [CLOUD_PLATFORM_SCOPE],
   CHAT: ['https://www.googleapis.com/auth/chat.bot'],
   CLOUDRESOURCEMANAGER: [CLOUD_PLATFORM_SCOPE],
+  IAM: [IAM_SCOPE],
   ORGPOLICY: [CLOUD_PLATFORM_SCOPE],
   }
 #
@@ -131,6 +132,12 @@ APIS_NEEDING_ACCESS_TOKEN = {
   CBCM: ['https://www.googleapis.com/auth/admin.directory.device.chromebrowsers']
   }
 #
+DEPRECATED_SCOPES = {
+  'https://www.googleapis.com/auth/cloud-identity',
+  'https://www.googleapis.com/auth/cloud-platform',
+  'https://www.googleapis.com/auth/iam',
+  }
+#
 REFRESH_PERM_ERRORS = [
   'invalid_grant: reauth related error (rapt_required)', # no way to reauth today
   'invalid_grant: Token has been expired or revoked',
@@ -596,7 +603,7 @@ _SVCACCT_SCOPES = [
   {'name': 'Cloud Identity Devices API',
    'api': CLOUDIDENTITY_DEVICES,
    'subscopes': READONLY,
-   'scope': 'https://www.googleapis.com/auth/cloud-identity'},
+   'scope': 'https://www.googleapis.com/auth/cloud-identity.devices'},
 #  {'name': 'Cloud Identity User Invitations API',
 #   'api': CLOUDIDENTITY_USERINVITATIONS,
 #   'subscopes': READONLY,
@@ -645,10 +652,11 @@ _SVCACCT_SCOPES = [
    'api': GMAIL,
    'subscopes': [],
    'scope': 'https://www.googleapis.com/auth/gmail.settings.sharing'},
-  {'name': 'Identity and Access Management API',
-   'api': IAM,
-   'subscopes': [],
-   'scope': CLOUD_PLATFORM_SCOPE},
+#  {'name': 'Identity and Access Management API',
+#   'api': IAM,
+#   'offByDefault': True,
+#   'subscopes': [],
+#   'scope': CLOUD_PLATFORM_SCOPE},
   {'name': 'Keep API',
    'api': KEEP,
    'subscopes': READONLY,

src/gam/gamlib/glcfg.py

@@ -163,6 +163,8 @@ EMAIL_BATCH_SIZE = 'email_batch_size'
 ENABLE_DASA = 'enable_dasa'
 # Enable Cloud Session Reauthentication by borrowing a RAPT token from gcloud command
 ENABLE_GCLOUD_REAUTH = 'enable_gcloud_reauth'
+# Value for enforceExpansiveAccess for commands that delete or update drive file ACLs/permissions.
+ENFORCE_EXPANSIVE_ACCESS = 'enforce_expansive_access'
 # When retrieving lists of calendar events from API, how many should be retrieved in each chunk
 EVENT_MAX_RESULTS = 'event_max_results'
 # Path to extra_args.txt
@@ -377,6 +379,7 @@ Defaults = {
   DEVICE_MAX_RESULTS: '200',
   DOMAIN: '',
   DRIVE_DIR: '',
+  ENFORCE_EXPANSIVE_ACCESS: FALSE,
   DRIVE_MAX_RESULTS: '1000',
   DRIVE_V3_BETA: FALSE,
   DRIVE_V3_NATIVE_NAMES: TRUE,
@@ -545,6 +548,7 @@ VAR_INFO = {
   DEVICE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 200)},
   DOMAIN: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'GA_DOMAIN', VAR_LIMITS: (0, None)},
   DRIVE_DIR: {VAR_TYPE: TYPE_DIRECTORY, VAR_ENVVAR: 'GAMDRIVEDIR'},
+  ENFORCE_EXPANSIVE_ACCESS: {VAR_TYPE: TYPE_BOOLEAN},
   DRIVE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 1000)},
   DRIVE_V3_BETA: {VAR_TYPE: TYPE_BOOLEAN},
   DRIVE_V3_NATIVE_NAMES: {VAR_TYPE: TYPE_BOOLEAN},

src/gam/gamlib/glclargs.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (C) 2024 Ross Scroggs All Rights Reserved.
+# Copyright (C) 2025 Ross Scroggs All Rights Reserved.
 #
 # All Rights Reserved.
 #
@@ -755,6 +755,7 @@ class GamCLArgs():
   ARG_SHAREDDRIVES = 'shareddrives'
   ARG_SHAREDDRIVEACLS = 'shareddriveacls'
   ARG_SHAREDDRIVEINFO = 'shareddriveinfo'
+  ARG_SHAREDDRIVEORGANIZERS = 'shareddriveorganizers'
   ARG_SHAREDDRIVETHEMES = 'shareddrivethemes'
   ARG_SHEET = 'sheet'
   ARG_SHEETS = 'sheets'
@@ -784,6 +785,7 @@ class GamCLArgs():
   ARG_TEAMDRIVES = 'teamdrives'
   ARG_TEAMDRIVEACLS = 'teamdriveacls'
   ARG_TEAMDRIVEINFO = 'teamdriveinfo'
+  ARG_TEAMDRIVEORGANIZERS = 'teamdriveorganizers'
   ARG_TEAMDRIVETHEMES = 'teamdrivethemes'
   ARG_THREAD = 'thread'
   ARG_THREADS = 'threads'
@@ -964,6 +966,7 @@ class GamCLArgs():
   OB_MOBILE_ENTITY = 'MobileEntity'
   OB_NETWORK_ID = 'networkID'
   OB_NAME = 'Name'
+  OB_ORGANIZER_TYPE_LIST = 'OrganizerTypeList'
   OB_ORGUNIT_ENTITY = 'OrgUnitEntity'
   OB_ORGUNIT_ITEM = 'OrgUnitItem'
   OB_ORGUNIT_PATH = 'OrgUnitPath'

src/gam/gamlib/glmsgs.py

@@ -140,12 +140,13 @@ SERVICE_ACCOUNT_PRIVATE_KEY_AGE = 'Service Account Private Key age: {0} days'
 SERVICE_ACCOUNT_SKIPPING_KEY_AGE_CHECK = 'Skipping Private Key age check: {0} rotation not necessary'
 UPDATE_PROJECT_TO_VIEW_MANAGE_SAKEYS = 'Please run "gam update project" to view/manage service account keys'
 DOMAIN_WIDE_DELEGATION_AUTHENTICATION = 'Domain-wide Delegation authentication'
+DEPRECATED_SCOPES = 'Deprecated scopes that GAM should NEVER have DwD access to'
 SCOPE_AUTHORIZATION_PASSED = '''All scopes PASSED!
 
 Service Account Client name: {0} is fully authorized.
 '''
 SCOPE_AUTHORIZATION_UPDATE_PASSED = '''All scopes PASSED!
-To authorize them (in case some scopes were unselected), please go to the following link in your browser:
+To update authorization (in case some scopes were unselected), please go to the following link in your browser:
 {0}
     {1}
 
@@ -156,8 +157,8 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 '''
-SCOPE_AUTHORIZATION_FAILED = '''Some scopes FAILED!
-To authorize them, please go to the following link in your browser:
+SCOPE_AUTHORIZATION_FAILED = '''Some scopes FAILED or should be DISABLED!
+To update authorization, please go to the following link in your browser:
 {0}
     {1}
 

wiki/Chrome-Policies.md

@@ -577,7 +577,7 @@ chrome.devices.DeviceAllowEnterpriseRemoteAccessConnections: Enterprise remote a
     false: Prevent remote access connections from enterprise admins.
 
 chrome.devices.DeviceAuthenticationFlowAutoReloadInterval: Automatic online sign-in / lock screen refresh.
-  duration: TYPE_INT64
+  deviceAuthenticationFlowAutoReloadInterval: TYPE_INT64
 
 chrome.devices.DeviceAuthenticationUrlAllowlist: Blocked URL exceptions on the sign-in / lock screens.
   deviceAuthenticationUrlAllowlist: TYPE_LIST
@@ -799,7 +799,7 @@ chrome.devices.DeviceScreensaverLoginScreenEnabled: Screen saver.
     false: Don't display screen saver when idle.
   deviceScreensaverLoginScreenImages: TYPE_LIST
     Screen saver image URLs. Enter one URL per line. Images must be in JPG format(.jpg or .jpeg files.
-  duration: TYPE_INT64
+  deviceScreensaverLoginScreenImageDisplayIntervalSeconds: TYPE_INT64
 
 chrome.devices.DeviceScreenSettings: Screen settings.
   allowUserDisplayChanges: TYPE_BOOL
@@ -967,10 +967,10 @@ chrome.devices.EnableReportUploadFrequency: Device status report upload frequenc
   duration: TYPE_STRING
 
 chrome.devices.EnableReportUploadFrequencyV2: Device status report upload frequency.
-  duration: TYPE_INT64
+  reportDeviceUploadFrequency: TYPE_INT64
 
 chrome.devices.ExtensionCacheSize: Apps and extensions cache size.
-  value: TYPE_INT64
+  extensionCacheSize: TYPE_INT64
 
