Update gam info user <UserItem> to eliminate 5 second delay when getting license info.

[no ci] actions: Use Windows 2025
2026-06-07 15:51:38 +00:00 · 2025-08-27 19:38:24 -07:00 · 2025-08-27 19:38:09 -07:00 · 2025-08-27 12:46:20 -04:00 · 2025-08-27 12:24:28 -04:00 · 2025-08-27 11:04:09 -04:00
74 changed files with 5259 additions and 2009 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -30,6 +30,7 @@ env:
  PYTHON_SOURCE_PATH: ${{ github.workspace }}/src/cpython
  CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY: 1
  CRYPTOGRAPHY_OPENSSL_NO_LEGACY: 1
+  WINDOWS_CODESIGN_CERT_HASH: 590dc5bb10dfb31dbff38c0e2f9c35ef0f6d0e9e

 jobs:
  build:
@@ -76,7 +77,7 @@ jobs:
            jid: 9
            goal: build
            name: Build Arm MacOS 15
-          - os: windows-2022
+          - os: windows-2025
            jid: 10
            goal: build
            name: Build Intel Windows
@@ -107,26 +108,26 @@ jobs:

    steps:

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
        with:
          persist-credentials: false
          fetch-depth: 0

      - id: auth
        name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@v2
+        uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # 2.1.12
        with:
          workload_identity_provider: projects/297925809119/locations/global/workloadIdentityPools/gha-pool/providers/gha-provider
          service_account: github-actions-testing-for-gam@gam-project-wyo-lub-ivl.iam.gserviceaccount.com

      - name: Cache multiple paths
        if: matrix.goal == 'build'
-        uses: actions/cache@v4
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # 4.2.4
        id: cache-python-ssl
        with:
          path: |
            cache.tar.xz
-          key: gam-${{ matrix.jid }}-20250611
+          key: gam-${{ matrix.jid }}-20250814

      - name: Untar Cache archive
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
@@ -136,7 +137,7 @@ jobs:

      - name: Use pre-compiled Python for testing
        if: matrix.python != ''
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
        with:
          python-version: ${{ matrix.python }}
          allow-prereleases: true
@@ -216,14 +217,13 @@ jobs:

      - name: MacOS import developer certificates for signing
        if: runner.os == 'macOS'
-        uses: apple-actions/import-codesign-certs@v3
+        uses: apple-actions/import-codesign-certs@95e84a1a18f2bdbc5c6ab9b7f4429372e4b13a8b # 5.0.3
        with:
-          keychain: signing_temp
          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}

      - name: Windows Configure VCode
-        uses: ilammy/msvc-dev-cmd@v1
+        uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # 1.13.0
        if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        with:
          arch: ${{ runner.arch }}
@@ -285,17 +285,17 @@ jobs:
          echo "COMPILED_OPENSSL_VERSION=${COMPILED_OPENSSL_VERSION}" >> $GITHUB_ENV

      - name: Windows NASM Install
-        uses: ilammy/setup-nasm@v1
+        uses: ilammy/setup-nasm@72793074d3c8cdda771dba85f6deafe00623038b # 1.5.2
        if: matrix.goal == 'build' && runner.os == 'Windows' && runner.arch == 'X64' && steps.cache-python-ssl.outputs.cache-hit != 'true'

      - name: Config OpenSSL
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        run: |
          cd "${OPENSSL_SOURCE_PATH}"
-          if ([ "$RUNNER_OS" == "Windows" ] && [ "$RUNNER_ARCH" == "ARM64" ]); then
+          #if ([ "$RUNNER_OS" == "Windows" ] && [ "$RUNNER_ARCH" == "ARM64" ]); then
            # https://github.com/openssl/openssl/issues/26239
            export CFLAGS=-DNO_INTERLOCKEDOR64
-          fi
+          #fi
          # --libdir=lib is needed so Python can find OpenSSL libraries
          "${PERL}" ./Configure --libdir=lib --prefix="${OPENSSL_INSTALL_PATH}" $OPENSSL_CONFIG_OPTS

@@ -457,28 +457,16 @@ jobs:
      - name: Custom wheels for Win arm64
        if: runner.os == 'Windows' && runner.arch == 'ARM64'
        run: |
-          latest_lxml_whl=$(curl https://api.github.com/repos/GAM-team/lxml-wheel/releases/latest -s | jq -r .assets.[0].browser_download_url)
-          echo "Downloading ${latest_lxml_whl}..."
-          curl -O -L "$latest_lxml_whl"
-          "$PYTHON" -m pip install lxml*.whl
          latest_crypt_whl=$(curl https://api.github.com/repos/jay0lee/cryptography/releases/latest -s | jq -r .assets.[0].browser_download_url)
          echo "Downloading ${latest_crypt_whl}..."
          curl -O -L "$latest_crypt_whl"
          "$PYTHON" -m pip install cryptography*.whl

-      - uses: actions-rust-lang/setup-rust-toolchain@v1
-
-     # - name: Compile cryptography from source (no legacy)
-     #   if: runner.os != 'Windows' || runner.arch != 'ARM64'
-     #   run: |
-     #     pip install --no-binary ":all:" --force cryptography
-
      - name: Install pip requirements
        run: |
          echo "before anything..."
          "$PYTHON" -m pip list
-          "$PYTHON" -m pip install --upgrade -r requirements.txt
-          echo "after requirements..."
+          "$PYTHON" -m pip install --upgrade ..[yubikey]
          "$PYTHON" -m pip list
          #"$PYTHON" -m pip install --force-reinstall --no-deps --upgrade cryptography
          echo "after everything..."
@@ -606,6 +594,72 @@ jobs:
          echo "GAM Version ${GAMVERSION}"
          echo "GAMVERSION=${GAMVERSION}" >> $GITHUB_ENV

+      - name: Install WinAppDriver
+        if: runner.os == 'Windows'
+        run: |
+          choco install -y winappdriver
+
+      - name: Enabled dev mode for WinAppDriver
+        if: runner.os == 'Windows'
+        shell: cmd
+        run : |
+         reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v "AllowDevelopmentWithoutDevLicense" /d "1"
+
+      - name: Install appium and totp tools
+        if: runner.os == 'Windows'
+        run: |
+          echo "Installing appium..."
+          npm install -g appium
+          echo "Installing totp-generator..."
+          npm install "totp-generator"
+          echo "Installing wdio..."
+          npm install @wdio/cli
+          echo "Installing appium win driver..."
+          appium driver install windows
+
+      - name: Install Certum MSI
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          $url = "https://files.certum.eu/software/SimplySignDesktop/Windows/9.3.2.67/SimplySignDesktop-9.3.2.67-64-bit-en.msi"
+          $file = "SimplySignDesktop-9.3.2.67-64-bit-en.msi"
+          Invoke-WebRequest $url -OutFile $file
+          $log = "install.log" 
+          $procMain = Start-Process "msiexec" "/i `"$file`" /qn /l*! `"$log`"" -NoNewWindow -PassThru
+          $procLog = Start-Process "powershell" "Get-Content -Path `"$log`" -Wait" -NoNewWindow -PassThru 
+          $procMain.WaitForExit() 
+          $procLog.Kill()
+
+      - name: Login to Certum
+        if: runner.os == 'Windows'
+        shell: pwsh
+        env:
+          TOTP_SECRET: ${{ secrets.TOTP_SECRET }}
+        run: |
+          # disable win private firewall that interferes with appium server
+          Set-NetFirewallProfile -Profile Private -Enabled False
+          $appiumCmd = Get-Command appium
+          $appiumPath = $appiumCmd.Path
+          Start-Process -Filepath "powershell.exe" -ArgumentList "-File", $appiumPath, "--address", "127.0.0.1", "--log-level", "error"
+          Start-Sleep -Seconds 10
+          write-host "appium started"
+          write-host "running SimplySignDesktop login..."
+          node tools/ssd.mjs --log-level warn
+          write-host "sleeping during login..."
+          Start-Sleep 10
+
+      - name: Sign gam.exe
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          write-Host "Signing ${env:gam}...."
+          # Always explicitely use x64 version os signtool.exe, arm64 version apparently can't
+          # see Certum certs since SimplySignDesktop is x64-only today.
+          Start-Process -Wait -NoNewWindow -ErrorAction Continue -FilePath 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe'  -ArgumentList "sign", "/sha1", "590dc5bb10dfb31dbff38c0e2f9c35ef0f6d0e9e", "/tr", "http://time.certum.pl", "/td", "SHA256", "/fd", "SHA256", "/v", "$env:gam"
+          write-Host "Verifying signature of ${env:gam}...."
+          # verify signature. If we failed to sign we should fail to verify and die.
+          & 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe' verify /pa /v "$env:gam"
+
      - name: Configure user and service account auth
        id: configserviceaccount
        env:
@@ -614,36 +668,8 @@ jobs:
          ../.github/actions/decrypt.sh "${GAMCFGDIR}"
          $gam create signjwtserviceaccount

-      - name: Upload gam.exe Windows for signing
-        if: runner.os == 'Windows' && matrix.goal != 'test'
-        run: |
-          export folder_number=$(date +%s)
-          export folder_id=$($gam user gam-win-signer@pdl.jaylee.us add drivefile drivefilename "UPLOADING_FOR_SIGN ${folder_number}" parentid "1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp" mimetype gfolder returnidonly)
-          $gam user gam-win-signer@pdl.jaylee.us add drivefile localfile "$gam" parentid "$folder_id"
-          $gam user gam-win-signer@pdl.jaylee.us update drivefile "$folder_id" newfilename "READYTOSIGN ${folder_number}"
-          export signed_folder="SIGNED ${folder_number}"
-          zero_results="gam-win-signer@pdl.jaylee.us,0"
-          while true; do
-            result_counts=$($gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" countsonly)
-            echo "$result_counts"
-            if [[ ! "$result_counts" =~ "$zero_results" ]]; then
-              echo "looks like we have results"
-              break
-            fi
-            echo "no results, sleeping 10..."
-            sleep 10
-          done
-          # download signed gam.exe
-          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us print filelist query "'~~id~~' in parents and name = 'gam.exe'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us get drivefile ~id targetfolder "$gampath" targetname "signed-gam.exe" overwrite true acknowledgeabuse true
-          # delete signed folder on drive
-          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us trash drivefile "~id"
-          # remove unsigned gam.exe and rename signed-gam.exe
-          rm -v -f "${gampath}/gam.exe"
-          mv -v -f "${gampath}/signed-gam.exe" "${gampath}/gam.exe"
-          #"/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe" verify /v /pa "$gam"
-
      - name: Attest gam executable was generated from this Action
-        uses: actions/attest-build-provenance@v1
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # 2.4.0
        if: matrix.goal == 'build'
        with:
          subject-path: ${{ env.gam }}
@@ -694,34 +720,20 @@ jobs:
          rm -v -f *.wixobj
          echo "MSI_FILENAME=${MSI_FILENAME}" >> $GITHUB_ENV

-      - name: Upload gam MSI Windows for signing
-        if: runner.os == 'Windows' && matrix.goal != 'test'
+      - name: Sign GAM MSI
+        if: runner.os == 'Windows'
+        shell: pwsh
        run: |
-          export folder_number=$(date +%s)
-          export folder_id=$($gam user gam-win-signer@pdl.jaylee.us add drivefile drivefilename "UPLOADING_FOR_SIGN ${folder_number}" parentid "1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp" mimetype gfolder returnidonly)
-          $gam user gam-win-signer@pdl.jaylee.us add drivefile localfile "$MSI_FILENAME" parentid "$folder_id"
-          rm -f -v "$MSI_FILENAME"
-          $gam user gam-win-signer@pdl.jaylee.us update drivefile "$folder_id" newfilename "READYTOSIGN ${folder_number}"
-          export signed_folder="SIGNED ${folder_number}"
-          zero_results="gam-win-signer@pdl.jaylee.us,0"
-          while true; do
-            result_counts=$($gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" countsonly)
-            echo "$result_counts"
-            if [[ ! "$result_counts" =~ "$zero_results" ]]; then
-              echo "looks like we have results"
-              break
-            fi
-            echo "no results, sleeping 10..."
-            sleep 10
-          done
-          # download signed package
-          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us print filelist query "'~~id~~' in parents and name contains '.msi'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us get drivefile ~id targetfolder "$GITHUB_WORKSPACE" targetname "$MSI_FILENAME" overwrite true acknowledgeabuse true
-          # delete signed folder on drive
-          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us trash drivefile "~id"
-          #"/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe" verify /v /pa "$MSI_FILENAME"
+          write-Host "Signing ${env:MSI_FILENAME}...."
+          # Always explicitely use x64 version os signtool.exe, arm64 version apparently can't
+          # see Certum certs since SimplySignDesktop is x64-only today.
+          Start-Process -Wait -NoNewWindow -ErrorAction Continue -FilePath 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe'  -ArgumentList "sign", "/sha1", "590dc5bb10dfb31dbff38c0e2f9c35ef0f6d0e9e", "/tr", "http://time.certum.pl", "/td", "SHA256", "/fd", "SHA256", "/v", "$env:MSI_FILENAME"
+          write-Host "Verifying signature of ${env:MSI_FILENAME}...."
+          # verify signature. If we failed to sign we should fail to verify and die.
+          & 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe' verify /pa /v "$env:MSI_FILENAME"

      - name: Attest that gam package files were generated from this Action
-        uses: actions/attest-build-provenance@v1
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # 2.4.0
        if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && matrix.goal == 'build'
        with:
          subject-path: |
@@ -730,7 +742,7 @@ jobs:
            gam*.msi

      - name: Archive production artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # 4.6.2
        if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && matrix.goal != 'test'
        with:
          name: gam-binaries-${{ env.GAMOS }}-${{ env.arch }}-${{ matrix.jid }}
@@ -810,7 +822,7 @@ jobs:
          echo "Created shared drive ${driveid}"
          $gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB- ou "${newou}"
          $gam user $newuser add license workspaceenterpriseplus
-          $gam user $newuser update photo https://dummyimage.com/400x600/000/fff
+          $gam user $newuser update photo https://dummyimage.com/98x98/000/fff.jpg
          $gam user $newuser get photo
          $gam user $newuser delete photo
          $gam create alias $newalias user $newuser
@@ -857,7 +869,7 @@ jobs:
          $gam user $newuser show labels > labels.txt
          $gam user $gam_user importemail subject "GHA import $newbase" message "This is a test import" labels IMPORTANT,UNREAD,INBOX,STARRED
          $gam user $gam_user insertemail subject "GHA insert $newbase" file gam.py labels INBOX,UNREAD # yep body is gam code
-          $gam user $gam_user sendemail subject "GHA send $gam_user $newbase" file gam.py recipient admin@pdl.jaylee.us
+          $gam user $gam_user sendemail recipient admin@pdl.jaylee.us subject "GHA send $gam_user $newbase" file gam.py
          $gam user $gam_user draftemail subject "GHA draft $newbase" message "Draft message test"
          $gam csvfile sample.csv:email waitformailbox retries 20
          $gam user $newuser delegate to "${newbase}-bulkuser-1" || if [ $? != 50 ]; then exit $?; fi # expect a 50 return code (delegation failed)
@@ -920,7 +932,7 @@ jobs:
          $gam config enable_dasa true save
          $gam print users query "gha.jid=$JID" | $gam csv - gam delete user ~primaryEmail  || if [ $? != 50 ]; then exit $?; fi # expect a 50 return code (vault hold on user)
          $gam print mobile
-          $gam print devices
+          $gam print devices clientstates
          $gam print browsers
          $gam print cros allfields orderby serialnumber
          $gam show crostelemetry storagepercentonly
@@ -994,16 +1006,16 @@ jobs:

    steps:

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
        with:
          persist-credentials: false
          fetch-depth: 0

      - name: Download artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # 5.0.0

      - name: VirusTotal Scan
-        uses: crazy-max/ghaction-virustotal@v4
+        uses: crazy-max/ghaction-virustotal@d34968c958ae283fe976efed637081b9f9dcf74f # 4.2.0
        with:
          vt_api_key: ${{ secrets.VT_API_KEY }}
          files: |
@@ -1016,12 +1028,14 @@ jobs:
          echo "Date version: ${dateversion}"
          echo "dateversion=${dateversion}" >> $GITHUB_OUTPUT

-      - uses: "marvinpinto/action-automatic-releases@latest"
-        name: Publish draft release
+      - name: Publish draft release
+        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # 2.3.2
        with:
-          repo_token: "${{ secrets.GITHUB_TOKEN }}"
-          automatic_release_tag: "${{ steps.dateversion.outputs.dateversion }}"
-          prerelease: false
          draft: true
+          prerelease: false
+          tag_name: "${{ steps.dateversion.outputs.dateversion }}"
+          fail_on_unmatched_files: true
          files: |
            gam-binaries/*
+
+        
--- a/.github/workflows/get-cacerts.yml
+++ b/.github/workflows/get-cacerts.yml
@@ -16,7 +16,7 @@ defaults:
    working-directory: src

 jobs:
-  check-apis:
+  check-certs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
--- a/.github/workflows/pushwiki.yml
+++ b/.github/workflows/pushwiki.yml
@@ -5,6 +5,8 @@ on:
  push:
    paths:
      - 'wiki/**'
+  workflow_dispatch:
+
 jobs:
  pushwiki:
    runs-on: ubuntu-latest
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -7,7 +7,8 @@ authors = [
    { name="Jay Lee", email="jay0lee@gmail.com" },
    { name="Ross Scroggs", email="Ross.Scroggs@gmail.com" },
 ]
-# # The following files should be edited to match: setup.cfg, requirements.txt
+# notice that yubikey-manager remains optional further down since it is less command and adds
+#significant compile dependencies.
 dependencies = [
    "chardet>=5.2.0",
    "cryptography>=44.0.2",
@@ -22,7 +23,6 @@ dependencies = [
    "passlib>=1.7.4",
    "pathvalidate>=3.2.3",
    "python-dateutil",
-    "yubikey-manager>=5.6.1",
 ]
 description = "CLI tool to manage Google Workspace"
 readme = "README.md"
--- a/src/GamCommands.txt
+++ b/src/GamCommands.txt
@@ -279,6 +279,7 @@ If an item contains spaces, it should be surrounded by ".
        geminiedu | 1010470004 | Gemini Education |
        geminiedupremium| 1010470005 | Gemini Education Premium |
        geminient| duetai | 1010470001 | Gemini Enterprise |
+        geminiultra | 1010470008 | Google AI Ultra for Business |
        gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
        gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 | Google Workspace Business - Archived User |
@@ -380,10 +381,15 @@ If an item contains spaces, it should be surrounded by ".
        domain:<DomainName>|domain|default
 <CalendarItem> ::= <EmailAddress>
 <ChannelCustomerID> ::= <String>
+<ChatEmojiName> ::= :[0-9a-z_-]+:
+<ChatEmoji> ::= emojiname <ChatEmojiName> | customemojis/<String>
 <ChatMember> ::= spaces/<String>/members/<String>
 <ChatMessage> ::= spaces/<String>/messages/<String>
 <ChatSpace> ::= spaces/<String> | space <String> | space spaces/<String>
 <ChatThread> ::= spaces/<String>/threads/<String>
+<ChromeProfilePermanentID> ::= <String>
+<ChromeProfileName> ::= customers/<CustomerID>/profiles/<ChromeProfilePermanentID> | <ChromeProfilePermanentID>
+<ChromeProfileCommandName> ::= <ChomeProfileName>/commands/<String>
 <GIGroupAlias> ::= <EmailAddress>
 <GIGroupItem> ::= <EmailAddress>|<UniqueID>|groups/<String>
 <CIGroupMemberType> ::= cbcmbrowser|chromeosdevice|customer|group|other|serviceaccount|user
@@ -402,6 +408,11 @@ If an item contains spaces, it should be surrounded by ".
 <ContactGroupItem> ::= <ContactGroupID>|<ContactGroupName>
 <CorporaAttribute> ::= alldrives|allteamdrives|domain|onlyteamdrives|user
 <CourseAlias> ::= <String>
+<CourseAnnouncementContent> ::=
+        ((text <String>)|
+         (textfile <FileName> [charset <Charset>])|
+         (gdoc <UserGoogleDoc>)|
+         (gcsdoc <StorageBucketObjectName>))
 <CourseAnnouncementID> ::= <Number>
 <CourseAnnouncementState> ::= draft|published|deleted
 <CourseID> ::= <Number>|d:<CourseAlias>
@@ -528,6 +539,7 @@ If an item contains spaces, it should be surrounded by ".
        Must match this Python Regular Expression: [a-zA-Z0-9 '"!-]{4,30}
 <PropertyKey> ::= <String>
 <PropertyValue> ::= <String>
+<PubSubTopicName> ::= <String>
 <QueryAlert> ::= <String>
        See: https://developers.google.com/admin-sdk/alertcenter/guides/query-filters
 <QueryBrowser> ::= <String>
@@ -611,6 +623,14 @@ If an item contains spaces, it should be surrounded by ".
        gs://<StorageBucketName>/<StorageObjectName>|
        <StorageBucketName>/<StorageObjectName>
 <Tag> ::= <String>
+<TagManagerAccountID> ::= <String>
+<TagManagerAccountPath> ::= accounts/<TagManagerAccountID>
+<TagManagerContainerID> ::= <String>
+<TagManagerContainerPath> ::= accounts/<TagManagerAccountID>/containers/<TagManagerContainerID>
+<TagManagerWorkspaceID> ::= <String>
+<TagManagerWorkspacePath> ::= accounts/<TagManagerAccountID>/containers/<TagManagerContainerID>/workspaces/<TagManagerWorkspaceID>
+<TagManagerTagID> ::= <String>
+<TagManagerTagPath> ::= accounts/<TagManagerAccountID>/containers/<TagManagerContainerID>/workspaces/<TagManagerWorkspaceID>/tags/<TagManagerTagID>
 <TakeoutBucketName> ::= takeout-export-[a-f,0-9,-]*
 <TaskID> ::= <String>
 <TaskListID> ::= <String>
@@ -664,6 +684,7 @@ If an item contains spaces, it should be surrounded by ".
        (gdoc|ghtml <UserGoogleDoc>)|
        (gcsdoc|gcshtml <StorageBucketObjectName>)
 <YouTubeChannelID> ::= <String>
+
 ## Lists of basic items

 <APIScopeURLList> ::= "<APIScopeURL>(,<APIScopeURL>)*"
@@ -672,9 +693,16 @@ If an item contains spaces, it should be surrounded by ".
 <CalendarACLScopeList> ::= "<CalendarACLScope>(,<CalendarACLScope>)*"
 <CalendarList> ::= "<CalendarItem>(,<CalendarItem>)*"
 <ChatSpaceList> ::= "<ChatSpace>(,<ChatSpace>)*"
+<ChromeProfileNameList> ::= "<ChromeProfileName>(,<ChromeProfileName>)*"
+<ChromeProfileCommandNameList> ::= "<ChromeProfileCommandName>(,<ChromeProfileCommandName>)*"
 <CIGroupAliasList> ::= "<CIGroupAlias>(,<CIGroupAlias>)*"
 <CIGroupMemberTypeList> ::= "<CIGroupMemberType>(,<CIGroupMemberType>)*"
 <CIPolicyNameList> ::= "<CIPolicyName>(,<CIPolicyName>)*"
+<ClassificationLabelIDList> ::= "<ClassificationLabelID>(,<ClassificationLabelID>)*"
+<ClassificationLabelNameList> ::= "<ClassificationLabelName>(,<ClassificationLabelName>)*"
+<ClassificationLabelPermissionNameList> ::= "<ClassificationLabelPermissionName>(,<ClassificationLabelPermissionName>)*"
+<ClassificationLabelFieldIDList> ::= "<ClassificationLabelFieldID>(,<ClassificationLabelFieldID>)*"
+<ClassificationLabelSelectionIDList> ::= "<ClassificationLabelSelectionID>(,<ClassificationLabelSelectionID>)*"
 <ClassroomInvitationIDList> ::= "<ClassroomInvitationID>(,<ClassroomInvitationID>)*"
 <ContactGroupList> ::= "<ContactGroupItem>(,<ContactGroupItem>)*"
 <ContactIDList> ::= "<ContactID>(,<ContactID>)*"
@@ -752,6 +780,9 @@ If an item contains spaces, it should be surrounded by ".
 <SharedDriveACLRoleList> ::= "<SharedDriveACLRole>(,<SharedDriveACLRole>)*"
 <SharedDriveIDList> ::= "<SharedDriveID>(,<SharedDriveID>)*"
 <StringList> ::= "<String>(,<String>)*"
+<TagManagerAccountPathList> ::= "<TagManagerAccountPath>(,<TagManagerAccountPath>)*"
+<TagManagerContainerPathList> ::= "<TagManagerContainerPath>(,<TagManagerContainerPath>)*"
+<TagManagerWorkspacePathList> ::= "<TagManagerWorkspacePath>(,<TagManagerWorkspacePath>)*"
 <TasklistIDList> ::= "<TasklistID>(,<TasklistID>)*"
 <TasklistTitleList> ::= "'<TasklistTitle>'(,'<TasklistTitle>')*"
 <TasklistIDTaskIDList> ::= "<TasklistIDTaskID>(,<TasklistIDTaskID>)*"
@@ -1006,6 +1037,11 @@ Specify a collection of items by directly specifying them; the item type is dete
        <CalendarACLScopeList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <CalendarEntity> ::=
        <CalendarList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+<ChromeProfileNameEntity> ::=
+        <ChromeProfileNameList> |
+        (select <FileSelector>|<CSVFileSelector>) |
+        (filter <String> (filtertime<String> <Time>)* [orderby <ChromeProfileOrderByFieldName> [ascending|descending]]) |
+        (commands <ChromeProfileCommandNameList>|<FileSelector>|<CSVFileSelector>)
 <CIPolicyNameEntity> ::=
        <CIPolicyNameList> | <FileSelector> | <CSVFileSelector>
 <ClassificationLabelNameEntity> ::=
@@ -1208,6 +1244,15 @@ Specify a collection of items by directly specifying them; the item type is dete
        <SiteACLScopeList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <SiteEntity> ::=
        <SiteList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+<TagManagerAccountPathEntity> ::=
+        <TagManagerAccountPathList> |
+        (select <FileSelector>|<CSVFileSelector>) |
+<TagManagerContainerPathEntity> ::=
+        <TagManagerContainerPathList> |
+        (select <FileSelector>|<CSVFileSelector>) |
+<TagManagerWorkspacePathEntity> ::=
+        <TagManagerWorkspacePathList> |
+        (select <FileSelector>|<CSVFileSelector>) |
 <TasklistEntity> ::=
        <TasklistIDList> | <TaskListTitleList> | <FileSelector> | <CSVFileSelector>
 <TasklistIDTaskIDEntity> ::=
@@ -1467,15 +1512,22 @@ gam show privileges
 <RoleItem> ::= id:<String>|uid:<string>|<String>

 gam create adminrole <String> [description <String>]
-        privileges all|all_ou|<PrivilegesList>|(select <FileSelector>|<CSVFileSelector>)
+        privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>)|<JSONData>
+        [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*]
 gam update adminrole <RoleItem> [name <String>] [description <String>]
-         [privileges all|all_ou|<PrivilegesList>|(select <FileSelector>|<CSVFileSelector>)]
+        [privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>)|<JSONData>]
+        [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*]
 gam delete adminrole <RoleItem>
 gam info adminrole <RoleItem> [privileges]
+        [formatjson]
 gam print adminroles|roles [todrive <ToDriveAttribute>*]
        [role <RoleItem>] [privileges] [oneitemperrow]
+        [nosystemroles]
+        [formatjson [quotechar <Character>]]
 gam show adminroles|roles
        [role <RoleItem>] [privileges]
+	[nosystemroles]
+	[formatjson]

 gam create|add admin <EmailAddress>|<UniqueID> <RoleItem> customer|(org_unit <OrgUnitItem>)
        [condition securitygroup|nonsecuritygroup]
@@ -1489,6 +1541,10 @@ gam show admins

 # Alert Center

+gam show alertsettings
+gam update alertsettings <PubsubTopicName>
+gam clear alertsettings
+
 gam delete alert <AlertID>
 gam undelete alert <AlertID>
 gam info alert <AlertID> [formatjson]
@@ -2206,6 +2262,17 @@ gam show chromeneedsattn

 # Chrome Profile Management

+<ChromeProfilePermanentID> ::= <String>
+<ChromeProfileName> ::= customers/<CustomerID>/profiles/<ChromeProfilePermanentID> | <ChromeProfilePermanentID>
+<ChromeProfileNameList> ::= "<ChromeProfileName>(,<ChromeProfileName>)*"
+<ChromeProfileCommandName> ::= <ChomeProfileName>/commands/<String>
+<ChromeProfileCommandNameList> ::= "<ChromeProfileCommandName>(,<ChromeProfileCommandName>)*"
+<ChromeProfileNameEntity> ::=
+        <ChromeProfileNameList> |
+        (select <ChromeProfileNameList>|<FileSelector>|<CSVFileSelector>) |
+        (filter <String> (filtertime<String> <Time>)* [orderby <ChromeProfileOrderByFieldName> [ascending|descending]]) |
+        (commands <ChromeProfileCommandNameList>|<FileSelector>|<CSVFileSelector>)
+
 <ChromeProfileFieldName> ::=
        affiliationstate|
        annotatedlocation|
@@ -2256,15 +2323,27 @@ gam delete chromeprofile <ChromeProfileName>
 gam info chromeprofile <ChromeProfileName>
        <ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]
 gam show chromeprofiles
-        [filtertime.* <Time>] [filter <String>]
+        [filter <String> (filtertime<String> <Time>)*]
        [orderby <ChromeProfileOrderByFieldName> [ascending|descending]]
        <ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]
        [formatjson]
 gam print chromeprofiles [todrive <ToDriveAttribute>*]
-        [filtertime.* <Time>] [filter <String>]
+        [filter <String> (filtertime<String> <Time>)*]
        [orderby <ChromeProfileOrderByFieldName> [ascending|descending]]
        <ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]
-        [[formatjson [quotechar <Character>]]
+        [formatjson [quotechar <Character>]]
+
+gam create chromeprofilecommand <ChromeProfileNameEntity>
+        [clearcache [<Boolean>]] [clearcookies [<Boolean>]]
+        [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]]
+
+gam info chromeprofilecommand <ChromeProfileCommandName>
+        [formatjson]
+
+gam show chromeprofilecommands <ChromeProfileNameEntity>
+        [formatjson]
+gam print chromeprofilecommands <ChromeProfileNameEntity> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]

 # Chrome Versions Counts

@@ -3116,8 +3195,21 @@ gam delete courses <CourseEntity> [archive|archived]
 gam course <CourseID> create|add alias <CourseAlias>
 gam course <CourseID> delete alias <CourseAlias>

+<CourseAnnouncementContent> ::=
+        ((text <String>)|
+         (textfile <FileName> [charset <Charset>])|
+         (gdoc <UserGoogleDoc>)|
+         (gcsdoc <StorageBucketObjectName>))
+
+gam course <CourseID> create announcement
+        <CourseAnnouncementContent> [scheduledtime <Time>] [state draft|published]
+gam course <CourseID> remove announcement <CourseAnnouncementID>
+gam course <CourseID> update announcement <CourseAnnouncementID>
+        [<CourseAnnouncementContent>] [scheduledtime <Time>] [state published]
+
 gam course <CourseID> create|add topic <CourseTopic>
 gam course <CourseID> delete topic <CourseTopicID>
+gam course <CourseID> update topic <CourseTopicID> <CourseTopic>

 gam course <CourseID> create|add teachers [makefirstteacherowner] <UserItem>
 gam course <CourseID> create|add students <UserItem>
@@ -3129,8 +3221,15 @@ gam course <CourseID> sync students [addonly|removeonly] <UserTypeEntity>
 gam courses <CourseEntity> create|add alias <CourseAliasEntity>
 gam courses <CourseEntity> delete alias <CourseAliasEntity>

+gam courses <CourseEntity> create announcement
+        <CourseAnnouncementContent>> [scheduledtime <Time>] [state draft|published]
+gam courses <CourseEntity> remove announcement <CourseAnnouncementIDEntity>
+gam courses <CourseEntity> update announcement <CourseAnnouncementIDEntity>
+        [<CourseAnnouncementContent>] [scheduledtime <Time>] [state published]
+
 gam courses <CourseEntity> create|add topic <CourseTopicEntity>
 gam courses <CourseEntity> delete topic <CourseTopicIDEntity>
+gam courses <CourseEntity> update topic <CourseTopicIDEntity> <CourseTopic>

 gam courses <CourseEntity> create|add teachers [makefirstteacherowner] <UserTypeEntity>
 gam courses <CourseEntity> create|add students <UserTypeEntity>
@@ -3349,6 +3448,13 @@ gam print guardian|guardians [todrive <ToDriveAttribute>*] [accepted|invitations
        [showstudentemails]
        [formatjson [quotechar <Character>]]

+# Business Profile Accounts
+
+gam show businessprofileaccounts
+        [type locationgroup|organization|personal|usergroup]
+gam print businessprofileaccounts [todrive <ToDriveAttribute>*]
+        [type locationgroup|organization|personal|usergroup]
+
 # Classroom User Profiles

 gam <UserTypeEntity> print classroomprofile [todrive <ToDriveAttribute>*]
@@ -3383,8 +3489,7 @@ gam print|show transferapps

 <DataTransferService> ::=
        calendar|
-        currents|
-        datastudio|lookerstudio|"google data studio"|
+        datastudio|lookerstudio|"looker studio"|
        googledrive|gdrive|drive|"drive and docs"
 <DataTransferServiceList> ::= "<DataTransferService>(,<DataTransferService>)*"

@@ -4121,6 +4226,7 @@ gam print devices [todrive <ToDriveAttribute>*]
        [orderby <DeviceOrderByFieldName> [ascending|descending]]
        [all|company|personal|nocompanydevices|nopersonaldevices]
        [nodeviceusers|oneuserperrow]
+        [clientstates]
        [formatjson [quotechar <Character>]]
        [showitemcountonly]

@@ -4176,19 +4282,19 @@ gam show policies
 <SSOProfileItem> ::= <SSOProfileDisplayName>|<SSOProfileName>
 <SSOProfileItemList> ::= "<SSOProfileItem>(,<SSOProfileItem>)*"

-gam create inboundssoprofile [name <SSOProfileDisplayName>]
+gam create inboundssoprofile [saml|oidc] [name <SSOProfileDisplayName>]
        [entityid <String>] [loginurl <URL>] [logouturl <URL>] [changepasswordurl <URL>]
        [returnnameonly]
-gam update inboundssoprofile <SSOProfileItem>
+gam update inboundssoprofile [saml|oidc] <SSOProfileItem>
        [entityid <String>] [loginurl <URL>] [logouturl <URL>] [changepasswordurl <URL>]
        [returnnameonly]
-gam delete inboundssoprofile <SSOProfileItem>
+gam delete inboundssoprofile [saml|oidc] <SSOProfileItem>

-gam info inboundssoprofile <SSOProfileItem>
+gam info inboundssoprofile [all|saml|oidc] <SSOProfileItem>
        [formatjson]
-gam show inboundssoprofiles
+gam show inboundssoprofiles [all|saml|oidc]
        [formatjson]
-gam print inboundssoprofiles [todrive <ToDriveAttribute>*]
+gam print inboundssoprofiles [all|saml|oidc] [todrive <ToDriveAttribute>*]
        [[formatjson [quotechar <Character>]]

 <SSOCredentialsName> ::= [id:]inboundSamlSsoProfiles/<String>/idpCredentials/<String>
@@ -4212,10 +4318,14 @@ gam print inboundssocredentials [profile|profiles <SSOProfileItemList>]
        orgunits/<String> |
        orgunit:<OrgUnitPath>

-gam create inboundssoassignment (group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)
-        (mode sso_off)|(mode saml_sso profile <SSOProfileItem>)(mode domain_wide_saml_if_enabled) [neverredirect]
-gam update inboundssoassignment [(group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)]
-        [(mode sso_off)|(mode saml_sso profile <SSOProfileItem>)(mode domain_wide_saml_if_enabled)] [neverredirect]
+gam create inboundssoassignment
+        (group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)
+        (mode sso_off)|(mode saml_sso profile <SSOProfileItem>)|(mode oidc_sso profile <SSOProfileName>}|(mode domain_wide_saml_if_enabled)
+        [neverredirect]
+gam update inboundssoassignment <SSOAssignmentName>
+        [(group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)]
+        (mode sso_off)|(mode saml_sso profile <SSOProfileItem>)|(mode oidc_sso profile <SSOProfileName>}|(mode domain_wide_saml_if_enabled)
+        [neverredirect]
 gam delete inboundssoassignment <SSOAssignmentSelector>

 gam info inboundssoassignment <SSOAssignmentSelector>
@@ -4432,19 +4542,19 @@ gam report usage customer [todrive <ToDriveAttribute>*]
        [convertmbtogb]

 <ActivityApplicationName> ::=
-        access|accesstransparency|
+        accesstransparency|access|
        admin|
        calendar|calendars|
        chat|
        chrome|
+        classroom|
        contextawareaccess|
-        currents|gplus|google+|
        datastudio|
-        devices|mobile|
-        domain|
        drive|doc|docs|
-        gcp|
-        gemini|geminiforworkspace|
+        gcp|cloud|
+        geminiinworkspaceapps|gemini|geminiforworkspace|
+        gmail|
+        gplus|currents|google+|
        groups|group|
        groupsenterprise|enterprisegroups|
        jamboard|
@@ -4462,7 +4572,7 @@ gam report <ActivityApplicationName> [todrive <ToDriveAttribute>*]
        [(user all|<UserItem>)|(orgunit|org|ou <OrgUnitPath> [showorgunit])|(select <UserTypeEntity>)]
        [([start <Time>] [end <Time>])|(range <Time> <Time>)|
         yesterday|today|thismonth|(previousmonths <Integer>)]
-        [filtertime.* <Time>] [filter|filters <String>]
+        [filter <String> (filtertime<String> <Time>)*]
        [event|events <EventNameList>] [ip <String>]
        [groupidfilter <String>]
        [maxactivities <Number>] [maxevents <Number>] [maxresults <Number>]
@@ -4509,7 +4619,7 @@ gam report users|user [todrive <ToDriveAttribute>*]
        [(date <Date>)|(range <Date> <Date>)|
          yesterday|today|thismonth|(previousmonths <Integer>)]
        [(nodatechange | limitdatechanges <Integer>) | (fulldatarequired all|<UserServiceNameList>)]
-        [filtertime.* <Time>] [filter|filters <String>]
+        [filter <String> (filtertime<String> <Time>)*]
        [(fields|parameters <String>)|(services <UserServiceNameList>)]
        [aggregatebydate|aggregatebyuser [Boolean]]
        [maxresults <Number>]
@@ -4535,7 +4645,7 @@ gam update resoldcustomer <CustomerID> <ResoldCustomerAttribues>+
 gam info resoldcustomer <CustomerID> [formatjson]

 gam create|add resoldsubscription <CustomerID> (sku <SKUID>)
-        (plan annual_monthly_pay|annual_yearly_pay|flexible|trial) (seats <Number>)
+        (plan annual_monthly_pay|annual_yearly_pay|flexible|trial|free) (seats <Number>)
        [customer_auth_token <String>] [deal <String>] [purchaseorderid <String>]
 gam update resoldsubscription <CustomerID> <SKUID>
        activate|suspend|startpaidservice|
@@ -4628,10 +4738,10 @@ gam delete building <BuildingID>
 gam info building <BuildingID>
        [formatjson]
 gam show buildings
-        [allfields|<BuildingFildName>*|(fields <BuildingFieldNameList>)]
+        [allfields|<BuildingFieldName>*|(fields <BuildingFieldNameList>)]
        [formatjson]
 gam print buildings [todrive <ToDriveAttribute>*]
-        [allfields|<BuildingFildName>*|(fields <BuildingFieldNameList>)]
+        [allfields|<BuildingFieldName>*|(fields <BuildingFieldNameList>)]
        [delimiter <Character>] [formatjson [quotechar <Character>]]

 gam create|add feature name <Name>
@@ -4774,6 +4884,8 @@ gam <UserTypeEntity> sendemail from <EmailAddress>
        allowcontentmanagerstosharefolders|
        copyrequireswriterpermission|
        domainusersonly|
+        downloadrestrictedforreaders|downloadrestrictions.restrictedforreaders|
+        downloadrestrictedforwriters|downloadrestrictions.restrictedforwriters|
        drivemembersonly|teammembersonly|
        sharingfoldersrequiresorganizerpermission

@@ -4790,7 +4902,7 @@ In these commands, the Google administrator named in oauth2.txt is used.
 gam show shareddrivethemes
 gam create shareddrive <Name>
        [(theme|themeid <String>) | ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
-        (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
+        ([restrictions.]<SharedDriveRestrictionsSubfieldName> <Boolean>)*
        [hide|hidden <Boolean>] [ou|org|orgunit <OrgUnitItem>]
        [errorretries <Integer>] [updateinitialdelay <Integer>] [updateretrydelay <Integer>]
        [movetoorgunitdelay <Integer>]
@@ -4813,11 +4925,13 @@ gam print shareddrives [todrive <ToDriveAttribute>*]
        [teamdriveadminquery|query <QueryTeamDrive>]
        [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
        [fields <SharedDriveFieldNameList>] [noorgunits [<Boolean>]]
+        [showwebviewlink text|hyperlink]
        [formatjson [quotechar <Character>]]
 gam show shareddrives
        [teamdriveadminquery|query <QueryTeamDrive>]
        [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
        [fields <SharedDriveFieldNameList>] [noorgunits [<Boolean>]]
+        [showwebviewlink text|hyperlink]
        [formatjson] [noorgunits [<Boolean>]]

 gam print shareddriveorganizers [todrive <ToDriveAttribute>*]
@@ -4842,7 +4956,7 @@ In these commands, you specify an administrator and then indicate that you want

 gam <UserTypeEntity> create shareddrive <Name> adminaccess
        [(theme|themeid <String>) | ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
-        (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
+        ([restrictions.]<SharedDriveRestrictionsSubfieldName> <Boolean>)*
        [hide|hidden <Boolean>] [ou|org|orgunit <OrgUnitItem>]
        [errorretries <Integer>] [updateinitialdelay <Integer>] [updateretrydelay <Integer>]
        [movetoorgunitdelay <Integer>]
@@ -4876,7 +4990,7 @@ In these commands, you specify a user, administrator access is not used.

 gam <UserTypeEntity> create shareddrive <Name>
        [(theme|themeid <String>) | ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
-        (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
+        ([restrictions.]<SharedDriveRestrictionsSubfieldName> <Boolean>)*
        [hide|hidden <Boolean>] [ou|org|orgunit <OrgUnitItem>]
        [errorretries <Integer>] [updateinitialdelay <Integer>] [updateretrydelay <Integer>]
        [movetoorgunitdelay <Integer>]
@@ -4898,12 +5012,14 @@ gam <UserTypeEntity> print shareddrives [todrive <ToDriveAttribute>*]
        [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
        (role|roles <SharedDriveACLRoleList>)*
        [fields <SharedDriveFieldNameList>]
+        [showwebviewlink text|hyperlink]
        [guiroles [<Boolean>]] [formatjson [quotechar <Character>]]
 gam <UserTypeEntity> show shareddrives
        [teamdriveadminquery|query <QueryTeamDrive>]
        [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
        (role|roles <SharedDriveACLRoleList>)*
        [fields <SharedDriveFieldNameList>]
+        [showwebviewlink text|hyperlink]
        [guiroles [<Boolean>]] [formatjson]

 <PermissionMatch> ::=
@@ -5031,18 +5147,18 @@ gam <UserTypeEntity> delete permissions <SharedDriveEntityAdmin> <DriveFilePermi

 In these commands, the Google administrator named in oauth2.txt is used.

-gam copy teamdriveacls <SharedDriveEntity> to <SharedDriveEntity>
+gam copy shareddriveacls <SharedDriveEntity> to <SharedDriveEntity>
        [adminaccess|asadmin]
        [showpermissionsmessages [<Boolean>]]
        [excludepermissionsfromdomains|includepermissionsfromdomains <DomainNameList>]
        (mappermissionsdomain <DomainName> <DomainName>)*
-gam sync teamdriveacls <SharedDriveEntity> with <SharedDriveEntity>
+gam sync shareddriveacls <SharedDriveEntity> with <SharedDriveEntity>
        [adminaccess|asadmin]
        [showpermissionsmessages [<Boolean>]]
        [excludepermissionsfromdomains|includepermissionsfromdomains <DomainNameList>]
        (mappermissionsdomain <DomainName> <DomainName>)*

-gam print teamdriveacls [todrive <ToDriveAttribute>*]
+gam print shareddriveacls [todrive <ToDriveAttribute>*]
        [teamdriveadminquery|query <QueryTeamDrive>]
        [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
        [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
@@ -5050,7 +5166,7 @@ gam print teamdriveacls [todrive <ToDriveAttribute>*]
        [oneitemperrow] [<DrivePermissionsFieldName>*|(fields <DrivePermissionsFieldNameList>)]
        (addcsvdata <FieldName> <String>)*
        [formatjson [quotechar <Character>]]
-gam show teamdriveacls
+gam show shareddriveacls
        [teamdriveadminquery|query <QueryTeamDrive>]
        [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
        [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
@@ -5060,18 +5176,18 @@ gam show teamdriveacls

 In these commands, you specify an administrator and then indicate that you want domain administrator access with the adminaccess option.

-gam <UserTypeEntity> copy teamdriveacls <SharedDriveEntity> to <SharedDriveEntity>
+gam <UserTypeEntity> copy shareddriveacls <SharedDriveEntity> to <SharedDriveEntity>
        [adminaccess|asadmin]
        [showpermissionsmessages [<Boolean>]]
        [excludepermissionsfromdomains|includepermissionsfromdomains <DomainNameList>]
        (mappermissionsdomain <DomainName> <DomainName>)*
-gam <UserTypeEntity> sync teamdriveacls <SharedDriveEntity> with <SharedDriveEntity>
+gam <UserTypeEntity> sync shareddriveacls <SharedDriveEntity> with <SharedDriveEntity>
        [adminaccess|asadmin]
        [showpermissionsmessages [<Boolean>]]
        [excludepermissionsfromdomains|includepermissionsfromdomains <DomainNameList>]
        (mappermissionsdomain <DomainName> <DomainName>)*

-gam <UserTypeEntity> print teamdriveacls [todrive <ToDriveAttribute>*]
+gam <UserTypeEntity> print shareddriveacls [todrive <ToDriveAttribute>*]
        [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
        [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
        [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
@@ -5080,7 +5196,7 @@ gam <UserTypeEntity> print teamdriveacls [todrive <ToDriveAttribute>*]
        [shownopermissionsdrives false|true|only]
        (addcsvdata <FieldName> <String>)*
        [formatjson [quotechar <Character>]]
-gam <UserTypeEntity> show teamdriveacls
+gam <UserTypeEntity> show shareddriveacls
        [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
        [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
        [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
@@ -5606,6 +5722,7 @@ gam update user <UserItem> [ignorenullpassword] <UserAttribute>*
        [logpassword <FileName>]
 gam delete user <UserItem> [noactionifalias]
 gam undelete user <UserItem> [ou|org|orgunit <OrgUnitPath>]
+gam check suspended <UserItem>
 gam suspend user <UserItem> [noactionifalias]
 gam unsuspend user <UserItem> [noactionifalias]
 gam info user [<UserItem>]
@@ -6436,6 +6553,22 @@ gam <UserTypeEntity> print chatevents [todrive <ToDriveAttribute>*]
        filter <String>
        [formatjson [quotechar <Character>]]

+<ChatEmojiName> ::= :[0-9a-z_-]+:
+<ChatEmoji> ::= emojiname <ChatEmojiName> | customemojis/<String>
+
+gam <UserTypeEntity> create chatemoji <ChatEmojiName>
+         ([drivedir|(sourcefolder <FilePath>)] [filename <FileNamePattern>])
+        [formatjson]
+gam <UserTypeEntity> delete chatemoji <ChatEmoji>
+gam <UserTypeEntity> info chatemoji <ChatEmoji>
+        [formatjson]
+gam <UserTypeEntity> show chatemojis
+        [showcreatedby any|me|others]
+        [formatjson]
+gam <UserTypeEntity> print chatemojis [todrive <ToDriveAttribute>*]
+        [showcreatedby any|me|others]
+        [formatjson [quotechar <Character>]]
+
 # Users - Drive

 <DriveFileOrderByFieldName> ::=
@@ -6488,6 +6621,7 @@ gam <UserTypeEntity> print chatevents [todrive <ToDriveAttribute>*]
        (folderColorRgb <ColorValue>)|
        (indexabletext <String>)|
        (inheritedpermissionsdisabled [<Boolean>])|
+        (itemdownloadrestriction restrictedforreaders|restrictedforwriters [<Boolean>])|
        (keeprevisionforever|pinned)|
        (lastviewedbyme <Time>)|
        (mimetype <MimeType>)|
@@ -6906,6 +7040,7 @@ gam <UserTypeEntity> collect orphans
        capabilities.canchangecopyrequireswriterpermission|
        capabilities.canchangecopyrequireswriterpermissionrestriction|
        capabilities.canchangedomainusersonlyrestriction|
+        capabilities.canchangedownloadrestriction|
        capabilities.canchangedrivebackground|
        capabilities.canchangedrivemembersonlyrestriction|
        capabilities.canchangesecurityupdateenabled|
@@ -6961,6 +7096,10 @@ gam <UserTypeEntity> collect orphans
        contentrestrictions.restrictiontime|
        contentrestrictions.type

+<DriveDownloadRestrictionsSubfieldName> ::=
+  downloadrestrictions.itemdownloadrestriction|
+  downloadrestrictions.effectivedownloadrestrictionwithcontext
+
 <ClassificationLabelInfoSubfieldName> ::=
        labels.id|              # modifiedByMe
        labels.revisionid|      # copyRequiresWriterPermission
@@ -7054,6 +7193,8 @@ gam <UserTypeEntity> collect orphans
        copyrequireswriterpermission|
        createddate|createdtime|
        description|
+        downloadrestictions|
+        <DriveDownloadRestrictionsSubfieldName>|
        driveid|
        drivename|
        editable|
@@ -7204,7 +7345,8 @@ gam <UserTypeEntity> show filesharecounts
        owners|
        parents|
        size|
-        trashed
+        trashed|
+        webviewlink
 <FileTreeFieldNameList> ::= "<FileTreeFieldName>(,<FileTreeFieldName>)*"

 gam <UserTypeEntity> print filetree [todrive <ToDriveAttribute>*]
@@ -7397,10 +7539,12 @@ gam <UserTypeEntity> print filters [labelidsonly] [todrive <ToDriveAttribute>*]

 gam <UserTypeEntity> create form
        title <String> [description <String>] [isquiz [<Boolean>]] [<JSONData>]
+        [ispublished [<Boolean>] isacceptingresponses [<Boolean>]]
        [drivefilename <DriveFileName>] [<DriveFileParentAttribute>]
        [(csv [todrive <ToDriveAttribute>*]) | returnidonly]
 gam <UserTypeEntity> update form <DriveFileEntity>
        [title <String>] [description <String>] [isquiz [<Boolean>]] [<JSONData>]
+        [ispublished [<Boolean>] isacceptingresponses [<Boolean>]]

 gam <UserTypeEntity> print forms <DriveFileEntity> [todrive <ToDriveAttribute>*]
        (addcsvdata <FieldName> <String>)*
@@ -7410,10 +7554,10 @@ gam <UserTypeEntity> show forms <DriveFileEntity>

 gam <UserTypeEntity> print formresponses <DriveFileEntity> [todrive <ToDriveAttribute>*]
        (addcsvdata <FieldName> <String>)*
-        [filtertime.* <Time>] [filter <String>]
+        [filter <String> (filtertime<String> <Time>)*]
        [countsonly|(formatjson [quotechar <Character>])]
 gam <UserTypeEntity> show formresponses <DriveFileEntity>
-        [filtertime.* <Time>] [filter <String>]
+        [filter <String> (filtertime<String> <Time>)*]
        [countsonly|formatjson]

 # Users - Gmail - Forwarding
@@ -7592,48 +7736,61 @@ gam <UserTypeEntity> insert message

 gam <UserTypeEntity> archive messages <GroupItem>
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
         [quick|notquick] [doit] [max_to_archive <Number>])|(ids <MessageIDEntity>)
        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> delete messages|threads
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
         [quick|notquick] [doit] [max_to_delete <Number>])|(ids <MessageIDEntity>)
        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> modify messages|threads
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
         [quick|notquick] [doit] [max_to_modify <Number>])|(ids <MessageIDEntity>)
        ((addlabel <LabelName>)|(removelabel <LabelName>))+
        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> spam messages|threads
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
         [quick|notquick] [doit] [max_to_spam <Number>])|(ids <MessageIDEntity>)
        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> trash messages|threads
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
         [quick|notquick] [doit] [max_to_trash <Number>])|(ids <MessageIDEntity>)
        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> untrash messages|threads
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
         [quick|notquick] [doit] [max_to_untrash <Number>])|(ids <MessageIDEntity>)
        [csv [todrive <ToDriveAttribute>*]]

 gam <UserTypeEntity> export message|messages
-        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_export <Number>])|(ids <MessageIDEntity>)
+        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
+         [quick|notquick] [doit] [max_to_export <Number>])|(ids <MessageIDEntity>)
        [targetfolder <FilePath>] [targetname <FileName>] [overwrite [<Boolean>]]
 gam <UserTypeEntity> export thread|threads
-        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_export <Number>])|(ids <ThreadIDEntity>)
+        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
+         [quick|notquick] [doit] [max_to_export <Number>])|(ids <ThreadIDEntity>)
        [targetfolder <FilePath>] [targetname <FileName>] [overwrite [<Boolean>]]

 gam <UserTypeEntity> forward message|messages recipient|to <RecipientEntity>
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
         [quick|notquick] [doit] [max_to_forward <Number>])|(ids <MessageIDEntity>)
        [subject <String>] [addorigfieldstosubject [<Boolean>]] [altcharset <String>]
 gam <UserTypeEntity> forward thread|thtreads recipient|to <RecipientEntity>
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
         quick|notquick] [doit] [max_to_forward <Number>])|(ids <ThreadIDEntity>)
        [subject <String>] [addorigfieldstosubject [<Boolean>]] [altcharset <String>]

 gam <UserTypeEntity> show messages|threads
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])*
+         [labelids <LabelIDList>]
         [quick|notquick] [max_to_show <Number>] [includespamtrash])|(ids <MessageIDEntity>)
        [labelmatchpattern <REMatchPattern>] [sendermatchpattern <REMatchPattern>]
        [countsonly|positivecountsonly] [useronly]
@@ -7646,6 +7803,7 @@ gam <UserTypeEntity> show messages|threads
            [uploadattachments [<DriveFileParentAttribute>]]]
 gam <UserTypeEntity> print messages|threads [todrive <ToDriveAttribute>*]
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])*
+         [labelids <LabelIDList>]
         [quick|notquick] [max_to_print <Number>] [includespamtrash])|(ids <MessageIDEntity>)
        [labelmatchpattern <REMatchPattern>] [sendermatchpattern <REMatchPattern>]
        [countsonly|positivecountsonly] [useronly]
@@ -8233,6 +8391,59 @@ gam <UserTypeEntity> profile share|shared|unshare|unshared

 gam <UserTypeEntity> show profile

+# Users - Tag Manager
+
+<TagManagerAccountID> ::= <String>
+<TagManagerAccountPath> ::= accounts/<TagManagerAccountID>
+<TagManagerAccountPathList> ::= "<TagManagerAccountPath>(,<TagManagerAccountPath>)*"
+<TagManagerAccountPathEntity> ::=
+        <TagManagerAccountPathList> |
+        (select <FileSelector>|<CSVFileSelector>) |
+
+<TagManagerContainerID> ::= <String>
+<TagManagerContainerPath> ::= accounts/<TagManagerAccountID>/containers/<TagManagerContainerID>
+<TagManagerContainerPathList> ::= "<TagManagerContainerPath>(,<TagManagerContainerPath>)*"
+<TagManagerContainerPathEntity> ::=
+        <TagManagerContainerPathList> |
+        (select <FileSelector>|<CSVFileSelector>) |
+
+<TagManagerWorkspaceID> ::= <String>
+<TagManagerWorkspacePath> ::= accounts/<TagManagerAccountID>/containers/<TagManagerContainerID>/workspaces/<TagManagerWorkspaceID>
+<TagManagerWorkspacePathList> ::= "<TagManagerWorkspacePath>(,<TagManagerWorkspacePath>)*"
+<TagManagerWorkspacePathEntity> ::=
+        <TagManagerWorkspacePathList> |
+        (select <FileSelector>|<CSVFileSelector>) |
+
+<TagManagerTagID> ::= <String>
+<TagManagerTagPath> ::= accounts/<TagManagerAccountID>/containers/<TagManagerContainerID>/workspaces/<TagManagerWorkspaceID>/tags/<TagManagerTagID>
+
+gam <UserTypeEntity> show tagmanageraccounts
+        [includegoogletags [<Boolean>]]
+        [formatjson]
+gam <UserTypeEntity> print tagmanagerccounts [todrive <ToDriveAttribute>*]
+        [includegoogletags [<Boolean>]]
+        [formatjson [quotechar <Character>]]
+
+gam <UserTypeEntity> show tagmanagercontainers <TagManagerAccountPathEntity>
+        [formatjson]
+gam <UserTypeEntity> print tagmanagercontainers <TagManagerAccountPathEntity> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+
+gam <UserTypeEntity> show tagmanagerworkspaces <TagManagerContainerPathEntity>
+        [formatjson]
+gam <UserTypeEntity> print tagmanagerworkspaces <TagManagerContainerPathEntity> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+
+gam <UserTypeEntity> show tagmanagertags <TagManagerWorkspacePathEntity>
+        [formatjson]
+gam <UserTypeEntity> print tagmanagertags <TagManagerWorkspacePathEntity> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+
+gam <UserTypeEntity> show tagmanagerpermissions <TagManagerAccountPathEntity>
+        [formatjson]
+gam <UserTypeEntity> print tagmanagerpermissions <TagManagerAccountPathEntity> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+
 # Users - Tasks

 <TaskAttribute> ::=
@@ -8295,6 +8506,8 @@ gam <UserTypeEntity> print tasklists [todrive <ToDriveAttribute>*]
        allowcontentmanagerstosharefolders|
        copyrequireswriterpermission|
        domainusersonly|
+        downloadrestrictedforreaders|downloadrestrictions.restrictedforreaders|
+        downloadrestrictedforwriters|downloadrestrictions.restrictedforwriters|
        drivemembersonly|teammembersonly|
        sharingfoldersrequiresorganizerpermission

@@ -8309,13 +8522,13 @@ sharingfoldersrequiresorganizerpermission true
 gam <UserTypeEntity> show shareddrivethemes
 gam <UserTypeEntity> create shareddrive <Name>
        [(theme|themeid <String>) | ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
-        (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
+        ([restrictions.]<SharedDriveRestrictionsSubfieldName> <Boolean>)*
        [hide|hidden <Boolean>]
        [errorretries <Integer>] [updateinitialdelay <Integer>] [updateretrydelay <Integer>]
        [(csv [todrive <ToDriveAttribute>*] (addcsvdata <FieldName> <String>)*) | returnidonly]
 gam <UserTypeEntity> update shareddrive <SharedDriveEntity> [name <Name>]
        [(theme|themeid <String>) | ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
-        (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
+        ([restrictions.]<SharedDriveRestrictionsSubfieldName> <Boolean>)*
        [hide|hidden <Boolean>]
 gam <UserTypeEntity> delete shareddrive <SharedDriveEntity>
        [allowitemdeletion]
@@ -8514,3 +8727,11 @@ gam <UserTypeEntity> print youtubechannels [todrive <ToDriveAttribute>*]
 gam create|add verify|verification <DomainName>
 gam update verify|verification <DomainName> cname|txt|text|site|file
 gam info verify|verification
+
+# Web Resourses and Sites
+
+gam <UserTypeEntity> show webresources
+gam <UserTypeEntity> print webresources [todrive <ToDriveAttribute>*]
+gam <UserTypeEntity> show webmastersites
+gam <UserTypeEntity> print webmastersites [todrive <ToDriveAttribute>*]
+```
--- a/src/GamUpdate.txt
+++ b/src/GamUpdate.txt
@@ -1,3 +1,386 @@
+7.19.02
+
+Update `gam info user <UserItem>` to eliminate 5 second delay when getting license info.
+
+Additional information:
+* See: https://github.com/GAM-team/GAM/wiki/Licenses#info-user-performance
+
+7.19.01
+
+Updated `gam <UserTypeEntity> print|show signature` to handle the following error
+that occurs when an alias is specified.
+```
+ERROR: 404: notFound - Requested entity was not found.
+```
+
+7.19.00
+
+Eliminated `drive_v3_beta` and `meet_v2_beta` from `gam.cfg` as the API betas are no longer used.
+
+Updated `Meet API` scopes so that GAM can read metadata about additional Meet spaces.
+```
+[*] 34)  Meet API - Manage/Display Meeting Spaces
+[*] 35)  Meet API - Read Meeting Spaces metadata
+```
+
+7.18.07
+
+Updated `gam <UserTypeEntity> print drivelastmodification` to put `addcsvdata` columns
+after `User,id,name` rather than after the last column.
+
+7.18.06
+
+Updated `gam <UserTypeEntity> delete|modify messages` to improve the handling
+of the following error.
+```
+quotaExceeded - User-rate limit exceeded
+```
+
+7.18.05
+
+Added support for Inbound SSO OIDC profiles.
+
+Currently, if you enter `gam select <SectionName>` and nothing else on the command line,
+GAM performs no action. Now, it will be treated as if you entered:
+`gam select <SectionName> save`
+
+Updated to Python 3.13.7.
+
+7.18.04
+
+Added commands to display/manage Alert Center Pub/Sub notifications.
+* See: https://github.com/GAM-team/GAM/wiki/Alert-Center#configuring-settings
+
+7.18.03
+
+Updated `gam oauth create` to give a warning if the number of selected scopes will
+probably cause Google to generate a "Something went wrong" error.
+
+7.18.02
+
+Upgraded to OpenSSL 3.5.2.
+
+7.18.01
+
+Added option `nosystemroles` to `gam print|show adminroles` that causes GAM
+to only display non-system roles.
+
+Added option `formatjson` to `gam info|print|show adminroles`; this will be most useful
+when the `privileges` option is used.
+
+Updated `gam create|update adminrole` to allow specification of privileges with
+JSON data: `privileges <JSONData>`. These two updates make it easier to copy admin roles.
+
+Updated `gam create|update adminrole` to allow output of the created/updated
+role data in CSV format; by default, GAM displays `<RoleName>(<RoleID>) created|updated`.
+```
+csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*
+```
+
+7.18.00
+
+Added commands to display Business Profile Accounts.
+These are special purpose commands and will not generally be used.
+```
+gam show businessprofileaccounts
+gam print businessprofileaccounts [todrive <ToDriveAttribute>*]
+```
+
+7.17.03
+
+Fixed bug in `gam <UserItem> print|show chatspaces asadmin fields <ChatSpaceFieldNameList>` that caused a trap
+when `displayname` was not in `<ChatSpaceFieldNameList>`.
+
+7.17.02
+
+Updated `gam <UserTypeEntity> print|show webmastersites` to handle the following error
+that occurs if you haven't updated your project to include the Google Search Console API.
+```
+ERROR: 403: permissionDenied - Google Search Console API has not been used in project 111055363999 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/searchconsole.googleapis.com/overview?project=111055363999 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
+```
+
+7.17.01
+
+Fixed bug in `gam <UserTypeEntity> show webmastersites` that caused a trap.
+
+7.17.00
+
+Added commands to discover Sites and WebResources that managed users (previously unmanaged) may have access to for better governance and visibility.
+These are special purpose commands and will not generally be used.
+```
+gam <UserTypeEntity> show webresources
+gam <UserTypeEntity> print webresources [todrive <ToDriveAttribute>*]
+gam <UserTypeEntity> show webmastersites
+gam <UserTypeEntity> print webmastersites [todrive <ToDriveAttribute>*]
+```
+
+7.16.01
+
+The Drive API now supports setting download restrictions on individual files.
+
+Added `downloadrestictions` and `<DriveDownloadRestrictionsSubfieldName>` to `<DriveFieldName>`.
+```
+<DriveDownloadRestrictionsSubfieldName> ::=
+  downloadrestrictions.itemdownloadrestriction|
+  downloadrestrictions.effectivedownloadrestrictionwithcontext
+```
+
+Added `itemdownloadrestriction restrictedforreaders|restrictedforwriters [<Boolean>]`
+to `<DriveFileAttribute>`.
+
+From the Drive API documentation:
+```
+itemDownloadRestriction - The download restriction of the file applied directly by the owner or organizer. This does not take into account shared drive settings or DLP rules.
+effectiveDownloadRestrictionWithContext - Output only. The effective download restriction applied to this file. This considers all restriction settings and DLP rules.
+restrictedForReaders - Whether download and copy is restricted for readers.
+restrictedForWriters - Whether download and copy is restricted for writers. If true, download is also restricted for readers.
+```
+
+7.16.00
+
+Removed `drive_v3_native_names` from `gam.cfg`; GAM now only uses Drive API v3 fields names on output.
+If you had `drive_v3_native_names = False` in `gam.cfg` or are updating from Legacy GAM:
+
+* See: https://github.com/GAM-team/GAM/wiki/Drive-REST-API-v3
+
+7.15.01
+
+Added `downloadrestrictions.restrictedforreaders` and `downloadrestrictions.restrictedforwriters`
+to `<SharedDriveRestrictionsSubfieldName>`; previously, only the abbreviations `downloadrestrictedforreaders`
+and `downloadrestrictedforwriters` were supported (they are still supported).
+
+Updated `gam <UserTypeEntity> copy drivefile` to handle unexpected data returned by Google that caused a trap.
+
+7.15.00
+
+Updated  `gam print shareddriveorganizers` to make `shownoorganizerdrives` default to `True`
+as documented; it was defaulting to `False`.
+
+Cleaned up code for processing Python dictionary structures; this should have no noticable effect.
+
+7.14.04
+
+Fixed bug in `gam print|show cigroups cimember <UserItem>` that generated the following error:
+```
+ERROR: Cloud Identity Group: groups/-, Print Failed: Error(4013): Insufficient permissions to retrieve memberships.
+```
+
+Updated `gam <UserTypeEntity> update user suspended off` and `gam <UserTypeEntity> unsuspend users`
+to handle the following error that occurs when trying to unsuspend a user that has been suspended for abuse.
+```
+ERROR: 412: adminCannotUnsuspend - Cannot restore a user suspended for abuse.
+```
+
+* See: https://support.google.com/a/answer/1110339
+
+7.14.03
+
+Fixed bug in `gam print cigroup-members includederivedmembership` that caused a trap.
+
+7.14.02
+
+Fixed bug in `gam print|show cigroups|cigroups-members cimember <UserItem>` that generated the following error:
+```
+Cloud Identity Group Print Failed: Request contains an invalid argument.
+```
+
+7.14.01
+
+Don't install yubikey library via pip by default. To install with yubikey support use pip install gam7[yubikey]
+
+7.14.00
+
+Added commands to display Google Tag Manager accounts, containers, workspaces, tags and user permissions.
+
+* See: https://github.com/GAM-team/GAM/wiki/Users-Tag-Manager
+
+7.13.03
+
+Added option `csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]]`
+to `gam create chromeprofilecommand` so that command details are displayed in CSV format.
+
+Added option `commands <ChromeProfileCommandNameList>|<FileSelector>|<CSVFileSelector>` to `<ChromeProfileNameEntity>`
+so that `gam print|show chromeprofilecommands` can directly display the commands generated by
+`gam create chromeprofilecommand` with the `csv` option.
+
+7.13.02
+
+Fixed bug in `gam create chromeprofilecommand` where `select|filter` were not recognized.
+
+Updated `gam create datatransfer <OldOwnerID> datastudio <NewOwnerID>` that generated the following
+error due to an unhandled API change.
+```
+ERROR: Invalid choice (google data studio): Expected <calendar|looker studio|drive and docs>
+```
+
+7.13.01
+
+Enhanced `gam create|print|show chromeprofilecommand` to allow specification
+of multiple Chrome browser profiles rather than just one.
+```
+<ChromeProfilePermanentID> ::= <String>
+<ChromeProfileName> ::= customers/<CustomerID>/profiles/<ChromeProfilePermanentID> | <ChromeProfilePermanentID>
+<ChromeProfileNameList> ::= "<ChromeProfileName>(,<ChromeProfileName>)*"
+<ChromeProfileNameEntity> ::=
+        <ChromeProfileNameList> |
+        (select <FileSelector>|<CSVFileSelector>) |
+        (filter <String> (filtertime<String> <Time>)* [orderby <ChromeProfileOrderByFieldName> [ascending|descending]])
+
+gam create|print_show chromeprofilecommand <ChromeProfileNameEntity>
+```
+
+7.13.00
+
+Added commands that send remote commands to Chrome browser profiles and display the results;
+at the moment, these commands can clear the browser cache and cookies.
+
+* See: https://github.com/GAM-team/GAM/wiki/Chrome-Profile-Management#create-a-chrome-profile-command
+
+7.12.02
+
+Updated `gam print users` to handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable
+```
+
+7.12.01
+
+Added support for `plan free` in `gam create resoldsubscription`.
+
+* The free plan is exclusive to the Cloud Identity SKU and does not incur any billing.
+
+7.12.00
+
+Started updated handling of missing scopes messages in client access commands;
+this is a work in progress.
+
+Updated `gam info|show shareddrive` to handle changes in the Drive API that caused traps.
+
+Added `downloadrestrictedforreaders` and `downloadrestrictedforwriters` to
+`<SharedDriveRestrictionsSubfieldName>` to support new Shared Drive restrictions.
+
+Updated `gam course <CourseID> create|update announcement` to accept input from
+a literal string, a file or a Google Doc.
+```
+<CourseAnnouncementContent> ::=
+        ((text <String>)|
+         (textfile <FileName> [charset <Charset>])|
+         (gdoc <UserGoogleDoc>)|
+         (gcsdoc <StorageBucketObjectName>))
+```
+
+Added command `gam check suspended <UserItem>` that checks the suspension status of a user
+and sets the return code to 0 if the user is not suspended or 26 if it is.
+```
+$ gam check suspended testok@domain.com
+User: testok@domain.com, Account Suspended: False
+$ echo $?
+0
+
+$ gam check suspended testsusp@domain.com
+User: testsusp@domain.com, Account Suspended: True, Suspension Reason: ADMIN
+$ echo $?
+26
+```
+
+Updated `gam <UserTypeEntity> sendemail` to verify that one of `recipient|to|from`
+immediately follows `sendemail`.
+
+7.11.00
+
+Added commands to manage classroom/course announcements.
+
+* See: https://github.com/GAM-team/GAM/wiki/Classroom-Courses#manage-course-announcements
+
+Upgraded to OpenSSL 3.5.1.
+
+7.10.10
+
+Added choices `text` and `hyperlink` to option `showwebviewlink` in `gam [<UserTypeEntity>] print|show shareddrives`.
+* `showwebviewlink text` - Displays `https://drive.google.com/drive/folders/<SharedDriveID>`
+* `showwebviewlink hyperlink` - Displays `=HYPERLINK("https://drive.google.com/drive/folders/<SharedDriveID>", "<SharedDriveName>")`
+
+7.10.09
+
+Added option `showwebviewlink` to `gam [<UserTypeEntity>] print|show shareddrives` that
+displays the web view link for the Shared Drive: `https://drive.google.com/drive/folders/<SharedDriveID>`.
+
+7.10.08
+
+Fixed bug in commands that modify messages where the `labelids <LabelIdList>` option
+could not be used unless one of these options was also specified: `query`, `matchlabel`, `ids`;
+it can be now be used by itself.
+
+7.10.07
+
+Updated `gam <UserTypeEntity> copy|move drivefile` to hanndle additional instances of
+the `cannotModifyInheritedPermission` error.
+
+Added license SKU `Google AI Ultra for Business`
+* ProductID - 101047
+* SKUID - 1010470008 | geminiultra
+
+7.10.06
+
+Added option `clientstates` to `gam print devices` to include client states in device output.
+
+7.10.05
+
+Google renamed an error: `cannotModifyInheritedTeamDrivePermission` became `cannotModifyInheritedPermission`.
+GAM will now handle the new error.
+
+7.10.04
+
+Updated `gam report <ActivityApplicationName>` to accept accept application names as defined
+in the Reports API discovery document; this means that GAM does not have to be updated when
+Google defines a new application name.
+
+`gemini_in_workspace_apps` is now available in `gam report`.
+
+7.10.03
+
+Fixed bug in commands that modify messages where the `labelids <LabelIdList>` option
+was not being applied.
+
+7.10.02
+
+Added option `labelids <LabelIdList>` to all commands that process messages;
+this option causes GAM to only return messages with labels that match all of the specified label IDs.
+
+Updated `gam <UserTypeEntity> print|show forms` to always display `isPublished` and
+`isAcceptingResponses` in `publishSettings/publishState` regardless of their value;
+the API doesn't return these values when they are False.
+
+7.10.01
+
+Added options `ispublished [<Boolean>]` and `isacceptingresponses [<Boolean>]` to
+`gam <UserTypeEntity> create|update form`.
+
+7.10.00
+
+Added commands to manage/display Chat Custom Emojis.
+
+* See: https://github.com/GAM-team/GAM/wiki/Users-Chat#manage-chat-emojis
+* See: https://github.com/GAM-team/GAM/wiki/Users-Chat#display-chat-emojis
+
+Updated `gam <UserItem> print|show chatspaces|chatmembers asadmin` to display
+the spaces in ascending display name order.
+
+7.09.07
+
+Added `webviewlink` to `<FileTreeFieldName>` for use in `gam <UserTypeEntity> print|show filetree`.
+
+7.09.06
+
+Upddated `gam print|show shareddrives`, `gam print|show shareddriveacls`, `gam print shareddriveorganizers`
+to display the Shared Drives in ascending name order; the API returns them in an unidentifiable order.
+
+7.09.05
+
+Improved output of `gam info|show chromeschemas [std]` to more accurately display the schemas.
+
+Fixed bugs in `gam update chromepolicy` that caused invalid error messaages.
+
 7.09.04

 Fixed bug in `gam whatis <EmailItem>` where the check for an invitable user always failed.
@@ -12655,7 +13038,7 @@ gam <UserTypeEntity> update teamdrive <TeamDriveEntity> [adminaccess|asadmin] [n
 Updated gam report users to support new orgUnitID argument in Reports API.

 gam report users|user [todrive <ToDriveAttribute>*] [date <Date>] [nodatechange | (fulldatarequired all|<ReportsAppList>)]
-        [(user all|<UserItem>)|(orgunit|org|ou <OrgUnitPath>)|(select <UserTypeEntity>)] (filtertime.* <Time>)* [filter|filters <String>] [fields|parameters <String>]
+        [(user all|<UserItem>)|(orgunit|org|ou <OrgUnitPath>)|(select <UserTypeEntity>)] (filtertime<String> <Time>)* [filter|filters <String>] [fields|parameters <String>]
        [maxactivities <Number>] [maxresults <Number>]

 Select the users for whom information is desired.
@@ -13246,15 +13629,15 @@ gam print cros query "sync:#querytime1#.." querytime1 -30d
 For example, to print information about CrOS devices synced between 45 days ago and 30 days ago:
 gam print cros query "sync:#querytime1#..#querytime2#" querytime1 -45d querytime2 -30d

-Added filtertime.* <Time> option to gam report to allow times, usually relative, to be substituted into the filter <String> option.
-The filtertime.* value replaces the string #filtertime.*# in the filter <String>.
+Added filtertime<String> <Time> option to gam report to allow times, usually relative, to be substituted into the filter <String> option.
+The filtertime<String> value replaces the string #filtertime<String># in the filter <String>.
 The characters following filtertime can be any combination of lowercase letters and numbers.
    gam report users|user [todrive <ToDriveAttribute>*] [date <Date>] [nodatechange | (fulldatarequired all|<ReportsAppList>)]
-        [(user all|<UserItem>)|(select <UserTypeEntity>)] (filtertime.* <Time>)* [filter|filters <String>] [fields|parameters <String>]
+        [(user all|<UserItem>)|(select <UserTypeEntity>)] (filtertime<String> <Time>)* [filter|filters <String>] [fields|parameters <String>]
        [maxactivities <Number>] [maxresults <Number>]
    gam report admin|calendar|calendars|drive|docs|doc|gplus|groups|group|logins|login|mobile|rules|tokens|token [todrive <ToDriveAttribute>*] [maxresults <Number>] [maxactivities <Number>]
        [([start <Time>] [end <Time>])|yesterday] [(user all|<UserItem>)|(select <UserTypeEntity>)]
-        [event <String>] (filtertime.* <Time>)* [filter|filters <String>] [ip <String>] [countsonly] [summary]
+        [event <String>] (filtertime<String> <Time>)* [filter|filters <String>] [ip <String>] [countsonly] [summary]

 For example, this command reports on the users that haven't logged in in the last 5 years.
 gam report users parameters accounts:last_login_time filters "accounts:last_login_time<#filtertime#" filtertime -5y
@@ -13410,21 +13793,21 @@ Added units of years to <Date>, <DateTime> and <Time>; a year is 365 days. Added
        never|
        now|today

-Added filtertime <Time> option to gam report to allow times, usually relative, to be substituted into the filter <String> option.
-If both filtertime and filter are specified, the filtertime value replaces the string #filtertime# in the filter <String>.
+Added filtertime<String> <Time> option to gam report to allow times, usually relative, to be substituted into the filter <String> option.
+If both filtertime<String> and filter are specified, the filtertime value replaces the string #filtertime<String># in the filter <String>.

 gam report users|user [todrive <ToDriveAttribute>*] [date <Date>] [nodatechange | (fulldatarequired all|<ReportsAppList>)]
-        [(user all|<UserItem>)|(select <UserTypeEntity>)] [filtertime <Time>] [filter|filters <String>] [fields|parameters <String>]
+        [(user all|<UserItem>)|(select <UserTypeEntity>)] [filtertime<String> <Time>] [filter|filters <String>] [fields|parameters <String>]
        [maxactivities <Number>] [maxresults <Number>]
 gam report admin|calendar|calendars|drive|docs|doc|gplus|groups|group|logins|login|mobile|rules|tokens|token [todrive <ToDriveAttribute>*] [maxresults <Number>] [maxactivities <Number>]
        [([start <Time>] [end <Time>])|yesterday] [(user all|<UserItem>)|(select <UserTypeEntity>)]
-        [event <String>] [filtertime <Time>] [filter|filters <String>] [ip <String>] [countsonly] [summary]
+        [event <String>] [filtertime<String> <Time>] [filter|filters <String>] [ip <String>] [countsonly] [summary]