 chrome.devices.ForcedReenrollment: Forced re-enrollment.
   reenrollmentMode: TYPE_ENUM
@@ -1031,7 +1031,7 @@ chrome.devices.kiosk.AcPowerSettingsV2: AC Kiosk power settings.
     IDLE_ACTION_LOGOUT: Logout.
     IDLE_ACTION_SHUTDOWN: Shutdown.
     IDLE_ACTION_DO_NOTHING: Do nothing.
-  duration: TYPE_INT64
+  acScreenOffTimeout: TYPE_INT64
 
 chrome.devices.kiosk.Alerting: Kiosk device status alerting delivery.
   deviceStatusAlertDeliveryModes: TYPE_LIST
@@ -1121,7 +1121,7 @@ chrome.devices.kiosk.BatteryPowerSettingsV2: Battery Kiosk power settings.
     IDLE_ACTION_LOGOUT: Logout.
     IDLE_ACTION_SHUTDOWN: Shutdown.
     IDLE_ACTION_DO_NOTHING: Do nothing.
-  duration: TYPE_INT64
+  batteryScreenOffTimeout: TYPE_INT64
 
 chrome.devices.kiosk.CaretHighlightEnabled: Kiosk caret highlight.
   caretHighlightEnabled: TYPE_ENUM
@@ -1486,6 +1486,7 @@ chrome.devices.managedguest.apps.EnterpriseChallenge: Allows setting of whether
 
 chrome.devices.managedguest.apps.IncludeInChromeWebStoreCollection: Specifies whether the Chrome Application should appear in the Chrome Web Store collection.
   includeInCollection: TYPE_BOOL
+  spotlightRecommended: TYPE_BOOL
 
 chrome.devices.managedguest.apps.InstallationUrl: Specifies the url from which to install a self hosted Chrome Extension.
   installationUrl: TYPE_STRING
@@ -1606,7 +1607,7 @@ chrome.devices.managedguest.BrowsingDataLifetime: Browsing Data Lifetime.
   duration: TYPE_STRING
 
 chrome.devices.managedguest.BrowsingDataLifetimeV2: Browsing Data Lifetime.
-  duration: TYPE_INT64
+  hostedAppDataTtl: TYPE_INT64
 
 chrome.devices.managedguest.BuiltInDnsClientEnabled: Built-in DNS client.
   builtInDnsClientEnabled: TYPE_ENUM
@@ -1900,6 +1901,8 @@ chrome.devices.managedguest.ExternalStorage: External storage devices.
     READ_WRITE: Allow read and write access to all external storage devices.
     READ_ONLY: Allow read only access to all external storage devices.
     DISALLOW: Do not allow read and write access to external storage devices.
+  externalStorageAllowlist: TYPE_LIST
+    Specify devices to always have read and write access. USB devices which are allowlisted for read and write access. To identify a specific device, enter colon separated hexadecimal pairs of USB Vendor Identifier and Product Identifier.
 
 chrome.devices.managedguest.FastPairEnabled: Fast Pair (fast Bluetooth pairing).
   fastPairEnabled: TYPE_ENUM
@@ -2301,7 +2304,7 @@ chrome.devices.managedguest.MaxInvalidationFetchDelay: Policy fetch delay.
   duration: TYPE_STRING
 
 chrome.devices.managedguest.MaxInvalidationFetchDelayV2: Policy fetch delay.
-  duration: TYPE_INT64
+  maxInvalidationFetchDelay: TYPE_INT64
 
 chrome.devices.managedguest.MemorySaverModeSavings: Memory saver.
   memorySaverModeSavings: TYPE_ENUM
@@ -2503,7 +2506,7 @@ chrome.devices.managedguest.PrintingBackgroundGraphicsDefault: Background graphi
     ENABLED: Enable background graphics printing mode by default.
 
 chrome.devices.managedguest.PrintingMaxSheetsAllowed: Maximum sheets.
-  value: TYPE_INT64
+  printingMaxSheetsAllowedNullable: TYPE_INT64
 
 chrome.devices.managedguest.PrintingPaperSizeDefault: Default printing page size.
   printingPaperSizeEnum: TYPE_ENUM
@@ -2528,7 +2531,7 @@ chrome.devices.managedguest.PrintJobHistoryExpirationPeriodNew: Print job histor
   duration: TYPE_STRING
 
 chrome.devices.managedguest.PrintJobHistoryExpirationPeriodNewV2: Print job history retention period.
-  duration: TYPE_INT64
+  printJobHistoryExpirationPeriodDaysNew: TYPE_INT64
 
 chrome.devices.managedguest.PrintPdfAsImage: Print PDF as image.
   printPdfAsImageAvailability: TYPE_BOOL
@@ -2595,7 +2598,7 @@ chrome.devices.managedguest.RemoteAccessHostClientDomainList: Remote access clie
     Remote access client domain. Configure the required domain names for remote access clients.
 
 chrome.devices.managedguest.RemoteAccessHostClipboardSizeBytes: Clipboard sync max size.
-  value: TYPE_INT64
+  remoteAccessHostClipboardSizeBytes: TYPE_INT64
 
 chrome.devices.managedguest.RemoteAccessHostDomainList: Remote access hosts.
   remoteAccessHostDomainList: TYPE_LIST
@@ -2740,7 +2743,7 @@ chrome.devices.managedguest.SecurityTokenSessionSettingsV2: Security token remov
     IGNORE: Nothing.
     LOGOUT: Log the user out.
     LOCK: Lock the current session.
-  duration: TYPE_INT64
+  securityTokenSessionNotificationSeconds: TYPE_INT64
 
 chrome.devices.managedguest.SelectToSpeakEnabled: Select to speak.
   selectToSpeakEnabled: TYPE_ENUM
@@ -2766,7 +2769,7 @@ chrome.devices.managedguest.SessionLength: Maximum user session length.
   duration: TYPE_STRING
 
 chrome.devices.managedguest.SessionLengthV2: Maximum user session length.
-  duration: TYPE_INT64
+  sessionDurationLimit: TYPE_INT64
 
 chrome.devices.managedguest.SessionLocale: Session locale.
   sessionLocalesRepeatedString: TYPE_LIST
@@ -3218,7 +3221,7 @@ chrome.devices.ScheduledRebootDuration: Reboot after uptime limit.
   duration: TYPE_STRING
 
 chrome.devices.ScheduledRebootDurationV2: Reboot after uptime limit.
-  duration: TYPE_INT64
+  uptimeLimitDuration: TYPE_INT64
 
 chrome.devices.ShowLowDiskSpaceNotification: Low disk space notification.
   showLowDiskSpaceNotification: TYPE_BOOL
@@ -3796,6 +3799,7 @@ chrome.users.apps.EnterpriseChallenge: Allows setting of whether the app can cha
 
 chrome.users.apps.IncludeInChromeWebStoreCollection: Specifies whether the Chrome Application should appear in the Chrome Web Store collection.
   includeInCollection: TYPE_BOOL
+  spotlightRecommended: TYPE_BOOL
 
 chrome.users.apps.InstallationUrl: Specifies the url from which to install a self hosted Chrome Extension.
   installationUrl: TYPE_STRING
@@ -3808,6 +3812,9 @@ chrome.users.apps.InstallType: Specifies the manner in which the app is to be in
     ALLOWED: Allow installation of the app.
     FORCED: Force install the app.
     FORCED_AND_PIN_TO_TOOLBAR: Force install and pin the app to the toolbar.
+    NORMAL: Force install the app, but allow the user to disable it. This option is only available for Chrome extensions.
+    NORMAL_AND_PIN_TO_TOOLBAR: Force install and pin the app to the toolbar, but allow the user to disable it. This option is only available for Chrome extensions.
+    REMOVE: Block installation of the app and remove it from the device. This option is only available for Chrome extensions.
 
 chrome.users.apps.ManagedConfiguration: Allows setting of the managed configuration.
   managedConfiguration: TYPE_STRING
@@ -4081,6 +4088,13 @@ chrome.users.AutofillCreditCardEnabled: Credit card form autofill.
     true: Allow user to configure.
     false: Never Autofill credit card forms.
 
+chrome.users.AutofillPredictionSettings: Autofill with AI.
+  autofillPredictionSettings: TYPE_ENUM
+    ALLOWED: Allow autofill prediction and improve AI models.
+    ALLOWED_WITHOUT_LOGGING: Allow autofill prediction without improving AI models.
+    DISABLED: Do not allow autofill prediction.
+    UNSET: Use the value specified in the Generative AI policy defaults setting.
+
 chrome.users.AutomaticFullscreen: Automatic fullscreen.
   automaticFullscreenAllowedForUrls: TYPE_LIST
     Allow automatic fullscreen on these sites. Supersedes users' personal settings and allows matching origins to call the API without a prior user gesture.
@@ -4101,7 +4115,7 @@ chrome.users.AutoUpdateCheckPeriodNew: Auto-update check period.
   duration: TYPE_STRING
 
 chrome.users.AutoUpdateCheckPeriodNewV2: Auto-update check period.
-  duration: TYPE_INT64
+  autoUpdateCheckPeriodMinutesNew: TYPE_INT64
 
 chrome.users.Avatar: Custom avatar.
   downloadUri: TYPE_STRING
@@ -4227,7 +4241,7 @@ chrome.users.BrowserSwitcherDelayDuration: Delay before launching alternative br
   duration: TYPE_STRING
 
 chrome.users.BrowserSwitcherDelayDurationV2: Delay before launching alternative browser.
-  duration: TYPE_INT64
+  browserSwitcherDelayDuration: TYPE_INT64
 
 chrome.users.BrowserSwitcherExternalGreylistUrl: URL to list of websites to open in either browser.
   browserSwitcherExternalGreylistUrl: TYPE_STRING
@@ -4268,7 +4282,7 @@ chrome.users.BrowsingDataLifetime: Browsing Data Lifetime.
   duration: TYPE_STRING
 
 chrome.users.BrowsingDataLifetimeV2: Browsing Data Lifetime.
-  duration: TYPE_INT64
+  hostedAppDataTtl: TYPE_INT64
 
 chrome.users.BuiltInDnsClientEnabled: Built-in DNS client.
   builtInDnsClientEnabled: TYPE_ENUM
@@ -4418,11 +4432,16 @@ chrome.users.CloudProfileReportingEnabled: Managed profile reporting.
     true: Enable managed profile reporting for managed users.
     false: Disable managed profile reporting for managed users.
 
+chrome.users.CloudReporting: Managed browser reporting.
+  cloudReportingEnabled: TYPE_BOOL
+    true: Enable managed browser cloud reporting.
+    false: Disable managed browser cloud reporting.
+
 chrome.users.CloudReportingUploadFrequency: Managed browser reporting upload frequency.
   duration: TYPE_STRING
 
 chrome.users.CloudReportingUploadFrequencyV2: Managed browser reporting upload frequency.
-  duration: TYPE_INT64
+  cloudReportingUploadFrequency: TYPE_INT64
 
 chrome.users.CloudUserPolicyMerge: User cloud policy merge.
   cloudUserPolicyMerge: TYPE_BOOL
@@ -4843,6 +4862,10 @@ chrome.users.ExplicitlyAllowedNetworkPorts: Allowed network ports.
   explicitlyAllowedNetworkPorts: TYPE_LIST
     {'value': '554', 'description': 'port 554 (expires 2021/10/15).'}
 
+chrome.users.ExtensibleEnterpriseSsoBlocklist: Extensible Enterprise SSO blocking.
+  extensibleEnterpriseSsoBlocklist: TYPE_LIST
+    {'value': 'all', 'description': 'All identity providers.'}
+
 chrome.users.ExtensionExtendedBackgroundLifetimeForPortConnectionsToUrls: Extended background lifetime.
   extensionExtendedBackgroundLifetimeForPortConnectionsToUrls: TYPE_LIST
     Origins that grant extended background lifetime to connecting extensions. Enter a list of origins. Extensions that connect to one of these origins will be be kept running as long as the port is connected. One URL per line.
@@ -4864,6 +4887,8 @@ chrome.users.ExternalStorage: External storage devices.
     READ_WRITE: Allow read and write access to all external storage devices.
     READ_ONLY: Allow read only access to all external storage devices.
     DISALLOW: Do not allow read and write access to external storage devices.
+  externalStorageAllowlist: TYPE_LIST
+    Specify devices to always have read and write access. USB devices which are allowlisted for read and write access. To identify a specific device, enter colon separated hexadecimal pairs of USB Vendor Identifier and Product Identifier.
 
 chrome.users.FastPairEnabled: Fast Pair (fast Bluetooth pairing).
   fastPairEnabled: TYPE_ENUM
@@ -4890,7 +4915,7 @@ chrome.users.FetchKeepaliveDurationSecondsOnShutdown: Keepalive duration.
   duration: TYPE_STRING
 
 chrome.users.FetchKeepaliveDurationSecondsOnShutdownV2: Keepalive duration.
-  duration: TYPE_INT64
+  fetchKeepaliveDurationSecondsOnShutdown: TYPE_INT64
 
 chrome.users.FileOrDirectoryPickerWithoutGestureAllowedForOrigins: File/directory picker without user gesture.
   fileOrDirectoryPickerWithoutGestureAllowedForOrigins: TYPE_LIST
@@ -4989,10 +5014,16 @@ chrome.users.FullscreenAllowed: Fullscreen mode.
     false: Do not allow fullscreen mode.
 
 chrome.users.GaiaLockScreenOfflineSigninTimeLimitDays: Google online unlock frequency.
-  value: TYPE_INT64
+  gaiaLockScreenOfflineSigninTimeLimitDays: TYPE_INT64
 
 chrome.users.GaiaOfflineSigninTimeLimitDays: Google online login frequency.
-  value: TYPE_INT64
+  gaiaOfflineSigninTimeLimitDays: TYPE_INT64
+
+chrome.users.GeminiSettings: Gemini integration.
+  geminiSettings: TYPE_ENUM
+    ENABLED: Allow Gemini integrations.
+    DISABLED: Do not allow Gemini integrations.
+    UNSET: Use the value specified in the Generative AI policy defaults setting.
 
 chrome.users.GenAiDefaultSettings: Generative AI policy defaults.
   genAiDefaultSettings: TYPE_ENUM
@@ -5235,6 +5266,10 @@ chrome.users.InactiveBrowserDeletion: Inactive period for browser deletion.
   inactiveBrowserTtlDays: TYPE_INT64
     Number of days. Shortening this period can cause more enrolled browsers to be considered inactive and, therefore, be irreversibly deleted. Before lowering the value of this policy, make sure you understand the impact. The allowable range is 28-730 days.
 
+chrome.users.InactivePeriodForProfileDeletion: Inactive period for profile deletion.
+  inactiveProfileTtlDays: TYPE_INT64
+    Inactive period for profile deletion. Shortening this period can cause more managed profiles to be considered inactive and, therefore, be deleted. Before lowering the value of this policy, make sure you understand the impact. The allowable range is 28-730 days.
+
 chrome.users.IncognitoMode: Incognito mode.
   incognitoModeAvailability: TYPE_ENUM
     AVAILABLE: Allow incognito mode.
@@ -5515,7 +5550,7 @@ chrome.users.MaxInvalidationFetchDelay: Policy fetch delay.
   duration: TYPE_STRING
 
 chrome.users.MaxInvalidationFetchDelayV2: Policy fetch delay.
-  duration: TYPE_INT64
+  maxInvalidationFetchDelay: TYPE_INT64
 
 chrome.users.MediaRecommendationsEnabled: Media Recommendations.
   mediaRecommendationsEnabled: TYPE_BOOL
@@ -5692,6 +5727,16 @@ chrome.users.NtpMiddleSlotAnnouncementVisible: Middle slot announcement on the N
     true: Show the middle slot announcement on the New Tab Page if it is available.
     false: Do not show the middle slot announcement on the New Tab Page even if it is available.
 
+chrome.users.NtpOutlookCardVisible: New Tab page Outlook card.
+  ntpOutlookCardVisible: TYPE_BOOL
+    true: Enable New Tab page Outlook calendar card.
+    false: Disable New Tab page Outlook calendar card.
+
+chrome.users.NtpSharepointCardVisible: New Tab page Sharepoint and OneDrive card.
+  ntpSharepointCardVisible: TYPE_BOOL
+    true: Enable New Tab page Sharepoint and OneDrive files card.
+    false: Disable New Tab page Sharepoint and OneDrive files card.
+
 chrome.users.OffsetParentNewSpecBehaviorEnabled: Enable legacy HTMLElement offset behavior.
   offsetParentNewSpecBehaviorEnabled: TYPE_BOOL
     true: Use new offset behavior.
@@ -5972,7 +6017,7 @@ chrome.users.PrintingLpacSandboxEnabled: Printing LPAC Sandbox.
     false: Run printing services in a less secure sandbox.
 
 chrome.users.PrintingMaxSheetsAllowed: Maximum sheets.
-  value: TYPE_INT64
+  printingMaxSheetsAllowedNullable: TYPE_INT64
 
 chrome.users.PrintingPaperSizeDefault: Default printing page size.
   printingPaperSizeEnum: TYPE_ENUM
@@ -6002,7 +6047,7 @@ chrome.users.PrintJobHistoryExpirationPeriodNew: Print job history retention per
   duration: TYPE_STRING
 
 chrome.users.PrintJobHistoryExpirationPeriodNewV2: Print job history retention period.
-  duration: TYPE_INT64
+  printJobHistoryExpirationPeriodDaysNew: TYPE_INT64
 
 chrome.users.PrintPdfAsImage: Print PDF as image.
   printPdfAsImageAvailability: TYPE_BOOL
@@ -6159,7 +6204,7 @@ chrome.users.RelaunchNotificationWithDurationV2: Relaunch notification.
     NO_NOTIFICATION: No relaunch notification.
     RECOMMENDED: Show notification recommending relaunch.
     REQUIRED: Force relaunch after a period.
-  duration: TYPE_INT64
+  relaunchWindowDurationMin: TYPE_INT64
   hours: TYPE_INT32
   minutes: TYPE_INT32
   seconds: TYPE_INT32
@@ -6180,7 +6225,7 @@ chrome.users.RemoteAccessHostClientDomainList: Remote access clients.
     Remote access client domain. Configure the required domain names for remote access clients.
 