 For example, this command reports on the users that haven't logged in in the last 5 years.
-gam report users parameters accounts:last_login_time filters "accounts:last_login_time<#filtertime#" filtertime -5y
+gam report users parameters accounts:last_login_time filters "accounts:last_login_time<#filtertime5y#" filtertime5y -5y

 For example, this command reports on the users that haven't ever logged in.
-gam report users parameters accounts:last_login_time filters "accounts:last_login_time==#filtertime#" filtertime never
+gam report users parameters accounts:last_login_time filters "accounts:last_login_time==#filtertimeNever#" filtertimeNever never

 4.60.14

--- a/src/README.md
+++ b/src/README.md
@@ -0,0 +1 @@
+../README.md
--- a/src/cacerts.pem
+++ b/src/cacerts.pem
@@ -433,106 +433,6 @@ pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
 mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
 -----END CERTIFICATE-----

-# Operating CA: GoDaddy
-# Issuer: O=Starfield Technologies, Inc. OU=Starfield Class 2 Certification Authority
-# Subject: O=Starfield Technologies, Inc. OU=Starfield Class 2 Certification Authority
-# Label: "Starfield Class 2 CA"
-# Serial: 0
-# MD5 Fingerprint: 32:4a:4b:bb:c8:63:69:9b:be:74:9a:c6:dd:1d:46:24
-# SHA1 Fingerprint: ad:7e:1c:28:b0:64:ef:8f:60:03:40:20:14:c3:d0:e3:37:0e:b5:8a
-# SHA256 Fingerprint: 14:65:fa:20:53:97:b8:76:fa:a6:f0:a9:95:8e:55:90:e4:0f:cc:7f:aa:4f:b7:c2:c8:67:75:21:fb:5f:b6:58
-----BEGIN CERTIFICATE-----
-MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl
-MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp
-U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw
-NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE
-ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp
-ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3
-DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf
-8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN
-+lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0
-X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa
-K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA
-1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G
-A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR
-zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0
-YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD
-bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w
-DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3
-L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D
-eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl
-xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp
-VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY
-WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=
-----END CERTIFICATE-----
-
-# Operating CA: GoDaddy
-# Issuer: O=The Go Daddy Group, Inc. OU=Go Daddy Class 2 Certification Authority
-# Subject: O=The Go Daddy Group, Inc. OU=Go Daddy Class 2 Certification Authority
-# Label: "Go Daddy Class 2 CA"
-# Serial: 0
-# MD5 Fingerprint: 91:de:06:25:ab:da:fd:32:17:0c:bb:25:17:2a:84:67
-# SHA1 Fingerprint: 27:96:ba:e6:3f:18:01:e2:77:26:1b:a0:d7:77:70:02:8f:20:ee:e4
-# SHA256 Fingerprint: c3:84:6b:f2:4b:9e:93:ca:64:27:4c:0e:c6:7c:1e:cc:5e:02:4f:fc:ac:d2:d7:40:19:35:0e:81:fe:54:6a:e4
-----BEGIN CERTIFICATE-----
-MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
-MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
-YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
-MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
-ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
-MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
-ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
-PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
-wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
-EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
-avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
-YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
-sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
-/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
-IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
-YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
-ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
-OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
-TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
-HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
-dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
-ReYNnyicsbkqWletNw+vHX/bvZ8=
-----END CERTIFICATE-----
-
-# Operating CA: Sectigo
-# Issuer: CN=AAA Certificate Services O=Comodo CA Limited
-# Subject: CN=AAA Certificate Services O=Comodo CA Limited
-# Label: "Comodo AAA Services root"
-# Serial: 1
-# MD5 Fingerprint: 49:79:04:b0:eb:87:19:ac:47:b0:bc:11:51:9b:74:d0
-# SHA1 Fingerprint: d1:eb:23:a4:6d:17:d6:8f:d9:25:64:c2:f1:f1:60:17:64:d8:e3:49
-# SHA256 Fingerprint: d7:a7:a0:fb:5d:7e:27:31:d7:71:e9:48:4e:bc:de:f7:1d:5f:0c:3e:0a:29:48:78:2b:c8:3e:e0:ea:69:9e:f4
-----BEGIN CERTIFICATE-----
-MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
-MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
-GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
-YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
-MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
-BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM
-GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua
-BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe
-3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4
-YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR
-rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm
-ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU
-oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF
-MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v
-QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
-b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF
-AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q
-GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz
-Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2
-G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi
-l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3
-smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
-----END CERTIFICATE-----
-
 # Operating CA: Sectigo
 # Issuer: CN=COMODO Certification Authority O=COMODO CA Limited
 # Subject: CN=COMODO Certification Authority O=COMODO CA Limited
--- a/src/gam/init.py
+++ b/src/gam/init.py
--- a/src/gam/cacerts.pem
+++ b/src/gam/cacerts.pem
@@ -433,106 +433,6 @@ pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
 mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
 -----END CERTIFICATE-----

-# Operating CA: GoDaddy
-# Issuer: O=Starfield Technologies, Inc. OU=Starfield Class 2 Certification Authority
-# Subject: O=Starfield Technologies, Inc. OU=Starfield Class 2 Certification Authority
-# Label: "Starfield Class 2 CA"
-# Serial: 0
-# MD5 Fingerprint: 32:4a:4b:bb:c8:63:69:9b:be:74:9a:c6:dd:1d:46:24
-# SHA1 Fingerprint: ad:7e:1c:28:b0:64:ef:8f:60:03:40:20:14:c3:d0:e3:37:0e:b5:8a
-# SHA256 Fingerprint: 14:65:fa:20:53:97:b8:76:fa:a6:f0:a9:95:8e:55:90:e4:0f:cc:7f:aa:4f:b7:c2:c8:67:75:21:fb:5f:b6:58
-----BEGIN CERTIFICATE-----
-MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl
-MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp
-U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw
-NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE
-ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp
-ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3
-DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf
-8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN
-+lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0
-X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa
-K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA
-1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G
-A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR
-zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0
-YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD
-bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w
-DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3
-L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D
-eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl
-xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp
-VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY
-WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=
-----END CERTIFICATE-----
-
-# Operating CA: GoDaddy
-# Issuer: O=The Go Daddy Group, Inc. OU=Go Daddy Class 2 Certification Authority
-# Subject: O=The Go Daddy Group, Inc. OU=Go Daddy Class 2 Certification Authority
-# Label: "Go Daddy Class 2 CA"
-# Serial: 0
-# MD5 Fingerprint: 91:de:06:25:ab:da:fd:32:17:0c:bb:25:17:2a:84:67
-# SHA1 Fingerprint: 27:96:ba:e6:3f:18:01:e2:77:26:1b:a0:d7:77:70:02:8f:20:ee:e4
-# SHA256 Fingerprint: c3:84:6b:f2:4b:9e:93:ca:64:27:4c:0e:c6:7c:1e:cc:5e:02:4f:fc:ac:d2:d7:40:19:35:0e:81:fe:54:6a:e4
-----BEGIN CERTIFICATE-----
-MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
-MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
-YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
-MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
-ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
-MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
-ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
-PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
-wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
-EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
-avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
-YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
-sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
-/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
-IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
-YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
-ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
-OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
-TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
-HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
-dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
-ReYNnyicsbkqWletNw+vHX/bvZ8=
-----END CERTIFICATE-----
-
-# Operating CA: Sectigo
-# Issuer: CN=AAA Certificate Services O=Comodo CA Limited
-# Subject: CN=AAA Certificate Services O=Comodo CA Limited
-# Label: "Comodo AAA Services root"
-# Serial: 1
-# MD5 Fingerprint: 49:79:04:b0:eb:87:19:ac:47:b0:bc:11:51:9b:74:d0
-# SHA1 Fingerprint: d1:eb:23:a4:6d:17:d6:8f:d9:25:64:c2:f1:f1:60:17:64:d8:e3:49
-# SHA256 Fingerprint: d7:a7:a0:fb:5d:7e:27:31:d7:71:e9:48:4e:bc:de:f7:1d:5f:0c:3e:0a:29:48:78:2b:c8:3e:e0:ea:69:9e:f4
-----BEGIN CERTIFICATE-----
-MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
-MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
-GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
-YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
-MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
-BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM
-GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua
-BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe
-3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4
-YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR
-rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm
-ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU
-oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF
-MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v
-QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
-b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF
-AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q
-GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz
-Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2
-G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi
-l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3
-smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
-----END CERTIFICATE-----
-
 # Operating CA: Sectigo
 # Issuer: CN=COMODO Certification Authority O=COMODO CA Limited
 # Subject: CN=COMODO Certification Authority O=COMODO CA Limited
--- a/src/gam/gamlib/glapi.py
+++ b/src/gam/gamlib/glapi.py
@@ -24,8 +24,10 @@ ACCESSCONTEXTMANAGER = 'accesscontextmanager'
 ALERTCENTER = 'alertcenter'
 ANALYTICS_ADMIN = 'analyticsadmin'
 CALENDAR = 'calendar'
+BUSINESSACCOUNTMANAGEMENT = 'mybusinessaccountmanagement'
 CBCM = 'cbcm'
 CHAT = 'chat'
+CHAT_CUSTOM_EMOJIS = 'chatcustomemojis'
 CHAT_EVENTS = 'chatevents'
 CHAT_MEMBERSHIPS = 'chatmemberships'
 CHAT_MEMBERSHIPS_ADMIN = 'chatmembershipsadmin'
@@ -73,8 +75,8 @@ IAM_CREDENTIALS = 'iamcredentials'
 KEEP = 'keep'
 LICENSING = 'licensing'
 LOOKERSTUDIO = 'datastudio'
-MEET = 'meet'
-MEET_BETA = 'meetbeta'
+MEET_SPACES = 'meet'
+MEET_READONLY = 'meetreadonly'
 OAUTH2 = 'oauth2'
 ORGPOLICY = 'orgpolicy'
 PEOPLE = 'people'
@@ -84,6 +86,7 @@ PRINTERS = 'printers'
 PUBSUB = 'pubsub'
 REPORTS = 'reports'
 RESELLER = 'reseller'
+SEARCHCONSOLE = 'searchconsole'
 SERVICEACCOUNTLOOKUP = 'serviceaccountlookup'
 SERVICEMANAGEMENT = 'servicemanagement'
 SERVICEUSAGE = 'serviceusage'
@@ -93,10 +96,13 @@ SITEVERIFICATION = 'siteVerification'
 STORAGE = 'storage'
 STORAGEREAD = 'storageread'
 STORAGEWRITE = 'storagewrite'
+TAGMANAGER = 'tagmanager'
+TAGMANAGER_USERS = 'tagmanagerusers'
 TASKS = 'tasks'
 VAULT = 'vault'
 YOUTUBE = 'youtube'
 #
+BUSINESSACCOUNTMANAGEMENT_SCOPE = 'https://www.googleapis.com/auth/business.manage'
 CHROMEVERSIONHISTORY_URL = 'https://versionhistory.googleapis.com/v1/chrome/platforms'
 DRIVE_SCOPE = 'https://www.googleapis.com/auth/drive'
 GMAIL_SEND_SCOPE = 'https://www.googleapis.com/auth/gmail.send'
@@ -113,6 +119,7 @@ USERINFO_PROFILE_SCOPE = 'https://www.googleapis.com/auth/userinfo.profile' # pr
 VAULT_SCOPES = ['https://www.googleapis.com/auth/ediscovery', 'https://www.googleapis.com/auth/ediscovery.readonly']
 REQUIRED_SCOPES = [USERINFO_EMAIL_SCOPE, USERINFO_PROFILE_SCOPE]
 REQUIRED_SCOPES_SET = set(REQUIRED_SCOPES)
+NUM_CLIENT_SCOPES_ERROR_LIMIT = 48
 #
 JWT_APIS = {
  ACCESSCONTEXTMANAGER: [CLOUD_PLATFORM_SCOPE],
@@ -170,6 +177,7 @@ PROJECT_APIS = [
  'alertcenter.googleapis.com',
  'analyticsadmin.googleapis.com',
 #  'audit.googleapis.com',
+  'mybusinessaccountmanagement.googleapis.com',
  'calendar-json.googleapis.com',
  'chat.googleapis.com',
  'chromemanagement.googleapis.com',
@@ -195,9 +203,11 @@ PROJECT_APIS = [
  'people.googleapis.com',
  'pubsub.googleapis.com',
  'reseller.googleapis.com',
+  'searchconsole.googleapis.com',
  'sheets.googleapis.com',
  'siteverification.googleapis.com',
  'storage-api.googleapis.com',
+  'tagmanager.googleapis.com',
  'tasks.googleapis.com',
  'vault.googleapis.com',
  'youtube.googleapis.com',
@@ -207,9 +217,11 @@ _INFO = {
  ACCESSCONTEXTMANAGER: {'name': 'Access Context Manager API', 'version': 'v1', 'v2discovery': True},
  ALERTCENTER: {'name': 'AlertCenter API', 'version': 'v1beta1', 'v2discovery': True},
  ANALYTICS_ADMIN: {'name': 'Analytics Admin API', 'version': 'v1beta', 'v2discovery': True},
+  BUSINESSACCOUNTMANAGEMENT: {'name': 'Business Account Management API', 'version': 'v1', 'v2discovery': True},
  CALENDAR: {'name': 'Calendar API', 'version': 'v3', 'v2discovery': True, 'mappedAPI': 'calendar-json'},
  CBCM: {'name': 'Chrome Browser Cloud Management API', 'version': 'v1.1beta1', 'v2discovery': True, 'localjson': True},
  CHAT: {'name': 'Chat API', 'version': 'v1', 'v2discovery': True},
+  CHAT_CUSTOM_EMOJIS: {'name': 'Chat API - Custom Emojis', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
  CHAT_EVENTS: {'name': 'Chat API - Events', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
  CHAT_MEMBERSHIPS: {'name': 'Chat API - Memberships', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
  CHAT_MEMBERSHIPS_ADMIN: {'name': 'Chat API - Memberships Admin', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
@@ -224,15 +236,15 @@ _INFO = {
  CHROMEMANAGEMENT_TELEMETRY: {'name': 'Chrome Management API - Telemetry', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHROMEMANAGEMENT},
  CHROMEPOLICY: {'name': 'Chrome Policy API', 'version': 'v1', 'v2discovery': True},
  CHROMEVERSIONHISTORY: {'name': 'Chrome Version History API', 'version': 'v1', 'v2discovery': True},
-  CLOUDCHANNEL: {'name': 'Channel Channel API', 'version': 'v1', 'v2discovery': True},
-  CLOUDIDENTITY_DEVICES: {'name': 'Cloud Identity Devices API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_GROUPS: {'name': 'Cloud Identity Groups API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_GROUPS_BETA: {'name': 'Cloud Identity Groups API', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_INBOUND_SSO: {'name': 'Cloud Identity Inbound SSO API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_ORGUNITS: {'name': 'Cloud Identity OrgUnits API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_ORGUNITS_BETA: {'name': 'Cloud Identity OrgUnits API', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_POLICY: {'name': 'Cloud Identity Policy API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_USERINVITATIONS: {'name': 'Cloud Identity User Invitations API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDCHANNEL: {'name': 'Cloud Channel API', 'version': 'v1', 'v2discovery': True},
+  CLOUDIDENTITY_DEVICES: {'name': 'Cloud Identity API - Devices', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_GROUPS: {'name': 'Cloud Identity API - Groups', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_GROUPS_BETA: {'name': 'Cloud Identity API - Groups Beta', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_INBOUND_SSO: {'name': 'Cloud Identity API - Inbound SSO Settings', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_ORGUNITS: {'name': 'Cloud Identity API - OrgUnits', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_ORGUNITS_BETA: {'name': 'Cloud Identity API - OrgUnits Beta', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_POLICY: {'name': 'Cloud Identity API - Policy', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_USERINVITATIONS: {'name': 'Cloud Identity API - User Invitations', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDRESOURCEMANAGER: {'name': 'Cloud Resource Manager API v3', 'version': 'v3', 'v2discovery': True},
  CONTACTS: {'name': 'Contacts API', 'version': 'v3', 'v2discovery': False},
  CONTACTDELEGATION: {'name': 'Contact Delegation API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
@@ -255,17 +267,18 @@ _INFO = {
  KEEP: {'name': 'Keep API', 'version': 'v1', 'v2discovery': True},
  LICENSING: {'name': 'License Manager API', 'version': 'v1', 'v2discovery': True},
  LOOKERSTUDIO: {'name': 'Looker Studio API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
-  MEET: {'name': 'Meet API', 'version': 'v2', 'v2discovery': True},
-  MEET_BETA: {'name': 'Meet API', 'version': 'v2beta', 'v2discovery': True, 'localjson': True, 'mappedAPI': MEET},
+  MEET_SPACES: {'name': 'Meet API - Manage/Display Meeting Spaces', 'version': 'v2', 'v2discovery': True},
+  MEET_READONLY: {'name': 'Meet API - Read Meeting Spaces metadata', 'version': 'v2', 'v2discovery': True, 'mappedAPI': MEET_SPACES},
  OAUTH2: {'name': 'OAuth2 API', 'version': 'v2', 'v2discovery': False},
  ORGPOLICY: {'name': 'Organization Policy API', 'version': 'v2', 'v2discovery': True},
  PEOPLE: {'name': 'People API', 'version': 'v1', 'v2discovery': True},
  PEOPLE_DIRECTORY: {'name': 'People Directory API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': PEOPLE},
  PEOPLE_OTHERCONTACTS: {'name': 'People  API - Other Contacts', 'version': 'v1', 'v2discovery': True, 'mappedAPI': PEOPLE},
-  PRINTERS: {'name': 'Directory API Printers', 'version': 'directory_v1', 'v2discovery': True, 'mappedAPI': 'admin'},
+  PRINTERS: {'name': 'Directory API - Printers', 'version': 'directory_v1', 'v2discovery': True, 'mappedAPI': 'admin'},
  PUBSUB: {'name': 'Pub / Sub API', 'version': 'v1', 'v2discovery': True},
  REPORTS: {'name': 'Reports API', 'version': 'reports_v1', 'v2discovery': True, 'mappedAPI': 'admin'},
  RESELLER: {'name': 'Reseller API', 'version': 'v1', 'v2discovery': True},
+  SEARCHCONSOLE: {'name': 'Search Console API', 'version': 'v1', 'v2discovery': True},
  SERVICEACCOUNTLOOKUP: {'name': 'Service Account Lookup pseudo-API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
  SERVICEMANAGEMENT: {'name': 'Service Management API', 'version': 'v1', 'v2discovery': True},
  SERVICEUSAGE: {'name': 'Service Usage API', 'version': 'v1', 'v2discovery': True},
@@ -275,6 +288,8 @@ _INFO = {
  STORAGE: {'name': 'Cloud Storage API', 'version': 'v1', 'v2discovery': True},
  STORAGEREAD: {'name': 'Cloud Storage API - Read', 'version': 'v1', 'v2discovery': True, 'mappedAPI': STORAGE},
  STORAGEWRITE: {'name': 'Cloud Storage API - Write', 'version': 'v1', 'v2discovery': True, 'mappedAPI': STORAGE},
+  TAGMANAGER: {'name': 'Tag Manager API - Accounts, Containers, Workspaces, Tags', 'version': 'v2', 'v2discovery': True},
+  TAGMANAGER_USERS: {'name': 'Tag Manager API - Users', 'version': 'v2', 'v2discovery': True, 'mappedAPI': TAGMANAGER},
  TASKS: {'name': 'Tasks API', 'version': 'v1', 'v2discovery': True},
  VAULT: {'name': 'Vault API', 'version': 'v1', 'v2discovery': True},
  YOUTUBE: {'name': 'Youtube API', 'version': 'v3', 'v2discovery': True},
@@ -283,6 +298,11 @@ _INFO = {
 READONLY = ['readonly',]

 _CLIENT_SCOPES = [
+  {'name': 'Business Account Management API',
+   'api': BUSINESSACCOUNTMANAGEMENT,
+   'subscopes': [],
+   'offByDefault': True,
+   'scope': BUSINESSACCOUNTMANAGEMENT_SCOPE},
  {'name': 'Calendar API',
   'api': CALENDAR,
   'subscopes': READONLY,
@@ -360,29 +380,29 @@ _CLIENT_SCOPES = [
   'subscopes': READONLY,
   'offByDefault': True,
   'scope': 'https://www.googleapis.com/auth/apps.order'},
-  {'name': 'Cloud Identity Groups API',
+  {'name': 'Cloud Identity API - Groups',
   'api': CLOUDIDENTITY_GROUPS,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/cloud-identity.groups'},
-  {'name': 'Cloud Identity Groups API Beta (Enables group locking/unlocking)',
+  {'name': 'Cloud Identity API - Groups Beta (Enables group locking/unlocking)',
   'api': CLOUDIDENTITY_GROUPS_BETA,
   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/cloud-identity.groups'},
-  {'name': 'Cloud Identity - Inbound SSO Settings',
+  {'name': 'Cloud Identity API - Inbound SSO Settings',
   'api': CLOUDIDENTITY_INBOUND_SSO,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/cloud-identity.inboundsso'},
-  {'name': 'Cloud Identity OrgUnits API',
+  {'name': 'Cloud Identity API - OrgUnits Beta',
   'api': CLOUDIDENTITY_ORGUNITS_BETA,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/cloud-identity.orgunits'},
-  {'name': 'Cloud Identity - Policy',
+  {'name': 'Cloud Identity API - Policy',
   'api': CLOUDIDENTITY_POLICY,
   'subscopes': READONLY,
   'roByDefault': True,
   'scope': 'https://www.googleapis.com/auth/cloud-identity.policies'
  },
-  {'name': 'Cloud Identity User Invitations API',
+  {'name': 'Cloud Identity API - User Invitations',
   'api': CLOUDIDENTITY_USERINVITATIONS,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/cloud-identity.userinvitations'},
@@ -544,6 +564,10 @@ _SVCACCT_SCOPES = [
   'api': CALENDAR,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/calendar'},
+  {'name': 'Chat API - Custom Emojis',
+   'api': CHAT_CUSTOM_EMOJIS,
+   'subscopes': READONLY,
+   'scope': 'https://www.googleapis.com/auth/chat.customemojis'},
  {'name': 'Chat API - Memberships',
   'api': CHAT_MEMBERSHIPS,
   'subscopes': READONLY,
@@ -644,7 +668,7 @@ _SVCACCT_SCOPES = [
   'api': GMAIL,
   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/gmail.modify'},
-  {'name': 'Gmail API - Basic Settings (Filters,IMAP, Language, POP, Vacation) - read/write, Sharing Settings (Delegates, Forwarding, SendAs) - read',
+  {'name': 'Gmail API - Basic Settings (Filters, IMAP, Language, POP, Vacation) - read/write, Sharing Settings (Delegates, Forwarding, SendAs) - read',
   'api': GMAIL,
   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/gmail.settings.basic'},
@@ -665,11 +689,15 @@ _SVCACCT_SCOPES = [
   'api': LOOKERSTUDIO,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/datastudio'},
-  {'name': 'Meet API',
-   'api': MEET,
-   'subscopes': READONLY,
-   'scope': 'https://www.googleapis.com/auth/meetings.space.created',
-   'roscope': 'https://www.googleapis.com/auth/meetings.space.readonly'},
+  {'name': 'Meet API - Manage/Display Meeting Spaces',
+   'api': MEET_SPACES,
+   'subscopes': [],
+   'scope': ['https://www.googleapis.com/auth/meetings.space.created',
+             'https://www.googleapis.com/auth/meetings.space.settings']},
+  {'name': 'Meet API - Read Meeting Spaces metadata',
+   'api': MEET_READONLY,
+   'subscopes': [],
+   'scope': 'https://www.googleapis.com/auth/meetings.space.readonly'},
  {'name': 'OAuth2 API',
   'api': OAUTH2,
   'subscopes': [],
@@ -686,10 +714,30 @@ _SVCACCT_SCOPES = [
   'api': PEOPLE_OTHERCONTACTS,
   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/contacts.other.readonly'},
+  {'name': 'Search Console  API - read only',
+   'api': SEARCHCONSOLE,
+   'subscopes': [],
+   'offByDefault': True,
+   'scope': 'https://www.googleapis.com/auth/webmasters.readonly'},
  {'name': 'Sheets API',
   'api': SHEETS,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/spreadsheets'},
+  {'name': 'Site Verification API',
+   'api': SITEVERIFICATION,
+   'subscopes': [],
+   'offByDefault': True,
+   'scope': 'https://www.googleapis.com/auth/siteverification'},
+  {'name': 'Tag Manager API - Accounts, Containers, Workspaces, Tags - read only',
+   'api': TAGMANAGER,
+   'subscopes': [],
+   'offByDefault': True,
+   'scope': 'https://www.googleapis.com/auth/tagmanager.readonly'},
+  {'name': 'Tag Manager API - Users',
+   'api': TAGMANAGER_USERS,
+   'subscopes': [],
+   'offByDefault': True,
+   'scope': 'https://www.googleapis.com/auth/tagmanager.manage.users'},
  {'name': 'Tasks API',
   'api': TASKS,
   'subscopes': READONLY,
@@ -729,56 +777,6 @@ _USER_SVCACCT_ONLY_SCOPES = [
   'scope': 'https://www.googleapis.com/auth/apps.groups.migration'},
  ]

-DRIVE3_TO_DRIVE2_ABOUT_FIELDS_MAP = {
-  'displayName': 'name',
-  'limit': 'quotaBytesTotal',
-  'usage': 'quotaBytesUsedAggregate',
-  'usageInDrive': 'quotaBytesUsed',
-  'usageInDriveTrash': 'quotaBytesUsedInTrash',
-  }
-
-DRIVE3_TO_DRIVE2_CAPABILITIES_FIELDS_MAP = {
-  'canComment': 'canComment',
-  'canReadRevisions': 'canReadRevisions',
-  'canCopy': 'copyable',
-  'canEdit': 'editable',
-  'canShare': 'shareable',
-  }
-
-DRIVE3_TO_DRIVE2_CAPABILITIES_NAMES_MAP = {
-  'canChangeViewersCanCopyContent': 'canChangeRestrictedDownload',
-  }
-
-DRIVE3_TO_DRIVE2_FILES_FIELDS_MAP = {
-  'allowFileDiscovery': 'withLink',
-  'createdTime': 'createdDate',
-  'expirationTime': 'expirationDate',
-  'modifiedByMe': 'modified',
-  'modifiedByMeTime': 'modifiedByMeDate',
-  'modifiedTime': 'modifiedDate',
-  'name': 'title',
-  'restrictionTime': 'restrictionDate',
-  'sharedWithMeTime': 'sharedWithMeDate',
-  'size': 'fileSize',
-  'trashedTime': 'trashedDate',
-  'viewedByMe': 'viewed',
-  'viewedByMeTime': 'lastViewedByMeDate',
-  'webViewLink': 'alternateLink',
-  }
-
-DRIVE3_TO_DRIVE2_LABELS_MAP = {
-  'modifiedByMe': 'modified',
-  'starred': 'starred',
-  'trashed': 'trashed',
-  'viewedByMe': 'viewed',
-  }
-
-DRIVE3_TO_DRIVE2_REVISIONS_FIELDS_MAP = {
-  'modifiedTime': 'modifiedDate',
-  'keepForever': 'pinned',
-  'size': 'fileSize',
-  }
-
 def getAPIName(api):
  return _INFO[api]['name']

@@ -827,3 +825,26 @@ def getSvcAcctScopesList(userServiceAccountAccessOnly, svcAcctSpecialScopes):