 chrome.users.RemoteAccessHostClipboardSizeBytes: Clipboard sync max size.
-  value: TYPE_INT64
+  remoteAccessHostClipboardSizeBytes: TYPE_INT64
 
 chrome.users.RemoteAccessHostDomainList: Remote access hosts.
   remoteAccessHostDomainList: TYPE_LIST
@@ -6299,7 +6344,7 @@ chrome.users.SafeSitesFilterBehavior: SafeSites URL filter.
     SAFE_SITES_FILTER_ENABLED: Filter sites for adult content.
 
 chrome.users.SamlLockScreenOfflineSigninTimeLimitDays: SAML single sign-on unlock frequency.
-  value: TYPE_INT64
+  samlLockScreenOfflineSigninTimeLimitDays: TYPE_INT64
 
 chrome.users.SamlLockScreenReauthenticationEnabled: SAML single sign-on password synchronization flows.
   samlLockScreenReauthenticationEnabled: TYPE_BOOL
@@ -6387,7 +6432,7 @@ chrome.users.SecurityTokenSessionSettingsV2: Security token removal.
     IGNORE: Nothing.
     LOGOUT: Log the user out.
     LOCK: Lock the current session.
-  duration: TYPE_INT64
+  securityTokenSessionNotificationSeconds: TYPE_INT64
 
 chrome.users.SelectToSpeakEnabled: Select to speak.
   selectToSpeakEnabled: TYPE_ENUM
@@ -6413,7 +6458,7 @@ chrome.users.SessionLength: Maximum user session length.
   duration: TYPE_STRING
 
 chrome.users.SessionLengthV2: Maximum user session length.
-  duration: TYPE_INT64
+  sessionDurationLimit: TYPE_INT64
 
 chrome.users.SetTimeoutWithoutOneMsClampEnabled: Javascript setTimeout() minimum.
   setTimeoutWithoutOneMsClampEnabled: TYPE_ENUM
@@ -6768,6 +6813,11 @@ chrome.users.ThirdPartyCookieBlocking: Third-party cookie blocking.
     FALSE: Allow third-party cookies.
     TRUE: Disallow third-party cookies.
 
+chrome.users.ThirdPartyPasswordManagersAllowed: Third-party password managers allowed.
+  thirdPartyPasswordManagersAllowed: TYPE_BOOL
+    true: Allow using third-party password managers in Chrome.
+    false: Block using third-party password managers in Chrome.
+
 chrome.users.ThirdPartyStoragePartitioningSettings: Third-party storage partitioning.
   defaultThirdPartyStoragePartitioningSetting: TYPE_ENUM
     ALLOW_PARTITIONING: Allow third-party storage partitioning to be enabled.
@@ -7019,6 +7069,11 @@ chrome.users.WarnBeforeQuittingEnabled: Warn before quitting.
     MANDATORY: Do not allow users to override.
     RECOMMENDED: Allow users to override.
 
+chrome.users.WebAudioOutputBufferingEnabled: Adaptive buffering for Web Audio.
+  webAudioOutputBufferingEnabled: TYPE_BOOL
+    true: Enable web audio adaptive buffering.
+    false: Disable web audio adaptive buffering.
+
 chrome.users.WebAuthnFactors: WebAuthn.
   webAuthnFactors: TYPE_LIST
     {'value': 'PIN', 'description': 'PIN.'}
@@ -7132,4 +7187,5 @@ chrome.users.ZstdContentEncodingEnabled: Zstd compression.
     true: Allow zstd-compressed web content.
     false: Do not allow zstd-compressed web content.
 
-```
+
+```

wiki/Cloud-Identity-Devices.md

@@ -210,7 +210,7 @@ gam print devices [todrive <ToDriveAttribute>*]
         <DeviceFieldName>* [fields <DeviceFieldNameList>] [userfields <DeviceUserFieldNameList>]
         [orderby <DeviceOrderByFieldName> [ascending|descending]]
         [all|company|personal|nocompanydevices|nopersonaldevices]
-        [nodeviceusers]
+        [nodeviceusers|oneuserperrow]
         [formatjson [quotechar <Character>]]
 ```
 By default, all devices are displayed; use the query options to limit the display.
@@ -231,6 +231,9 @@ Select the view of devices to display:
 By default, Gam makes additional API calls to display the device users for the devices;
 use `nodeviceuser` to suppress making the additional calls.
 
+By default, when device users are displayed, they are all displayed on one row;
+use `oneuserperrow` to have each of a device's users displayed on a separate row with all of the other device fields.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 

wiki/GamUpdates.md

@@ -10,6 +10,91 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
 
 See [Downloads-Installs-GAM7](https://github.com/GAM-team/GAM/wiki/Downloads-Installs) for Windows or other options, including manual installation
 
+### 7.09.00
+
+Removed the overly broad service account `IAM and Access Management API` scope `https://www.googleapis.com/auth/cloud-platform`
+from DWD. The `gam <UserTypeEntity> check|Update serviceaccount` commands issue an error message if this scope
+is enabled prompting you to update your service account authorization so that the scope can be removed.
+
+GAM commands that need IAM access now use the more limited scope `https://www.googleapis.com/auth/iam` in a non-DWD manner.
+
+Added `enforce_expansive_access` Boolean variable to `gam.cfg` that provides the default value
+for option `enforceexpansiveaccess` in all commands that delete or update drive file ACLs/permissions.
+It's default value is False.
+```
+gam <UserTypeEntity> delete permissions
+gam <UserTypeEntity> delete drivefileacl
+gam <UserTypeEntity> update drivefileacl
+gam <UserTypeEntity> copy drivefile
+gam <UserTypeEntity> move drivefile
+gam <UserTypeEntity> transfer ownership
+gam <UserTypeEntity> claim ownership
+gam <UserTypeEntity> transfer drive
+```
+
+Fixed bug in `gam print shareddriveorganizers` that caused a trap when an organizer was a deleted user.
+
+Updated to Python 3.13.4
+
+### 7.08.02
+
+Updated the defaults in `gam print shareddriveorganizers` to match the most common use case, not the script.
+
+* `domainlist` - The workspace primary domain
+* `includetypes` - user
+* `oneorganizer` - True
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+To select organizers from any domain, use: `domainlist ""`
+
+These commands produce the same result.
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers
+```
+
+### 7.08.01
+
+Added option `shareddrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>))` to
+`gam print shareddriveorganizers` that displays organizers for a specific list of Shared Drive IDs.
+
+See: https://github.com/GAM-team/GAM/wiki/Shared-Drives#display-shared-drive-organizers
+
+### 7.08.00
+
+Added the following command that can be used instead of the `GetTeamDriveOrganizers.py` script.
+
+gam [<UserTypeEntity>] print shareddriveorganizers [todrive <ToDriveAttribute>*]
+        [adminaccessasadmin] [shareddriveadminquery|query <QuerySharedDrive>]
+        [orgunit|org|ou <OrgUnitPath>]
+        [matchname <REMatchPattern>]
+        [domainlist <DomainList>]
+        [includetypes <OrganizerTypeList>]
+        [oneorganizer [<Boolean>]]
+        [shownorganizerdrives [false|true|only]]
+        [includefileorganizers [<Boolean>]]
+        [delimiter <Character>]
+```
+See: https://github.com/GAM-team/GAM/wiki/Shared-Drives#display-shared-drive-organizers
+
+The command defaults match the script defaults:
+* `domainlist` - All domains
+* `includetypes` - user,group
+* `oneorganizer` - False
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+For example, to get a single user organizer from your domain for all Shared Drives including no organizer drives:
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives
+```
+
+### 7.07.17
+
+Added option `oneuserperrow` to `gam print devices` to have each of a
+device's users displayed on a separate row with all of the other device fields.
+
 ### 7.07.16
 
 Added `chromeostype`, `diskspaceusage` and `faninfo` to `<CrOSFieldName>` for use in `gam info|print cros`.

wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md

@@ -251,9 +251,9 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin$ gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAM 7.07.16 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.09.00 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -989,9 +989,9 @@ writes the credentials into the file oauth2.txt.
 C:\>del C:\GAMConfig\oauth2.txt
 C:\>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAM 7.07.16 - https://github.com/GAM-team/GAM - pythonsource
+GAM 7.09.00 - https://github.com/GAM-team/GAM - pythonsource
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 Windows-10-10.0.17134 AMD64
 Path: C:\GAM7
 Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com

wiki/Shared-Drives.md

@@ -15,6 +15,7 @@
 - [Display Shared Drive Counts](#display-shared-drive-counts)
 - [Display List of Shared Drives in an Organizational Unit](#display-list-of-shared-drives-in-an-organizational-unit)
 - [Display Count of Shared Drives in an Organizational Unit](#display-count-of-shared-drives-in-an-organizational-unit)
+- [Display Shared Drive Organizers](#display-shared-drive-organizers)
 - [Display all Shared Drives with no members](#display-all-shared-drives-with-no-members)
 - [Display all Shared Drives with no organizers](#display-all-shared-drives-with-no-organizers)
 - [Display all Shared Drives with a specific organizer](#display-all-shared-drives-with-a-specific-organizer)
@@ -30,6 +31,7 @@
 - [Display ACLs for Shared Drives with all organizers outside of your domain](#display-acls-for-shared-drives-with-all-organizers-outside-of-your-domain)
 - [Display ACLs for Shared Drives with all ACLs outside of your domain](#display-acls-for-shared-drives-with-all-acls-outside-of-your-domain)
 - [Clean up scammed Shared Drives](#clean-up-scammed-shared-drives)
+- [Delete old empty Shared Drives](#delete-old-empty-shared-drives)
 
 ## API documentation
 * [Drive API - Drives](https://developers.google.com/drive/api/reference/rest/v3/drives)
@@ -77,6 +79,9 @@
 ```
 <JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |
 