 def hasLocalJSON(api):
  return _INFO[api].get('localjson', False)
+
+def findAPIforScope(scopesList):
+  def checkScopeMatch(scope, cscope):
+    if cscope['scope'] == scope:
+      requiredAPIs.append(cscope['name'])
+      return True
+    if cscope['subscopes'] == READONLY and cscope['scope']+'.readonly' == scope:
+      requiredAPIs.append(cscope['name']+' (supports readonly)')
+      return True
+    return False
+    
+  requiredAPIs = []
+  for scope in scopesList:
+    for cscope in _CLIENT_SCOPES:
+      if checkScopeMatch(scope, cscope):
+        break
+    else:
+      for cscope in _SVCACCT_SCOPES:
+        if checkScopeMatch(scope, cscope):
+          break
+  if not requiredAPIs:
+    requiredAPIs = scopesList
+  return ' or '.join(requiredAPIs)
--- a/src/gam/gamlib/glcfg.py
+++ b/src/gam/gamlib/glcfg.py
@@ -153,10 +153,6 @@ DOMAIN = 'domain'
 DRIVE_DIR = 'drive_dir'
 # When retrieving lists of Drive files/folders from API, how many should be retrieved in each chunk
 DRIVE_MAX_RESULTS = 'drive_max_results'
-# Use Drive V3 beta
-DRIVE_V3_BETA = 'drive_v3_beta'
-# Use Drive V3 ntive names
-DRIVE_V3_NATIVE_NAMES = 'drive_v3_native_names'
 # When processing email messages in batches, how many should be processed in each batch
 EMAIL_BATCH_SIZE = 'email_batch_size'
 # Enable Delegated Admin Service Account
@@ -179,8 +175,6 @@ INTER_BATCH_WAIT = 'inter_batch_wait'
 LICENSE_MAX_RESULTS = 'license_max_results'
 # License SKUs to process
 LICENSE_SKUS = 'license_skus'
-# Use Meet V2 beta
-MEET_V2_BETA = 'meet_v2_beta'
 # When retrieving lists of Google Group members from API, how many should be retrieved in each chunk
 MEMBER_MAX_RESULTS = 'member_max_results'
 # CI API Group members max page size when view=BASIC
@@ -381,8 +375,6 @@ Defaults = {
  DRIVE_DIR: '',
  ENFORCE_EXPANSIVE_ACCESS: TRUE,
  DRIVE_MAX_RESULTS: '1000',
-  DRIVE_V3_BETA: FALSE,
-  DRIVE_V3_NATIVE_NAMES: TRUE,
  EMAIL_BATCH_SIZE: '50',
  ENABLE_DASA: FALSE,
  ENABLE_GCLOUD_REAUTH: FALSE,
@@ -393,7 +385,6 @@ Defaults = {
  INTER_BATCH_WAIT: '0',
  LICENSE_MAX_RESULTS: '100',
  LICENSE_SKUS: '',
-  MEET_V2_BETA: FALSE,
  MEMBER_MAX_RESULTS: '200',
  MEMBER_MAX_RESULTS_CI_BASIC: '1000',
  MEMBER_MAX_RESULTS_CI_FULL: '500',
@@ -550,8 +541,6 @@ VAR_INFO = {
  DRIVE_DIR: {VAR_TYPE: TYPE_DIRECTORY, VAR_ENVVAR: 'GAMDRIVEDIR'},
  ENFORCE_EXPANSIVE_ACCESS: {VAR_TYPE: TYPE_BOOLEAN},
  DRIVE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 1000)},
-  DRIVE_V3_BETA: {VAR_TYPE: TYPE_BOOLEAN},
-  DRIVE_V3_NATIVE_NAMES: {VAR_TYPE: TYPE_BOOLEAN},
  EMAIL_BATCH_SIZE: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 100)},
  ENABLE_DASA: {VAR_TYPE: TYPE_BOOLEAN, VAR_SIGFILE: 'enabledasa.txt', VAR_SFFT: (FALSE, TRUE)},
  ENABLE_GCLOUD_REAUTH: {VAR_TYPE: TYPE_BOOLEAN},
@@ -562,7 +551,6 @@ VAR_INFO = {
  INTER_BATCH_WAIT: {VAR_TYPE: TYPE_FLOAT, VAR_LIMITS: (0.0, 60.0)},
  LICENSE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (10, 1000)},
  LICENSE_SKUS: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
-  MEET_V2_BETA: {VAR_TYPE: TYPE_BOOLEAN},
  MEMBER_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 200)},
  MEMBER_MAX_RESULTS_CI_BASIC: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 1000)},
  MEMBER_MAX_RESULTS_CI_FULL: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 500)},
--- a/src/gam/gamlib/glclargs.py
+++ b/src/gam/gamlib/glclargs.py
@@ -411,6 +411,7 @@ class GamCLArgs():
  ARG_ALERTFEEDBACK = 'alertfeedback'
  ARG_ALERTFEEDBACKS = 'alertfeedbacks'
  ARG_ALERTSFEEDBACK = 'alertsfeedback'
+  ARG_ALERTSETTINGS = 'alertsettings'
  ARG_ALIAS = 'alias'
  ARG_ALIASES = 'aliases'
  ARG_ALIASDOMAIN = 'aliasdomain'
@@ -441,6 +442,8 @@ class GamCLArgs():
  ARG_BUCKETS = 'buckets'
  ARG_BUILDING = 'building'
  ARG_BUILDINGS = 'buildings'
+  ARG_BUSINESSPROFILEACCOUNT = 'businessprofileaccount'
+  ARG_BUSINESSPROFILEACCOUNTS = 'businessprofileaccounts'
  ARG_CAALEVEL = 'caalevel'
  ARG_CAALEVELS = 'caalevels'
  ARG_CALATTENDEES = 'calattendees'
@@ -461,6 +464,8 @@ class GamCLArgs():
  ARG_CHANNELSKU = 'channelsku'
  ARG_CHANNELSKUS = 'channelskus'
  ARG_CHAT = 'chat'
+  ARG_CHATEMOJI = 'chatemoji'
+  ARG_CHATEMOJIS = 'chatemojis'
  ARG_CHATEVENT = 'chatevent'
  ARG_CHATEVENTS = 'chatevents'
  ARG_CHATMEMBER = 'chatmember'
@@ -483,6 +488,8 @@ class GamCLArgs():
  ARG_CHROMEPOLICIES = 'chromepolicies'
  ARG_CHROMEPROFILE = 'chromeprofile'
  ARG_CHROMEPROFILES = 'chromeprofiles'
+  ARG_CHROMEPROFILECOMMAND = 'chromeprofilecommand'
+  ARG_CHROMEPROFILECOMMANDS = 'chromeprofilecommands'
  ARG_CHROMESCHEMA = 'chromeschema'
  ARG_CHROMESCHEMAS = 'chromeschemas'
  ARG_CHROMESNVALIDITY = 'chromesnvalidity'
@@ -775,8 +782,19 @@ class GamCLArgs():
  ARG_STORAGEBUCKETS = 'storagebuckets'
  ARG_STORAGEFILE = 'storagefile'
  ARG_STORAGEFILES = 'storagefiles'
+  ARG_SUSPENDED = 'suspended'
  ARG_SVCACCT = 'svcacct'
  ARG_SVCACCTS = 'svcaccts'
+  ARG_TAGMANAGERACCOUNT = 'tagmanageraccount'
+  ARG_TAGMANAGERACCOUNTS = 'tagmanageraccounts'
+  ARG_TAGMANAGERCONTAINER = 'tagmanagercontainer'
+  ARG_TAGMANAGERCONTAINERS = 'tagmanagercontainers'
+  ARG_TAGMANAGERPERMISSION = 'tagmanagerpermission'
+  ARG_TAGMANAGERPERMISSIONS = 'tagmanagerpermissions'
+  ARG_TAGMANAGERTAG = 'tagmanagertag'
+  ARG_TAGMANAGERTAGS = 'tagmanagertags'
+  ARG_TAGMANAGERWORKSPACE = 'tagmanagerworkspace'
+  ARG_TAGMANAGERWORKSPACES = 'tagmanagerworkspaces'
  ARG_TASK = 'task'
  ARG_TASKS = 'tasks'
  ARG_TASKLIST = 'tasklist'
@@ -815,6 +833,10 @@ class GamCLArgs():
  ARG_VERIFICATION = 'verification'
  ARG_VERIFICATIONCODES = 'verificationcodes'
  ARG_VERIFY = 'verify'
+  ARG_WEBMASTERSITE = 'webmastersite'
+  ARG_WEBMASTERSITES = 'webmastersites'
+  ARG_WEBRESOURCE = 'webresource'
+  ARG_WEBRESOURCES = 'webresources'
  ARG_WORKINGLOCATION = 'workinglocation'
  ARG_WORKINGLOCATIONS = 'workinglocations'
  ARG_YOUTUBECHANNEL = 'youtubechannel'
@@ -843,6 +865,8 @@ class GamCLArgs():
  OB_CHARACTER = 'Character'
  OB_CHAR_SET = 'CharacterSet'
  OG_CHAT_ATTACHMENT = 'ChatAttachment'
+  OB_CHAT_EMOJI = 'ChatEmoji'
+  OB_CHAT_EMOJI_NAME = 'ChatEmojiName'
  OB_CHAT_EVENT = 'ChatEvent'
  OB_CHAT_MEMBER = 'ChatMember'
  OB_CHAT_MESSAGE = 'ChatMessage'
@@ -850,7 +874,10 @@ class GamCLArgs():
  OB_CHAT_SPACE = 'ChatSpace'
  OB_CHAT_SPACE_LIST = 'ChatSpaceList'
  OB_CHAT_THREAD = 'ChatThread'
-  OB_CHROMEPROFILE_ID = 'ChromeProfileId'
+  OB_CHROMEPROFILE_NAME = 'ChromeProfileName'
+  OB_CHROMEPROFILE_NAME_LIST = 'ChromeProfileNameList'
+  OB_CHROMEPROFILE_COMMAND_NAME = 'ChromeProfileCommandName'
+  OB_CHROMEPROFILE_COMMAND_NAME_LIST = 'ChromeProfileNameCommandList'
  OB_CHROME_VERSION = 'ChromeVersion'
  OB_CIDR_NETMASK = 'CIDRnetmask'
  OB_CIGROUP_ALIAS_LIST = "CIGroupAliasList"
@@ -871,8 +898,11 @@ class GamCLArgs():
  OB_CONTACT_GROUP_ITEM = 'ContactGroupItem'
  OB_COURSE_ALIAS = 'CourseAlias'
  OB_COURSE_ALIAS_ENTITY = 'CourseAliasEntity'
+  OB_COURSE_ANNOUNCEMENT_ID = "CourseAnnouncementID"
  OB_COURSE_ANNOUNCEMENT_ID_ENTITY = "CourseAnnouncementIDEntity"
  OB_COURSE_ANNOUNCEMENT_STATE_LIST = "CourseAnnouncementStateList"
+  OB_COURSE_ANNOUNCEMENT_ADD_STATE_LIST = "CourseAnnouncementAddStateList"
+  OB_COURSE_ANNOUNCEMENT_UPDATE_STATE_LIST = "CourseAnnouncementUpdateStateList"
  OB_COURSE_ENTITY = 'CourseEntity'
  OB_COURSE_ID = 'CourseID'
  OB_COURSE_MATERIAL_ID_ENTITY = 'CourseMaterialIDEntity'
@@ -930,6 +960,7 @@ class GamCLArgs():
  OB_FILE_NAME = 'FileName'
  OB_FILE_NAME_FIELD_NAME = OB_FILE_NAME+'(:'+OB_FIELD_NAME+')+'
  OB_FILE_NAME_OR_URL = 'FileName|URL'
+  OB_FILE_NAME_PATTERN = 'FileNamePattern'
  OB_FILE_PATH = 'FilePath'
  OB_FILTER_ID_ENTITY = 'FilterIDEntity'
  OB_FORMAT_LIST = 'FormatList'
@@ -975,7 +1006,6 @@ class GamCLArgs():
  OB_PERMISSION_ID_LIST = 'PermissionIDList'
  OB_PERMISSION_ROLE_LIST = 'PermissionRoleList'
  OB_PERMISSION_TYPE_LIST = 'PermissionTypeList'
-  OB_PHOTO_FILENAME_PATTERN = 'FilenameNamePattern'
  OB_PRINTER_ID = 'PrinterID'
  OB_PRIVILEGE_LIST = 'PrivilegeList'
  OB_PRODUCT_ID = 'ProductID'
@@ -984,6 +1014,7 @@ class GamCLArgs():
  OB_PROJECT_ID_ENTITY = 'ProjectIDEntity'
  OB_PROPERTY_KEY = 'PropertyKey'
  OB_PROPERTY_VALUE = 'PropertyValue'
+  OB_PUBSUB_TOPIC_NAME = 'PubSubTopicName'
  OB_QUERY = 'Query'
  OB_QUERY_ITEM = 'QueryItem'
  OB_QUERY_LIST = 'QueryList'
@@ -1026,6 +1057,7 @@ class GamCLArgs():
  OB_STRING_LIST = 'StringList'
  OB_STUDENT_ITEM = 'StudentItem'
  OB_TAG = 'Tag'
+  OB_TAGMANAGER_PATH_LIST = 'TagManagerPathList'
  OB_TASK_ID = 'TaskID'
  OB_TASKLIST_ID = 'TaskListID'
  OB_TASKLIST_ID_ENTITY = 'TaskListIDEntity'
--- a/src/gam/gamlib/glentity.py
+++ b/src/gam/gamlib/glentity.py
@@ -54,6 +54,7 @@ class GamEntity():
  ALERT_ID = 'alri'
  ALERT_FEEDBACK = 'alfb'
  ALERT_FEEDBACK_ID = 'alfi'
+  ALERT_SETTINGS = 'alrs'
  ALIAS = 'alia'
  ALIAS_EMAIL = 'alie'
  ALIAS_TARGET = 'alit'
@@ -75,6 +76,7 @@ class GamEntity():
  BACKUP_VERIFICATION_CODES = 'buvc'
  BUILDING = 'bldg'
  BUILDING_ID = 'bldi'
+  BUSINESS_PROFILE_ACCOUNT = 'bpac'
  CAA_LEVEL = 'calv'
  CALENDAR = 'cale'
  CALENDAR_ACL = 'cacl'
@@ -86,6 +88,7 @@ class GamEntity():
  CHANNEL_SKU = 'chsk'
  CHAT_BOT = 'chbo'
  CHAT_ADMIN = 'chad'
+  CHAT_EMOJI = 'chem'
  CHAT_EVENT = 'chev'
  CHAT_MANAGER_USER = 'chgu'
  CHAT_MEMBER = 'chme'
@@ -110,6 +113,7 @@ class GamEntity():
  CHROME_POLICY_IMAGE = 'cpim'
  CHROME_POLICY_SCHEMA = 'cpsc'
  CHROME_PROFILE = 'cpro'
+  CHROME_PROFILE_COMMAND = 'cpcm'
  CHROME_RELEASE = 'crel'
  CHROME_VERSION = 'cver'
  CLASSIFICATION_LABEL = 'dlab'
@@ -282,10 +286,11 @@ class GamEntity():
  MIMETYPE = 'mime'
  MOBILE_DEVICE = 'mobi'
  NAME = 'name'
+  NONEDITABLE_ALIAS = 'neal'
  NOTE = 'note'
  NOTE_ACL = 'nota'
  NOTES_ACLS = 'naac'
-  NONEDITABLE_ALIAS = 'neal'
+  NOTIFICATION = 'noti'
  OAUTH2_TXT_FILE = 'oaut'
  OAUTH2SERVICE_JSON_FILE = 'oau2'
  ORGANIZATIONAL_UNIT = 'orgu'
@@ -356,7 +361,12 @@ class GamEntity():
  SUBSCRIPTION = 'subs'
  SVCACCT = 'svac'
  SVCACCT_KEY = 'svky'
-  TARGET_USER = 'tgt'
+  TAGMANAGER_ACCOUNT = 'tmac'
+  TAGMANAGER_CONTAINER = 'tmco'
+  TAGMANAGER_PERMISSION = 'tmpm'
+  TAGMANAGER_TAG = 'tmtg'
+  TAGMANAGER_WORKSPACE = 'tmws'
+  TARGET_USER = 'tgt '
  TASK = 'task'
  TASKLIST = 'tali'
  TEACHER = 'teac'
@@ -387,6 +397,8 @@ class GamEntity():
  VAULT_MATTER_ID = 'vlmi'
  VAULT_OPERATION = 'vlto'
  VAULT_QUERY = 'vltq'
+  WEB_MASTERSITE = 'wems'
+  WEB_RESOURCE = 'were'
  WEBCLIPS_ENABLED = 'webc'
  YOUTUBE_CHANNEL = 'ytch'
  # _NAMES[0] is plural, _NAMES[1] is singular unless the item name is explicitly plural (Calendar Settings)
@@ -404,6 +416,7 @@ class GamEntity():
    ALERT_ID: ['Alert IDs', 'Alert ID'],
    ALERT_FEEDBACK: ['Alert Feedbacks', 'Alert Feedback'],
    ALERT_FEEDBACK_ID: ['Alert Feedback IDs', 'Alert Feedback ID'],
+    ALERT_SETTINGS: ['Alert Settings', 'Alert Settings'],
    ALIAS: ['Aliases', 'Alias'],
    ALIAS_EMAIL: ['Alias Emails', 'Alias Email'],
    ALIAS_TARGET: ['Alias Targets', 'Alias Target'],
@@ -425,6 +438,7 @@ class GamEntity():
    BACKUP_VERIFICATION_CODES: ['Backup Verification Codes', 'Backup Verification Codes'],
    BUILDING: ['Buildings', 'Building'],
    BUILDING_ID: ['Building IDs', 'Building ID'],
+    BUSINESS_PROFILE_ACCOUNT: ['Business Profile Accounts', 'Business Profile Account'],
    CAA_LEVEL: ['CAA Levels', 'CAA Level'],
    CALENDAR: ['Calendars', 'Calendar'],
    CALENDAR_ACL: ['Calendar ACLs', 'Calendar ACL'],
@@ -436,6 +450,7 @@ class GamEntity():
    CHANNEL_SKU: ['Channel SKUs', 'Channel SKU'],
    CHAT_BOT: ['Chat BOTs', 'Chat BOT'],
    CHAT_ADMIN: ['Chat Admins', 'Chat Admin'],
+    CHAT_EMOJI: ['Chat Emojis', 'Chat Emoji'],
    CHAT_EVENT: ['Chat Events', 'Chat Event'],
    CHAT_MANAGER_USER: ['Chat User Managers', 'Chat User Manager'],
    CHAT_MESSAGE: ['Chat Messages', 'Chat Message'],
@@ -460,6 +475,7 @@ class GamEntity():
    CHROME_POLICY_IMAGE: ['Chrome Policy Images', 'Chrome Policy Image'],
    CHROME_POLICY_SCHEMA: ['Chrome Policy Schemas', 'Chrome Policy Schema'],
    CHROME_PROFILE: ['Chrome Profiles', 'Chrome Profile'],
+    CHROME_PROFILE_COMMAND: ['Chrome Profile Commands', 'Chrome Profile Command'],
    CHROME_RELEASE: ['Chrome Releases', 'Chrome Release'],
    CHROME_VERSION: ['Chrome Versions', 'Chrome Version'],
    CLASSIFICATION_LABEL: ['Classification Labels', 'Classification Label'],
@@ -632,10 +648,11 @@ class GamEntity():
    MIMETYPE: ['MIME Types', 'MIME Type'],
    MOBILE_DEVICE: ['Mobile Devices', 'Mobile Device'],
    NAME: ['Names', 'Name'],
+    NONEDITABLE_ALIAS: ['Non-Editable Aliases', 'Non-Editable Alias'],
    NOTE: ['Notes', 'Note'],
    NOTE_ACL: ['Note ACLs', 'Note ACL'],
    NOTES_ACLS: ["'Note's ACLs", "Note's ACLs"],
-    NONEDITABLE_ALIAS: ['Non-Editable Aliases', 'Non-Editable Alias'],
+    NOTIFICATION: ['Notifications', 'Notification'],
    OAUTH2_TXT_FILE: ['Client OAuth2 File', 'Client OAuth2 File'],
    OAUTH2SERVICE_JSON_FILE: ['Service Account OAuth2 File', 'Service Account OAuth2 File'],
    ORGANIZATIONAL_UNIT: ['Organizational Units', 'Organizational Unit'],
@@ -706,6 +723,11 @@ class GamEntity():
    SUBSCRIPTION: ['Subscriptions', 'Subscription'],
    SVCACCT: ['Service Accounts', 'Service Account'],
    SVCACCT_KEY: ['Service Account Keys', 'Service Account Key'],
+    TAGMANAGER_ACCOUNT: ['Tag Manager Accounts', 'Tag Manager Account'],
+    TAGMANAGER_CONTAINER: ['Tag Manager Containers', 'Tag Manager Container'],
+    TAGMANAGER_PERMISSION: ['Tag Manager Permissions', 'Tag Manager Permission'],
+    TAGMANAGER_TAG: ['Tag Manager Tags', 'Tag Manager Tag'],
+    TAGMANAGER_WORKSPACE: ['Tag Manager Workspaces', 'Tag Manager Workspace'],
    TARGET_USER: ['Target Users', 'Target User'],
    TASK: ['Tasks', 'Task'],
    TASKLIST: ['Tasklists', 'Tasklist'],
@@ -738,6 +760,8 @@ class GamEntity():
    VAULT_OPERATION: ['Vault Operations', 'Vault Operation'],
    VAULT_QUERY: ['Vault Queries', 'Vault Query'],
    WEBCLIPS_ENABLED: ['Web Clips Enabled', 'Web Clips Enabled'],
+    WEB_MASTERSITE: ['Web Master Sites', 'Web Master Site'],
+    WEB_RESOURCE: ['Web Resources', 'Web Resource'],
    YOUTUBE_CHANNEL: ['YouTube Channels', 'YouTube Channel'],
    ROLE_MANAGER: ['Managers', 'Manager'],
    ROLE_MEMBER: ['Members', 'Member'],
--- a/src/gam/gamlib/glgapi.py
+++ b/src/gam/gamlib/glgapi.py
@@ -23,6 +23,7 @@
 ABORTED = 'aborted'
 ABUSIVE_CONTENT_RESTRICTION = 'abusiveContentRestriction'
 ACCESS_NOT_CONFIGURED = 'accessNotConfigured'
+ADMIN_CANNOT_UNSUSPEND = 'adminCannotUnsuspend'
 ALREADY_EXISTS = 'alreadyExists'
 APPLY_LABEL_FORBIDDEN = 'applyLabelForbidden'
 AUTH_ERROR = 'authError'
@@ -41,6 +42,7 @@ CANNOT_DELETE_PERMISSION = 'cannotDeletePermission'
 CANNOT_DELETE_PRIMARY_CALENDAR = 'cannotDeletePrimaryCalendar'
 CANNOT_DELETE_PRIMARY_SENDAS = 'cannotDeletePrimarySendAs'
 CANNOT_DELETE_RESOURCE_WITH_CHILDREN = 'cannotDeleteResourceWithChildren'
+CANNOT_MODIFY_INHERITED_PERMISSION = 'cannotModifyInheritedPermission'
 CANNOT_MODIFY_INHERITED_TEAMDRIVE_PERMISSION = 'cannotModifyInheritedTeamDrivePermission'
 CANNOT_MODIFY_RESTRICTED_LABEL = 'cannotModifyRestrictedLabel'
 CANNOT_MODIFY_VIEWERS_CAN_COPY_CONTENT = 'cannotModifyViewersCanCopyContent'
@@ -133,6 +135,7 @@ OPERATION_NOT_SUPPORTED = 'operationNotSupported'
 ORGANIZER_ON_NON_TEAMDRIVE_NOT_SUPPORTED = 'organizerOnNonTeamDriveNotSupported'
 ORGANIZER_ON_NON_TEAMDRIVE_ITEM_NOT_SUPPORTED = 'organizerOnNonTeamDriveItemNotSupported'
 ORGUNIT_NOT_FOUND = 'orgunitNotFound'
+OUTSIDE_DOMAIN_MEMBER_CANNOT_CHANGE_TEAMDRIVE_RESTRICTIONS = 'outsideDomainMemberCannotChangeTeamDriveRestrictions'
 OWNER_ON_TEAMDRIVE_ITEM_NOT_SUPPORTED = 'ownerOnTeamDriveItemNotSupported'
 OWNERSHIP_CHANGE_ACROSS_DOMAIN_NOT_PERMITTED = 'ownershipChangeAcrossDomainNotPermitted'
 PARTICIPANT_IS_NEITHER_ORGANIZER_NOR_ATTENDEE = 'participantIsNeitherOrganizerNorAttendee'
@@ -228,6 +231,7 @@ DRIVE3_CREATE_ACL_THROW_REASONS = [BAD_REQUEST, INVALID, INVALID_SHARING_REQUEST
                                   FILE_ORGANIZER_NOT_YET_ENABLED_FOR_THIS_TEAMDRIVE,
                                   FILE_ORGANIZER_ON_FOLDERS_IN_SHARED_DRIVE_ONLY,
                                   FILE_ORGANIZER_ON_NON_TEAMDRIVE_NOT_SUPPORTED,
+                                   CANNOT_MODIFY_INHERITED_PERMISSION,
                                   TEAMDRIVES_FOLDER_SHARING_NOT_SUPPORTED, INVALID_LINK_VISIBILITY, ABUSIVE_CONTENT_RESTRICTION]
 DRIVE3_GET_ACL_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND, FORBIDDEN, INTERNAL_ERROR,
                                                   INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, INSUFFICIENT_FILE_PERMISSIONS,
@@ -248,10 +252,10 @@ DRIVE3_UPDATE_ACL_THROW_REASONS = [BAD_REQUEST, INVALID_OWNERSHIP_TRANSFER, CANN
                                   FILE_ORGANIZER_ON_FOLDERS_IN_SHARED_DRIVE_ONLY,
                                   FILE_ORGANIZER_ON_NON_TEAMDRIVE_NOT_SUPPORTED,
                                   CANNOT_UPDATE_PERMISSION,
-                                   CANNOT_MODIFY_INHERITED_TEAMDRIVE_PERMISSION,
+                                   CANNOT_MODIFY_INHERITED_TEAMDRIVE_PERMISSION, CANNOT_MODIFY_INHERITED_PERMISSION,
                                   FIELD_NOT_WRITABLE, PERMISSION_NOT_FOUND]
 DRIVE3_DELETE_ACL_THROW_REASONS = [BAD_REQUEST, CANNOT_REMOVE_OWNER,
-                                   CANNOT_MODIFY_INHERITED_TEAMDRIVE_PERMISSION,
+                                   CANNOT_MODIFY_INHERITED_TEAMDRIVE_PERMISSION, CANNOT_MODIFY_INHERITED_PERMISSION,
                                   INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, SHARING_RATE_LIMIT_EXCEEDED,
                                   NOT_FOUND, PERMISSION_NOT_FOUND, CANNOT_DELETE_PERMISSION]
 DRIVE3_MODIFY_LABEL_THROW_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND, NOT_FOUND, FORBIDDEN, INTERNAL_ERROR,
@@ -273,17 +277,18 @@ GROUP_SETTINGS_THROW_REASONS = [NOT_FOUND, GROUP_NOT_FOUND, DOMAIN_NOT_FOUND, DO
                                INVALID, INVALID_ARGUMENT, INVALID_PARAMETER, INVALID_ATTRIBUTE_VALUE, INVALID_INPUT,
                                SERVICE_LIMIT, SERVICE_NOT_AVAILABLE, AUTH_ERROR, REQUIRED]
 GROUP_SETTINGS_RETRY_REASONS = [INVALID, SERVICE_LIMIT, SERVICE_NOT_AVAILABLE]
-GROUP_LIST_THROW_REASONS = [RESOURCE_NOT_FOUND, DOMAIN_NOT_FOUND, FORBIDDEN, BAD_REQUEST]
+GROUP_LIST_THROW_REASONS = [RESOURCE_NOT_FOUND, DOMAIN_NOT_FOUND, FORBIDDEN, BAD_REQUEST, PERMISSION_DENIED]
 GROUP_LIST_USERKEY_THROW_REASONS = GROUP_LIST_THROW_REASONS+[INVALID_MEMBER, INVALID_INPUT]
 KEEP_THROW_REASONS = [AUTH_ERROR, BAD_REQUEST, PERMISSION_DENIED, INVALID_ARGUMENT, NOT_FOUND]
 LOOKERSTUDIO_THROW_REASONS = [INVALID_ARGUMENT, SERVICE_NOT_AVAILABLE, BAD_REQUEST, NOT_FOUND, PERMISSION_DENIED, INTERNAL_ERROR]
-MEMBERS_THROW_REASONS = [GROUP_NOT_FOUND, DOMAIN_NOT_FOUND, DOMAIN_CANNOT_USE_APIS, INVALID, FORBIDDEN, SERVICE_NOT_AVAILABLE]
+MEMBERS_THROW_REASONS = [GROUP_NOT_FOUND, DOMAIN_NOT_FOUND, DOMAIN_CANNOT_USE_APIS, INVALID, FORBIDDEN, SERVICE_NOT_AVAILABLE, PERMISSION_DENIED]
 MEMBERS_RETRY_REASONS = [SYSTEM_ERROR, SERVICE_NOT_AVAILABLE]
 ORGUNIT_GET_THROW_REASONS = [INVALID_ORGUNIT, ORGUNIT_NOT_FOUND, BACKEND_ERROR, BAD_REQUEST, INVALID_CUSTOMER_ID, LOGIN_REQUIRED]
 PEOPLE_ACCESS_THROW_REASONS = [SERVICE_NOT_AVAILABLE, FORBIDDEN, PERMISSION_DENIED, FAILED_PRECONDITION]
 RESELLER_THROW_REASONS = [BAD_REQUEST, RESOURCE_NOT_FOUND, FORBIDDEN, INVALID]
 SHEETS_ACCESS_THROW_REASONS = DRIVE_USER_THROW_REASONS+[NOT_FOUND, PERMISSION_DENIED, FORBIDDEN, INTERNAL_ERROR, INSUFFICIENT_FILE_PERMISSIONS,
                                                        BAD_REQUEST, INVALID, INVALID_ARGUMENT, FAILED_PRECONDITION]
+TAGMANAGER_THROW_REASONS = [BAD_REQUEST, PERMISSION_DENIED, INVALID, NOT_FOUND, ACCESS_NOT_CONFIGURED]
 TASK_THROW_REASONS = [BAD_REQUEST, PERMISSION_DENIED, INVALID, NOT_FOUND, ACCESS_NOT_CONFIGURED]
 TASKLIST_THROW_REASONS = [BAD_REQUEST, PERMISSION_DENIED, INVALID, NOT_FOUND, ACCESS_NOT_CONFIGURED]
 USER_GET_THROW_REASONS = [USER_NOT_FOUND, DOMAIN_NOT_FOUND, DOMAIN_CANNOT_USE_APIS, FORBIDDEN, BAD_REQUEST, SYSTEM_ERROR]
@@ -364,6 +369,8 @@ class abusiveContentRestriction(Exception):
  pass
 class accessNotConfigured(Exception):
  pass
+class adminCannotUnsuspend(Exception):
+  pass
 class alreadyExists(Exception):
  pass
 class applyLabelForbidden(Exception):
@@ -398,6 +405,8 @@ class cannotDeletePrimarySendAs(Exception):
  pass
 class cannotDeleteResourceWithChildren(Exception):
  pass
+class cannotModifyInheritedPermission(Exception):
+  pass
 class cannotModifyInheritedTeamDrivePermission(Exception):
  pass
 class cannotModifyRestrictedLabel(Exception):
@@ -574,6 +583,8 @@ class organizerOnNonTeamDriveItemNotSupported(Exception):
  pass
 class orgunitNotFound(Exception):
  pass
+class outsideDomainMemberCannotChangeTeamDriveRestrictions(Exception):
+  pass
 class ownerOnTeamDriveItemNotSupported(Exception):
  pass
 class ownershipChangeAcrossDomainNotPermitted(Exception):
@@ -681,6 +692,7 @@ REASON_EXCEPTION_MAP = {
  ABORTED: aborted,
  ABUSIVE_CONTENT_RESTRICTION: abusiveContentRestriction,
  ACCESS_NOT_CONFIGURED: accessNotConfigured,
+  ADMIN_CANNOT_UNSUSPEND: adminCannotUnsuspend,
  ALREADY_EXISTS: alreadyExists,
  APPLY_LABEL_FORBIDDEN: applyLabelForbidden,
  AUTH_ERROR: authError,
@@ -698,6 +710,7 @@ REASON_EXCEPTION_MAP = {
  CANNOT_DELETE_PRIMARY_CALENDAR: cannotDeletePrimaryCalendar,
  CANNOT_DELETE_PRIMARY_SENDAS: cannotDeletePrimarySendAs,
  CANNOT_DELETE_RESOURCE_WITH_CHILDREN: cannotDeleteResourceWithChildren,
+  CANNOT_MODIFY_INHERITED_PERMISSION: cannotModifyInheritedPermission,
  CANNOT_MODIFY_INHERITED_TEAMDRIVE_PERMISSION: cannotModifyInheritedTeamDrivePermission,
  CANNOT_MODIFY_RESTRICTED_LABEL: cannotModifyRestrictedLabel,
  CANNOT_MODIFY_VIEWERS_CAN_COPY_CONTENT: cannotModifyViewersCanCopyContent,
@@ -786,6 +799,7 @@ REASON_EXCEPTION_MAP = {
  ORGANIZER_ON_NON_TEAMDRIVE_NOT_SUPPORTED: organizerOnNonTeamDriveNotSupported,
  ORGANIZER_ON_NON_TEAMDRIVE_ITEM_NOT_SUPPORTED: organizerOnNonTeamDriveItemNotSupported,
  ORGUNIT_NOT_FOUND: orgunitNotFound,
+  OUTSIDE_DOMAIN_MEMBER_CANNOT_CHANGE_TEAMDRIVE_RESTRICTIONS: outsideDomainMemberCannotChangeTeamDriveRestrictions,
  OWNER_ON_TEAMDRIVE_ITEM_NOT_SUPPORTED: ownerOnTeamDriveItemNotSupported,
  OWNERSHIP_CHANGE_ACROSS_DOMAIN_NOT_PERMITTED: ownershipChangeAcrossDomainNotPermitted,
  PARTICIPANT_IS_NEITHER_ORGANIZER_NOR_ATTENDEE: participantIsNeitherOrganizerNorAttendee,
--- a/src/gam/gamlib/glmsgs.py
+++ b/src/gam/gamlib/glmsgs.py
@@ -184,8 +184,8 @@ ALREADY_EXISTS_IN_TARGET_FOLDER = 'Already exists in {0}: {1}'
 ALREADY_EXISTS_USE_MERGE_ARGUMENT = 'Already exists; use the "merge" argument to merge the labels'
 API_ACCESS_DENIED = 'API access Denied'
 API_CALLS_RETRY_DATA = 'API calls retry data\n'
-API_CHECK_CLIENT_AUTHORIZATION = 'Please make sure the Client ID: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam oauth create\n'
-API_CHECK_SVCACCT_AUTHORIZATION = 'Please make sure the Service Account Client ID: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam user {2} update serviceaccount\n'
+API_CHECK_CLIENT_AUTHORIZATION = 'Please make sure the Client ID: {0} is authorized for the appropriate API or scopes: {1}\n\nRun: gam oauth create\n'
+API_CHECK_SVCACCT_AUTHORIZATION = 'Please make sure the Service Account Client ID: {0} is authorized for the appropriate API or scopes: {1}\n\nRun: gam user {2} update serviceaccount\n'
 API_ERROR_SETTINGS = 'API error, some settings not set'
 ARE_BOTH_REQUIRED = 'Arguments {0} and {1} are both required'
 ARE_MUTUALLY_EXCLUSIVE = 'Arguments {0} and {1} are mutually exclusive'
@@ -309,6 +309,7 @@ INVALID_ALIAS = 'Invalid Alias'
 INVALID_ATTENDEE_CHANGE = 'Invalid attendee change "{0}"'
 INVALID_CHARSET = 'Invalid charset "{0}"'
 INVALID_DATE_TIME_RANGE = '{0} {1} must be greater than/equal to {2} {3}'
+INVALID_EMOJI_NAME = '{0} does not match pattern :[0-9a-z_-]:'
 INVALID_ENTITY = 'Invalid {0}, {1}'
 INVALID_EVENT_TIMERANGE = '{0} {1} must be less than {2}'
 INVALID_FILE_SELECTION_WITH_ADMIN_ACCESS = 'Invalid file selection with adminaccess|asadmin'
@@ -424,7 +425,7 @@ NO_LABELS_TO_PROCESS = 'No Labels to process'
 NO_MESSAGES_WITH_LABEL = 'No Messages with Label'
 NO_PARENTS_TO_CONVERT_TO_SHORTCUTS = 'No parents to convert to shortcuts'
 NO_REPORT_AVAILABLE = 'No {0} report available.'
-NO_SCOPES_FOR_API = 'There are no scopes authorized for the {0}'
+NO_SCOPES_FOR_API = 'There are no scopes authorized for the API(s): {0}'
 NO_SERIAL_NUMBERS_SPECIFIED = 'No serial numbers specified'
 NO_SSO_PROFILE_MATCHES = 'No SSO profile matches display name {0}'
 NO_SSO_PROFILE_ASSIGNED = 'No SSO profile assigned to {0} {1}'
@@ -432,6 +433,7 @@ NO_SVCACCT_ACCESS_ALLOWED = 'No Service Account Access allowed'
 NO_TRANSFER_LACK_OF_DISK_SPACE = 'Transfer not performed due to lack of target drive space.'
 NO_USAGE_PARAMETERS_DATA_AVAILABLE = 'No usage parameters data available.'
 NO_USER_COUNTS_DATA_AVAILABLE = 'No User counts data available.'
+NUM_SELECTED_CLIENT_SCOPES = '\n{0} scopes are selected, if more than {1} scopes are selected, Google will probably generate a "Something went wrong" error\n'
 OAUTH2_GO_TO_LINK_MESSAGE = """
 Go to the following link in a browser on this computer or on another computer:

@@ -463,6 +465,7 @@ PROCESSING_ITEM_N = '{0},0,Processing item {1}\n'
 PROCESSING_ITEM_N_OF_M = '{0},0,Processing item {1}/{2}\n'
 PROFILE_PHOTO_NOT_FOUND = 'Profile photo not found'
 PROFILE_PHOTO_IS_DEFAULT = 'Profile photo is default'
+QUOTA_EXCEEDED = 'Quota exceeded'
 REASON_ONLY_VALID_WITH_CONTENTRESTRICTIONS_READONLY_TRUE = 'reason only valid with contentrestrictions readonly true'
 REAUTHENTICATION_IS_NEEDED = 'Reauthentication is needed, please run\n\ngam oauth create'
 RECOMMEND_RUNNING_GAM_ROTATE_SAKEY = 'Recommend running "gam rotate sakey" to get a new key\n'
--- a/src/gam/gamlib/glskus.py
+++ b/src/gam/gamlib/glskus.py
@@ -107,6 +107,8 @@ _SKUS = {
    'product': '101047', 'aliases': ['aisecurity'], 'displayName': 'AI Security'},
  '1010470007': {
    'product': '101047', 'aliases': ['aimeetingsandmessaging'], 'displayName': 'AI Meetings and Messaging'},
+  '1010470008': {
+    'product': '101047', 'aliases': ['geminiultra'], 'displayName': 'Google AI Ultra for Business'},
  '1010490001': {
    'product': '101049', 'aliases': ['eeu'], 'displayName': 'Endpoint Education Upgrade'},
  '1010500001': {
--- a/src/requirements.txt
+++ b/src/requirements.txt
@@ -1,14 +0,0 @@
-chardet>=5.2.0
-cryptography>=44.0.2
-distro; sys_platform=='linux'
-filelock>=3.18.0
-google-api-python-client>=2.167.0
-google-auth-httplib2>=0.2.0
-google-auth-oauthlib>=1.2.2
-google-auth>=2.39.0
-httplib2>=0.22.0
-lxml>=5.4.0
-passlib>=1.7.4
-pathvalidate>=3.2.3
-python-dateutil
-yubikey-manager>=5.6.1
--- a/src/setup.cfg
+++ b/src/setup.cfg
@@ -1,55 +0,0 @@
-[metadata]
-name = GAM for Google Workspace
-version = attr: gam.var.GAM_VERSION
-description = Command line management for Google Workspaces
-long_description = file: readme.md
-long_description_content_type = text/markdown
-url = https://github.com/GAM-team/GAM
-author = GAM Team 
-author_email = google-apps-manager@googlegroups.com
-license = Apache
-license_files = LICENSE
-keywords = google, oauth2, gsuite, google-apps, google-admin-sdk, google-drive, google-cloud, google-calendar, gam, google-api, oauth2-client, google-workspace
-classifiers =
-    Programming Language :: Python :: 3
-    Programming Language :: Python :: 3 :: Only
-    Programming Language :: Python :: 3.9
-    Programming Language :: Python :: 3.10
-    Programming Language :: Python :: 3.11
-    Programming Language :: Python :: 3.12
-    Programming Language :: Python :: 3.13
-    License :: OSI Approved :: Apache License
-
-[options]
-packages = find:
-python_requires = >= 3.9
-# The following files should be edited to match: pyproject.toml, requirements.txt
-install_requires =
-    chardet >= 5.2.0
-    cryptography >= 44.0.2
-    distro; sys_platform == 'linux'
-    filelock >= 3.18.0
-    google-api-python-client >= 2.167.0
-    google-auth-httplib2 >= 0.2.0
-    google-auth-oauthlib >= 1.2.2
-    google-auth >= 2.39.0
-    httplib2 >= 0.22.0
-    lxml >= 5.4.0
-    passlib >= 1.7.4
-    pathvalidate >= 3.2.3
-    python-dateutil
-    yubikey-manager >= 5.6.1
-
-[options.package_data]
-* = *.pem
-
-# used during pip install .[test]
-[options.extras_require]
-test = pre-commit
-
-[options.entry_points]
-console_scripts =
-    gam = gam.__main__:main
-
-[bdist_wheel]
-universal = True
--- a/src/setup.py
+++ b/src/setup.py
@@ -1,3 +0,0 @@
-from setuptools import setup
-
-setup()
--- a/src/tools/ssd.mjs
+++ b/src/tools/ssd.mjs
@@ -0,0 +1,125 @@
+// Node.js script that implements an Appium client which will launch
+// Simply Sign Desktop app and log a user in. Once logged in it should
+// be possible to use tools like signtool.exe to sign Windows EXE/MSI files
+// with the Certum certificate.
+
+import { Key, remote } from 'webdriverio';
+import { exec } from 'child_process';
+import { TOTP } from 'totp-generator';
+
+async function screenshot(driver, filename) {
+  // uncomment to save .png screenshots
+  //await driver.saveScreenshot(filename);
+  return
+}
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+async function executeCommand(command) {
+  try {
+    let { stdout, stderr } = await exec(command);
+    return stdout;
+  } catch (error) {
+    console.error(`Error executing command: ${command}`);
+    console.error(`Error details: ${error}`);
+    throw error; 
+  }
+}
+
+async function runSSD() {
+    const opts = {
+        port: 4723,
+        logLevel: "silent",
+        capabilities: {
+            platformName: "Windows",
+            "appium:app": "C:\\Program Files\\Certum\\SimplySign Desktop\\SimplySignDesktop.exe",
+            "appium:automationName": "Windows",
+        },
+    };
+
+    let driver;
+    try {
+        driver = await remote(opts);
+        
+        // Github Actions Win ARM64 is stuck on a OOB screen that steals focus
+        // These enter / escapes should dismiss it.
+        const runner_arch =  process.env.RUNNER_ARCH;
+        if ( runner_arch === "ARM64" ) {
+          console.log('Running on ARM64...');
+          await sleep(3000); // Pause execution for 3 seconds
+          await screenshot(driver, 'oob1.png');
+          await driver.sendKeys([Key.Enter]);
+          await sleep(3000); // Pause execution for 3 seconds
+          await screenshot(driver, 'oob2.png');
+          await driver.sendKeys([Key.Enter]);
+          await sleep(3000); // Pause execution for 3 seconds
+          await screenshot(driver, 'oob3.png');
+          await driver.sendKeys([Key.Escape]);
+          await screenshot(driver, 'oob6.png');
+        } else {
+          console.log('NOT running on ARM64');
+        }
+
+        //  Execute SSD again to open login dialog
+        exec('"C:\\Program Files\\Certum\\SimplySign Desktop\\SimplySignDesktop.exe"', (error, stdout, stderr) => {
+          if (error) {
+            console.error(`exec error: ${error}`);
+            return;
+          }
+        });
+        await sleep(3000);
+
+        // Login
+        const windows = await driver.getWindowHandles();
+        const login_window = windows[0]
+        await driver.switchWindow(login_window);
+        await screenshot(driver, 'login01.png');
+        const id_value = 'jay0lee@gmail.com';
+        const id_arr =  [...id_value];
+        await driver.sendKeys(id_arr);
+        await screenshot(driver, 'login02.png');
+        await driver.sendKeys([Key.Tab]);
+        // We wait until the last possible second to generate
+        // our TOTP to ensure it's still valid.
+        const token_value = TOTP.generate(process.env.TOTP_SECRET, {algorithm: 'SHA-256'}).otp;
+        const token_arr =  [...token_value];
+        await driver.sendKeys(token_arr);
+        await screenshot(driver, 'login03.png');
+        await driver.sendKeys([Key.Enter]);
+
+        // TODO: it's expected that on successful login the window
+        // will close and these screenshots will error out. Figure
+        // out how to handle that gracefully.
+        await screenshot(driver, 'login04.png');
+        await sleep(500);
+        await screenshot(driver, 'login05.png');
+        await sleep(500);
+        await screenshot(driver, 'login06.png');
+        await sleep(500);
+        await screenshot(driver, 'login07.png');
+        await sleep(500);
+        await screenshot(driver, 'login08.png');
+        await sleep(500);
+        await screenshot(driver, 'login09.png');
+        await sleep(500);
+        await screenshot(driver, 'login10.png');
+        await sleep(500);
+        await screenshot(driver, 'login11.png');
+        await sleep(500);
+        await screenshot(driver, 'login12.png');
+
+    } catch (error) {
+        console.error("Error during Appium run:", error.name);
+    }
+
+    // INTENTIONAL Keep driver open so tray icon for Certum doesn't close
+    // finally {
+    //    if (driver) {
+    //        await driver.deleteSession(); // Close the Appium session
+    //    }
+    //}
+}
+
+runSSD();
--- a/wiki/Administrators.md
+++ b/wiki/Administrators.md
@@ -9,6 +9,7 @@
 - [Display administrators](#display-administrators)
 - [Copy privileges from one role to a new role](#copy-privileges-from-one-role-to-a-new-role)
 - [Copy roles from one administrator to another](#copy-roles-from-one-administrator-to-another)
+- [Copy non-system admin roles from a source workspace to a target workspace](#copy-non-system-admin-roles-from-a-source-workspace-to-a-target-workspace)

 ## API documentation
 * [About Administrator roles](https://support.google.com/a/answer/33325?ref_topic=4514341)
@@ -21,13 +22,16 @@
 <DomainName> ::= <String>(.<String>)+
 <EmailAddress> ::= <String>@<DomainName>
 <GroupItem> ::= <EmailAddress>|<UniqueID>|<String>
+<JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |
 <OrgUnitID> ::= id:<String>
 <OrgUnitPath> ::= /|(/<String)+
 <OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>
 <Privilege> ::= <String>
 <PrivilegeList> ::= "<Privilege>(,<Privilege)*"
 <RoleAssignmentID> ::= <String>
-<RoleItem> ::= id:<String>|uid:<String>|<String>
+<RoleID> ::= <String>
+<RoleName> ::= <String>
+<RoleItem> ::= id:<RoleID>|<RoleName>
 <UniqueID> ::= id:<String>
 <UserItem> ::= <EmailAddress>|<UniqueID>|<String>
 ```
@@ -1383,9 +1387,11 @@ Show 111 Privileges
 ## Manage administrative roles
 ```
 gam create adminrole <String> [description <String>]
-        privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>>)
+        privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>>)|<JSONData>
+        [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*]
 gam update adminrole <RoleItem> [name <String>] [description <String>]
-        [privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>>)] 
+        [privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>>)|<JSONData>] 
+        [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*]
 gam delete adminrole <RoleItem>
 ```
 * `privileges all` - All defined privileges
@@ -1393,24 +1399,61 @@ gam delete adminrole <RoleItem>
 * `privileges <PrivilegeList>` - A specific list of privileges
 * `privileges select <FileSelector>|<CSVFileSelector>>` - A collection of privileges from a flat or CSV file

+By default, when an admin role is created|update, GAM displays `<RoleName>(<RoleID>) created|updated`.
+* `csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]` - Output the admin roledetails in CSV format.
+
+When `csv` is uused, Add additional columns of data from the command line to the output.
+* `addcsvdata <FieldName> <String>`
+
 ## Display administrative roles
 ```
 gam info adminrole <RoleItem> [privileges]
+        [formatjson]
 ```
 * `privileges` - Display privileges associated with role
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam show adminroles|roles
+        [role <RoleItem>] [privileges]
+	[nosystemroles]
+	[formatjson]
+```
+* `privileges` - Display privileges associated with each role
+
+By default, all roles are displayed:
+* `role <RoleItem>` - Display a specific role.
+* `nosystemroles` - Display onnly non-system roles.
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
 ```
 gam print adminroles|roles [todrive <ToDriveAttribute>*]
        [role <RoleItem>] [privileges] [oneitemperrow]
-gam show adminroles|roles
-        [role <RoleItem>] [privileges]
+        [nosystemroles]
+        [formatjson [quotechar <Character>]]
 ```
-By default, all roles are displayed, use `role <RoleItem>` to display a specific role.
-
 * `privileges` - Display privileges associated with each role

-By default, with `print`, all privileges for a role are shown on one row as a repeating item.
+By default, all privileges for a role are shown on one row as a repeating item.
 When `oneitemperrow` is specified, each privilege is output on a separate row/line with the other role fields.

+By default, all roles are displayed:
+* `role <RoleItem>` - Display a specific role.
+* `nosystemroles` - Display onnly non-system roles.
+
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
 ## Create an administrator
 Add an administrator role to an administrator.
 ```
@@ -1469,3 +1512,15 @@ gam config csv_input_row_filter "scopeType:regex:CUSTOMER" redirect stdout ./Upd
 gam config csv_input_row_filter "scopeType:regex:ORG_UNIT" redirect stdout ./UpdateNewAdminOrgUnitRoles.txt multiprocess redirect stderr stdout csv CurrentAdminRoles.csv gam create admin newadmin@domain.com "id:~~roleId~~" org_unit "id:~~orgUnitId~~"
 ```

+## Copy non-system admin roles from a source workspace to a target workspace
+This requires GAM version 7.18.01 or higher.
+
+In the source workspace to the following:
+```
+gam redirect csv ./SourceNonSystemRoles.csv print adminroles privileges nosystemroles formatjson quotechar "'"
+```
+
+In the target workspacce do the following:
+```
+gam redirect csv ./TargetNonSystemRoles.csv multiprocess quotechar "'"  redirect stderr - multiprocess csv SourceNonSystemRoles.csv quotechar "'" gam create adminrole "~roleName" description "~roleDescription" privileges json "~JSON" csv addcsvdata oldRoleId "~roleId" formatjson
+```
--- a/wiki/Alert-Center.md
+++ b/wiki/Alert-Center.md
@@ -7,6 +7,7 @@
 - [Display alerts](#display-alerts)
 - [Manage alert feedback](#manage-alert-feedback)
 - [Display alert feedback](#display-alert-feedback)
+- [Configuring settings](#configuring-settings)

 ## API documentation
 * [Alert Center API](https://developers.google.com/admin-sdk/alertcenter/reference/rest/)
@@ -18,6 +19,7 @@
 ## Definitions
 ```
 <AlertID> ::= <String>
+<PubSubTopicName> ::= <String>
 <QueryAlert> ::= <String> See: https://developers.google.com/admin-sdk/alertcenter/guides/query-filters
 ```
 ## Introduction
@@ -95,3 +97,15 @@ the quote character itself, the column delimiter (comma by default) and new-line
 When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+## Configuring settings
+
+Alert Center can be configured to send notifications to a Google Cloud Pub/Sub topic, but it first requires configuration.
+* See https://developers.google.com/workspace/admin/alertcenter/guides/notifications for information.
+
+Gam can be used to display or modify the settings:
+```
+gam show alertsettings
+gam update alertsettings <PubSubTopicName>
+gam clear alertsettings
+```
--- a/wiki/Authorization.md
+++ b/wiki/Authorization.md
@@ -5,7 +5,7 @@
 - [Python Regular Expressions](Python-Regular-Expressions)
 - [Definitions](#definitions)
 - [Manage Projects](#manage-projects)
-  - [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
+  - [Authorize a user to create projects](#authorize-a-user-to-create-projects)
  - [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
  - [Authorize GAM to create projects](#authorize-gam-to-create-projects)
  - [Create a new GCP project folder](#create-a-new-gcp-project-folder)
@@ -74,11 +74,6 @@ Verify that all scopes are available:
 * Select "ON for everyone"
 * Click "SAVE"

-Verify that internal apps are trusted.
-* Access the admin console and go to Security -> Access and data control -> API Controls
-* Check that "Trust internal, domain-owned apps" is present in the **Settings** section
-* Click "SAVE"
-
 If you run a Google Workspace Education SKU, verify that Classroom API is enabled if required.
 * Access the admin console and go to Apps -> Google Workspace - Classroom
 * Expand "Data access"
@@ -110,12 +105,13 @@ Verify whether the super admin you'll be using is in an OU where reauthenticatio
 * Access the admin console and go to Security -> Overview
 * Scroll down and open Google Cloud session control section
 * Select the OU containing the super admin
-* If Require reauthentication is selected and Exempt Trusted apps is not checked, you'll have to do `gam oauth create` at whatever frequency is specified
-* If that sounds unappealing, check Exempt Trusted apps
-* Click "OVERRIDE"
+* If Require reauthentication is selected, you'll need either:
+  * uncheck Google Cloud Storage and any other GCP APIs that you selected on `gam oauth create` (reauth is only necessary for GCP APIs)
+  * enable "Exempt Trusted apps"
+  * rerun `gam oauth create` at whatever frequency is specified

 Additional steps may be required if errors are encountered.
-* [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
+* [Authorize a user to create projects](#authorize-a-user-to-create-projects)
 * [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
 * [Authorize GAM to create projects](#authorize-gam-to-create-projects)

@@ -169,8 +165,8 @@ For `print|show projects`, you can eliminate the password prompt and authenticat
 gam print projects admin admin@domain.com
 ```

-## Authorize a super admin to create projects
-If you try to create a project and get an error saying that the admin you specified is not authorized to create projects,
+## Authorize a user to create projects
+If you try to create a project and get an error saying that the user you specified is not authorized to create projects,
 perform these steps and then retry the create project command.

 * Login as an existing super admin at console.cloud.google.com
@@ -184,13 +180,12 @@ perform these steps and then retry the create project command.
 * Click in the Select a role box
 * Type project creator in the Filter box
 * Click Project Creator
-* Click + Add Another Role
-* Type orgpolicy.policyAdmin in the Filter box
-* Click Organization Policy Administrator
 * Click Save

 ## Authorize Service Account Key Uploads

+*IMPORTANT:* Google best practice is to NOT use service account keys. Rather than overriding Google's default policy please consider [running GAM on Google Compute Engine Securely](https://github.com/GAM-team/GAM/wiki/l-Running-GAM-on-Google-Compute-Engine-(GCE)-Securely) so that service account keys are not necessary.
+
 If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload violated for service account projects/gam-project-xxxxx`,
 perform these steps and then you should be able to authorize and use your project.

--- a/wiki/Basic-Items.md
+++ b/wiki/Basic-Items.md
@@ -96,7 +96,7 @@
        banana|basil|blueberry|flamingo|graphite|grape|
        lavender|peacock|sage|tangerine|tomato
 <FileFormat> ::=
-        csv|doc|dot|docx|dotx|epub|html|jpeg|jpg|mht|odp|ods|odt|
+        csv|doc|dot|docx|dotx|epub|html|jpeg|jpg|json|mht|odp|ods|odt|
        pdf|png|ppt|pot|potx|pptx|rtf|svg|tsv|txt|xls|xlt|xlsx|xltx|zip|
        ms|microsoft|openoffice|
 <LabelColorHex> ::=
@@ -278,10 +278,15 @@
        domain:<DomainName>|domain|default
 <CalendarItem> ::= <EmailAddress>
 <ChannelCustomerID> ::= <String>
+<ChatEmojiName> ::= :[0-9a-z_-]+:
+<ChatEmoji> ::= emojiname <ChatEmojiName> | customemojis/<String>
 <ChatMember> ::= spaces/<String>/members/<String>
 <ChatMessage> ::= spaces/<String>/messages/<String>
 <ChatSpace> ::= spaces/<String> | space <String> | space spaces/<String>
 <ChatThread> ::= spaces/<String>/threads/<String>
+<ChromeProfilePermanentID> ::= <String>
+<ChromeProfileName> ::= customers/<CustomerID>/profiles/<ChromeProfilePermanentID> | <ChromeProfilePermanentID>
+<ChromeProfileCommandName> ::= <ChomeProfileName>/commands/<String>
 <GIGroupAlias> ::= <EmailAddress>
 <GIGroupItem> ::= <EmailAddress>|<UniqueID>|groups/<String>
 <CIGroupMemberType> ::= cbcmbrowser|chromeosdevice|customer|group|other|serviceaccount|user
@@ -300,6 +305,11 @@
 <ContactGroupItem> ::= <ContactGroupID>|<ContactGroupName>
 <CorporaAttribute> ::= alldrives|allteamdrives|domain|onlyteamdrives|user
 <CourseAlias> ::= <String>
+<CourseAnnouncementContent> ::=
+        ((text <String>)|
+         (textfile <FileName> [charset <Charset>])|
+         (gdoc <UserGoogleDoc>)|
+         (gcsdoc <StorageBucketObjectName>))
 <CourseAnnouncementID> ::= <Number>
 <CourseAnnouncementState> ::= draft|published|deleted
 <CourseID> ::= <Number>|d:<CourseAlias>
@@ -426,6 +436,7 @@
        Must match this Python Regular Expression: [a-zA-Z0-9 '"!-]{4,30}
 <PropertyKey> ::= <String>
 <PropertyValue> ::= <String>
+<PubSubTopicName> ::= <String>
 <QueryAlert> ::= <String>
        See: https://developers.google.com/admin-sdk/alertcenter/guides/query-filters
 <QueryBrowser> ::= <String>
@@ -509,6 +520,14 @@
        gs://<StorageBucketName>/<StorageObjectName>|
        <StorageBucketName>/<StorageObjectName>
 <Tag> ::= <String>
+<TagManagerAccountID> ::= <String>
+<TagManagerAccountPath> ::= accounts/<TagManagerAccountID>
+<TagManagerContainerID> ::= <String>
+<TagManagerContainerPath> ::= accounts/<TagManagerAccountID>/containers/<TagManagerContainerID>
+<TagManagerWorkspaceID> ::= <String>
+<TagManagerWorkspacePath> ::= accounts/<TagManagerAccountID>/containers/<TagManagerContainerID>/workspaces/<TagManagerWorkspaceID>
+<TagManagerTagID> ::= <String>
+<TagManagerTagPath> ::= accounts/<TagManagerAccountID>/containers/<TagManagerContainerID>/workspaces/<TagManagerWorkspaceID>/tags/<TagManagerTagID>
 <TakeoutBucketName> ::= takeout-export-[a-f,0-9,-]*
 <TaskID> ::= <String>
 <TaskListID> ::= <String>
--- a/wiki/Business-Account-Management.md
+++ b/wiki/Business-Account-Management.md
@@ -0,0 +1,36 @@
+# Users - Business Account Management
+- [API documentation](#api-documentation)
+- [Introduction](#introduction)
+- [Definitions](#definitions)
+- [Display Business Profile Accounts](#display-business-profile-accounts)
+
+## API documentation
+* [Business Account Management](https://developers.google.com/my-business/reference/accountmanagement/rest)
+
+
+## Introduction
+These features were added in version 7.18.00.
+
+To use these commands you add the 'Business Account Management API' to your project and update client authorization.
+```
+gam update project
+gam oauth create
+...
+[*]  0)  Business Account Management API
+
+```
+## Definitions
+* [`<UserTypeEntity>`](Collections-of-Users)
+
+## Display Business Profile Accounts
+```
+gam <UserItem> show businessprofileaccounts
+        [type locationgroup|organization|personal|usergroup]
+```
+Gam displays the information as an indented list of keys and values.
+
+```
+gam <UserItem> print businessprofileaccounts [todrive <ToDriveAttribute>*]
+        [type locationgroup|organization|personal|usergroup]
+```
+Gam displays the information as columns of fields.
--- a/wiki/Chat-Bot-Setup-Use.md
+++ b/wiki/Chat-Bot-Setup-Use.md
@@ -1,4 +1,4 @@
-# Chat Bot
+# Chat Bot Setup and Use
 - [Introduction](#introduction)
 - [Set up a Chat Bot](#set-up-a-chat-bot)
 - [API documentation](#api-documentation)
@@ -40,6 +40,7 @@ GAM is capable of acting as a Chat Bot and sending messages to Chat Rooms or dir
 Even if you're not going to use GAM as a Chat Bot, you have to configure a Chat Bot as it is required by the Chat API in [Users - Chat](Users-Chat).

 * Run the command `gam setup chat`; it will point you to a URL to configure your Chat Bot.
+* Uncheck "Build this Chat app as a Workspace add-on."
 * Enter an App name and Description of your choosing.
 * For the Avatar URL you can use `https://dummyimage.com/384x256/4d4d4d/0011ff.png&text=+GAM` or a public URL to an image of your own choosing.
 * In Functionality, uncheck both "Receive 1:1 messages" and "Join spaces and group conversations"
--- a/wiki/Chrome-Policies.md
+++ b/wiki/Chrome-Policies.md
@@ -239,6 +239,10 @@ bookmarks.json

 gam update chromepolicy chrome.users.ManagedBookmarksSetting  json file bookmarks.json orgunit "/Students/
 ```
+Allowlist the Google Translate extension for the Students OrgUnit
+```
+gam update chromepolicy chrome.users.apps.InstallType appInstallType ALLOWED app_id chrome:aapbdbdomjkkjkaonfhkkikfgjllcleb ou "/Students"
+```

 ## Delete Chrome policy
 You can delete a policy for all devices/users within an OU, users with a group or for a specific printer or application within an OU.
@@ -603,8 +607,7 @@ chrome.devices.DeviceAllowEnterpriseRemoteAccessConnections: Enterprise remote a
    false: Prevent remote access connections from enterprise admins.

 chrome.devices.DeviceAuthenticationFlowAutoReloadInterval: Automatic online sign-in / lock screen refresh.
-  deviceAuthenticationFlowAutoReloadInterval
-    duration: TYPE_INT64
+  deviceAuthenticationFlowAutoReloadInterval: TYPE_INT64

 chrome.devices.DeviceAuthenticationUrlAllowlist: Blocked URL exceptions on the sign-in / lock screens.
  deviceAuthenticationUrlAllowlist: TYPE_LIST
@@ -846,10 +849,8 @@ chrome.devices.DeviceScreensaverLoginScreenEnabled: Screen saver.
    false: Don't display screen saver when idle.
  deviceScreensaverLoginScreenImages: TYPE_LIST
    Screen saver image URLs. Enter one URL per line. Images must be in JPG format(.jpg or .jpeg files.
-  deviceScreensaverLoginScreenIdleTimeoutSeconds
-    duration: TYPE_INT64
-  deviceScreensaverLoginScreenImageDisplayIntervalSeconds
-    duration: TYPE_INT64
+  deviceScreensaverLoginScreenIdleTimeoutSeconds: TYPE_INT64
+  deviceScreensaverLoginScreenImageDisplayIntervalSeconds: TYPE_INT64

 chrome.devices.DeviceScreenSettings: Screen settings.
  allowUserDisplayChanges: TYPE_BOOL
@@ -1042,16 +1043,13 @@ chrome.devices.EnableReportDeviceUsers: Report device user tracking.
    false: Disable tracking recent users.

 chrome.devices.EnableReportUploadFrequency: Device status report upload frequency.
-  reportDeviceUploadFrequency
-    duration: TYPE_STRING
+  reportDeviceUploadFrequency: TYPE_INT64

 chrome.devices.EnableReportUploadFrequencyV2: Device status report upload frequency.
-  reportDeviceUploadFrequency
-    duration: TYPE_INT64
+  reportDeviceUploadFrequency: TYPE_INT64

 chrome.devices.ExtensionCacheSize: Apps and extensions cache size.
-  extensionCacheSize
-    value: TYPE_INT64
+  extensionCacheSize: TYPE_INT64

 chrome.devices.ForcedReenrollment: Forced re-enrollment.
  reenrollmentMode: TYPE_ENUM
@@ -1101,34 +1099,26 @@ chrome.devices.kiosk.AccessibilityShortcutsEnabled: Kiosk accessibility shortcut
    ACCESSIBILITY_ENABLED: Enable accessibility shortcuts.

 chrome.devices.kiosk.AcPowerSettings: AC Kiosk power settings.
-  acIdleTimeout
-    duration: TYPE_STRING
-  acWarningTimeout
-    duration: TYPE_STRING
+  acIdleTimeout: TYPE_INT64
+  acWarningTimeout: TYPE_INT64
  acIdleAction: TYPE_ENUM
    IDLE_ACTION_SUSPEND: Sleep.
    IDLE_ACTION_LOGOUT: Logout.
    IDLE_ACTION_SHUTDOWN: Shutdown.
    IDLE_ACTION_DO_NOTHING: Do nothing.
-  acDimTimeout
-    duration: TYPE_STRING
-  acScreenOffTimeout
-    duration: TYPE_STRING
+  acDimTimeout: TYPE_INT64
+  acScreenOffTimeout: TYPE_INT64

 chrome.devices.kiosk.AcPowerSettingsV2: AC Kiosk power settings.
-  acIdleTimeout
-    duration: TYPE_INT64
-  acWarningTimeout
-    duration: TYPE_INT64
+  acIdleTimeout: TYPE_INT64
+  acWarningTimeout: TYPE_INT64
  acIdleAction: TYPE_ENUM
    IDLE_ACTION_SUSPEND: Sleep.
    IDLE_ACTION_LOGOUT: Logout.
    IDLE_ACTION_SHUTDOWN: Shutdown.
    IDLE_ACTION_DO_NOTHING: Do nothing.
-  acDimTimeout
-    duration: TYPE_INT64
-  acScreenOffTimeout
-    duration: TYPE_INT64
+  acDimTimeout: TYPE_INT64
+  acScreenOffTimeout: TYPE_INT64

 chrome.devices.kiosk.Alerting: Kiosk device status alerting delivery.
  deviceStatusAlertDeliveryModes: TYPE_LIST
@@ -1217,34 +1207,26 @@ chrome.devices.kiosk.AutoclickEnabled: Kiosk auto-click enabled.
    ACCESSIBILITY_ENABLED: Enable auto-click.

 chrome.devices.kiosk.BatteryPowerSettings: Battery Kiosk power settings.
-  batteryIdleTimeout
-    duration: TYPE_STRING
-  batteryWarningTimeout
-    duration: TYPE_STRING
+  batteryIdleTimeout: TYPE_INT64
+  batteryWarningTimeout: TYPE_INT64
  batteryIdleAction: TYPE_ENUM
    IDLE_ACTION_SUSPEND: Sleep.
    IDLE_ACTION_LOGOUT: Logout.
    IDLE_ACTION_SHUTDOWN: Shutdown.
    IDLE_ACTION_DO_NOTHING: Do nothing.
-  batteryDimTimeout
-    duration: TYPE_STRING
-  batteryScreenOffTimeout
-    duration: TYPE_STRING
+  batteryDimTimeout: TYPE_INT64
+  batteryScreenOffTimeout: TYPE_INT64

 chrome.devices.kiosk.BatteryPowerSettingsV2: Battery Kiosk power settings.
-  batteryIdleTimeout
-    duration: TYPE_INT64
-  batteryWarningTimeout
-    duration: TYPE_INT64
+  batteryIdleTimeout: TYPE_INT64
+  batteryWarningTimeout: TYPE_INT64
  batteryIdleAction: TYPE_ENUM
    IDLE_ACTION_SUSPEND: Sleep.
    IDLE_ACTION_LOGOUT: Logout.
    IDLE_ACTION_SHUTDOWN: Shutdown.
    IDLE_ACTION_DO_NOTHING: Do nothing.
-  batteryDimTimeout
-    duration: TYPE_INT64
-  batteryScreenOffTimeout
-    duration: TYPE_INT64
+  batteryDimTimeout: TYPE_INT64
+  batteryScreenOffTimeout: TYPE_INT64

 chrome.devices.kiosk.CaretHighlightEnabled: Kiosk caret highlight.
  caretHighlightEnabled: TYPE_ENUM
@@ -2481,40 +2463,24 @@ chrome.devices.managedguest.BrowserHistory: Browser history.
    false: Always save browser history.

 chrome.devices.managedguest.BrowsingDataLifetime: Browsing Data Lifetime.
-  browsingHistoryTtl
-    duration: TYPE_STRING
-  downloadHistoryTtl
-    duration: TYPE_STRING
-  cookiesAndOtherSiteDataTtl
-    duration: TYPE_STRING
-  cachedImagesAndFilesTtl
-    duration: TYPE_STRING
-  passwordSigninTtl
-    duration: TYPE_STRING
-  autofillTtl
-    duration: TYPE_STRING
-  siteSettingsTtl
-    duration: TYPE_STRING
-  hostedAppDataTtl
-    duration: TYPE_STRING
+  browsingHistoryTtl: TYPE_INT64
+  downloadHistoryTtl: TYPE_INT64
+  cookiesAndOtherSiteDataTtl: TYPE_INT64
+  cachedImagesAndFilesTtl: TYPE_INT64
+  passwordSigninTtl: TYPE_INT64
+  autofillTtl: TYPE_INT64
+  siteSettingsTtl: TYPE_INT64
+  hostedAppDataTtl: TYPE_INT64

 chrome.devices.managedguest.BrowsingDataLifetimeV2: Browsing Data Lifetime.
-  browsingHistoryTtl
-    duration: TYPE_INT64
-  downloadHistoryTtl
-    duration: TYPE_INT64
-  cookiesAndOtherSiteDataTtl
-    duration: TYPE_INT64
-  cachedImagesAndFilesTtl
-    duration: TYPE_INT64
-  passwordSigninTtl
-    duration: TYPE_INT64
-  autofillTtl
-    duration: TYPE_INT64
-  siteSettingsTtl
-    duration: TYPE_INT64
-  hostedAppDataTtl
-    duration: TYPE_INT64
+  browsingHistoryTtl: TYPE_INT64
+  downloadHistoryTtl: TYPE_INT64
+  cookiesAndOtherSiteDataTtl: TYPE_INT64
+  cachedImagesAndFilesTtl: TYPE_INT64
+  passwordSigninTtl: TYPE_INT64
+  autofillTtl: TYPE_INT64
+  siteSettingsTtl: TYPE_INT64
+  hostedAppDataTtl: TYPE_INT64

 chrome.devices.managedguest.BuiltInDnsClientEnabled: Built-in DNS client.
  builtInDnsClientEnabled: TYPE_ENUM
@@ -3009,36 +2975,26 @@ chrome.devices.managedguest.IdleSettingsExtended: Idle settings.
    LOGOUT: Logout.
    SHUTDOWN: Shutdown.
    DO_NOTHING: Do nothing.
-  idleDelayAc
-    duration: TYPE_INT64
-  idleWarningDelayAc
-    duration: TYPE_INT64
+  idleDelayAc: TYPE_INT64
+  idleWarningDelayAc: TYPE_INT64
  idleActionAc: TYPE_ENUM
    SLEEP: Sleep.
    LOGOUT: Logout.
    SHUTDOWN: Shut down.
    DO_NOTHING: Do nothing.
-  screenDimDelayAc
-    duration: TYPE_INT64
-  screenOffDelayAc
-    duration: TYPE_INT64
-  screenLockDelayAc
-    duration: TYPE_INT64
-  idleDelayBattery
-    duration: TYPE_INT64
-  idleWarningDelayBattery
-    duration: TYPE_INT64
+  screenDimDelayAc: TYPE_INT64
+  screenOffDelayAc: TYPE_INT64
+  screenLockDelayAc: TYPE_INT64
+  idleDelayBattery: TYPE_INT64
+  idleWarningDelayBattery: TYPE_INT64
  idleActionBattery: TYPE_ENUM
    SLEEP: Sleep.
    LOGOUT: Logout.
    SHUTDOWN: Shut down.
    DO_NOTHING: Do nothing.
-  screenDimDelayBattery
-    duration: TYPE_INT64
-  screenOffDelayBattery
-    duration: TYPE_INT64
-  screenLockDelayBattery
-    duration: TYPE_INT64
+  screenDimDelayBattery: TYPE_INT64
+  screenOffDelayBattery: TYPE_INT64
+  screenLockDelayBattery: TYPE_INT64
  lockOnSleepOrLidClose: TYPE_ENUM
    UNSET: Allow user to configure.
    FALSE: Don't lock screen.
@@ -3238,12 +3194,10 @@ chrome.devices.managedguest.ManagedGuestSessionV2: Managed guest session.
    ROTATE_270: 270 degrees.

 chrome.devices.managedguest.MaxInvalidationFetchDelay: Policy fetch delay.
-  maxInvalidationFetchDelay
-    duration: TYPE_STRING
+  maxInvalidationFetchDelay: TYPE_INT64

 chrome.devices.managedguest.MaxInvalidationFetchDelayV2: Policy fetch delay.
-  maxInvalidationFetchDelay
-    duration: TYPE_INT64
+  maxInvalidationFetchDelay: TYPE_INT64

 chrome.devices.managedguest.MemorySaverModeSavings: Memory saver.
  memorySaverModeSavings: TYPE_ENUM
@@ -3451,8 +3405,7 @@ chrome.devices.managedguest.PrintingBackgroundGraphicsDefault: Background graphi
    ENABLED: Enable background graphics printing mode by default.

 chrome.devices.managedguest.PrintingMaxSheetsAllowed: Maximum sheets.
-  printingMaxSheetsAllowedNullable
-    value: TYPE_INT64
+  printingMaxSheetsAllowedNullable: TYPE_INT64

 chrome.devices.managedguest.PrintingPaperSizeDefault: Default printing page size.
  printingPaperSizeEnum: TYPE_ENUM
@@ -3474,19 +3427,16 @@ chrome.devices.managedguest.PrintingPinDefault: Default PIN printing mode.
    DEFAULT_TO_NOT_PIN_PRINTING: Without PIN.

 chrome.devices.managedguest.PrintJobHistoryExpirationPeriodNew: Print job history retention period.
-  printJobHistoryExpirationPeriodDaysNew
-    duration: TYPE_STRING
+  printJobHistoryExpirationPeriodDaysNew: TYPE_INT64

 chrome.devices.managedguest.PrintJobHistoryExpirationPeriodNewV2: Print job history retention period.
-  printJobHistoryExpirationPeriodDaysNew
-    duration: TYPE_INT64
+  printJobHistoryExpirationPeriodDaysNew: TYPE_INT64

 chrome.devices.managedguest.PrintPdfAsImage: Print PDF as image.
  printPdfAsImageAvailability: TYPE_BOOL
    true: Allow users to print PDF documents as images.
    false: Do not allow users to print PDF documents as images.
-  printRasterizePdfDpi
-    value: TYPE_INT64
+  printRasterizePdfDpi: TYPE_INT64
  printPdfAsImageDefault: TYPE_BOOL
    true: Default to printing PDFs as images when available.
    false: Default to printing PDFs without being rasterized.
@@ -3547,8 +3497,7 @@ chrome.devices.managedguest.RemoteAccessHostClientDomainList: Remote access clie
    Remote access client domain. Configure the required domain names for remote access clients.

 chrome.devices.managedguest.RemoteAccessHostClipboardSizeBytes: Clipboard sync max size.
-  remoteAccessHostClipboardSizeBytes
-    value: TYPE_INT64
+  remoteAccessHostClipboardSizeBytes: TYPE_INT64

 chrome.devices.managedguest.RemoteAccessHostDomainList: Remote access hosts.
  remoteAccessHostDomainList: TYPE_LIST
@@ -3658,10 +3607,8 @@ chrome.devices.managedguest.ScreensaverLockScreenEnabled: Screen saver.
  screensaverLockScreenEnabled: TYPE_BOOL
    true: Display screen saver on lock screen when idle.
    false: Don't display screen saver on lock screen when idle.
-  screensaverLockScreenIdleTimeoutSeconds
-    duration: TYPE_INT64
-  screensaverLockScreenImageDisplayIntervalSeconds
-    duration: TYPE_INT64
+  screensaverLockScreenIdleTimeoutSeconds: TYPE_INT64
+  screensaverLockScreenImageDisplayIntervalSeconds: TYPE_INT64
  screensaverLockScreenImages: TYPE_LIST
    Screen saver image URLs. Enter one URL per line. Images must be in JPG format(.jpg or .jpeg files.

@@ -3689,16 +3636,14 @@ chrome.devices.managedguest.SecurityTokenSessionSettings: Security token removal
    IGNORE: Nothing.
    LOGOUT: Log the user out.
    LOCK: Lock the current session.
-  securityTokenSessionNotificationSeconds
-    duration: TYPE_STRING
+  securityTokenSessionNotificationSeconds: TYPE_INT64

 chrome.devices.managedguest.SecurityTokenSessionSettingsV2: Security token removal.
  securityTokenSessionBehavior: TYPE_ENUM
    IGNORE: Nothing.
    LOGOUT: Log the user out.
    LOCK: Lock the current session.
-  securityTokenSessionNotificationSeconds
-    duration: TYPE_INT64
+  securityTokenSessionNotificationSeconds: TYPE_INT64

 chrome.devices.managedguest.SelectToSpeakEnabled: Select to speak.
  selectToSpeakEnabled: TYPE_ENUM
@@ -3723,12 +3668,10 @@ chrome.devices.managedguest.ServiceWorkerToControlSrcdocIframeEnabled: Service w
    false: Block service workers from controlling srcdoc iframes.

 chrome.devices.managedguest.SessionLength: Maximum user session length.
-  sessionDurationLimit
-    duration: TYPE_STRING
+  sessionDurationLimit: TYPE_INT64

 chrome.devices.managedguest.SessionLengthV2: Maximum user session length.
-  sessionDurationLimit
-    duration: TYPE_INT64
+  sessionDurationLimit: TYPE_INT64

 chrome.devices.managedguest.SessionLocale: Session locale.
  sessionLocalesRepeatedString: TYPE_LIST
@@ -4327,6 +4270,13 @@ chrome.devices.MobileDataRoaming: Mobile data roaming.
    true: Allow mobile data roaming.
    false: Do not allow mobile data roaming.

+chrome.devices.PartnerAccess: Allow EMM partners access to device management.
+  chromeDeviceManagementApiEnabled: TYPE_BOOL
+    true: Enable Chrome management - partner access.
+    false: Disable Chrome management - partner access.
+  ackNoticeForChromeDeviceManagementApiEnabledSetToTrue: TYPE_BOOL
+    This field must be set to true to acknowledge the notice message associated with the field 'chrome_device_management_api_enabled' set to value 'true'. Please sse the notices listed with this policy for more information.
+
 chrome.devices.PowerManagement: Power management.
  loginScreenPowerManagement: TYPE_BOOL
    true: Allow device to sleep/shut down when idle on the sign-in screen.
@@ -4361,12 +4311,10 @@ chrome.devices.RestrictedManagedGuestSessionExtensionCleanupExemptList: Shared a
    Extension IDs. Enter a list of extension IDs. Each extension ID must be exactly 32 characters.

 chrome.devices.ScheduledRebootDuration: Reboot after uptime limit.
-  uptimeLimitDuration
-    duration: TYPE_STRING
+  uptimeLimitDuration: TYPE_INT64

 chrome.devices.ScheduledRebootDurationV2: Reboot after uptime limit.
-  uptimeLimitDuration
-    duration: TYPE_INT64
+  uptimeLimitDuration: TYPE_INT64

 chrome.devices.ShowLowDiskSpaceNotification: Low disk space notification.
  showLowDiskSpaceNotification: TYPE_BOOL
@@ -4519,8 +4467,7 @@ chrome.devices.ThrottleDeviceBandwidth: Throttle device bandwidth.
    Upload rate (kbits). Sets the maximum upload rate if network bandwidth throttling is enabled on a ChromeOS device.

 chrome.devices.Timezone: Timezone.
-  systemTimezone
-    value: TYPE_STRING
+  systemTimezone: TYPE_STRING
  timezoneDetectionType: TYPE_ENUM
    USERS_DECIDE: Let users decide.
    DISABLED: Never auto-detect timezone.
@@ -6043,6 +5990,9 @@ chrome.users.appsconfig.AllowedAppTypes: Allowed types of apps and extensions.
    platform_app: Chrome packaged app.

 chrome.users.appsconfig.AllowedInstallSources: Allows setting of the allowed install sources for apps. Note these must be set together.
+  playStoreInstallSources: TYPE_ENUM
+    ALLOW_ALL_APPS: All apps allowed, admin manages blocklist.
+    BLOCK_ALL_APPS: All apps blocked, admin manages allowlist.
  chromeWebStoreInstallSources: TYPE_ENUM
    ALLOW_ALL_APPS: All apps allowed, admin manages blocklist.
    BLOCK_ALL_APPS: All apps blocked, admin manages allowlist.
@@ -6518,12 +6468,10 @@ chrome.users.AutoplayAllowlist: Autoplay video.
    Allowed URLs. URL patterns allowed to autoplay. Prefix domain with [*.] to include all subdomains. Use * to allow all domains.

 chrome.users.AutoUpdateCheckPeriodNew: Auto-update check period.
-  autoUpdateCheckPeriodMinutesNew
-    duration: TYPE_STRING
+  autoUpdateCheckPeriodMinutesNew: TYPE_INT64

 chrome.users.AutoUpdateCheckPeriodNewV2: Auto-update check period.
-  autoUpdateCheckPeriodMinutesNew
-    duration: TYPE_INT64
+  autoUpdateCheckPeriodMinutesNew: TYPE_INT64

 chrome.users.Avatar: Custom avatar.
  userAvatarImage
@@ -6608,8 +6556,7 @@ chrome.users.BrowserHistory: Browser history.
    false: Always save browser history.

 chrome.users.BrowserIdleTimeout: Browser idle timeout.
-  idleTimeout
-    duration: TYPE_INT64
+  idleTimeout: TYPE_INT64
  idleTimeoutActions: TYPE_LIST
    close_browsers: Close Browsers.
    show_profile_picker: Show Profile Picker.
@@ -6658,12 +6605,10 @@ chrome.users.BrowserSwitcherChromePath: Chrome path.
    Path to the Chrome executable. Windows-only. Path to the Chrome executable to launch when switching from the alternative browser to Chrome. If unset, the alternative browser will auto-detect the path to Chrome.

 chrome.users.BrowserSwitcherDelayDuration: Delay before launching alternative browser.
-  browserSwitcherDelayDuration
-    duration: TYPE_STRING
+  browserSwitcherDelayDuration: TYPE_INT64

 chrome.users.BrowserSwitcherDelayDurationV2: Delay before launching alternative browser.
-  browserSwitcherDelayDuration
-    duration: TYPE_INT64
+  browserSwitcherDelayDuration: TYPE_INT64

 chrome.users.BrowserSwitcherExternalGreylistUrl: URL to list of websites to open in either browser.
  browserSwitcherExternalGreylistUrl: TYPE_STRING
@@ -6701,40 +6646,24 @@ chrome.users.BrowserThemeColor: Custom theme color.
    Hex color. Enter a valid hex color, for instance #FFFFFF.

 chrome.users.BrowsingDataLifetime: Browsing Data Lifetime.
-  browsingHistoryTtl
-    duration: TYPE_STRING
-  downloadHistoryTtl
-    duration: TYPE_STRING
-  cookiesAndOtherSiteDataTtl
-    duration: TYPE_STRING
-  cachedImagesAndFilesTtl
-    duration: TYPE_STRING
-  passwordSigninTtl
-    duration: TYPE_STRING
-  autofillTtl
-    duration: TYPE_STRING
-  siteSettingsTtl
-    duration: TYPE_STRING
-  hostedAppDataTtl
-    duration: TYPE_STRING
+  browsingHistoryTtl: TYPE_INT64
+  downloadHistoryTtl: TYPE_INT64
+  cookiesAndOtherSiteDataTtl: TYPE_INT64
+  cachedImagesAndFilesTtl: TYPE_INT64
+  passwordSigninTtl: TYPE_INT64
+  autofillTtl: TYPE_INT64
+  siteSettingsTtl: TYPE_INT64
+  hostedAppDataTtl: TYPE_INT64

 chrome.users.BrowsingDataLifetimeV2: Browsing Data Lifetime.
-  browsingHistoryTtl
-    duration: TYPE_INT64
-  downloadHistoryTtl
-    duration: TYPE_INT64
-  cookiesAndOtherSiteDataTtl
-    duration: TYPE_INT64
-  cachedImagesAndFilesTtl
-    duration: TYPE_INT64
-  passwordSigninTtl
-    duration: TYPE_INT64
-  autofillTtl
-    duration: TYPE_INT64
-  siteSettingsTtl
-    duration: TYPE_INT64
-  hostedAppDataTtl
-    duration: TYPE_INT64
+  browsingHistoryTtl: TYPE_INT64
+  downloadHistoryTtl: TYPE_INT64
+  cookiesAndOtherSiteDataTtl: TYPE_INT64
+  cachedImagesAndFilesTtl: TYPE_INT64
+  passwordSigninTtl: TYPE_INT64
+  autofillTtl: TYPE_INT64
+  siteSettingsTtl: TYPE_INT64
+  hostedAppDataTtl: TYPE_INT64

 chrome.users.BuiltInDnsClientEnabled: Built-in DNS client.
  builtInDnsClientEnabled: TYPE_ENUM
@@ -6890,12 +6819,10 @@ chrome.users.CloudReporting: Managed browser reporting.
    false: Disable managed browser cloud reporting.

 chrome.users.CloudReportingUploadFrequency: Managed browser reporting upload frequency.
-  cloudReportingUploadFrequency
-    duration: TYPE_STRING
+  cloudReportingUploadFrequency: TYPE_INT64

 chrome.users.CloudReportingUploadFrequencyV2: Managed browser reporting upload frequency.
-  cloudReportingUploadFrequency
-    duration: TYPE_INT64
+  cloudReportingUploadFrequency: TYPE_INT64

 chrome.users.CloudUserPolicyMerge: User cloud policy merge.
  cloudUserPolicyMerge: TYPE_BOOL
@@ -7374,12 +7301,10 @@ chrome.users.FElevenKeyModifier: Control the shortcut used to trigger F11.
    RECOMMENDED: Allow users to override.

 chrome.users.FetchKeepaliveDurationSecondsOnShutdown: Keepalive duration.
-  fetchKeepaliveDurationSecondsOnShutdown
-    duration: TYPE_STRING
+  fetchKeepaliveDurationSecondsOnShutdown: TYPE_INT64

 chrome.users.FetchKeepaliveDurationSecondsOnShutdownV2: Keepalive duration.
-  fetchKeepaliveDurationSecondsOnShutdown
-    duration: TYPE_INT64
+  fetchKeepaliveDurationSecondsOnShutdown: TYPE_INT64

 chrome.users.FileOrDirectoryPickerWithoutGestureAllowedForOrigins: File/directory picker without user gesture.
  fileOrDirectoryPickerWithoutGestureAllowedForOrigins: TYPE_LIST
@@ -7639,12 +7564,10 @@ chrome.users.FullscreenAllowed: Fullscreen mode.
    false: Do not allow fullscreen mode.

 chrome.users.GaiaLockScreenOfflineSigninTimeLimitDays: Google online unlock frequency.
-  gaiaLockScreenOfflineSigninTimeLimitDays
-    value: TYPE_INT64
+  gaiaLockScreenOfflineSigninTimeLimitDays: TYPE_INT64

 chrome.users.GaiaOfflineSigninTimeLimitDays: Google online login frequency.
-  gaiaOfflineSigninTimeLimitDays
-    value: TYPE_INT64
+  gaiaOfflineSigninTimeLimitDays: TYPE_INT64

 chrome.users.GeminiSettings: Gemini integration.
  geminiSettings: TYPE_ENUM
@@ -7812,36 +7735,26 @@ chrome.users.IdleSettingsExtended: Idle settings.
    LOGOUT: Logout.
    SHUTDOWN: Shutdown.
    DO_NOTHING: Do nothing.
-  idleDelayAc
-    duration: TYPE_INT64
-  idleWarningDelayAc
-    duration: TYPE_INT64
+  idleDelayAc: TYPE_INT64
+  idleWarningDelayAc: TYPE_INT64
  idleActionAc: TYPE_ENUM
    SLEEP: Sleep.
    LOGOUT: Logout.
    SHUTDOWN: Shut down.
    DO_NOTHING: Do nothing.
-  screenDimDelayAc
-    duration: TYPE_INT64
-  screenOffDelayAc
-    duration: TYPE_INT64
-  screenLockDelayAc
-    duration: TYPE_INT64
-  idleDelayBattery
-    duration: TYPE_INT64
-  idleWarningDelayBattery
-    duration: TYPE_INT64
+  screenDimDelayAc: TYPE_INT64
+  screenOffDelayAc: TYPE_INT64
+  screenLockDelayAc: TYPE_INT64
+  idleDelayBattery: TYPE_INT64
+  idleWarningDelayBattery: TYPE_INT64
  idleActionBattery: TYPE_ENUM
    SLEEP: Sleep.
    LOGOUT: Logout.
    SHUTDOWN: Shut down.
    DO_NOTHING: Do nothing.
-  screenDimDelayBattery
-    duration: TYPE_INT64
-  screenOffDelayBattery
-    duration: TYPE_INT64
-  screenLockDelayBattery
-    duration: TYPE_INT64
+  screenDimDelayBattery: TYPE_INT64
+  screenOffDelayBattery: TYPE_INT64
+  screenLockDelayBattery: TYPE_INT64
  lockOnSleepOrLidClose: TYPE_ENUM
    UNSET: Allow user to configure.
    FALSE: Don't lock screen.
@@ -7956,6 +7869,11 @@ chrome.users.InsertKeyModifier: Control the shortcut used to trigger the Insert
    MANDATORY: Do not allow users to override.
    RECOMMENDED: Allow users to override.

+chrome.users.InstantTetheringAllowed: Instant Tethering.
+  instantTetheringAllowed: TYPE_BOOL
+    true: Allow users to use Instant Tethering.
+    false: Do not allow users to use Instant Tethering.
+
 chrome.users.IntegratedWebAuthenticationAllowed: Login credentials for network authentication.
  integratedWebAuthenticationAllowed: TYPE_BOOL
    true: Use login credentials for network authentication to a managed proxy.
@@ -8199,12 +8117,10 @@ chrome.users.MaxConnectionsPerProxy: Max connections per proxy.
    Maximum number of concurrent connections to the proxy server. Specifies the maximal number of simultaneous connections to the proxy server. The value of this policy should be lower than 100 and higher than 6 and the default value is 32.

 chrome.users.MaxInvalidationFetchDelay: Policy fetch delay.
-  maxInvalidationFetchDelay
-    duration: TYPE_STRING
+  maxInvalidationFetchDelay: TYPE_INT64

 chrome.users.MaxInvalidationFetchDelayV2: Policy fetch delay.
-  maxInvalidationFetchDelay
-    duration: TYPE_INT64
+  maxInvalidationFetchDelay: TYPE_INT64

 chrome.users.MediaRecommendationsEnabled: Media Recommendations.
  mediaRecommendationsEnabled: TYPE_BOOL
@@ -8678,8 +8594,7 @@ chrome.users.PrintingLpacSandboxEnabled: Printing LPAC Sandbox.
    false: Run printing services in a less secure sandbox.

 chrome.users.PrintingMaxSheetsAllowed: Maximum sheets.
-  printingMaxSheetsAllowedNullable
-    value: TYPE_INT64
+  printingMaxSheetsAllowedNullable: TYPE_INT64

 chrome.users.PrintingPaperSizeDefault: Default printing page size.
  printingPaperSizeEnum: TYPE_ENUM
@@ -8706,19 +8621,16 @@ chrome.users.PrintingSendUsernameAndFilenameEnabled: CUPS Print job information.
    false: Do not include user account and filename in print job.

 chrome.users.PrintJobHistoryExpirationPeriodNew: Print job history retention period.
-  printJobHistoryExpirationPeriodDaysNew
-    duration: TYPE_STRING
+  printJobHistoryExpirationPeriodDaysNew: TYPE_INT64

 chrome.users.PrintJobHistoryExpirationPeriodNewV2: Print job history retention period.
-  printJobHistoryExpirationPeriodDaysNew
-    duration: TYPE_INT64
+  printJobHistoryExpirationPeriodDaysNew: TYPE_INT64

 chrome.users.PrintPdfAsImage: Print PDF as image.
  printPdfAsImageAvailability: TYPE_BOOL
    true: Allow users to print PDF documents as images.
    false: Do not allow users to print PDF documents as images.
-  printRasterizePdfDpi
-    value: TYPE_INT64
+  printRasterizePdfDpi: TYPE_INT64
  printPdfAsImageDefault: TYPE_BOOL
    true: Default to printing PDFs as images when available.
    false: Default to printing PDFs without being rasterized.
@@ -8861,36 +8773,30 @@ chrome.users.RelaunchNotificationWithDuration: Relaunch notification.
    NO_NOTIFICATION: No relaunch notification.
    RECOMMENDED: Show notification recommending relaunch.
    REQUIRED: Force relaunch after a period.
-  relaunchNotificationPeriodDuration
-    duration: TYPE_STRING
-  relaunchInitialQuietPeriodDuration
-    duration: TYPE_STRING
+  relaunchNotificationPeriodDuration: TYPE_INT64
+  relaunchInitialQuietPeriodDuration: TYPE_INT64
  relaunchWindowStartTime
    timeOfDay
      hours: TYPE_INT32
      minutes: TYPE_INT32
      seconds: TYPE_INT32
      nanos: TYPE_INT32
-  relaunchWindowDurationMin
-    duration: TYPE_STRING
+  relaunchWindowDurationMin: TYPE_INT64

 chrome.users.RelaunchNotificationWithDurationV2: Relaunch notification.
  relaunchNotificationEnum: TYPE_ENUM
    NO_NOTIFICATION: No relaunch notification.
    RECOMMENDED: Show notification recommending relaunch.
    REQUIRED: Force relaunch after a period.
-  relaunchNotificationPeriodDuration
-    duration: TYPE_INT64
-  relaunchInitialQuietPeriodDuration
-    duration: TYPE_INT64
+  relaunchNotificationPeriodDuration: TYPE_INT64
+  relaunchInitialQuietPeriodDuration: TYPE_INT64
  relaunchWindowStartTime
    timeOfDay
      hours: TYPE_INT32
      minutes: TYPE_INT32
      seconds: TYPE_INT32
      nanos: TYPE_INT32
-  relaunchWindowDurationMin
-    duration: TYPE_INT64
+  relaunchWindowDurationMin: TYPE_INT64

 chrome.users.RemoteAccessHostAllowEnterpriseRemoteSupportConnections: Enterprise remote support connections.
  remoteAccessHostAllowEnterpriseRemoteSupportConnections: TYPE_BOOL
@@ -8907,8 +8813,7 @@ chrome.users.RemoteAccessHostClientDomainList: Remote access clients.
    Remote access client domain. Configure the required domain names for remote access clients.

 chrome.users.RemoteAccessHostClipboardSizeBytes: Clipboard sync max size.
-  remoteAccessHostClipboardSizeBytes
-    value: TYPE_INT64
+  remoteAccessHostClipboardSizeBytes: TYPE_INT64

 chrome.users.RemoteAccessHostDomainList: Remote access hosts.
  remoteAccessHostDomainList: TYPE_LIST
@@ -9033,8 +8938,7 @@ chrome.users.SafeSitesFilterBehavior: SafeSites URL filter.
    SAFE_SITES_FILTER_ENABLED: Filter sites for adult content.

 chrome.users.SamlLockScreenOfflineSigninTimeLimitDays: SAML single sign-on unlock frequency.
-  samlLockScreenOfflineSigninTimeLimitDays
-    value: TYPE_INT64
+  samlLockScreenOfflineSigninTimeLimitDays: TYPE_INT64

 chrome.users.SamlLockScreenReauthenticationEnabled: SAML single sign-on password synchronization flows.
  samlLockScreenReauthenticationEnabled: TYPE_BOOL
@@ -9106,6 +9010,11 @@ chrome.users.SecondaryGoogleAccountSignin: Sign-in to secondary accounts.
  allowedDomainsForApps: TYPE_LIST
    Whether the OS version updates will be set to a version defined in the manifest of a kiosk app.

+chrome.users.SecondaryGoogleAccountUsage: Managed account as secondary account.
+  secondaryGoogleAccountUsage: TYPE_ENUM
+    ALL: All usages of managed accounts are allowed.
+    PRIMARY_ACCOUNT_SIGNIN: Block addition of a managed account as secondary account (in-session).
+
 chrome.users.SecurityKeyAttestation: Security key attestation.
  securityKeyPermitAttestation: TYPE_LIST
    Enter URL or domain. Specifies URLs and domains for which no prompt will be shown when attestation certificates from security keys are requested. Additionally, a signal will be sent to the security key indicating that individual attestation may be used. Without this, users will be prompted in Chrome 65+ when sites request attestation of security keys. URLs (like "https://example.com/some/path") will only match as U2F AppIDs. Domains (like "example.com") only match as WebAuthn RP IDs. Thus, to cover both U2F and WebAuthn APIs for a given site, both the AppID URL and domain would need to be listed.
@@ -9115,16 +9024,14 @@ chrome.users.SecurityTokenSessionSettings: Security token removal.
    IGNORE: Nothing.
    LOGOUT: Log the user out.
    LOCK: Lock the current session.
-  securityTokenSessionNotificationSeconds
-    duration: TYPE_STRING
+  securityTokenSessionNotificationSeconds: TYPE_INT64

 chrome.users.SecurityTokenSessionSettingsV2: Security token removal.
  securityTokenSessionBehavior: TYPE_ENUM
    IGNORE: Nothing.
    LOGOUT: Log the user out.
    LOCK: Lock the current session.
-  securityTokenSessionNotificationSeconds
-    duration: TYPE_INT64
+  securityTokenSessionNotificationSeconds: TYPE_INT64

 chrome.users.SelectToSpeakEnabled: Select to speak.
  selectToSpeakEnabled: TYPE_ENUM
@@ -9149,12 +9056,10 @@ chrome.users.ServiceWorkerToControlSrcdocIframeEnabled: Service worker control o
    false: Block service workers from controlling srcdoc iframes.

 chrome.users.SessionLength: Maximum user session length.
-  sessionDurationLimit
-    duration: TYPE_STRING
+  sessionDurationLimit: TYPE_INT64

 chrome.users.SessionLengthV2: Maximum user session length.
-  sessionDurationLimit
-    duration: TYPE_INT64
+  sessionDurationLimit: TYPE_INT64

 chrome.users.SetTimeoutWithoutOneMsClampEnabled: Javascript setTimeout() minimum.
  setTimeoutWithoutOneMsClampEnabled: TYPE_ENUM
@@ -9330,6 +9235,7 @@ chrome.users.SiteSearchSettings: Site search.
      name: TYPE_STRING
      shortcut: TYPE_STRING
      url: TYPE_STRING
+      allowUserOverride: TYPE_BOOL

 chrome.users.SmartLockAllowed: Smart Lock.
  smartLockAllowed: TYPE_BOOL
@@ -9345,6 +9251,11 @@ chrome.users.SmartScreenDimDelay: Delay screen dim on user activity.
    true: Enable smart dim model.
    false: Disable smart dim model.

+chrome.users.SmsMessagesAllowed: Messages.
+  smsMessagesAllowed: TYPE_BOOL
+    true: Allow users to sync SMS messages between their phone and Chromebook.
+    false: Do not allow users to sync SMS messages between their phone and Chromebook.
+
 chrome.users.SpellcheckEnabled: Spell check.
  spellcheckEnabled: TYPE_ENUM
    UNSET: Allow the user to decide.
@@ -10038,4 +9949,5 @@ chrome.users.ZstdContentEncodingEnabled: Zstd compression.
    true: Allow zstd-compressed web content.
    false: Do not allow zstd-compressed web content.

-```
+
+```
--- a/wiki/Chrome-Profile-Management.md
+++ b/wiki/Chrome-Profile-Management.md
@@ -2,9 +2,12 @@
 - [API documentation](#api-documentation)
 - [Introduction](#introduction)
 - [Definitions](#definitions)
- [Delete Chrome profiles](#delete-chrome-profiles)
- [Display Chrome profiles](#display-chrome-profiles)
+- [Delete Chrome Profiles](#delete-chrome-profiles)
+- [Display Chrome Profiles](#display-chrome-profiles)
 - [Profile Query Searchable Fields](#profile-query-searchable-fields)
+- [Collections of Chrome Profile names for commands](#collections-of-chrome-profile-names-for-commands)
+- [Create a Chrome Profile command](#create-a-chrome-profile-command)
+- [Display Chrome Profile commands](#display-chrome-profile-commands)

 ## Introduction
 These features were added in version 7.01.00.
@@ -21,13 +24,24 @@ Follow instructions at: Turn on managed profile reporting

 ## API documentation
 * [Chrome Management API - Profiles](https://developers.google.com/chrome/management/reference/rest/v1/customers.profiles)
+* [Chrome Management API - Profile Commands](https://developers.google.com/chrome/management/reference/rest/v1/customers.profiles.commands)
 * [Turn on Chrome Browser and Profile Reporting](https://support.google.com/chrome/a/answer/9301421)

 ## Definitions
+* [`<FileSelector> | <CSVFileSelector>`](Collections-of-Items)
+
 ```
 <CustomerID> ::= <String>
 <ChromeProfilePermanentID> ::= <String>
-<ChromeProfileName> ::= customers/<CustomerID>/profiles/<ChromeProfilePermanentID>
+<ChromeProfileName> ::= customers/<CustomerID>/profiles/<ChromeProfilePermanentID> | <ChromeProfilePermanentID>
+<ChromeProfileNameList> ::= "<ChromeProfileName>(,<ChromeProfileName>)*"
+<ChromeProfileCommandName> ::= <ChomeProfileName>/commands/<String>
+<ChromeProfileCommandNameList> ::= "<ChromeProfileCommandName>(,<ChromeProfileCommandName>)*"
+<ChromeProfileNameEntity> ::=
+        <ChromeProfileNameList> |
+        (select <FileSelector>|<CSVFileSelector>) |
+        (filter <String> (filtertime<String> <Time>)* [orderby <ChromeProfileOrderByFieldName> [ascending|descending]]) |
+        (commands <ChromeProfileCommandNameList>|<FileSelector>|<CSVFileSelector>)