+<OrganizerType> ::= user|group
+<OrganizerTypeList> ::= "<OrganizerType>(,<OrganizerType>)*"
+
 <OrgUnitID> ::= id:<String>
 <OrgUnitPath> ::= /|(/<String>)+
 <OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>
@@ -227,14 +232,14 @@ Three forms of the commands are available:
 
 ## Display Shared Drive themes
 ```
-gam show teamdrivethemes
+gam show shareddrivethemes
 ```
 ## Manage Shared Drives
 
 ## Create a Shared Drive
 The user that creates a Shared Drive is given the permission role organizer for the Shared Drive,
 ```
-gam [<UserTypeEntity>] create teamdrive <Name>
+gam [<UserTypeEntity>] create shareddrive <Name>
         [(theme|themeid <String>)|
          ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
         (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
@@ -243,7 +248,7 @@ gam [<UserTypeEntity>] create teamdrive <Name>
         [(csv [todrive <ToDriveAttribute>*] (addcsvdata <FieldName> <String>)*) | returnidonly]
         [adminaccess|asadmin]
 ```
-* `themeid` - a Shared Drive themeId obtained from `show teamdrivethemes`
+* `themeid` - a Shared Drive themeId obtained from `show shareddrivethemes`
 * `customtheme` - set the backgroundImageFile property described here:  https://developers.google.com/drive/v3/reference/teamdrives
   * `<Float>` - X coordinate, typically 0.0
   * `<Float>` - Y coordinate, typically 0.0
@@ -276,9 +281,9 @@ When either of these options is chosen, no infomation about Shared Drive restric
 To retrieve the Shared Drive ID with `returnidonly`:
 ```
 Linux/MacOS
-teamDriveId=$(gam create teamdrive ... returnidonly)
+teamDriveId=$(gam create shareddrive ... returnidonly)
 Windows PowerShell
-$teamDriveId = & gam create teamdrive ... returnidonly
+$teamDriveId = & gam create shareddrive ... returnidonly
 ```
 
 ## Bulk Create Shared Drives
@@ -288,7 +293,7 @@ As a newly created Drive can't be updated for 30+ seconds; split the operation i
 
 Make a CSV file SharedDriveNames.csv with at least one column, name.
 ```
-gam redirect csv ./SharedDrivesCreated.csv multiprocess csv SharedDriveNames.csv gam create teamdrive "~name" csv
+gam redirect csv ./SharedDrivesCreated.csv multiprocess csv SharedDriveNames.csv gam create shareddrive "~name" csv
 ```
 This will create a three column CSV file SharedDrivesCreated.csv with columns: User,name,id
 * There will be a row for each Shared Drive.
@@ -319,14 +324,14 @@ gam redirect stdout ./StudentSharedDrivesAccess.txt multiprocess redirect stderr
 
 These commands are used to set basic Shared Drive settings.
 ```
-gam [<UserTypeEntity>] update teamdrive <SharedDriveEntity> [name <Name>]
+gam [<UserTypeEntity>] update shareddrive <SharedDriveEntity> [name <Name>]
         [adminaccess|asadmin]
         [(theme|themeid <String>)|
          ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
         (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
         [hide|hidden <Boolean>] [ou|org|orgunit <OrgUnitItem>]
 ```
-* `themeid` - a Shared Drive themeId obtained from `show teamdrivethemes`
+* `themeid` - a Shared Drive themeId obtained from `show shareddrivethemes`
 * `customtheme` - set the backgroundImageFile property described here:  https://developers.google.com/drive/v3/reference/teamdrives
 * `color` - set the Shared Drive color
 * `<SharedDriveRestrictionsSubfieldName> <Boolean>` - Set Shared Drive Restrictions
@@ -338,7 +343,7 @@ This option is only available when the command is run as an administrator.
 
 ## Delete a Shared Drive
 ```
-gam [<UserTypeEntity>] delete teamdrive <SharedDriveEntity>
+gam [<UserTypeEntity>] delete shareddrive <SharedDriveEntity>
         [adminaccess|asadmin] [allowitemdeletion]
 ```
 By default, deleting a Shared Drive that contains any files/folders will fail.
@@ -347,24 +352,24 @@ This is not reversible, proceed with caution.
 
 ## Change Shared Drive visibility
 ```
-gam [<UserTypeEntity>] hide teamdrive <SharedDriveEntity>
-gam [<UserTypeEntity>] unhide teamdrive <SharedDriveEntity>
+gam [<UserTypeEntity>] hide shareddrive <SharedDriveEntity>
+gam [<UserTypeEntity>] unhide shareddrive <SharedDriveEntity>
 ```
 