 <ChromeProfileFieldName> ::=
        affiliationstate|
@@ -89,11 +103,11 @@ Select the fields to be displayed:
 * `<ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]` - Display a selected list of fields

 By default, Gam displays the information as an indented list of keys and values:
- `formatjson` - Display the fields in JSON format.
+* `formatjson` - Display the fields in JSON format.

 ```
 gam show chromeprofiles
-        [filtertime.* <Time>] [filter <String>]
+        [filter <String> (filtertime<String> <Time>)*]
        [orderby <ChromeProfileOrderByFieldName> [ascending|descending]]
        <ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]
        [formatjson]
@@ -106,18 +120,18 @@ Select the fields to be displayed:
 * `<ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]` - Display a selected list of fields

 Use the `filtertime<String> <Time>` option to allow times, usually relative, to be substituted into the `filter <String>` option.
-The `filtertime<String> <Time>` value replaces the string `#fiktertime<String>#` in the `filter <String>`.
+The `filtertime<String> <Time>` value replaces the string `#filtertime<String>#` in the `filter <String>`.
 The characters following `filtertime` can be any combination of lowercase letters and numbers.

 By default, Gam displays the information as an indented list of keys and values:
- `formatjson` - Display the fields in JSON format.
+* `formatjson` - Display the fields in JSON format.

 ```
 gam print chromeprofiles [todrive <ToDriveAttribute>*]
-        [filtertime.* <Time>] [filter <String>]
+        [filter <String> (filtertime<String> <Time>)*]
        [orderby <ChromeProfileOrderByFieldName> [ascending|descending]]
        <ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]
-        [[formatjson [quotechar <Character>]]
+        [formatjson [quotechar <Character>]]
 ```

 Use these options to select Chrome profiles; if none are chosen, all Chrome profiles in the account are selected:
@@ -192,4 +206,111 @@ gam print chromeprofiles filter "lastPolicySyncTime >= \"#filtertime1#\" lastPol
 Print information about Chrome profiles on Windows.
 ```
 gam print chromeprofiles filter "osPlatformType=WINDOWS"
-```
+```
+## Collections of Chrome Profile names for commands
+```
+<ChromeProfileNameEntity> ::=
+        <ChromeProfileNameList> |
+        (select <ChromeProfileNameList>|<FileSelector>|<CSVFileSelector>) |
+        (filter <String> (filtertime<String> <Time>)* [orderby <ChromeProfileOrderByFieldName> [ascending|descending]]) |
+        (commands <ChromeProfileCommandNameList>|<FileSelector>|<CSVFileSelector>)
+```
+* `<ChromeProfileNameList>` - A list of Chrome profile names
+* `select <ChromeProfileNameList>` - A list of Chrome profile names
+* `select <FileSelector>|<CSVFileSelector>` - A flat or CSV file containing Chrome profile names
+* `filter <String> (filtertime<String> <Time>)*` - A filter to select Chrome profiles
+* `commands  <ChromeProfileCommandNameList>` - A list of  Chrome profile command names
+* `commands  <FileSelector>|<CSVFileSelector>` - A flat or CSV file containing Chrome profile command names
+
+Use the `filtertime<String> <Time>` option to allow times, usually relative, to be substituted into the `filter <String>` option.
+The `filtertime<String> <Time>` value replaces the string `#filtertime<String>#` in the `filter <String>`.
+The characters following `filtertime` can be any combination of lowercase letters and numbers.
+
+## Create a Chrome Profile command
+Clear a Chrome Browser profile cache and/or cookies.
+```
+gam create chromeprofilecommand <ChromeProfileNameEntity>
+        [clearcache [<Boolean>]] [clearcookies [<Boolean>]]
+        [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]]
+```
+By default, when a Chrome profile command is created, GAM outputs details of the command as indented keywords and values.
+* `formatjson` - Display the details in JSON format.
+* `csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]` - Output the details in CSV format.
+
+## Display Chrome Profile commands
+Display the status of a specific Chrome Browser profile command.
+```
+gam info chromeprofilecommand <ChromeProfileCommandName>
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values:
+* `formatjson` - Display the fields in JSON format.
+
+Display the status of selected Chrome Browser profile commands.
+```
+gam show chromeprofilecommands <ChromeProfileNameEntity>
+        [formatjson]
+```
+
+By default, Gam displays the information as an indented list of keys and values:
+* `formatjson` - Display the fields in JSON format.
+```
+gam print chromeprofilecommands <ChromeProfileNameEntity> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+### Examples
+
+For Windows PowerShell, replace `\"` with ``` `" ```.
+
+Clear cache and cookies for two specific Chrome profiles:
+```
+gam create chromeprofilecommand 4c6c0a9f-de78-4285-be86-713fca8cffff,aa03151c-7c1d-41fe-b793-5753e167ffff clearcache clearcookies
+```
+
+Display the command status for those Chrome profiles:
+```
+gam show chromeprofilecommand 4c6c0a9f-de78-4285-be86-713fca8cffff,aa03151c-7c1d-41fe-b793-5753e167ffff
+gam print chromeprofilecommand 4c6c0a9f-de78-4285-be86-713fca8cffff,aa03151c-7c1d-41fe-b793-5753e167ffff
+```
+
+Clear cache and cookies for Chrome profiles in a CSV file named `ChromeProfiles.csv` with a column `name`:
+```
+gam create chromeprofilecommand select csvfile ChromeProfiles.csv:name clearcache clearcookies
+```
+
+Display the command status for those Chrome profiles:
+```
+gam show chromeprofilecommand select csvfile ChromeProfiles.csv:name
+gam print chromeprofilecommand select csvfile ChromeProfiles.csv:name
+```
+
+Clear cache and cookies for Chrome profiles with last activity more that 60 days ago:
+```
+gam create chromeprofilecommand filter "lastActivityTime < \"#filtertime1#\"" filtertime1 -60d clearcache clearcookies
+```
+
+Display the command status for those Chrome profiles:
+```
+gam show chromeprofilecommand filter "lastActivityTime < \"#filtertime1#\"" filtertime1 -60d
+gam print chromeprofilecommand filter "lastActivityTime < \"#filtertime1#\"" filtertime1 -60d
+```
+
+Clear cache and cookies for Chrome profiles with last activity more that 60 days ago:
+```
+gam redirect csv ./ChromeProfileCmds.csv create chromeprofilecommand filter "lastActivityTime < \"#filtertime1#\"" filtertime1 -60d clearcache clearcookies csv
+```
+
+Display the command status for those Chrome profile commands
+```
+gam show chromeprofilecommand commands ChromeProfileCmds.csv:name
+gam print chromeprofilecommand commands ChromeProfileCmds.csv:name
+```
--- a/wiki/ChromeOS-Devices.md
+++ b/wiki/ChromeOS-Devices.md
@@ -62,15 +62,6 @@ To use the `crostelemetry` commands you must authorize an additional scope:
 gam oauth create
 ```

-Many commands come in two forms:
-```
-gam <CrOSTypeEntity> <Command> ...
-gam <Command> cros <CrOSEntity> ...
-```
-The first form allows more powerful selection of devices with `<CrOSTypeEntity>`.
-
-The second form is backwards compatible with Legacy GAM and selection with `<CrOSEntity>` is limited.
-
 ## Definitions
 * [`<CrOSTypeEntity>`](Collections-of-ChromeOS-Devices)
 
@@ -332,7 +323,6 @@ gam select default config update_cros_ou_with_id true save

 ```
 gam <CrOSTypeEntity> update <CrOSAttribute>+ [quickcrosmove [<Boolean>]] [nobatchupdate]
-gam update cros <CrOSEntity> <CrOSAttribute>+ [quickcrosmove [<Boolean>]] [nobatchupdate]
 ```

 Google has introduced a new, faster method for moving CrOS devices to a new OU. The `quickcrosmove` option controls which method Gam uses.
@@ -419,8 +409,6 @@ gam update ou csvkmd cros.csv keyfield OU datafield deviceId add croscsvdata dev

 gam <CrOSTypeEntity> update action <CrOSAction> [acknowledge_device_touch_requirement]
        [actionbatchsize <Integer>]
-gam update cros <CrOSEntity> action <CrOSAction> [acknowledge_device_touch_requirement]
-        [actionbatchsize <Integer>]
 ```
 As of GAM version `6.67.00`, the new API function `batchChangeStatus` replaces the old API function `action`; ChromeOS devices are now processed in batches.
 The batch size defaults to 10, the `actionbatchsize <Integer>` option can be used to set a batch size between 10 and 250.
@@ -457,21 +445,18 @@ is configurable from 0 to some large number. If the status reaches `EXPIRED`, `C
        wipe_users|
        take_a_screenshot

-gam cros <CrOSTypeEntity> issuecommand command <CrOSCommand> [times_to_check_status <Integer>] [doit]
-gam issuecommand cros <CrOSEntity> command <CrOSCommand> [times_to_check_status <Integer>] [doit]
+gam <CrOSTypeEntity> issuecommand command <CrOSCommand> [times_to_check_status <Integer>] [doit]
 ```
 If the final status is not reached before GAM exits, you can issue the following commands to continue checking the status.
 ```
-gam cros <CrOSTypeEntity> getcommand commandid <CommandID> [times_to_check_status <Integer>]
-gam getcommand cros <CrOSEntity> commandid <CommandID> [times_to_check_status <Integer>]
+gam <CrOSTypeEntity> getcommand commandid <CommandID> [times_to_check_status <Integer>]
 ```

 ### Action Examples
 Remove user profile data from the device; the device will remain enrolled and connected.
 User data not synced to the Cloud including Downloads, Android app data and Crostini Linux VMs will be permanently lost.
-Commands with issuecommand directly after gam will work with Legacy GAM & GAM7, whereas commands where the issuecommand is after the cros <CrOSTypeEntity> will work only with GAM7. 
 ```
-gam issuecommand cros dd1d659a-0ea4-4e94-905e-4726c7a5f1e9 command wipe_users doit
+gam cros dd1d659a-0ea4-4e94-905e-4726c7a5f1e9 issuecommand command wipe_users doit
 ```
 Remove profiles using the annotatedAssetID, which is a user editable field, in this example the device has an asset ID of CB1234.
 ```
@@ -483,14 +468,12 @@ gam cros_queries "asset_id:CB1234,asset_id:CB5678" issuecommand command wipe_use
 ```
 Powerwash the device with serial number 143040348.
 ```
-gam issuecommand cros query:id:143040348 command remote_powerwash times_to_check_status 10 doit
 gam cros_sn 143040348 issuecommand command remote_powerwash times_to_check_status 10 doit
 ```

 Powerwash all devices in the /StudentCarts OrgUnit. Devices will need to be manually reconnected to WiFi which may mean entering a PSK.
 Use `wipe_users` if that's going to create too much work for you.
 ```
-gam issuecommand cros "query:orgunitpath:/StudentCarts" command remote_powerwash times_to_check_status 0 doit
 gam cros_ou /StudentCarts issuecommand command remote_powerwash times_to_check_status 0 doit
 ```
 ## ChromeOS device lists
@@ -829,7 +812,6 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara

 ```
 gam <CrOSTypeEntity> info downloadfile latest|<Time> [targetfolder <FilePath>]
-gam info cros <CrOSEntity> downloadfile latest|<Time> [targetfolder <FilePath>]
 ```

 Select the device file to download by its timestamp.
--- a/wiki/Classroom-Courses.md
+++ b/wiki/Classroom-Courses.md
@@ -8,6 +8,7 @@
 - [Create and update courses](#create-and-update-courses)
 - [Delete courses](#delete-courses)
 - [Manage course aliases](#manage-course-aliases)
+- [Manage course announcements](#manage-course-announcements)
 - [Manage course topics](#manage-course-topics)
 - [Display courses](#display-courses)
 - [Display course counts](#display-course-counts)
@@ -55,6 +56,11 @@ gam user user@domain.com check|update serviceaccount
 <CourseAliasEntity> ::=
        <CourseAliasList>|<FileSelector>|<CSVFileSelector>|<CSVkmdSelector>|<CSVDataSelector>
        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
+<CourseAnnouncementContent> ::=
+        ((text <String>)|
+         (textfile <FileName> [charset <Charset>])|
+         (gdoc <UserGoogleDoc>)|
+         (gcsdoc <StorageBucketObjectName>))
 <CourseAnnouncementID> ::= <Number>
 <CourseAnnouncementIDList> ::= "<CourseAnnouncementID>(,<CourseAnnouncementID>)*"
 <CourseAnnouncementIDEntity> ::=
@@ -389,17 +395,40 @@ These commands can process multiple courses.
 gam courses <CourseEntity> add alias <CourseAliasEntity>
 gam courses <CourseEntity> delete alias <CourseAliasEntity>
 ```
+
+## Manage course announcements
+These commands can process a single course.
+```
+gam course <CourseID> add announcement
+        <CourseAnnouncementContent> [scheduledtime <Time>] [state draft|published]
+gam course <CourseID> delete announcement <CourseAnnouncementID>
+gam course <CourseID> update announcement <CourseAnnouncementID>
+        [<CourseAnnouncementContent>] [scheduledtime <Time>] [state published]
+```
+These commands can process multiple courses.
+```
+gam courses <CourseEntity> add announcement
+        <CourseAnnouncementContent> [scheduledtime <Time>] [state draft|published]
+gam courses <CourseEntity> delete announcement <CourseAnnouncementIDEntity>
+gam courses <CourseEntity> update announcement <CourseAnnouncementIDEntity>
+        [<CourseAnnouncementContent>] [scheduledtime <Time>] [state published]
+```
+
 ## Manage course topics
 These commands can process a single course.
 ```
 gam course <CourseID> add topic <CourseTopic>
 gam course <CourseID> delete topic <CourseTopicID>
+gam course <CourseID> update topic <CourseTopicID> <CourseTopic>
+
 ```
 These commands can process multiple courses.
 ```
 gam courses <CourseEntity> add topic <CourseTopicEntity>
 gam courses <CourseEntity> delete topic <CourseTopicIDEntity>
+gam courses <CourseEntity> update topic <CourseTopicIDEntity> <CourseTopic>
 ```
+
 ## Display courses
 ```
 gam info course <CourseID> [owneremail] [alias|aliases] [show all|students|teachers] [countsonly]
--- a/wiki/Classroom-Membership.md
+++ b/wiki/Classroom-Membership.md
@@ -12,6 +12,7 @@
 * [Google Classroom API](https://developers.google.com/classroom/reference/rest)
 * [Google Classroom API - Courses Students](https://developers.google.com/classroom/reference/rest/v1/courses.students)
 * [Google Classroom API - Courses Teachers](https://developers.google.com/classroom/reference/rest/v1/courses.teachers)
+* [Classroom Membership Limits](https://support.google.com/edu/classroom/answer/7300976)

 ## Definitions
 ```
--- a/wiki/Cloud-Identity-Devices.md
+++ b/wiki/Cloud-Identity-Devices.md
@@ -211,6 +211,7 @@ gam print devices [todrive <ToDriveAttribute>*]
        [orderby <DeviceOrderByFieldName> [ascending|descending]]
        [all|company|personal|nocompanydevices|nopersonaldevices]
        [nodeviceusers|oneuserperrow]
+        [clientstates]
        [formatjson [quotechar <Character>]]
 ```
 By default, all devices are displayed; use the query options to limit the display.
--- a/wiki/Cloud-Identity-Groups-Membership.md
+++ b/wiki/Cloud-Identity-Groups-Membership.md
@@ -1,6 +1,5 @@
 # Cloud Identity Groups - Membership
 - [API documentation](#api-documentation)
- [Query documentation](#query-documentation)
 - [Python Regular Expressions](Python-Regular-Expressions) Match function
 - [Definitions](#definitions)
 - [Notes](#Notes)
@@ -22,10 +21,6 @@
 * [Cloud Identity Groups](https://gsuiteupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html)
 * [Security Groups](https://gsuiteupdates.googleblog.com/2020/09/security-groups-beta.html)

-## Query documentation
-* [Cloud Identity Groups API - Search Dynamic Groups](https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery)
-* [Member Restrictions](https://cloud.google.com/identity/docs/reference/rest/v1/SecuritySettings#MemberRestriction)
-
 ## Notes

 In the Admin Directory API a group has the following characteristics:
@@ -45,7 +40,7 @@ Dynamic Groups require Cloud Identity Premium accounts.
 * https://cloud.google.com/identity/docs/how-to/create-dynamic-groups

 The `cimember <UserItem>` option of `gam print|show cigroup-members` requires a Google Workspace Enterprise Standard, Enterprise Plus, and Enterprise for Education;
-and Cloud Identity Premium accounts. Unfortunately, even if you have the required account, the API call that supports the query doesn't work.
+and Cloud Identity Premium accounts.

 * https://cloud.google.com/identity/docs/reference/rest/v1/groups.memberships/searchTransitiveGroups

--- a/wiki/Cloud-Identity-Groups.md
+++ b/wiki/Cloud-Identity-Groups.md
@@ -19,8 +19,10 @@
 * [Security Groups](https://gsuiteupdates.googleblog.com/2020/09/security-groups-beta.html)

 ## Query documentation
-* [Cloud Identity Groups API - Search Dynamic Groups](https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery)
-* [Member REstrictions](https://cloud.google.com/identity/docs/reference/rest/v1/SecuritySettings#MemberRestriction)
+* [Cloud Identity Groups API - Search](https://cloud.google.com/identity/docs/reference/rest/v1/groups/search)
+* [Cloud Identity Groups API - Dynamic Group Query](https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery)
+* [Dynamic Groups Member Attributes](https://cloud.google.com/identity/docs/how-to/dynamic-groups-attributes)
+* [Member Restrictions](https://cloud.google.com/identity/docs/reference/rest/v1/SecuritySettings#MemberRestriction)

 ## Notes

@@ -50,7 +52,7 @@ Dynamic Groups require Cloud Identity Premium accounts.
 * https://cloud.google.com/identity/docs/how-to/create-dynamic-groups

 The `cimember <UserItem>` option of `gam print cigroups` requires a Google Workspace Enterprise Standard, Enterprise Plus, and Enterprise for Education;
-and Cloud Identity Premium accounts. Unfortunately, even if you have the required account, the API call that supports the query doesn't work.
+and Cloud Identity Premium accounts.

 * https://cloud.google.com/identity/docs/reference/rest/v1/groups.memberships/searchTransitiveGroups

--- a/wiki/Cloud-Identity-Policies.md
+++ b/wiki/Cloud-Identity-Policies.md
@@ -12,14 +12,28 @@

 ## Notes
 To use these commands you must update your client access authentication.
-You'll enter 19R to turn on the Cloud Identity Policy scope; then continue
+You'll enter 20r to turn on the Cloud Identity Policy scope; then continue
 with authentication.
 ```
 gam oauth delete
 gam oauth create
 ...
-[R] 19)  Cloud Identity - Policy
+[R] 20)  Cloud Identity - Policy (supports readonly)
 ```
+You must enable access to policies in the GCP cloud console.
+
+* Login at console.cloud.google.com
+* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
+* Under IAM & Admin select IAM
+* Click in the box to the right of Google Cloud
+* Click the three dots at the right and select IAM/Permissions
+* Now you should be at "Permissions for organization ..."
+* Click on Grant Access
+* Enter the GAM project creator address in Principals
+* Click in the Select a role box
+* Type orgpolicy.policyAdmin in the Filter box
+* Click Organization Policy Administrator
+* Click Save

 ## Definitions
 ```
--- a/wiki/Collections-of-Items.md
+++ b/wiki/Collections-of-Items.md
@@ -144,6 +144,11 @@ Data fields identified in a `csvkmd` argument.
        <CalendarACLScopeList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <CalendarEntity> ::=
        <CalendarList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+<ChromeProfileNameEntity> ::=
+        <ChromeProfileNameList> |
+        (select <FileSelector>|<CSVFileSelector>) |
+        (filter <String> (filtertime<String> <Time>)* [orderby <ChromeProfileOrderByFieldName> [ascending|descending]]) |
+        (commands <ChromeProfileCommandNameList>|<FileSelector>|<CSVFileSelector>)
 <CIPolicyNameEntity> ::=
        <CIPolicyNameList> | <FileSelector> | <CSVFileSelector>
 <ClassificationLabelNameEntity> ::=
@@ -206,6 +211,7 @@ Data fields identified in a `csvkmd` argument.
        all_shortcuts |
        all_3p_shortcuts |
        all_items |
+        my_commentable_items |
        my_docs |
        my_files |
        my_folders |
@@ -231,6 +237,7 @@ Data fields identified in a `csvkmd` argument.
        others_3p_shortcuts |
        others_items |
        writable_files
+
 <DriveFileEntityShortcut> ::=
        alldrives |
        mydrive_any |
@@ -246,6 +253,7 @@ Data fields identified in a `csvkmd` argument.
        sharedwithme_all |
        sharedwithme_mydrive |
        sharedwithme_notmydrive
+
 <DriveFileEntity> ::=
        <DriveFileIDEntity> |
        <DriveFileNameEntity> |
@@ -343,6 +351,15 @@ Data fields identified in a `csvkmd` argument.
        <SiteACLScopeList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <SiteEntity> ::=
        <SiteList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+<TagManagerAccountPathEntity> ::=
+        <TagManagerAccountPathList> |
+        (select <FileSelector>|<CSVFileSelector>) |
+<TagManagerContainerPathEntity> ::=
+        <TagManagerContainerPathList> |
+        (select <FileSelector>|<CSVFileSelector>) |
+<TagManagerWorkspacePathEntity> ::=
+        <TagManagerWorkspacePathList> |
+        (select <FileSelector>|<CSVFileSelector>) |
 <TasklistEntity> ::=
        <TasklistIDList> | <TaskListTitleList> | <FileSelector> | <CSVFileSelector>
 <TasklistIDTaskIDEntity> ::=
--- a/wiki/Domain-SharedContacts.md
+++ b/wiki/Domain-SharedContacts.md
@@ -308,12 +308,3 @@ the quote character itself, the column delimiter (comma by default) and new-line
 When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
-
-## Display global address list
-As of mid-October 2024, Google deprecated the API that retrieved the Global Address List.
-
-These commands are a work-around.
-```
-gam config csv_output_row_filter "includeInGlobalAddressList:boolean:true" redirect csv ./UserGAL.csv print users fields name,gal
-gam config csv_output_row_filter "includeInGlobalAddressList:boolean:true" batch_size 25 redirect csv ./GroupGAL.csv print groups fields name,gal
-```
--- a/wiki/Drive-REST-API-v3.md
+++ b/wiki/Drive-REST-API-v3.md
@@ -1,15 +1,13 @@
-!All Google Drive API calls have been converted from v2 to v3, see: https://developers.google.com/drive/v3/web/migration
-Many of the changes are internal to Gam and have no visible effect. Google has modified/renamed many field names and these will affect scripts that parse the output from `gam print/show drivesettings/drivefileacls/fileinfo/filelist/filerevisions`. Additionally, Google has dropped some fields and their values are no longer available. On input, Gam accepts both the old and new field names.
+Legacy GAM used Drive API v2, GAM7 uses  Drive API v3. See: https://developers.google.com/drive/v3/web/migration
+Many of the changes are internal to GAM7 and have no visible effect.
+Google has modified/renamed many field names and these will affect scripts that parse the output from `gam print/show drivesettings/drivefileacls/fileinfo/filelist/filerevisions`.
+Additionally, Google has dropped some fields and their values are no longer available. On input, GAM7 accepts both the old and new field names where applicable.

-A variable, `drive_v3_native_names` (default value is True), has been added to `gam.cfg` to control the field names on output: when True, the v3 native field names are used; when False, the v3 native field names are mapped to the v2 field names.
-
-If you have scripts that process the output from these print commands, you may have to make modifications to your scripts.
-Run your print/show commands with a version of Legacy Gam and save the output.
-With drive_v3_native_names = False, run your print/show commands with this version of Gam and compare the output to that saved in the previous run;
+If you use Legacy GAM and have scripts that process the output from these print commands, you may have to make modifications to your scripts when you upgrade to GAM7.
+Run your print/show commands with a version of Legacy GAM and save the output.
+Run your print/show commands with GAM7 and compare the output to that saved in the previous run;
 modify your scripts that process the output as appropriate.

-There is a cost to mapping the v3 field names back to the v2 field names; you can avoid this cost by setting drive_v3_native_names = True,
-running your print/show commands, comparing the output and making the appropriate script modifications.
 ```
 print/show drivesettings
 Dropped fields:
@@ -30,7 +28,7 @@ Dropped fields:
        authKey
 Renamed fields (Old->New):
        name->displayName
-        withLink->allowFileDiscovery
+        withLink->allowFileDiscovery - value is complemented

 print/show fileinfo/filelist
 Dropped fields:
@@ -40,19 +38,20 @@ Dropped fields:
        labels(hidden)
        markedViewedByMeDate
        openWithLinks
-        selfLink
+        ownerNames
        parents(isRoot)
        parents(parentLink)
        parents(selfLink)
        permissions(selfLink)
        selfLink
-        userPermission(selfLink)
+        userPermission
 Renamed fields (Old->New):
        alternateLink->webViewLink
        capabilities(canChangeRestrictedDownload)->capabilities(canChangeViewersCanCopyContent)
        createdDate->createdTime
        expirationDate->expirationTime
        fileSize->size
+        lastModifyingUserName->lastModifyingUser(displayName)
        lastViewedByMeDate->viewedByMeTime
        modified->modifiedByMe
        modifiedByMeDate->modifiedByMeTime
@@ -76,18 +75,3 @@ Renamed fields (Old->New):
        picture.url->photoLink
        pinned->keepForever
 ```
-The parents field of a file has undergone the most change. In Drive v2 it was a list of compound items with three sub-fields per item: id, isRoot, parentLink.
-In Drive v3 the parents field is a list of simple items, the parent ids. The following examples show how the parents field is output in a CSV file for a file with two parents.
-```
-Previous versions of Gam:
-Owner,title,parents,parents.0.isRoot,parents.0.id,parents.0.parentLink,parents.1.isRoot,parents.1.id,parents.1.parentLink
-testuser@domain.com,TestFile,2,True,PPPP1111,https://www.googleapis.com/drive/v2/files/PPPP1111,False,PPPP2222,https://www.googleapis.com/drive/v2/files/PPPP2222
-
-Current version of Gam with drive_v3_name_names = false
-Owner,title,parents,parents.0.id,parents.1.id
-testuser@domain.com,TestFile,2,PPPP1111,PPPP2222
-
-Current version of Gam with drive_v3_name_names = true
-Owner,name,parents
-testuser@domain.com,TestFile,PPPP1111 PPPP2222
-```
--- a/wiki/GAM-Return-Codes.md
+++ b/wiki/GAM-Return-Codes.md
@@ -33,6 +33,7 @@ ENTITY_IS_A_GROUP_RC = 22
 ENTITY_IS_A_GROUP_ALIAS_RC = 23
 ENTITY_IS_AN_UNMANAGED_ACCOUNT_RC = 24
 ORGUNIT_NOT_EMPTY_RC = 25
+USER_SUSPENDED_RC = 26
 CHECK_USER_GROUPS_ERROR_RC = 29
 ORPHANS_COLLECTED_RC = 30
 # Warnings/Errors
--- a/wiki/GamUpdates.md
+++ b/wiki/GamUpdates.md
@@ -10,6 +10,398 @@ Add the `-s` option to the end of the above commands to suppress creating the `g

 See [Downloads-Installs-GAM7](https://github.com/GAM-team/GAM/wiki/Downloads-Installs) for Windows or other options, including manual installation

+### 7.19.02
+
+Update `gam info user <UserItem>` to eliminate 5 second delay when getting license info.
+
+Additional information:
+* See: https://github.com/GAM-team/GAM/wiki/Licenses#info-user-performance
+
+### 7.19.01
+
+Updated `gam <UserTypeEntity> print|show signature` to handle the following error
+that occurs when an alias is specified.
+```
+ERROR: 404: notFound - Requested entity was not found.
+```
+
+### 7.19.00
+
+Eliminated `drive_v3_beta` and `meet_v2_beta` from `gam.cfg` as the API betas are no longer used.
+
+Updated `Meet API` scopes so that GAM can read metadata about additional Meet spaces.
+```
+[*] 34)  Meet API - Manage/Display Meeting Spaces
+[*] 35)  Meet API - Read Meeting Spaces metadata
+```
+
+### 7.18.07
+
+Updated `gam <UserTypeEntity> print drivelastmodification` to put `addcsvdata` columns
+after `User,id,name` rather than after the last column.
+
+### 7.18.06
+
+Updated `gam <UserTypeEntity> delete|modify messages` to improve the handling
+of the following error.
+```
+quotaExceeded - User-rate limit exceeded
+```
+
+### 7.18.05
+
+Added support for Inbound SSO OIDC profiles.
+
+Currently, if you enter `gam select <SectionName>` and nothing else on the command line,
+GAM performs no action. Now, it will be treated as if you entered:
+`gam select <SectionName> save`
+
+Updated to Python 3.13.7.
+
+### 7.18.04
+
+Added commands to display/manage Alert Center Pub/Sub notifications.
+* See: https://github.com/GAM-team/GAM/wiki/Alert-Center#configuring-settings
+
+### 7.18.03
+
+Updated `gam oauth create` to give a warning if the number of selected scopes will
+probably cause Google to generate a "Something went wrong" error.
+
+### 7.18.02
+
+Upgraded to OpenSSL 3.5.2.
+
+### 7.18.01
+
+Added option `nosystemroles` to `gam print|show adminroles` that causes GAM
+to only display non-system roles.
+
+Added option `formatjson` to `gam info|print|show adminroles`; this will be most useful
+when the `privileges` option is used.
+
+Updated `gam create|update adminrole` to allow specification of privileges with
+JSON data: `privileges <JSONData>`. These two updates make it easier to copy admin roles.
+
+Updated `gam create|update adminrole` to allow output of the created/updated
+role data in CSV format; by default, GAM displays `<RoleName>(<RoleID>) created|updated`.
+```
+csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*
+```
+
+### 7.18.00
+
+Added commands to display Business Profile Accounts.
+These are special purpose commands and will not generally be used.
+```
+gam show businessprofileaccounts
+gam print businessprofileaccounts [todrive <ToDriveAttribute>*]
+```
+
+### 7.17.03
+
+Fixed bug in `gam <UserItem> print|show chatspaces asadmin fields <ChatSpaceFieldNameList>` that caused a trap
+when `displayname` was not in `<ChatSpaceFieldNameList>`.
+
+### 7.17.02
+
+Updated `gam <UserTypeEntity> print|show webmastersites` to handle the following error
+that occurs if you haven't updated your project to include the Google Search Console API.
+```
+ERROR: 403: permissionDenied - Google Search Console API has not been used in project 111055363999 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/searchconsole.googleapis.com/overview?project=111055363999 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
+```
+
+### 7.17.01
+
+Fixed bug in `gam <UserTypeEntity> show webmastersites` that caused a trap.
+
+### 7.17.00
+
+Added commands to discover Sites and WebResources that managed users (previously unmanaged) may have access to for better governance and visibility.
+These are special purpose commands and will not generally be used.
+```
+gam <UserTypeEntity> show webresources
+gam <UserTypeEntity> print webresources [todrive <ToDriveAttribute>*]
+gam <UserTypeEntity> show webmastersites
+gam <UserTypeEntity> print webmastersites [todrive <ToDriveAttribute>*]
+```
+
+### 7.16.01
+
+The Drive API now supports setting download restrictions on individual files.
+
+Added `downloadrestictions` and `<DriveDownloadRestrictionsSubfieldName>` to `<DriveFieldName>`.
+```
+<DriveDownloadRestrictionsSubfieldName> ::=
+  downloadrestrictions.itemdownloadrestriction|
+  downloadrestrictions.effectivedownloadrestrictionwithcontext
+```
+
+Added `itemdownloadrestriction (restrictedforreaders [<Boolean>]) (restrictedforwriters [<Boolean>])`
+to `<DriveFileAttribute>`.
+
+From the Drive API documentation:
+```
+itemDownloadRestriction - The download restriction of the file applied directly by the owner or organizer. This does not take into account shared drive settings or DLP rules.
+effectiveDownloadRestrictionWithContext - Output only. The effective download restriction applied to this file. This considers all restriction settings and DLP rules.
+restrictedForReaders - Whether download and copy is restricted for readers.
+restrictedForWriters - Whether download and copy is restricted for writers. If true, download is also restricted for readers.
+```
+
+### 7.16.00
+
+Removed `drive_v3_native_names` from `gam.cfg`; GAM now only uses Drive API v3 fields names on output.
+If you had `drive_v3_native_names = False` in `gam.cfg` or are updating from Legacy GAM:
+
+* See: https://github.com/GAM-team/GAM/wiki/Drive-REST-API-v3
+
+### 7.15.01
+
+Added `downloadrestrictions.restrictedforreaders` and `downloadrestrictions.restrictedforwriters`
+to `<SharedDriveRestrictionsSubfieldName>`; previously, only the abbreviations `downloadrestrictedforreaders`
+and `downloadrestrictedforwriters` were supported (they are still supported).
+
+Updated `gam <UserTypeEntity> copy drivefile` to handle unexpected data returned by Google that caused a trap.
+
+### 7.15.00
+
+Updated  `gam print shareddriveorganizers` to make `shownoorganizerdrives` default to `True`
+as documented; it was defaulting to `False`.
+
+Cleaned up code for processing Python dictionary structures; this should have no noticable effect.
+
+### 7.14.04
+
+Fixed bug in `gam print|show cigroups cimember <UserItem>` that generated the following error:
+```
+ERROR: Cloud Identity Group: groups/-, Print Failed: Error(4013): Insufficient permissions to retrieve memberships.
+```
+
+Updated `gam <UserTypeEntity> update user suspended off` and `gam <UserTypeEntity> unsuspend users`
+to handle the following error that occurs when trying to unsuspend a user that has been suspended for abuse.
+```
+ERROR: 412: adminCannotUnsuspend - Cannot restore a user suspended for abuse.
+```
+
+* See: https://support.google.com/a/answer/1110339
+
+### 7.14.03
+
+Fixed bug in `gam print cigroup-members includederivedmembership` that caused a trap.
+
+### 7.14.02
+
+Fixed bug in `gam print|show cigroups|cigroups-members cimember <UserItem>` that generated the following error:
+```
+Cloud Identity Group Print Failed: Request contains an invalid argument.
+```
+
+### 7.14.01
+
+Don't install yubikey library via pip by default. To install with yubikey support use pip install gam7[yubikey]
+
+### 7.14.00
+
+Added commands to display Google Tag Manager accounts, containers, workspaces, tags and user permissions.
+
+* See: https://github.com/GAM-team/GAM/wiki/Users-Tag-Manager
+
+### 7.13.03
+
+Added option `csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]]`
+to `gam create chromeprofilecommand` so that command details are displayed in CSV format.
+
+Added option `commands <ChromeProfileCommandNameList>|<FileSelector>|<CSVFileSelector>` to `<ChromeProfileNameEntity>`
+so that `gam print|show chromeprofilecommands` can directly display the commands generated by
+`gam create chromeprofilecommand` with the `csv` option.
+
+### 7.13.02
+
+Fixed bug in `gam create chromeprofilecommand` where `select|filter` were not recognized.
+
+Updated `gam create datatransfer <OldOwnerID> datastudio <NewOwnerID>` that generated the following
+error due to an unhandled API change.
+```
+ERROR: Invalid choice (google data studio): Expected <calendar|looker studio|drive and docs>
+```
+
+### 7.13.01
+
+Enhanced `gam create|print|show chromeprofilecommand` to allow specification
+of multiple Chrome browser profiles rather than just one.
+```
+<ChromeProfilePermanentID> ::= <String>
+<ChromeProfileName> ::= customers/<CustomerID>/profiles/<ChromeProfilePermanentID> | <ChromeProfilePermanentID>
+<ChromeProfileNameList> ::= "<ChromeProfileName>(,<ChromeProfileName>)*"
+<ChromeProfileNameEntity> ::=
+<ChromeProfileNameEntity> ::=
+        <ChromeProfileNameList> |
+        (select <FileSelector>|<CSVFileSelector>) |
+        (filter <String> (filtertime<String> <Time>)* [orderby <ChromeProfileOrderByFieldName> [ascending|descending]])
+
+gam create|print_show chromeprofilecommand <ChromeProfileNameEntity>
+```
+
+### 7.13.00
+
+Added commands that send remote commands to Chrome browser profiles and display the results;
+at the moment, these commands can clear the browser cache and cookies.
+
+* See: https://github.com/GAM-team/GAM/wiki/Chrome-Profile-Management#create-a-chrome-profile-command
+
+### 7.12.02
+
+Updated `gam print users` to handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable
+```
+
+### 7.12.01
+
+Added support for `plan free` in `gam create resoldsubscription`.
+
+* The free plan is exclusive to the Cloud Identity SKU and does not incur any billing.
+
+### 7.12.00
+
+Started updated handling of missing scopes messages in client access commands;
+this is a work in progress.
+
+Updated `gam info|show shareddrive` to handle changes in the Drive API that caused traps.
+
+Added `downloadrestrictedforreaders` and `downloadrestrictedforwriters` to
+`<SharedDriveRestrictionsSubfieldName>` to support new Shared Drive restrictions.
+
+Updated `gam course <CourseID> create|update announcement` to accept input from
+a literal string, a file or a Google Doc.
+```
+<CourseAnnouncementContent> ::=
+        ((text <String>)|
+         (textfile <FileName> [charset <Charset>])|
+         (gdoc <UserGoogleDoc>)|
+         (gcsdoc <StorageBucketObjectName>))
+```
+
+Added command `gam check suspended <UserItem>` that checks the suspension status of a user
+and sets the return code to 0 if the user is not suspended or 26 if it is.
+```
+$ gam check suspended testok@domain.com
+User: testok@domain.com, Account Suspended: False
+$ echo $?
+0
+
+$ gam check suspended testsusp@domain.com
+User: testsusp@domain.com, Account Suspended: True, Suspension Reason: ADMIN
+$ echo $?
+26
+```
+
+Updated `gam <UserTypeEntity> sendemail` to verify that one of `recipient|to|from`
+immediately follows `sendemail`.
+
+### 7.11.00
+
+Added commands to manage classroom/course announcements.
+
+* See: https://github.com/GAM-team/GAM/wiki/Classroom-Courses#manage-course-announcements
+
+Upgraded to OpenSSL 3.5.1.
+
+### 7.10.10
+
+Added choices `text` and `hyperlink` to option `showwebviewlink` in `gam [<UserTypeEntity>] print|show shareddrives`.
+* `showwebviewlink text` - Displays `https://drive.google.com/drive/folders/<SharedDriveID>`
+* `showwebviewlink hyperlink` - Displays `=HYPERLINK("https://drive.google.com/drive/folders/<SharedDriveID>", "<SharedDriveName>")`
+
+### 7.10.09
+
+Added option `showwebviewlink` to `gam [<UserTypeEntity>] print|show shareddrives` that
+displays the web view link for the Shared Drive: `https://drive.google.com/drive/folders/<SharedDriveID>`.
+
+### 7.10.08
+
+Fixed bug in commands that modify messages where the `labelids <LabelIdList>` option
+could not be used unless one of these options was also specified: `query`, `matchlabel`, `ids`;
+it can be now be used by itself.
+
+### 7.10.07
+
+Updated `gam <UserTypeEntity> copy|move drivefile` to hanndle additional instances of
+the `cannotModifyInheritedPermission` error.
+
+Added license SKU `Google AI Ultra for Business`
+* ProductID - 101047
+* SKUID - 1010470008 | geminiultra
+
+### 7.10.06
+
+Added option `clientstates` to `gam print devices` to include client states in device output.
+
+### 7.10.05
+
+Google renamed an error: `cannotModifyInheritedTeamDrivePermission` became `cannotModifyInheritedPermission`.
+GAM will now handle the new error.
+
+### 7.10.04
+
+Updated `gam report <ActivityApplicationName>` to accept accept application names as defined
+in the Reports API discovery document; this means that GAM does not have to be updated when
+Google defines a new application name.
+
+`gemini_in_workspace_apps` is now available in `gam report`.
+
+### 7.10.03
+
+Fixed bug in commands that modify messages where the `labelids <LabelIdList>` option
+was not being applied.
+
+### 7.10.02
+
+Added option `labelids <LabelIdList>` to all commands that process messages;
+this option causes GAM to only return messages with labels that match all of the specified label IDs.
+
+Updated `gam <UserTypeEntity> print|show forms` to always display `isPublished` and
+`isAcceptingResponses` in `publishSettings/publishState` regardless of their value;
+the API doesn't return these values when they are False.
+
+### 7.10.01
+
+Added options `ispublished [<Boolean>]` and `isacceptingresponses [<Boolean>]` to
+`gam <UserTypeEntity> create|update form`.
+
+### 7.10.00
+
+Added commands to manage/display Chat Custom Emojis.
+
+* See: https://github.com/GAM-team/GAM/wiki/Users-Chat#manage-chat-emojis
+* See: https://github.com/GAM-team/GAM/wiki/Users-Chat#display-chat-emojis
+
+Updated `gam <UserItem> print|show chatspaces|chatmembers asadmin` to display
+the spaces in ascending display name order.
+
+### 7.09.07
+
+Added `webviewlink` to `<FileTreeFieldName>` for use in `gam <UserTypeEntity> print|show filetree`.
+
+### 7.09.06
+
+Upddated `gam print|show shareddrives`, `gam print|show shareddriveacls`, `gam print shareddriveorganizers`
+to display the Shared Drives in ascending name order; the API returns them in an unidentifiable order.
+
+### 7.09.05
+
+Improved output of `gam info|show chromeschemas [std]` to more accurately display the schemas.
+
+Fixed bugs in `gam update chromepolicy` that caused invalid error messaages.
+
+### 7.09.04
+
+Fixed bug in `gam whatis <EmailItem>` where the check for an invitable user always failed.
+
+Fixed bug in `gam print shareddriveorganizers` where no organizers were displayed when `domain` in `gam.cfg` was blank.
+
+Updated to Python 3.13.5
+
 ### 7.09.03

 Updated `gam <UserTypeEntity> create focustime|outofoffice ... timerange <Time> <Time>` to check
--- a/wiki/Global-Address-List.md
+++ b/wiki/Global-Address-List.md
@@ -0,0 +1,17 @@
+# Global Address List
+
+As of mid-October 2024, Google deprecated the API that retrieved the Global Address List.
+
+These commands are a work-around.
+
+Display users/groups in GAL.
+```
+gam config csv_output_row_filter "includeInGlobalAddressList:boolean:true" redirect csv ./UserGAL.csv print users fields name,gal
+gam config csv_output_row_filter "includeInGlobalAddressList:boolean:true" batch_size 25 redirect csv ./GroupGAL.csv print groups fields name,gal
+```
+
+Display users/groups not in GAL.
+```
+gam config csv_output_row_filter "includeInGlobalAddressList:boolean:false" redirect csv ./UserNotGAL.csv print users fields name,gal
+gam config csv_output_row_filter "includeInGlobalAddressList:boolean:false" batch_size 25 redirect csv ./GroupNotGAL.csv print groups fields name,gal
+```
--- a/wiki/Google-Data-Transfers.md
+++ b/wiki/Google-Data-Transfers.md
@@ -13,8 +13,7 @@
 ```
 <DataTransferService> ::=
        calendar|
-        currents|
-        datastudio|lookerstudio|"google data studio"|
+        datastudio|lookerstudio|"looker studio"|
        drive|gdrive|googledrive|"drive and docs"
 <DataTransferServiceList> ::= "<DataTransferService>(,<DataTransferService>)*"

@@ -38,7 +37,7 @@ gam create|add datatransfer|transfer <OldOwnerID> <DataTransferServiceList> <New
        (<ParameterKey> <ParameterValue>)*
        [wait <Integer> <Integer>]
 ```
-For`datastudio` and `drive`, there are options to control the privacy level of the files to be transferred.
+For`lookerstudio` and `drive`, there are options to control the privacy level of the files to be transferred.
 * `private` or `privacy_level private` - Transfer files that are not shared with anyone
 * `shared` or `privacy_level shared` - Transfer files shared with at least one other user; this is the **default**
 * `all` or `privacy_level private,shared` - Transfer all files
--- a/wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md
+++ b/wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md
@@ -2,6 +2,7 @@
 Use these steps if you have used any version of GAM in your domain. They will update your GAM project
 and all necessary authentications.

+- [Drive API v2 to Drive API v3](Drive-REST-v3)
 - [Downloads-Installs](Downloads-Installs)
 - [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
 - [Windows](#windows)
@@ -251,10 +252,10 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin$ gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAM 7.09.03 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.19.02 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.4 64-bit final
-MacOS Sequoia 15.5 x86_64
+Python 3.13.7 64-bit final
+MacOS Sequoia 15.6.1 x86_64
 Path: /Users/admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com

@@ -989,9 +990,9 @@ writes the credentials into the file oauth2.txt.
 C:\>del C:\GAMConfig\oauth2.txt
 C:\>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAM 7.09.03 - https://github.com/GAM-team/GAM - pythonsource
+GAM 7.19.02 - https://github.com/GAM-team/GAM - pythonsource
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.4 64-bit final
+Python 3.13.7 64-bit final
 Windows-10-10.0.17134 AMD64
 Path: C:\GAM7
 Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
--- a/wiki/Inbound-SSO.md
+++ b/wiki/Inbound-SSO.md
@@ -1,7 +1,9 @@
 # Inbound SSO
- [Admin Console](#admin-console)
+- [Setup SSO](https://support.google.com/a/answer/12032922)
+- [Admin Console](https://admin.google.com/ac/security/sso)
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
+- [Setup SSO](#setupsso)
 - [Manage profiles](#manage-profiles)
 - [Display profiles](#display-profiles)
 - [Manage credentials](#manage-credentials)
@@ -9,12 +11,10 @@
 - [Manage assignments](#manage-assignments)
 - [Display assignments](#display-assignments)

-## Admin Console
-* https://admin.google.com/ac/security/sso
-
 ## API documentation
 * [Cloud Identity API - Inbound SAML SSO Profiles](https://cloud.google.com/identity/docs/reference/rest/v1beta1/inboundSamlSsoProfiles)
 * [Cloud Identity API - Inbound SAML SSO Profiles idp Credentials](https://cloud.google.com/identity/docs/reference/rest/v1beta1/inboundSamlSsoProfiles.idpCredentials)
+* [Cloud Identity API - Inbound OIDC SSO Profiles](https://cloud.google.com/identity/docs/reference/rest/v1beta1/inboundOidcSsoProfiles)
 * [Cloud Identity API - Inbound SSO Assignments](https://cloud.google.com/identity/docs/reference/rest/v1beta1/inboundSsoAssignments)

 ## Definitions
@@ -41,46 +41,68 @@
 ```
 ## Manage profiles
 ```
-gam create inboundssoprofile [name <SSOProfileDisplayName>]
+gam create inboundssoprofile [saml|oidc] [name <SSOProfileDisplayName>]
        [entityid <String>] [loginurl <URL>] [logouturl <URL>] [changepasswordurl <URL>]
        [returnnameonly]
-gam update inboundssoprofile <SSOProfileItem>
+gam update inboundssoprofile [saml|oidc] <SSOProfileItem>
        [entityid <String>] [loginurl <URL>] [logouturl <URL>] [changepasswordurl <URL>]
        [returnnameonly]
 ```
+Select type of profile:
+* `saml` - SAML profile; this is the default
+* `oidc` - OIDC profile
+
 By default, all fields of the created|updated profile are displayed;
 use the `returnnameonly` option to have GAM display just the profile name of the created|updated profile.
 This will be useful in scripts that create|update a profile and then want to perform subsequent GAM commands that
 reference the profile.

-If `returnnameonly is specified, `inProgress` is returned if the API does not return a complete result.
+If `returnnameonly` is specified, `inProgress` is returned if the API does not return a complete result.

 ```
-gam delete inboundssoprofile <SSOProfileItem>
+gam delete inboundssoprofile [saml|oidc] <SSOProfileItem>
 ```
+Select type of profile:
+* `saml` - SAML profile; this is the default
+* `oidc` - OIDC profile

 ## Display profiles
 Display a specific profile.
 ```
-gam info inboundssoprofile <SSOProfileItem>
+gam info inboundssoprofile [all|saml|oidc] <SSOProfileItem>
        [formatjson]
 ```
+Select type of profile:
+* `all` - All profiles are displayed; this is the default
+* `saml` - SAML profile
+* `oidc` - OIDC profile
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.

-Display all profiles.
+Display profiles.
 ```
-gam show inboundssoprofiles
+gam show inboundssoprofiles [all|saml|oidc]
        [formatjson]
 ```
+Select profiles to display:
+* `all` - All profiles are displayed; this is the default
+* `saml` - Display SAML profiles
+* `oidc` - Display OIDC profiles
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.

-Display all profiles in a CSV file.
+Display profiles in a CSV file.
 ```
-gam print inboundssoprofiles [todrive <ToDriveAttribute>*]
+gam print inboundssoprofiles [all|saml|oidc] [todrive <ToDriveAttribute>*]
        [[formatjson [quotechar <Character>]]
 ```
+Select profiles to display:
+* `all` - All profiles are displayed; this is the default
+* `saml` - Display SAML profiles
+* `oidc` - Display OIDC profiles
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.

@@ -130,10 +152,14 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara

 ## Manage assignments
 ```
-gam create inboundssoassignment (group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)
-        (mode sso_off)|(mode saml_sso profile <SSOProfileItem>)(mode domain_wide_saml_if_enabled) [neverredirect]
-gam update inboundssoassignment [(group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)]
-        [(mode sso_off)|(mode saml_sso profile <SSOProfileItem>)(mode domain_wide_saml_if_enabled)] [neverredirect]
+gam create inboundssoassignment
+        (group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)
+        (mode sso_off)|(mode saml_sso profile <SSOProfileItem>)(mode domain_wide_saml_if_enabled)
+        [neverredirect]
+gam update inboundssoassignment  <SSOAssignmentName>
+        [(group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)]
+        [(mode sso_off)|(mode saml_sso profile <SSOProfileItem>)(mode domain_wide_saml_if_enabled)]
+        [neverredirect]
 gam delete inboundssoassignment <SSOAssignmentSelector>
 ```

--- a/wiki/Install-GAM-as-Python-Library.md
+++ b/wiki/Install-GAM-as-Python-Library.md
@@ -1,20 +1,14 @@
 # Install GAM as Python Library

-Thanks to Jay Lee for showing me how to do this.
-
-On Windows, you need to install Git to use the pip command.
-* See: https://pythoninoffice.com/python-pip-install-from-github/
-
-Scroll down to Install Git

 You can install GAM as a Python library with pip.
 ```
-pip install git+https://github.com/GAM-team/GAM.git#subdirectory=src
+pip install gam7
 ```

 Or as a PEP 508 Requirement Specifier, e.g. in requirements.txt file:
 ```
-advanced-gam-for-google-workspace @ git+https://github.com/GAM-team/GAM.git#subdirectory=src
+gam7
 ```

 Or a pyproject.toml file:
@@ -23,13 +17,13 @@ Or a pyproject.toml file:
 name = "your-project"
 # ...
 dependencies = [
-    "advanced-gam-for-google-workspace @ git+https://github.com/GAM-team/GAM.git#subdirectory=src"
+    "gam7"
 ]
 ```

-Target a specific revision or tag:
+Target a specific version:
 ```
-advanced-gam-for-google-workspace @ git+https://github.com/GAM-team/GAM.git@v6.76.01#subdirectory=src
+gam7==/7.13.3
 ```

 ## Using the library
--- a/wiki/Licenses.md
+++ b/wiki/Licenses.md
@@ -3,6 +3,7 @@
 - [License Products and SKUs](#license-products-and-skus)
 - [Definitions](#definitions)
 - [Notes](#Notes)
+- [Info User Performance](#info-user-performance)
 - [Display license counts](#display-license-counts)
 - [Display licenses](#display-licenses)
 - [Add licenses](#add-licenses)
@@ -11,7 +12,7 @@
 - [Synchronize licenses](#synchronize-licenses)

 ## API documentation
-* [License Manager API](https://developers.google.com/admin-sdk/licensing/rest/v1/licenseAssignments)
+* [License Manager API](https://developers.google.com/workspace/admin/licensing/reference/rest/v1/licenseAssignments)

 ## License Products and SKUs
 * [Product and SKU IDs](https://developers.google.com/admin-sdk/licensing/v1/how-tos/products)
@@ -62,6 +63,7 @@
 | Gemini Education | 1010470004 | geminiedu |
 | Gemini Education Premium | 1010470005 | geminiedupremium |
 | Gemini Enterprise | 1010470001 | geminient | duetai |
+| Google AI Ultra for Business | 1010470008 | geminiultra |
 | Google Apps Message Security | Google-Apps-For-Postini | postini |
 | Google Chrome Device Management | Google-Chrome-Device-Management | cdm |
 | Google Drive Storage 16TB | Google-Drive-storage-16TB | 16tb |
@@ -232,6 +234,27 @@ nv:<String>:<String>
 ```
 The first `<String>` is a Product and the second `<String>` is a SKU.

+## Info User Performance
+
+In GAM versions prior 7.18.05, when you did `gam info user`, GAM would make one attempt to get the user's licenses.
+If something went wrong, you might not get the complete list.
+
+The License Manager API doesn't have a call that returns the list of licenses that a user has; you have to ask:
+```
+Does user have license SKU 1?
+Does user have license SKU 2?
+Does user have license SKU 3?
+...
+Does user have license SKU 73?
+```
+If you do a couple of info user commands back to back, you start to run into quota issues.
+
+You can help yourself in the following way: generate a list of all of the SKUs that exist in your workspace.
+
+Then do (example, use actual list): gam config license_skus 1010020028,1010070001, ... save
+Now, rather that asking 73 questions per user, GAM will only ask about the license SKUs in the list.
+It is much less likely that quota issues will occur,
+
 ## Display license counts
 ```
 gam show licenses
--- a/wiki/List-Items.md
+++ b/wiki/List-Items.md
@@ -11,6 +11,8 @@
 <CalendarACLScopeList> ::= "<CalendarACLScope>(,<CalendarACLScope>)*"
 <CalendarList> ::= "<CalendarItem>(,<CalendarItem>)*"
 <ChatSpaceList> ::= "<ChatSpace>(,<ChatSpace>)*"
+<ChromeProfileNameList> ::= "<ChromeProfileName>(,<ChromeProfileName>)*"
+<ChromeProfileCommandNameList> ::= "<ChromeProfileCommandName>(,<ChromeProfileCommandName>)*"
 <CIGroupAliasList> ::= "<CIGroupAlias>(,<CIGroupAlias>)*"
 <CIGroupMemberTypeList> ::= "<CIGroupMemberType>(,<CIGroupMemberType>)*"
 <CIPolicyNameList> ::= "<CIPolicyName>(,<CIPolicyName>)*"
@@ -96,6 +98,9 @@
 <SharedDriveACLRoleList> ::= "<SharedDriveACLRole>(,<SharedDriveACLRole>)*"
 <SharedDriveIDList> ::= "<SharedDriveID>(,<SharedDriveID>)*"
 <StringList> ::= "<String>(,<String>)*"
+<TagManagerAccountPathList> ::= "<TagManagerAccountPath>(,<TagManagerAccountPath>)*"
+<TagManagerContainerPathList> ::= "<TagManagerContainerPath>(,<TagManagerContainerPath>)*"
+<TagManagerWorkspacePathList> ::= "<TagManagerWorkspacePath>(,<TagManagerWorkspacePath>)*"
 <TasklistIDList> ::= "<TasklistID>(,<TasklistID>)*"
 <TasklistTitleList> ::= "'<TasklistTitle>'(,'<TasklistTitle>')*"
 <TasklistIDTaskIDList> ::= "<TasklistIDTaskID>(,<TasklistIDTaskID>)*"
--- a/wiki/Meta-Commands-and-File-Redirection.md
+++ b/wiki/Meta-Commands-and-File-Redirection.md
@@ -35,6 +35,9 @@ Select a section from gam.cfg and process a GAM command using values from that s
  - Print the variable values for the selected section
  - Values are determined in this order: Selected section, DEFAULT section, Program default

+If you enter `gam select <SectionName>` and nothing else on the command line,
+it will be treated as if you entered: `gam select <SectionName> save`
+
 ### Display sections
 Display all of the sections in gam.cfg and mark the currently selected section with a *.
 ```
--- a/wiki/Reports.md
+++ b/wiki/Reports.md
@@ -39,19 +39,18 @@ config csv_output_row_filter "'\"accounts:used_quota_in_mb\":count>15000'"
 ## Activity reports
 ```
 <ActivityApplicationName> ::=
-        access|accesstransparency|
+        accesstransparency|access|
        admin|
        calendar|calendars|
        chat|
        chrome|
+        classroom|
        contextawareaccess|
-        currents|gplus|google+|
+        gplus|currents|google+|
        datastudio|
-        devices|mobile|
-        domain|
        drive|doc|docs|
-        gcp|
-        gemini|geminiforworkspace|
+        gcp|cloud|
+        geminiinworkspaceapps|gemini|geminiforworkspace|
        groups|group|
        groupsenterprise|enterprisegroups|
        jamboard|
@@ -69,7 +68,7 @@ gam report <ActivityApplicationName> [todrive <ToDriveAttribute>*]
        [(user all|<UserItem>)|(orgunit|org|ou <OrgUnitPath> [showorgunit])|(select <UserTypeEntity>)]
        [([start <Time>] [end <Time>])|(range <Time> <Time>)|
         yesterday|today|thismonth|(previousmonths <Integer>)]
-        [filtertime<String> <Time>] [filter|filters <String>]
+        [filter <String> (filtertime<String> <Time>)*]
        [event|events <EventNameList>] [ip <String>]
        [groupidfilter <String>]
        [maxactivities <Number>] [maxevents <Number>] [maxresults <Number>]
@@ -364,7 +363,7 @@ gam report users|user [todrive <ToDriveAttribute>*]
        [(date <Date>)|(range <Date> <Date>)|
         yesterday|today|thismonth|(previousmonths <Integer>)]
        [(nodatechange | limitdatechanges <Integer>) | (fulldatarequired all|<UserServiceNameList>)]
-        [filtertime<String> <Time>] [filter|filters <String>]
+        [filter <String> (filtertime<String> <Time>)*]
        [(fields|parameters <String>)|(services <UserServiceNameList>)]
        [aggregatebydate|aggregatebyuser [Boolean]]
        [maxresults <Number>]
@@ -414,7 +413,7 @@ where you can specify a relative date without having to change the script.

 For example, filter for last logins more that 60 days ago.
 ```
-filtertime60d -60d filters "accounts:last_login_time<#filtertime60d#"
+filters "accounts:last_login_time<#filtertime60d#" filtertime60d -60d
 ```

 Select the fields/parameters to display.
--- a/wiki/Reseller.md
+++ b/wiki/Reseller.md
@@ -135,7 +135,7 @@ By default, Gam displays the information as an indented list of keys and values.
 ## Manage Resold Subscriptions
 ```
 gam create resoldsubscription <CustomerID> (sku <SKUID>)
-         (plan annual_monthly_pay|annual_yearly_pay|flexible|trial)
+         (plan annual_monthly_pay|annual_yearly_pay|flexible|trial|free)
         (seats <Number>)
         [customer_auth_token <String>] [deal <String>] [purchaseorderid <String>]
 gam update resoldsubscription <CustomerID> <SKUID>
--- a/wiki/Resources.md
+++ b/wiki/Resources.md
@@ -390,14 +390,14 @@ gam delete building <BuildingID>
 gam info building <BuildingID>
        [formatjson]
 gam show buildings
-        [allfields|<BuildingFildName>*|(fields <BuildingFieldNameList>)]
+        [allfields|<BuildingFieldName>*|(fields <BuildingFieldNameList>)]
        [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
 gam print buildings [todrive <ToDriveAttribute>*]
-        [allfields|<BuildingFildName>*|(fields <BuildingFieldNameList>)]
+        [allfields|<BuildingFieldName>*|(fields <BuildingFieldNameList>)]
        [delimiter <Character>] [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
--- a/wiki/Send-Email.md
+++ b/wiki/Send-Email.md
@@ -392,7 +392,7 @@ Your command line will have: `embedimage file1.jpg image1 embedimage file2.jpg i

 ## Send an email to users
 ```
-gam <UserTypeEntity> sendemail [from <EmailAddress>]
+gam <UserTypeEntity> sendemail from <EmailAddress>
        [replyto <EmailAddress>]
        [cc <RecipientEntity>] [bcc <RecipientEntity>] [singlemessage]
        [subject <String>]
@@ -406,8 +406,6 @@ gam <UserTypeEntity> sendemail [from <EmailAddress>]
 ```
 Emails will be sent to the users in `<UserTypeEntity>`.

-By default, emails will be sent from the admin user named in oauth2.txt, override this with the `from <EmailAddress>` option.
-
 When using the Gmail API/SMTP, GAM gets no/little indication as to the status of the message delivery; the from user will get a non-delivery receipt if the message
 could not be sent to the specified recipients.

--- a/wiki/Shared-Drives.md
+++ b/wiki/Shared-Drives.md
@@ -45,6 +45,8 @@
 * [Shared Drives Search](https://developers.google.com/drive/api/guides/search-shareddrives)

 ## Definitions
+* [`<FileSelector> | <CSVFileSelector>`](Collections-of-Items)
+
 ```
 <ColorHex> ::= "#<Hex><Hex><Hex><Hex><Hex><Hex>"
 <ColorNameGoogle> ::=
@@ -180,6 +182,7 @@
        createdtime|
        id|
        name|
+        restrictions|
        themeid
 <SharedDriveFieldNameList> ::= "<SharedDriveFieldName>(,<SharedDriveFieldName>)*"

@@ -200,6 +203,8 @@
        allowcontentmanagerstosharefolders|
        copyrequireswriterpermission|
        domainusersonly|
+        downloadrestrictedforreaders|downloadrestrictions.restrictedforreaders|
+        downloadrestrictedforwriters|downloadrestrictions.restrictedforwriters|
        drivemembersonly|teammembersonly|
        sharingfoldersrequiresorganizerpermission

@@ -242,7 +247,7 @@ The user that creates a Shared Drive is given the permission role organizer for
 gam [<UserTypeEntity>] create shareddrive <Name>
        [(theme|themeid <String>)|
         ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
-        (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
+        ([restrictions.]<SharedDriveRestrictionsSubfieldName> <Boolean>)*
        [hide <Boolean>] [ou|org|orgunit <OrgUnitItem>]
        [errorretries <Integer>] [updateinitialdelay <Integer>] [updateretrydelay <Integer>]
        [(csv [todrive <ToDriveAttribute>*] (addcsvdata <FieldName> <String>)*) | returnidonly]
@@ -254,7 +259,7 @@ gam [<UserTypeEntity>] create shareddrive <Name>
  * `<Float>` - Y coordinate, typically 0.0
  * `<Float>` - width, typically 1.0
 * `color` - set the Shared Drive color
-* `<SharedDriveRestrictionsSubfieldName> <Boolean>` - Set Shared Drive Restrictions
+* `[restrictions.]<SharedDriveRestrictionsSubfieldName> <Boolean>` - Set Shared Drive Restrictions
 * `hide <Boolean>` - Set Shared Drive visibility

 If any attributes other than `themeid` are specified, GAM must create the Drive and then update the Drive attributes.
@@ -328,13 +333,13 @@ gam [<UserTypeEntity>] update shareddrive <SharedDriveEntity> [name <Name>]
        [adminaccess|asadmin]
        [(theme|themeid <String>)|
         ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
-        (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
+        ([restrictions.]<SharedDriveRestrictionsSubfieldName> <Boolean>)*
        [hide|hidden <Boolean>] [ou|org|orgunit <OrgUnitItem>]
 ```
 * `themeid` - a Shared Drive themeId obtained from `show shareddrivethemes`
 * `customtheme` - set the backgroundImageFile property described here:  https://developers.google.com/drive/v3/reference/teamdrives
 * `color` - set the Shared Drive color
-* `<SharedDriveRestrictionsSubfieldName> <Boolean>` - Set Shared Drive Restrictions
+* `[restrictions.]<SharedDriveRestrictionsSubfieldName> <Boolean>` - Set Shared Drive Restrictions
 * `hidden <Boolean>` - Set Shared Drive visibility

 * `ou|org|orgunit <OrgUnitItem>` - See: https://workspaceupdates.googleblog.com/2022/05/shared-drives-in-organizational-units-open-beta.html
@@ -372,26 +377,38 @@ By default, Gam displays the information as an indented list of keys and values.
 gam [<UserTypeEntity>] show shareddrives
        [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
        [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
-        [fields <SharedDriveFieldNameList>] [formatjson]
+        [fields <SharedDriveFieldNameList>]
+        [showwebviewlink text|hyperlink]
+        [formatjson]
 ```
 By default, all Shared Drives are displayed; use the following options to select a subset of Shared Drives:
 * `teamdriveadminquery|query <QueryTeamDrive>` - Use a query to select Shared Drives
 * `matchname <REMatchPattern>` - Retrieve Shared Drives with names that match a pattern.
 * `orgunit|org|ou <OrgUnitPath>` - Only Shared Drives in the specified Org Unit are selected