 ## Display Shared Drives
 These commands are used to get information about Shared Drives themselves, not the files/folders on the Shared Drives.
 ```
-gam [<UserTypeEntity>] info teamdrive <SharedDriveEntity>
+gam [<UserTypeEntity>] info shareddrive <SharedDriveEntity>
         [adminaccess|asadmin]
         [fields <SharedDriveFieldNameList>] [formatjson]
-gam [<UserTypeEntity>] show teamdriveinfo <SharedDriveEntity>
+gam [<UserTypeEntity>] show shareddriveinfo <SharedDriveEntity>
         [adminaccess|asadmin]
         [fields <SharedDriveFieldNameList>] [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam [<UserTypeEntity>] show teamdrives
+gam [<UserTypeEntity>] show shareddrives
         [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         [fields <SharedDriveFieldNameList>] [formatjson]
@@ -377,7 +382,7 @@ By default, all Shared Drives are displayed; use the following options to select
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam [<UserTypeEntity>] print teamdrives [todrive <ToDriveAttribute>*]
+gam [<UserTypeEntity>] print shareddrives [todrive <ToDriveAttribute>*]
         [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         [fields <SharedDriveFieldNameList>] [formatjson [quotechar <Character>]]
@@ -399,22 +404,67 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ### Examples
 Print information about all Shared Drives in the organization.
 ```
-gam print teamdrives
-gam user admin@domain.com print teamdrives adminaccess
+gam print shareddrives
+gam user admin@domain.com print shareddrives adminaccess
 ```
 Print information about Shared Drives that have admin@domain.com as a member.
 ```
-gam user admin@domain.com print teamdrives
+gam user admin@domain.com print shareddrives
+```
+
+## Display Shared Drive Organizers
+The following command can be used instead of the `GetTeamDriveOrganizers.py` script.
+
+```
+gam [<UserTypeEntity>] print shareddriveorganizers [todrive <ToDriveAttribute>*]
+        [adminaccess|asadmin]
+        [(shareddriveadminquery|query <QuerySharedDrive>) |
+         (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>)))]
+        [orgunit|org|ou <OrgUnitPath>]
+        [matchname <REMatchPattern>]
+        [domainlist <DomainList>]
+        [includetypes <OrganizerTypeList>]
+        [oneorganizer [<Boolean>]]
+        [shownorganizerdrives [false|true|only]]
+        [includefileorganizers [<Boolean>]]
+        [delimiter <Character>]
+```
+Options `shareddriveadminquery|query` and `shareddrives|teamdrives` are mutually exclusive.
+
+Options `shareddriveadminquery|query` and `orgunit|org|ou` require `adminaccess|asadmin`.
+
+By default, organizers for all Shared Drives are displayed; use the following options to select a subset of Shared Drives:
+* `teamdriveadminquery|query <QueryTeamDrive>` - Use a query to select Shared Drives
+* `shareddrives|teamdrives <SharedDriveIDList>` - Select the Shared Drive IDs specified in `<SharedDriveIDList>`
+* `shareddrives|teamdrives select <FileSelector>|<CSVFileSelector>` - Select the Shared Drive IDs specified in `<FileSelector>|<CSVFileSelector>`
+* `orgunit|org|ou <OrgUnitPath>` - Only Shared Drives in the specified Org Unit are selected
+* `matchname <REMatchPattern>` - Retrieve Shared Drives with names that match a pattern.
+
+For multiple organizers:
+* `delimiter <Character>` - Separate `organizers` entries with `<Character>`; the default value is `csv_output_field_delimiter` from `gam.cfg`.
+
+The command defaults do not match the script defaults, they are set for the most common use case:
+* `domainlist` - The workspace primary domain
+* `includetypes` - user
+* `oneorganizer` - True
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+To select organizers from any domain, use: `domainlist ""`
+
+For example, to get a single user organizer from your domain for all Shared Drives including no organizer drives:
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers
 ```
 
 ## Display all Shared Drives with no members
 ```
-gam print teamdrives query "memberCount = 0"
+gam print shareddrives query "memberCount = 0"
 ```
 
 ## Display all Shared Drives with no organizers
 ```
-gam print teamdrives query "organizerCount = 0"
+gam print shareddrives query "organizerCount = 0"
 ```
 
 ## Display Shared Drive Counts
@@ -450,20 +500,20 @@ count = & gam print shareddrives showitemcountonly
 ## Display all Shared Drives with a specific organizer
 Substitute actual email address for `organizer@domain.com`.
 ```
-gam config csv_output_header_filter "id,name" print teamdriveacls pm emailaddress organizer@domain.com role organizer em pma process pmselect
+gam config csv_output_header_filter "id,name" print shareddriveacls pm emailaddress organizer@domain.com role organizer em pma process pmselect
 ```
 
 ## Display all Shared Drives without a specific organizer
 Substitute actual email address for `organizer@domain.com`.
 ```
-gam config csv_output_header_filter "id,name" print teamdriveacls pm emailaddress organizer@domain.com role organizer em pma skip pmselect
+gam config csv_output_header_filter "id,name" print shareddriveacls pm emailaddress organizer@domain.com role organizer em pma skip pmselect
 ```
 
 ## Display List of Shared Drives in an Organizational Unit
 Get the orgUnitID of the desired OU and use it (without the id:) in the print|show command. Adjust fields as desired.
 ```
-gam show teamdrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
-gam print teamdrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
+gam show shareddrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
+gam print shareddrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
 ```
 Alternative method; `<OrgUnitPath>` defaults to `/`.
 ```
@@ -551,12 +601,12 @@ These commands are used to transfer ACLs from one Shared Drive to another.
 * `copy` - Copy all ACLs from the source Shared Drive to the target Shared Drive. The role of an existing ACL in the target Shared Drive will never be reduced.
 * `sync` - Add/delete/update ACLs in the target Shared Drive to match those in the source Shared Drive.
 ```
-gam [<UserTypeEntity>] copy teamdriveacls <SharedDriveEntity> to <SharedDriveEntity>
+gam [<UserTypeEntity>] copy shareddriveacls <SharedDriveEntity> to <SharedDriveEntity>
         [showpermissionsmessages [<Boolean>]]
         [excludepermissionsfromdomains|includepermissionsfromdomains <DomainNameList>]
         (mappermissionsdomain <DomainName> <DomainName>)*
         [adminaccess|asadmin]
-gam [<UserTypeEntity>] sync teamdriveacls <SharedDriveEntity> with <SharedDriveEntity>
+gam [<UserTypeEntity>] sync shareddriveacls <SharedDriveEntity> with <SharedDriveEntity>
         [showpermissionsmessages [<Boolean>]]
         [excludepermissionsfromdomains|includepermissionsfromdomains <DomainNameList>]
         (mappermissionsdomain <DomainName> <DomainName>)*
@@ -594,7 +644,7 @@ gam [<UserTypeEntity>] print drivefileacls <SharedDriveEntityAdmin> [todrive <To
 ### Examples:
 Find all the organizers and file organizers on the Golgafrincham shared drive in CSV form.
 ```
- gam print drivefileacls teamdrive "Golgafrincham" pm role organizer em pm role fileorganizer em oneitemperrow
+ gam print drivefileacls shareddrive "Golgafrincham" pm role organizer em pm role fileorganizer em oneitemperrow
 ```
 
 By default, all Shared Drives specified are displayed; use the following option to select a subset of those Shared Drives.
@@ -625,7 +675,7 @@ gam config csv_output_header_drop_filter "User,createdTime,permission.photoLink,
 
 ## Display Shared Drive access for selected Shared Drives
 ```
-gam [<UserTypeEntity>] show teamdriveacls
+gam [<UserTypeEntity>] show shareddriveacls
         [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
@@ -634,7 +684,7 @@ gam [<UserTypeEntity>] show teamdriveacls
         [shownopermissionsdrives false|true|only]
         [formatjson]
 
-gam [<UserTypeEntity>] print teamdriveacls [todrive <ToDriveAttribute>*]
+gam [<UserTypeEntity>] print shareddriveacls [todrive <ToDriveAttribute>*]
         [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
@@ -661,7 +711,7 @@ By default, all ACLS are displayed; use the following options to select a subset
 * `role|roles <SharedDriveACLRoleList>` - Display ACLs for the specified roles only.
 * `<PermissionMatch>* [<PermissionMatchAction>]` - Use permission matching to display a subset of the ACLs for each Shared Drive; this only applies when `pmselect` is not specified
 
-With `print teamdriveacls` or `show teamdrivecls formatjson`, the ACLs selected for display are all output on one row/line as a repeating item with the matching Shared Drive id.
+With `print shareddriveacls` or `show shareddrivecls formatjson`, the ACLs selected for display are all output on one row/line as a repeating item with the matching Shared Drive id.
 When `oneitemperrow` is specified, each ACL is output on a separate row/line with the matching Shared Drive id and name. This simplifies processing the CSV file with subsequent Gam commands.
 
 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
@@ -673,35 +723,35 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ### Examples
 Find all organizers and viewers on the shared drive Heart of Gold in CSV form.
 ```
- gam print teamdriveacls matchname "Heart of Gold" role organizer,reader oneitemperrow
+ gam print shareddriveacls matchname "Heart of Gold" role organizer,reader oneitemperrow
 ```
 
 Print ACLs for all Shared Drives in the organization created after November 1, 2017.
 ```
-gam print teamdriveacls teamdriveadminquery "createdTime > '2017-11-01T00:00:00'"
+gam print shareddriveacls shareddriveadminquery "createdTime > '2017-11-01T00:00:00'"
 ```
 
 Print ACLs for all Shared Drives in the organization with foo@bar.com as an organizer.
 ```
-gam print teamdriveacls user foo@bar.com role organizer
+gam print shareddriveacls user foo@bar.com role organizer
 ```
 
 Print ACLs for all Shared Drives in the organization with foo@bar.com or groups that contain foo@bar.com as a reader.
 ```
-gam print teamdriveacls user foo@bar.com role reader checkgroups
+gam print shareddriveacls user foo@bar.com role reader checkgroups
 ```
 
 ## Display ACLs for Shared Drives with no organizers
 ### For all Shared Drives
 ```
 One row per Shared Drive, all ACLs on the same row
-gam redirect csv ./SharedDriveACLsNoOrganizers.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted query "organizerCount = 0"
+gam redirect csv ./SharedDriveACLsNoOrganizers.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted query "organizerCount = 0"
 
 A row per Shared Drive/ACL combination
-gam redirect csv ./SharedDriveACLsNoOrganizers.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted query "organizerCount = 0" oneitemperrow
+gam redirect csv ./SharedDriveACLsNoOrganizers.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted query "organizerCount = 0" oneitemperrow
 ```
 ### For selected Shared Drives
-Create a CSV file TeamDrives.csv with at least two columns (id, name) for the selected Shared Drives.
+Create a CSV file shareddrives.csv with at least two columns (id, name) for the selected Shared Drives.
 ```
 One row per Shared Drive, all ACLs on the same row
 gam redirect csv ./SharedDriveACLsNoOrganizers.csv multiprocess csv ./SharedDrives.csv gam print drivefileacls "~id" addtitle "~name" fields id,domain,emailaddress,role,type,deleted pm role organizer em pma skip pmselect
@@ -714,13 +764,13 @@ gam redirect csv ./SharedDriveACLsNoOrganizersOIPR.csv multiprocess csv ./Shared
 ### For all Shared Drives
 ```
 One row per Shared Drive, all ACLs on the same row
-gam redirect csv ./SharedDriveACLsAllExternalOrganizers.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted role organizer pm role organizer domainlist domain.com,... em pma skip pmselect
+gam redirect csv ./SharedDriveACLsAllExternalOrganizers.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted role organizer pm role organizer domainlist domain.com,... em pma skip pmselect
 
 A row per Shared Drive/ACL combination
-gam redirect csv ./SharedDriveACLsAllExternalOrganizers.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted role organizer pm role organizer domainlist domain.com,... em pma skip pmselect
+gam redirect csv ./SharedDriveACLsAllExternalOrganizers.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted role organizer pm role organizer domainlist domain.com,... em pma skip pmselect
 ```
 ### For selected Shared Drives
-Create a CSV file TeamDrives.csv with at least two columns (id, name) for the selected Shared Drives.
+Create a CSV file shareddrives.csv with at least two columns (id, name) for the selected Shared Drives.
 ```
 One row per Shared Drive, all ACLs on the same row
 gam redirect csv ./SharedDriveACLsAllExternalOrganizers.csv multiprocess csv ./SharedDrives.csv gam print drivefileacls "~id" addtitle "~name" fields id,domain,emailaddress,role,type,deleted pm role organizer domainlist domain.com,... em pma skip pmselect
@@ -734,13 +784,13 @@ gam redirect csv ./SharedDriveACLsAllExternalOrganizersOIPR.csv multiprocess csv
 Include a permission match `pm domainlist domain.com,... em` that lists your internal domain(s).
 ```
 One row per Shared Drive, all ACLs on the same row
-gam redirect csv ./SharedDriveACLsAllExternal.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect
+gam redirect csv ./SharedDriveACLsAllExternal.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect
 
 A row per Shared Drive/ACL combination
-gam redirect csv ./SharedDriveACLsAllExternalOIPR.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect oneitemperrow
+gam redirect csv ./SharedDriveACLsAllExternalOIPR.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect oneitemperrow
 ```
 ### For selected Shared Drives
-Create a CSV file TeamDrives.csv with at least two columns (id, name) for the selected Shared Drives.
+Create a CSV file shareddrives.csv with at least two columns (id, name) for the selected Shared Drives.
 
 Include a permission match `pm domainlist domain.com,... em` that lists your internal domain(s).
 ```
@@ -763,16 +813,16 @@ to get the Shared Drive ACLs for the scammed Shared Drives.
 
 ```
 One row per Shared Drive, all ACLs on the same row
-gam redirect csv ./SharedDriveACLsAllExternal.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect
+gam redirect csv ./SharedDriveACLsAllExternal.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect
 
 A row per Shared Drive/ACL combination
-gam redirect csv ./SharedDriveACLsAllExternalOIPR.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect oneitemperrow
+gam redirect csv ./SharedDriveACLsAllExternalOIPR.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect oneitemperrow
 ```
 
 ### Add an organizer from your domain
 Sustitute an appropriate value for `admin@domain.com`.
 ```
-gam redirect stdout ./AddOrganizer.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternal.csv gam add drivefileacl teamdriveid "~id" user admin@domain.com role organizer
+gam redirect stdout ./AddOrganizer.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternal.csv gam add drivefileacl shareddriveid "~id" user admin@domain.com role organizer
 ```
 
 ### Delete non domain ACLs
@@ -781,7 +831,7 @@ you must delete all rows in `SharedDriveACLsAllExternalOIPR.csv` that have the s
 
 This will disable all non-domain users access to the Shared Drive.
 ```
-gam redirect stdout ./DeleteExternalACLs.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternalOIPR.csv gam delete drivefileacl teamdriveid "~id" "id:~~permission.id~~"
+gam redirect stdout ./DeleteExternalACLs.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternalOIPR.csv gam delete drivefileacl shareddriveid "~id" "id:~~permission.id~~"
 ```
 
 ### Delete the Shared Drives
@@ -789,5 +839,21 @@ The `allowitemdeletion` option allows deletion of non-empty Shared Drives. This
 
 This is not reversible, proceed with caution.
 ```
-gam redirect stdout ./DeleteSharedDrives.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternal.csv gam delete teamdrive "~id" allowitemdeletion
+gam redirect stdout ./DeleteSharedDrives.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternal.csv gam delete shareddrive "~id" allowitemdeletion
 ```
+
+## Delete old empty Shared Drives
+```
+# Get a list of Shared Drives organizers for Shared Drives created before one year ago; alter date<-1y as required.
+gam config csv_output_row_filter "createdTime:date<-1y" redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives
+
+# Inspect shareddriveOrganizers.csv, you'll have to deal with Shared Drives with no organizer/manager
+
+# Get old empty Shared Drives
+gam config num_threads 10 csv_input_row_filter "organizers:regex:^.+$" csv_output_row_filter "Total:count=0" redirect csv ./OldEmptySharedDrives.csv multiprocess redirect stderr - multiprocess csv ./TeamDriveOrganizers.csv gam user "~organizers" print filecounts select shareddriveid "~id" showsize
+
+# Inspect OldEmptySharedDrives.csv, if you're confident of the results, proceed
+
+# Delete old empty Shared Drives
+gam redirect stdout ./DeleteOldEmptySharedDrives.txt multiprocess redirect stderr stdout csv ./OldEmptySharedDrives.csv gam user "~User" delete shareddrive "~id"
+```

wiki/Users-Gmail-Delegates.md

@@ -1,4 +1,5 @@
 # Users - Gmail - Delegates
+- [Notes](#notes)
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
 - [Aliases](#aliases)
@@ -8,6 +9,11 @@
 - [Display Gmail delegates](#display-gmail-delegates)
 - [Delete all delegates for a user](#delete-all-delegates-for-a-user)
 
+## Notes
+
+To use Gmail delegation, the delegator and delagatee must be in org units where
+mail delegation is enabled. In the admin console, go to Apps/Google Workspace/Gmail/User Settings.
+
 ## API documentation
 * [Gmail API - Delegates](https://developers.google.com/gmail/api/v1/reference/users.settings.delegates)
 * [Delegation Notes](https://support.google.com/a/answer/7223765)

wiki/Users-Shared-Drives.md

@@ -12,6 +12,7 @@
   - [Change Shared Drive visibility](#change-shared-drive-visibility)
 - [Display Shared Drives](#display-shared-drives)
 - [Display Shared Drive Counts](#display-shared-drive-counts)
+- [Display Shared Drive Organizers](#display-shared-drive-organizers)
 - [Manage Shared Drive access](#manage-shared-drive-access)
 - [Display Shared Drive access](#display-shared-drive-access)
   - [Display Shared Drive access for specific Shared Drives](#display-shared-drive-access-for-specific-shared-drives)
@@ -72,6 +73,9 @@
 ```
 <JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |
 
+<OrganizerType> ::= user|group
+<OrganizerTypeList> ::= "<OrganizerType>(,<OrganizerType>)*"
+
 <OrgUnitID> ::= id:<String>
 <OrgUnitPath> ::= /|(/<String>)+
 <OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>
@@ -200,14 +204,14 @@ sharingfoldersrequiresorganizerpermission true
 
 ## Display Shared Drive themes
 ```
-gam <UserTypeEntity> show teamdrivethemes
+gam <UserTypeEntity> show shareddrivethemes
 ```
 ## Manage Shared Drives
 
 ## Create a Shared Drive
 The user that creates a Shared Drive is given the permission role organizer for the Shared Drive,
 ```
-gam <UserTypeEntity> create teamdrive <Name>
+gam <UserTypeEntity> create shareddrive <Name>
         [(theme|themeid <String>)|
          ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
         (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
@@ -215,7 +219,7 @@ gam <UserTypeEntity> create teamdrive <Name>
         [errorretries <Integer>] [updateinitialdelay <Integer>] [updateretrydelay <Integer>]
         [(csv [todrive <ToDriveAttribute>*] (addcsvdata <FieldName> <String>)*) | returnidonly]
 ```
-* `themeid` - a Shared Drive themeId obtained from `show teamdrivethemes`
+* `themeid` - a Shared Drive themeId obtained from `show shareddrivethemes`
 * `customtheme` - set the backgroundImageFile property described here:  https://developers.google.com/drive/v3/reference/teamdrives
   * `<Float>` - X coordinate, typically 0.0
   * `<Float>` - Y coordinate, typically 0.0
@@ -248,9 +252,9 @@ When either of these options is chosen, no infomation about Shared Drive restric
 To retrieve the Shared Drive ID with `returnidonly`:
 ```
 Linux/MacOS
-teamDriveId=$(gam user user@domain.com create teamdrive ... returnidonly)
+teamDriveId=$(gam user user@domain.com create shareddrive ... returnidonly)
 Windows PowerShell
-$teamDriveId = & gam user user@domain.com create teamdrive ... returnidonly
+$teamDriveId = & gam user user@domain.com create shareddrive ... returnidonly
 ```
 
 ## Bulk Create Shared Drives
@@ -260,7 +264,7 @@ As a newly created Drive can't be updated for 30+ seconds; split the operation i
 
 Make a CSV file SharedDriveNames.csv with at least two columns, User and name.
 ```
-gam redirect csv ./SharedDrivesCreated.csv multiprocess csv SharedDriveNames.csv gam user "~User" create teamdrive "~name" csv
+gam redirect csv ./SharedDrivesCreated.csv multiprocess csv SharedDriveNames.csv gam user "~User" create shareddrive "~name" csv
 ```
 This will create a three column CSV file SharedDriveNamesIDs.csv with columns: User,name,id
 * There will be a row for each Shared Drive.
@@ -274,13 +278,13 @@ gam redirect stdout ./SharedDrivesUpdated.txt multiprocess redirect stderr stdou
 
 This command is used to set basic Shared Drive settings.
 ```
-gam <UserTypeEntity> update teamdrive <SharedDriveEntity> [adminaccess|asadmin] [name <Name>]
+gam <UserTypeEntity> update shareddrive <SharedDriveEntity> [adminaccess|asadmin] [name <Name>]
         [(theme|themeid <String>)|
          ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
         (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
         [hide|hidden <Boolean>] [ou|org|orgunit <OrgUnitItem>]
 ```
-* `themeid` - a Shared Drive themeId obtained from `show teamdrivethemes`
+* `themeid` - a Shared Drive themeId obtained from `show shareddrivethemes`
 * `customtheme` - set the backgroundImageFile property described here:  https://developers.google.com/drive/v3/reference/teamdrives
 * `color` - set the Shared Drive color
 * `<SharedDriveRestrictionsSubfieldName> <Boolean>` - Set Shared Drive Restrictions
@@ -291,7 +295,7 @@ This option is only available when the command is run as an administrator.
 
 ## Delete a Shared Drive
 ```
-gam <UserTypeEntity> delete teamdrive <SharedDriveEntity> [allowitemdeletion] [adminaccess|asadmin]
+gam <UserTypeEntity> delete shareddrive <SharedDriveEntity> [allowitemdeletion] [adminaccess|asadmin]
 ```
 By default, deleting a Shared Drive that contains any files/folders will fail.
 The `allowitemdeletion` option allows a Super Admin to delete a non-empty Shared Drive.
@@ -299,19 +303,19 @@ This is not reversible, proceed with caution.
 
 ## Change Shared Drive visibility
 ```
-gam <UserTypeEntity> hide teamdrive <SharedDriveEntity>
-gam <UserTypeEntity> unhide teamdrive <SharedDriveEntity>
+gam <UserTypeEntity> hide shareddrive <SharedDriveEntity>
+gam <UserTypeEntity> unhide shareddrive <SharedDriveEntity>
 ```
 ## Display Shared Drives
 ```
-gam <UserTypeEntity> show teamdriveinfo <SharedDriveEntity>
-gam <UserTypeEntity> info teamdrive <SharedDriveEntity>
+gam <UserTypeEntity> show shareddriveinfo <SharedDriveEntity>
+gam <UserTypeEntity> info shareddrive <SharedDriveEntity>
         [fields <SharedDriveFieldNameList>]
         [guiroles [<Boolean>] [formatjson]
-gam <UserTypeEntity> show teamdriveinfo <SharedDriveEntity>
+gam <UserTypeEntity> show shareddriveinfo <SharedDriveEntity>
         [fields <SharedDriveFieldNameList>]
         [guiroles [<Boolean>] [formatjson]
-gam <UserTypeEntity> show teamdrives
+gam <UserTypeEntity> show shareddrives
         [matchname <REMatchPattern>] (role|roles <SharedDriveACLRoleList>)*
         [fields <SharedDriveFieldNameList>]
         [guiroles [<Boolean>] [formatjson]
@@ -323,7 +327,7 @@ By default, Gam displays all Teams Drives accessible by the user.
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam <UserTypeEntity> print teamdrives [todrive <ToDriveAttribute>*]
+gam <UserTypeEntity> print shareddrives [todrive <ToDriveAttribute>*]
         [matchname <REMatchPattern>] (role|roles <SharedDriveACLRoleList>)*
         [fields <SharedDriveFieldNameList>] [formatjson [quotechar <Character>]]
 ```
@@ -386,6 +390,51 @@ count=$(gam user user@domain.com print shareddrives showitemcountonly)
 Windows PowerShell
 count = & gam user user@domain.com print shareddrives showitemcountonly
 ```
+## Display Shared Drive Organizers
+The following command can be used instead of the `GetTeamDriveOrganizers.py` script.
+
+```
+gam <UserTypeEntity> print shareddriveorganizers [todrive <ToDriveAttribute>*]
+        [adminaccess|asadmin]
+        [(shareddriveadminquery|query <QuerySharedDrive>) |
+         (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>)))]
+        [orgunit|org|ou <OrgUnitPath>]
+        [matchname <REMatchPattern>]
+        [domainlist <DomainList>]
+        [includetypes <OrganizerTypeList>]
+        [oneorganizer [<Boolean>]]
+        [shownorganizerdrives [false|true|only]]
+        [includefileorganizers [<Boolean>]]
+        [delimiter <Character>]
+```
+Options `shareddriveadminquery|query` and `shareddrives|teamdrives` are mutually exclusive.
+
+Options `shareddriveadminquery|query` and `orgunit|org|ou` require `adminaccess|asadmin`.
+
+By default, organizers for all Shared Drives are displayed; use the following options to select a subset of Shared Drives:
+* `teamdriveadminquery|query <QueryTeamDrive>` - Use a query to select Shared Drives
+* `shareddrives|teamdrives <SharedDriveIDList>` - Select the Shared Drive IDs specified in `<SharedDriveIDList>`
+* `shareddrives|teamdrives select <FileSelector>|<CSVFileSelector>` - Select the Shared Drive IDs specified in `<FileSelector>|<CSVFileSelector>`
+* `orgunit|org|ou <OrgUnitPath>` - Only Shared Drives in the specified Org Unit are selected
+* `matchname <REMatchPattern>` - Retrieve Shared Drives with names that match a pattern.
+
+For multiple organizers:
+* `delimiter <Character>` - Separate `organizers` entries with `<Character>`; the default value is `csv_output_field_delimiter` from `gam.cfg`.
+
+The command defaults do not match the script defaults, they are set for the most common use case:
+* `domainlist` - The workspace primary domain
+* `includetypes` - user
+* `oneorganizer` - True
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+To select organizers from any domain, use: `domainlist ""`
+
+For example, to get a single user organizer from your domain for all Shared Drives including no organizer drives:
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers
+```
+
 ## Manage Shared Drive access
 These commands must be issued by a user with Shared Drive permission role organizer.
 ### Process single ACLs.
@@ -458,14 +507,14 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 
 ## Display Shared Drive access for selected Shared Drives
 ```
-gam <UserTypeEntity> show teamdriveacls
+gam <UserTypeEntity> show shareddriveacls
         adminaccess [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
         <PermissionMatch>* [<PermissionMatchAction>] [pmselect]
         [oneitemperrow] [<DrivePermissionsFieldName>*|(fields <DrivePermissionsFieldNameList>)]
         [formatjson [quotechar <Character>]]
-gam <UserTypeEntity> print teamdriveacls [todrive <ToDriveAttribute>*]
+gam <UserTypeEntity> print shareddriveacls [todrive <ToDriveAttribute>*]
         adminaccess [teamdriveadminquery|query <QueryTeamDrive>]
 	[matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
@@ -488,7 +537,7 @@ By default, all ACLS are displayed; use the following options to select a subset
 * `role|roles <SharedDriveACLRoleList>` - Display ACLs for the specified roles only.
 * `<PermissionMatch>* [<PermissionMatchAction>]` - Use permission matching to display a subset of the ACLs for each Shared Drive; this only applies when `pmselect` is not specified
 
-With `print teamdriveacls` or `show teamdrivecls formatjson`, the ACLs selected for display are all output on one row/line as a repeating item with the matching Shared Drive id.
+With `print shareddriveacls` or `show shareddrivecls formatjson`, the ACLs selected for display are all output on one row/line as a repeating item with the matching Shared Drive id.
 When `oneitemperrow` is specified, each ACL is output on a separate row/line with the matching Shared Drive id and name. This simplifies processing the CSV file with subsequent Gam commands.
 
 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain

wiki/Version-and-Help.md

@@ -3,9 +3,9 @@
 Print the current version of Gam with details
 ```
 gam version
-GAM 7.07.16 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.09.00 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -15,9 +15,9 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAM 7.07.16 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.09.00 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -27,9 +27,9 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAM 7.07.16 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.09.00 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -64,7 +64,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gam7
 Version Check:
   Current: 5.35.08
-   Latest: 7.07.16
+   Latest: 7.09.00
 echo $?
 1
 ```
@@ -72,7 +72,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-7.07.16
+7.09.00
 ```
 In Linux/MacOS you can do:
 ```
@@ -82,9 +82,9 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 7.07.16 - https://github.com/GAM-team/GAM
+GAM 7.09.00 - https://github.com/GAM-team/GAM
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com

wiki/gam.cfg.md

@@ -328,6 +328,16 @@ enable_dasa
         admin_email, customer_id and domain must be set when enable_dasa is True,
         customer_id may not be set to my_customer
         Signal file: OldGamPath/enabledasa.txt
+enforce_expansive_access
+        The default value for option `enforceexpansiveaccess` in all commands that delete or update drive file ACLs/permissions.
+        gam <UserTypeEntity> delete permissions
+        gam <UserTypeEntity> delete drivefileacl
+        gam <UserTypeEntity> update drivefileacl
+        gam <UserTypeEntity> copy drivefile
+        gam <UserTypeEntity> move drivefile
+        gam <UserTypeEntity> transfer ownership
+        gam <UserTypeEntity> claim ownership
+        Default: False
 event_max_results
         When retrieving lists of Calendar events from API,
         how many should be retrieved in each API call