+Use option `showwebviewlink` to display the web view link for the Shared Drive.
+* `showwebviewlink text` - Displays `https://drive.google.com/drive/folders/<SharedDriveID>`
+* `showwebviewlink hyperlink` - Dsiplays `=HYPERLINK("https://drive.google.com/drive/folders/<SharedDriveID>", "<SharedDriveName>")`
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
 gam [<UserTypeEntity>] print shareddrives [todrive <ToDriveAttribute>*]
        [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
        [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
-        [fields <SharedDriveFieldNameList>] [formatjson [quotechar <Character>]]
+        [fields <SharedDriveFieldNameList>]
+        [showwebviewlink text|hyperlink]
+        [formatjson [quotechar <Character>]]
 ```
 By default, all Shared Drives are displayed; use the following options to select a subset of Shared Drives:
 * `teamdriveadminquery|query <QueryTeamDrive>` - Use a query to select Shared Drives
 * `matchname <REMatchPattern>` - Retrieve Shared Drives with names that match a pattern.
 * `orgunit|org|ou <OrgUnitPath>` - Only Shared Drives in the specified Org Unit are selected

+Use option `showwebviewlink` to display the web view link for the Shared Drive.
+* `showwebviewlink text` - Displays `https://drive.google.com/drive/folders/<SharedDriveID>`
+* `showwebviewlink hyperlink` - Dsiplays `=HYPERLINK("https://drive.google.com/drive/folders/<SharedDriveID>", "<SharedDriveName>")`
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.

--- a/wiki/Users-Calendars.md
+++ b/wiki/Users-Calendars.md
@@ -125,7 +125,7 @@
        (foregroundcolor <ColorValue>)|
        (hidden <Boolean>)|
        (notification clear|(email <CalendarEmailNotificatonEventTypeList>))|
-        (reminder clear|(email|popup <Number>)|(<Number> email|popup))|
+        (reminder clear|(email|popup <Number>)|(<Number> email|popup))*|
        (selected <Boolean>)|
        (summary <String>)

--- a/wiki/Users-Chat.md
+++ b/wiki/Users-Chat.md
@@ -12,6 +12,8 @@
 - [Manage Chat Messages](#manage-chat-messages)
 - [Display Chat Messages](#display-chat-messages)
 - [Display Chat Events](#display-chat-events)
+- [Manage Chat Emojis](#manage-chat-emojis)
+- [Display Chat Emojis](#display-chat-emojis)
 - [Bulk Operations](#bulk-operations)

 ## Introduction
@@ -19,6 +21,7 @@ To use these commands you must update your service account authorization.
 ```
 gam user user@domain.com update serviceaccount

+[*]  3)  Chat API - Custom Emojis (supports readonly)
 [*]  4)  Chat API - Memberships (supports readonly)
 [*]  5)  Chat API - Memberships Admin (supports readonly)
 [*]  6)  Chat API - Messages (supports readonly)
@@ -51,10 +54,12 @@ Google requires that you have a Chat Bot configured in order to use the Chat API
 ## API documentation
 * [Overview](https://developers.google.com/workspace/chat/overview)
 * [Chat API](https://developers.google.com/workspace/chat/api/reference/rest)
+* [Chat API - Custom Emojis](https://developers.google.com/workspace/chat/api/reference/rest/v1/customEmojis)
 * [Chat API - Members](https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.members/list)
 * [Chat API - Messages](https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.messages/list)
 * [Chat API - Events](https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.spaceEvents/list)
 * [Apps in Google Chat](https://support.google.com/chat/answer/7655820)
+* [Manage customemoji permissions](https://support.google.com/a/answer/12850085)
 * [Manage Spaces in Admin Console](https://support.google.com/a/answer/13369245)
 * [Predefined permission settings](https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces#Space.FIELDS.predefined_permission_settings)

@@ -83,6 +88,8 @@ Google requires that you have a Chat Bot configured in order to use the Chat API
         (gdoc <UserGoogleDoc>)|
         (gcsdoc <StorageBucketObjectName>))

+<ChatEmojiName> ::= :[0-9a-z_-]+:
+<ChatEmoji> ::= emojiname <ChatEmojiName> | customemojis/<String>
 <ChatEvent> ::= spaces/<String>/spaceEvents/<String>
 <ChatMember> ::= spaces/<String>/members/<String>
 <ChatMemberList> ::= "<ChatMember>(,<ChatMember>)*"
@@ -457,7 +464,7 @@ gam <UserItem> delete chatmember asadmin <ChatSpace>

 Delete members from a chat space by specifying chatmember names, asadmin
 ```
-gam <UserItem> remove chatmember members asadmin <ChatMemberList>
+gam <UserItem> remove chatmember asadmin members <ChatMemberList>
 ```

 ### Update a members role in a user's chat space
@@ -896,6 +903,75 @@ filter 'start_time=\"2024-03-15T11:30:00-04:00\" AND event_types:\"google.worksp
 filter 'start_time=\"2024-03-15T11:30:00+00:00\" AND end_time=\"2024-03-3100:00:00+00:00\" AND event_types:\"google.workspace.chat.message.v1.created\"'
 ```

+## Manage Chat Emojis
+
+### Create a Chat Emoji
+```
+gam <UserTypeEntity> create chatemoji <ChatEmojiName>
+         ([drivedir|(sourcefolder <FilePath>)] [filename <FileNamePattern>])
+        [formatjson]
+```
+Emoji names must start and end with colons, must be lowercase and can only contain alphanumeric characters, hyphens, and underscores.
+Hyphens and underscores should be used to separate words and cannot be used consecutively.
+
+By default, the emoji file will be uploaded from the current working directory.
+* `drivedir` - The emoji file will be uploaded from the directory specified by `drive_dir` in gam.cfg
+* `sourcefolder <FilePath>` - The emoji file will be uploaded from `<FilePath>`
+
+Specify the emoji file name; the following substitutions will be made:
+* `#email#` and `#user#` will be replaced by the user's full email address
+* `#username#` will be replaced by the local part of the user's email address
+
+### Delete a Chat Emoji
+Deletes the given Chat emoji.
+
+```
+gam <UserTypeEntity> delete chatemoji <Chatemoji>
+```
+
+## Display Chat Emojis
+### Display a specific Chat emoji
+
+```
+gam <UserTypeEntity> info chatemoji <Chatemoji>
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### Display information about all chat emojis
+```
+gam <UserTypeEntity> show chatemojis
+        [showcreatedby any|me|others]
+        [formatjson]
+```
+Select emojis to display:
+* `showcreatedby any` - Display all emojis regardless of creator
+* `showcreatedby ` - Display all emojis created by the user; this is the default
+* `showcreatedby others` - Display all emojis not created by the user
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam <UserTypeEntity> print chatemojis [todrive <ToDriveAttribute>*]
+        [showcreatedby any|me|others]
+        [formatjson [quotechar <Character>]]
+```
+Select emojis to display:
+* `showcreatedby any` - Display all emojis regardless of creator
+* `showcreatedby ` - Display all emojis created by the user; this is the default
+* `showcreatedby others` - Display all emojis not created by the user
+
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
 ## Bulk Operations
 ### Display information about all chat spaces for a collection of users
 ```
--- a/wiki/Users-Drive-Copy-Move.md
+++ b/wiki/Users-Drive-Copy-Move.md
@@ -13,6 +13,7 @@
  - [Move with ownership change](#move-with-ownership-change)
  - [Complex moves](#complex-moves)
  - [Move content of a Shared Drive to another Shared Drive](#move-content-of-a-shared-drive-to-another-shared-drive)
+  - [Move content of a Shared Drive to a My Drive](#move-content-of-a-shared-drive-to-a-my-drive)

 ## API documentation
 * [Drive API - Files](https://developers.google.com/drive/api/v3/reference/files)
@@ -673,8 +674,10 @@ gam user user@domain.com move drivefile teamdriveid 0AC_1AB teamdriveparentid 0A
 ```

 If you want the source Shared Drive with ID 0AC_1AB to be contained in a top level folder of the target Shared Drive with ID 0AE_9ZX, omit the `mergewithparent` argument.
+The folder on the target Shared Drive will have the same name as the name of the source Shared Drive; use the `newfilename <DriveFileName>` to use a different name.
 ```
 gam user user@domain.com move drivefile teamdriveid 0AC_1AB teamdriveparentid 0AE_9ZX
+gam user user@domain.com move drivefile teamdriveid 0AC_1AB teamdriveparentid 0AE_9ZX newfilename "Copy of source Shared Drive"
 ```

 ### Inter-workspace moves
@@ -692,3 +695,21 @@ User: user@domaina.com, Move 1 Drive File/Folder
  User: user@domaina.com, Drive Folder: Shared Drive A(<SharedDriveAID>), Retained
 ```
 To get this to work, you must check `Allow people outside of Domain A to access files` on Shared Drive A in domaina.com
+
+## Move content of a Shared Drive to a My Drive
+Suppose you have a Shared Drive with ID 0AC_1AB with multiple files and folders, and want to move all of its content to the root of a My Drive.
+
+The following command will change the parents of the top level files and folders from 0AC_1AB to the root of the My Drive; the sub files and folders will move along with their top level folder.
+
+* No permissions are processed.
+```
+gam user user@domain.com move drivefile teamdriveid 0AC_1AB parentid root mergewithparent 
+```
+
+If you want the contents of Shared Drive with ID 0AC_1AB to be contained in a top level folder of the My Drive, omit the `mergewithparent` argument.
+The folder on the My Drive will have the same name as the name of the Shared Drive; use the `newfilename <DriveFileName>` to use a different name.
+```
+gam user user@domain.com move drivefile teamdriveid 0AC_1AB parentid root
+gam user user@domain.com move drivefile teamdriveid 0AC_1AB parentid root newfilename "Copy of Shared Drive"
+```
+
--- a/wiki/Users-Drive-Files-Display.md
+++ b/wiki/Users-Drive-Files-Display.md
@@ -157,12 +157,16 @@
        contentrestrictions.restrictiontime|
        contentrestrictions.type

-<DriveLabelInfoSubfieldName> ::=
+<DriveDownloadRestrictionsSubfieldName> ::=
+  downloadrestrictions.itemdownloadrestriction|
+  downloadrestrictions.effectivedownloadrestrictionwithcontext
+
+<ClassificationLabelInfoSubfieldName> ::=
        labels.id|              # modifiedByMe
        labels.revisionid|      # copyRequiresWriterPermission
        labels.fields           # viewedByMe

-<DriveLabelsSubfieldName> ::=
+<ClassificationLabelsSubfieldName~> ::=
        labels.modified|        # modifiedByMe
        labels.restricted|      # copyRequiresWriterPermission
        labels.starred|         # starred
@@ -251,6 +255,8 @@
        copyrequireswriterpermission|
        createddate|createdtime|
        description|
+        downloadrestictions|
+        <DriveDownloadRestrictionsSubfieldName>|
        driveid|
        drivename|
        editable|
@@ -269,9 +275,9 @@
        inheritedpermissionsdisabled|
        isappauthorized|
        labelinfo|
-        <DriveLabelInfoSubfieldName>|
+        <ClassificationLabelInfoSubfieldName>|
        labels|
-        <DriveLabelsSubfieldName>|
+        <ClassificationLabelsSubfieldName>|
        lastmodifyinguser|
        <DriveLastModifyingUserSubfieldName>|
        lastmodifyingusername|
@@ -968,7 +974,8 @@ Display a list of file/folder names indented to show structure.
        owners|
        parents|
        size|
-        trashed
+        trashed|
+        webviewlink
 <FileTreeFieldNameList> ::= "<FileTreeFieldName>(,<FileTreeFieldName>)*"

 gam <UserTypeEntity> print filetree [todrive <ToDriveAttribute>*]
@@ -1722,9 +1729,9 @@ User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFil
 user@domain.com,user@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
 user@domain.com,user@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash

-$ gam redirect csv ./MyDriveUsage.csv user user@domain.com print diskusage shareddriveid 0AL5LiIe4dqxZUk9PVA  show summaryandtrash
+$ gam redirect csv ./SharedDriveUsage.csv user user@domain.com print diskusage shareddriveid 0AL5LiIe4dqxZUk9PVA show summaryandtrash
 User: user@domain.com, Print 1 Drive Disk Usage
-$ more MyDriveUsage.csv 
+$ more SharedDriveUsage.csv 
 User,id,name,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
 user@domain.com,0125LiIe4dqxZUk9PVA,TS Shared Drive 1,False,False,16,6144,7,42,73799,25,-1,SharedDrives/TS Shared Drive 1
 user@domain.com,Trash,Trash,True,True,1,1024,0,1,1024,0,-1,Trash
--- a/wiki/Users-Drive-Files-Manage.md
+++ b/wiki/Users-Drive-Files-Manage.md
@@ -125,6 +125,7 @@
        (folderColorRgb <ColorValue>)|
        (indexabletext <String>)|
        (inheritedpermissionsdisabled [<Boolean>])|
+        (itemdownloadrestriction restrictedforreaders|restrictedforwriters [<Boolean>])|
        (keeprevisionforever|pinned)|
        (lastviewedbyme <Time>)|
        (mimetype <MimeType>)|
--- a/wiki/Users-Drive-Permissions.md
+++ b/wiki/Users-Drive-Permissions.md
@@ -10,6 +10,8 @@
 - [Delete all ACLs except owner from a user's My Drive](#delete-all-acls-except-owner-from-a-users-my-drive)
 - [Change shares to User1 to shares to User2](#change-shares-to-user1-to-shares-to-user2)
 - [Map All ACLs from an old domain to a new domain](#map-all-acls-from-an-old-domain-to-a-new-domain)
+- [Remove all ACLs for a specific user or group email address](#remove-all-ACLs-for-a-specific-user-or-group-email-address)
+- [Remove anyone-anyoneWithLink ACLs](#remove-anyone-anyonewithlink-acls)

 ## API documentation
 * [Drive API - Permissions](https://developers.google.com/drive/api/v3/reference/permissions)
@@ -214,6 +216,12 @@ The option `updatesheetprotectedranges` only applies to items in `<DriveFileEnti
    * ACLs with role reader or commenter will be removed from existing protected ranges
    * ACLs with role writer or higher will be added to existing protected ranges

+`
+`enforceexpansiveaccess` defaults to the value of `gam.cfg/enforce_expansive_access` that controls
+the ability to update inherited ACLs.
+* False - Inherited ACLs can be updated
+* True = Inherited ACLs can not be updated
+
 By default, the file ID is displayed in the output; to see the file name, use the `showtitles`
 option; this requires an additional API call per file.

@@ -234,6 +242,11 @@ The option `updatesheetprotectedranges` only applies to items in `<DriveFileEnti
  * Sheet Protected Ranges are updated to reflect the deleted ACL; additional API calls are required.
    * ACLs with any role will be removed from existing protected ranges

+`enforceexpansiveaccess` defaults to the value of `gam.cfg/enforce_expansive_access` that controls
+the ability to delete delete inherited ACLs.
+* False - Inherited ACLs can be deleted
+* True = Inherited ACLs can not be deleted
+
 By default, the file ID is displayed in the output; to see the file name, use the `showtitles`
 option; this requires an additional API call per file.

@@ -266,6 +279,11 @@ gam <UserTypeEntity> delete permissions <DriveFileEntity> <DriveFilePermissionID
        <PermissionMatch>* [<PermissionMatchAction>]
        [enforceexpansiveaccess [<Boolean>]]
 ```
+`enforceexpansiveaccess` defaults to the value of `gam.cfg/enforce_expansive_access` that controls
+the ability to delete delete inherited ACLs.
+* False - Inherited ACLs can be deleted
+* True = Inherited ACLs can not be deleted
+
 When deleting permissions from JSON data, permissions with role `owner` true are never processed.

 ## Display file permissions/sharing
@@ -369,3 +387,83 @@ gam config csv_input_row_filter "permission.type:regex:user|group" redirect stdo
 gam config csv_input_row_filter "permission.type:regex:domain" redirect stdout ./AddNewDomainACLsDomainShares.txt multiprocess redirect stderr stdout csv ./allUsersFiles.csv gam user "~Owner" create drivefileacl "~id" "~permission.type" "~permission.domain" role "~permission.role" allowfilediscovery "~permission.allowFileDiscovery" mappermissionsdomain olddomain.com newdomain.com
 ```
    
+## Remove all ACLs for a specific user or group email address
+
+### My Drives
+
+Get My Drive ACLs sharing to that email address:
+* Replace `<Type>` with user or group
+* Replace `email@domain.com` with actual email address
+```
+gam config auto_batch_min 1 num_threads 20 redirect csv ./MyDriveShares.csv multiprocess redirect stderr - multiprocess all users print filelist fields id,name,mimetype,basicpermissions query "'email@domain.com' in readers or 'email@domain.com' in writers" pm notrole owner type <Type> emailaddress email@domain.com em pmfilter oneitemperrow
+```
+
+Delete those My Drive ACLs.
+```
+gam config num_threads 20 redirect stdout ./DeleteMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+```
+
+Add My Drive ACLs with a different email address and the same role.
+```
+gam config num_threads 20 redirect stdout ./AddMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" add drivefleacl "~id" "~permission.type" newemail@domain.rom role "~permission.role"
+```
+
+### Shared Drives
+Get an organizer for each Shared Drive
+```
+gam redirect csv ./SharedDriveOrganizers.csv print shareddriveorganizers
+```
+
+Get Shared Drive ACLs explicitly sharing to that email address:
+* Replace `<Type>` with user or group
+* Replace `email@domain.com` with actual email address
+```
+gam config num_threads 20 csv_input_row_filter "organizers:regex:^.+$" redirect csv ./SharedDriveShares.csv multiprocess redirect stderr - multiprocess csv SharedDriveOrganizers.csv gam user "~organizers"  print filelist select shareddriveid "~id" fields id,name,mimetype,basicpermissions,driveid showdrivename query "'email@domain.com' in readers or 'email@domain.com' in writers" pm type <Type> emailaddress email@domain.com inherited false em pmfilter oneitemperrow
+```
+
+Delete those Shared Drive ACLs.
+```
+gam config num_threads 20 redirect stdout ./DeleteSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+```
+
+Add Shared Drive ACLs with a different email address and the same role.
+```
+gam config num_threads 20 redirect stdout ./ReplaceSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" add drivefleacl "~id" "~permission.type" newemail@domain.rom role "~permission.role"
+```
+
+## Remove anyone-anyoneWithLink ACLs
+
+Here are the queries that will be used in these commands:
+* anyone - query "visibility='anyoneCanFind'"
+* anyoneWithLink - query "visibility='anyoneWithLink'"
+* both - query "(visibility='anyoneCanFind' or visibility='anyoneWithLink')"
+
+### My Drives
+
+Get My Drive anyone/anyoneWithLink ACLs
+```
+gam config auto_batch_min 1 num_threads 20 redirect csv ./MyDriveShares.csv multiprocess redirect stderr - multiprocess all users print filelist fields id,name,mimetype,basicpermissions <Query> pm type anyone em pmfilter oneitemperrow
+```
+
+Delete those My Drive ACLs.
+```
+gam config num_threads 20 redirect stdout ./DeleteMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+```
+
+### Shared Drives
+Get an organizer for each Shared Drive
+```
+gam redirect csv ./SharedDriveOrganizers.csv print shareddriveorganizers
+```
+
+Get Shared Drive anyone/anyoneWithLink ACLs
+```
+gam config num_threads 20 csv_input_row_filter "organizers:regex:^.+$" redirect csv ./SharedDriveShares.csv multiprocess redirect stderr - multiprocess csv SharedDriveOrganizers.csv gam user "~organizers"  print filelist select shareddriveid "~id" fields id,name,mimetype,basicpermissions,driveid showdrivename <Query> pm type anyone inherited false em pmfilter oneitemperrow
+```
+
+Delete those Shared Drive ACLs.
+```
+gam config num_threads 20 redirect stdout ./DeleteSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+```
+
+
--- a/wiki/Users-Forms.md
+++ b/wiki/Users-Forms.md
@@ -49,10 +49,19 @@ gam user user@domain.com update serviceaccount
 ```
 gam <UserTypeEntity> create form
        title <String> [description <String>] [isquiz [Boolean>]] [<JSONData>]
+        [ispublished [<Boolean>] isacceptingresponses [<Boolean>]]
        [drivefilename <DriveFileName>] [<DriveFileParentAttribute>]
        [(csv [todrive <ToDriveAttribute>*]) | returnidonly]
 ```

+The valid combinations of `ispublished` and `isacceptingresponses` are:
+* `ispublished true isacceptingresponses true`
+* `ispublished true isacceptingresponses false`
+* `ispublished false isacceptingresponses false`
+* `ispublished false` - Sets `isacceptingresponses false`
+* `isacceptingresponses false` - Sets `ispublished false`
+* `isacceptingresponses true` - Sets `ispublished true`
+
 `<JSONData>` is a list of form update requests.

 * See: https://developers.google.com/forms/api/reference/rest/v1/forms/batchUpdate
@@ -79,15 +88,24 @@ Select forms with `<DriveFileEntity>`:
 ```
 gam <UserTypeEntity> update form <DriveFileEntity>
        [title <String>] [description <String>] [isquiz [Boolean>]] [<JSONData>]
+        [ispublished [<Boolean>] isacceptingresponses [<Boolean>]]
 ```

+The valid combinations of `ispublished` and `isacceptingresponses` are:
+* `ispublished true isacceptingresponses true`
+* `ispublished true isacceptingresponses false`
+* `ispublished false isacceptingresponses false`
+* `ispublished false` - Sets `isacceptingresponses false`
+* `isacceptingresponses false` - Sets `ispublished false`
+* `isacceptingresponses true` - Sets `ispublished true`
+
 `<JSONData>` is a list of form update requests.

 * See: https://developers.google.com/forms/api/reference/rest/v1/forms/batchUpdate

 ## Extended Example

-This example illustrates the use of JSN data to create and update forms
+This example illustrates the use of JSON data to create and update forms
 concerning student classtoom attendance.
 The form has two items: Absences and Notes.
 In `Absences`, the teacher can check `All present.` or check individual student absences.
@@ -272,7 +290,7 @@ Select forms with `<DriveFileEntity>`:
 * `my_forms` - Display responses for all forms owned by the user
 ```
 gam <UserTypeEntity> show formresponses <DriveFileEntity>
-        [filtertime.* <Time>] [filter <String>]
+        [filter <String> (filtertime<String> <Time>)*]
        [countsonly|formatjson]
 ```
 By default, GAM displays form response details, use the `countsonly` option to get the number of responses but no response details.
@@ -284,11 +302,12 @@ By default, GAM displays all form responses, you can filter by response time:
 For example, to get the form responses submitted since the beginning of the year:
 * `filter timestamp >= 2022-01-01T00:00:00Z`

-Use the `filtertime.* <Time>` option to allow times, usually relative, to be substituted into the `filter <String>` option.
+Use the `filtertime<String <Time>` option to allow times, usually relative, to be substituted into the `filter <String>` option.
+The `filtertime<String> <Time>` value replaces the string `#filtertime<String>#` in any filters..
 The characters following `filtertime` can be any combination of lowercase letters and numbers.

-For example, to get the responses subnitted in the last four hours:
-* `filtertime4h -4h filter "timestamp >= #filtertime4h#`
+For example, to get the responses submitted in the last four hours:
+* `filter "timestamp >= #filtertime4h#" filtertime4h -4h`

 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the form response in JSON format
@@ -296,7 +315,7 @@ By default, Gam displays the information as an indented list of keys and values.
 ```
 gam <UserTypeEntity> print formresponses <DriveFileEntity> [todrive <ToDriveAttribute>*]
        (addcsvdata <FieldName> <String>)*
-        [filtertime.* <Time>] [filter <String>]
+        [filter <String> (filtertime<String> <Time>)*]
        [countsonly|(formatjson [quotechar <Character>])]
 ```
 By default, GAM displays form response details, use the `countsonly` option to get the number of responses but no response details.
@@ -310,11 +329,12 @@ By default, GAM displays all form responses, you can filter by response time:
 For example, to get the form responses submitted since the beginning of the year:
 * `filter timestamp >= 2022-01-01T00:00:00Z`

-Use the `filtertime.* <Time>` option to allow times, usually relative, to be substituted into the `filter <String>` option.
+Use the `filtertime<String> <Time>` option to allow times, usually relative, to be substituted into the `filter <String>` option.
+The `filtertime<String> <Time>` value replaces the string `#filtertime<String>#` in any filters..
 The characters following `filtertime` can be any combination of lowercase letters and numbers.

 For example, to get the responses subnitted in the last four hours:
-* `filtertime4h -4h filter "timestamp >= #filtertime4h#`
+* `filter "timestamp >= #filtertime4h#" filtertime4h -4h`

 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
 the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
--- a/wiki/Users-Gmail-Filters.md
+++ b/wiki/Users-Gmail-Filters.md
@@ -80,8 +80,8 @@ All `<FilterAction>s` except `forward <EmailAddress>` involve adding/removing la
 * `label <LabelName>` - Add the user label `<LabelName>`; only one user label can be specified. It will be created if necessary.

 In Gmail, you can have a multi-level label like `Top/Middle/Bottom`; you can also have a single-level label like `Top/Middle/Bottom`,
-* If `buildpath` is omitted or `<Boolean>` is set to False, a <labelName>` containing `/` will be created as single-level.
-* If `buildpath` is present and `<Boolean>` is omitted or set to True, a <labelName>` containing `/` will be created as multi-level;
+* If `buildpath` is omitted or `<Boolean>` is set to False, a `<labelName>` containing `/` will be created as single-level.
+* If `buildpath` is present and `<Boolean>` is omitted or set to True, a `<labelName>` containing `/` will be created as multi-level;
 all parent labels are created as necessary.

 If `forward <EmailAddress>` is specified, the filter creation will fail if the user has not defined `<EmailAddress>` as a forwarding address.
--- a/wiki/Users-Gmail-Messages-Threads.md
+++ b/wiki/Users-Gmail-Messages-Threads.md
@@ -72,6 +72,8 @@ This table and other suggestions came from:
 <EmailAddress> ::= <String>@<DomainName>
 <UniqueID> ::= id:<String>
 <GroupItem> ::= <EmailAddress>|<UniqueID>|<String>
+<LabelID> ::= <String>
+<LabelIDList> ::= "<LabelID>(,<LabelID)*"
 <LabelName> ::= <String>
 <QueryGmail> ::= <String> See: https://support.google.com/mail/answer/7190
 <Time> ::=
@@ -389,6 +391,7 @@ Your command line will have: `embedimage file1.jpg image1` embedimage file2.jpg
 ```
 gam <UserTypeEntity> archive messages <GroupItem>
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
         [quick|notquick] [doit] [max_to_archive <Number>])|(ids <MessageIDEntity>)
        [csv [todrive <ToDriveAttribute>*]]
 ```
@@ -400,6 +403,7 @@ Messages are archived to the group specified by `<GroupItem>`.

 ### Archive a selected set of messages
 * `((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+` - Criteria to select messages
+* `labelids <LabelIDList>` - Select messages with labels that match all of the specified label IDs.
 * `max_to_archive` - Limit the number of messages that will be archived; use a value of 0 for no limit
 * `doit` - No messages are archived unless you specify `doit`. By not specifying `doit`, you can preview the messages selected to verify that the results match your expectations.

@@ -432,10 +436,14 @@ See below for message selection.
 Export messages in EML format.
 ```
 gam <UserTypeEntity> export message|messages
-        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [max_to_export <Number>])|(ids <MessageIDEntity>)
+        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
+         [quick|notquick] [max_to_export <Number>])|(ids <MessageIDEntity>)
        [targetfolder <FilePath>] [targetname <FileName>] [overwrite [<Boolean>]]
 gam <UserTypeEntity> export thread|threads
-        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [max_to_export <Number>])|(ids <ThreadIDEntity>)
+        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
+         [quick|notquick] [max_to_export <Number>])|(ids <MessageIDEntity>)
        [targetfolder <FilePath>] [targetname <FileName>] [overwrite [<Boolean>]]
 ```

@@ -459,10 +467,12 @@ See below for message selection.
 ```
 gam <UserTypeEntity> forward message|messages recipient|to <RecipientEntity>
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
         [quick|notquick] [doit] [max_to_forward <Number>])|(ids <MessageIDEntity>)
         [subject <String>] [addorigfieldstosubject]
 gam <UserTypeEntity> forward thread|threads recipient|to <RecipientEntity>
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
         [quick|notquick] [doit] [max_to_forward <Number>])|(ids <ThreadIDEntity>)
         [subject <String>] [addorigfieldstosubject]
 ```
@@ -482,23 +492,28 @@ See below for message selection.
 ```
 gam <UserTypeEntity> delete messages|threads
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
         [quick|notquick] [doit] [max_to_delete <Number>])|(ids <MessageIDEntity>)
        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> modify messages|threads
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
         [quick|notquick] [doit] [max_to_modify <Number>])|(ids <MessageIDEntity>)
        ((addlabel <LabelName>)|(removelabel <LabelName>))+
        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> spam messages|threads
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
         [quick|notquick] [doit] [max_to_spam <Number>])|(ids <MessageIDEntity>)
        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> trash messages|threads
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
         [quick|notquick] [doit] [max_to_trash <Number>])|(ids <MessageIDEntity>)
        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> untrash messages|threads
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
+         [labelids <LabelIDList>]
         [quick|notquick] [doit] [max_to_untrash <Number>])|(ids <MessageIDEntity>)
        [csv [todrive <ToDriveAttribute>*]]
 ```
@@ -522,6 +537,7 @@ user@domain.com,18e9fc58c5491f4c,Deleted,

 ### Manage a selected set of messages
 * `((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+` - Criteria to select messages
+* `labelids <LabelIDList>` - Select messages with labels that match all of the specified label IDs.
 * `max_to_xxx` - Limit the number of messages that will be processed; use a value of 0 for no limit
 * `doit` - No messages are processed unless you specify `doit`. By not specifying `doit`, you can preview the messages selected to verify that the results match your expectations.

@@ -570,6 +586,7 @@ gam config auto_batch_min 1 groups_inde EastOffice delete message query "rfc822m
 ```
 gam <UserTypeEntity> show messages|threads
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])*
+         [labelids <LabelIDList>]
         [quick|notquick] [max_to_show <Number>] [includespamtrash])|(ids <MessageIDEntity>)
        [labelmatchpattern <REMatchPattern>] [sendermatchpattern <REMatchPattern>]
        [countsonly|positivecountsonly] [useronly]
@@ -581,6 +598,7 @@ gam <UserTypeEntity> show messages|threads
            [targetfolder <FilePath>] [overwrite [<Boolean>]]
 gam <UserTypeEntity> print messages|threads [todrive <ToDriveAttribute>*]
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])*
+         [labelids <LabelIDList>]
         [quick|notquick] [max_to_print <Number>] [includespamtrash])|(ids <MessageIDEntity>)
        [labelmatchpattern <REMatchPattern>] [sendermatchpattern <REMatchPattern>]
        [countsonly|positivecountsonly] [useronly]
@@ -607,6 +625,7 @@ gam user user@domain.com print|show threads maxmessagesperthread 1

 ## Display a selected set of messages
 * `((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+` - Criteria to select messages
+* `labelids <LabelIDList>` - Select messages with labels that match all of the specified label IDs.
 * `max_to_xxx` - Limit the number of messages that will be displayed
 * `includespamtrash` - Include messages in the Spam and Trash folders
 * `labelmatchpattern <REMatchPattern>` - Only display messages with some label that matches `<REMatchPattern>`
--- a/wiki/Users-Gmail-Send-As-Signature-Vacation.md
+++ b/wiki/Users-Gmail-Send-As-Signature-Vacation.md
@@ -108,7 +108,7 @@ Paul shall send emails from the marketing email address with the name Paul from
 ``` gam user paul add sendas marketing@example.com "Paul from Example" replyto paul```

 ## Display sendas
-### Display the information as an indented list of keys and values.
+### Display the sendas information as an indented list of keys and values.
 ```
 gam <UserTypeEntity> info sendas <EmailAddressEntity> [compact|format|html]
 gam <UserTypeEntity> show sendas [compact|format|html]
@@ -126,7 +126,19 @@ By default, all sendas addresses are shown, use these options to limit the displ

 Use the `verifyonly` option to display `True` or `False` in the signature field based on whether the signature is non-blank.

-### Display the information in CSV form.
+To capture a signature for use as input to GAM, do the following.
+```
+gam redirect stdout ./signature.html user user@domain.com show sendas compact
+```
+Edit signature.html and remove the following data leaving just the HTML.
+```
+SendAs Address: <user@domain.com>
+  IsPrimary: True
+  Default: True
+  Signature:
+```
+
+### Display the sendas information in CSV form.
 ```
 gam <UserTypeEntity> print sendas [compact]
        [primary|default] [verifyonly] [todrive <ToDriveAttribute>*]
@@ -170,7 +182,7 @@ email address signature rather than the alias signature to be set.
 If you have a current default signature, the API will update that, but if you delete it, it seems that the API will not over-write any of the other signatures, but instead add a new signature called `My signature`. If you rename that signature, the API will keep on updating that same signature, and not touch the other signatures.

 ## Display signature
-### Display the information as an indented list of keys and values.
+### Display the signature as an indented list of keys and values.
 ```
 gam <UserTypeEntity> show signature|sig [compact|format|html]
        [primary|default] [verifyonly]
@@ -187,7 +199,19 @@ By default, the signature for `<UserTypeEntity>` is displayed, use these options

 Use the `verifyonly` option to display `True` or `False` in the signature field based on whether the signature is non-blank.

-### Display the information in CSV form.
+To capture a signature for use as input to GAM, do the following.
+```
+gam redirect stdout ./signature.html user user@domain.com show signature compact
+```
+Edit signature.html and remove the following data leaving just the HTML.
+```
+SendAs Address: <user@domain.com>
+  IsPrimary: True
+  Default: True
+  Signature:
+```
+
+### Display the signature in CSV form.
 ```
 gam <UserTypeEntity> print signature [compact]
            [primary|default] [verifyonly] [todrive <ToDriveAttribute>*]
--- a/wiki/Users-Meet.md
+++ b/wiki/Users-Meet.md
@@ -29,9 +29,10 @@ To use these commands you must add the 'Meet API' to your project and update you
 gam update project
 gam user user@domain.com update serviceaccount
 ...
-[*] 36)  Meet API (supports readonly)
-
+[*] 34)  Meet API - Manage/Display Meeting Spaces
+[*] 35)  Meet API - Read Meeting Spaces metadata
 ```
+
 ## Definitions
 * [`<UserTypeEntity>`](Collections-of-Users)
 ```
--- a/wiki/Users-Shared-Drives.md
+++ b/wiki/Users-Shared-Drives.md
@@ -158,6 +158,7 @@
        createdtime|
        id|
        name|
+        restrictions|
        themeid
 <SharedDriveFieldNameList> ::= "<SharedDriveFieldName>(,<SharedDriveFieldName>)*"

@@ -180,6 +181,8 @@
        allowcontentmanagerstosharefolders|
        copyrequireswriterpermission|
        domainusersonly|
+        downloadrestrictedforreaders|downloadrestrictions.restrictedforreaders|
+        downloadrestrictedforwriters|downloadrestrictions.restrictedforwriters|
        drivemembersonly|teammembersonly|
        sharingfoldersrequiresorganizerpermission

@@ -214,7 +217,7 @@ The user that creates a Shared Drive is given the permission role organizer for
 gam <UserTypeEntity> create shareddrive <Name>
        [(theme|themeid <String>)|
         ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
-        (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
+        ([restrictions.]<SharedDriveRestrictionsSubfieldName> <Boolean>)*
        [hide <Boolean>] [ou|org|orgunit <OrgUnitItem>]
        [errorretries <Integer>] [updateinitialdelay <Integer>] [updateretrydelay <Integer>]
        [(csv [todrive <ToDriveAttribute>*] (addcsvdata <FieldName> <String>)*) | returnidonly]
@@ -225,7 +228,7 @@ gam <UserTypeEntity> create shareddrive <Name>
  * `<Float>` - Y coordinate, typically 0.0
  * `<Float>` - width, typically 1.0
 * `color` - set the Shared Drive color
-* `<SharedDriveRestrictionsSubfieldName> <Boolean>` - Set Shared Drive Restrictions
+* `[restrictions.]<SharedDriveRestrictionsSubfieldName> <Boolean>` - Set Shared Drive Restrictions
 * `hide <Boolean>` - Set Shared Drive visibility

 If any attributes other than `themeid` are specified, GAM must create the Drive and then update the Drive attributes.
@@ -281,13 +284,13 @@ This command is used to set basic Shared Drive settings.
 gam <UserTypeEntity> update shareddrive <SharedDriveEntity> [adminaccess|asadmin] [name <Name>]
        [(theme|themeid <String>)|
         ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
-        (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
+        ([restrictions.]<SharedDriveRestrictionsSubfieldName> <Boolean>)*
        [hide|hidden <Boolean>] [ou|org|orgunit <OrgUnitItem>]
 ```
 * `themeid` - a Shared Drive themeId obtained from `show shareddrivethemes`
 * `customtheme` - set the backgroundImageFile property described here:  https://developers.google.com/drive/v3/reference/teamdrives
 * `color` - set the Shared Drive color
-* `<SharedDriveRestrictionsSubfieldName> <Boolean>` - Set Shared Drive Restrictions
+* `[restrictions.]<SharedDriveRestrictionsSubfieldName> <Boolean>` - Set Shared Drive Restrictions
 * `hidden <Boolean>` - Set Shared Drive visibility

 This option is only available when the command is run as an administrator.
@@ -318,23 +321,34 @@ gam <UserTypeEntity> show shareddriveinfo <SharedDriveEntity>
 gam <UserTypeEntity> show shareddrives
        [matchname <REMatchPattern>] (role|roles <SharedDriveACLRoleList>)*
        [fields <SharedDriveFieldNameList>]
+        [showwebviewlink text|hyperlink]
        [guiroles [<Boolean>] [formatjson]
 ```
 By default, Gam displays all Teams Drives accessible by the user.
 * `matchname <REMatchPattern>` - Display Shared Drives with names that match a pattern.
 * `(role|roles <SharedDriveACLRoleList>)*` - Display Shared Drives where the user has one of the specified roles.

+Use option `showwebviewlink` to display the web view link for the Shared Drive.
+* `showwebviewlink text` - Displays `https://drive.google.com/drive/folders/<SharedDriveID>`
+* `showwebviewlink hyperlink` - Dsiplays `=HYPERLINK("https://drive.google.com/drive/folders/<SharedDriveID>", "<SharedDriveName>")`
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
 gam <UserTypeEntity> print shareddrives [todrive <ToDriveAttribute>*]
        [matchname <REMatchPattern>] (role|roles <SharedDriveACLRoleList>)*
-        [fields <SharedDriveFieldNameList>] [formatjson [quotechar <Character>]]
+        [fields <SharedDriveFieldNameList>]
+        [showwebviewlink text|hyperlink]
+        [guiroles [<Boolean>]] [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays all Teams Drives accessible by the user.
 * `matchname <REMatchPattern>` - Display Shared Drives with names that match a pattern.
 * `(role|roles <SharedDriveACLRoleList>)*` - Display Shared Drives where the user has one of the specified roles.

+Use option `showwebviewlink` to display the web view link for the Shared Drive.
+* `showwebviewlink text` - Displays `https://drive.google.com/drive/folders/<SharedDriveID>`
+* `showwebviewlink hyperlink` - Dsiplays `=HYPERLINK("https://drive.google.com/drive/folders/<SharedDriveID>", "<SharedDriveName>")`
+
 The Google Drive API does not list roles for Shared Drives so GAM generates a role from the capabilities:
 * `commenter - canComment: True, canEdit: False`
 * `reader - canComment: False, canEdit: False`
--- a/wiki/Users-Tag-Manager.md
+++ b/wiki/Users-Tag-Manager.md
@@ -0,0 +1,213 @@
+# Users - Tag Manager
+- [API documentation](#api-documentation)
+- [Notes](#notes)
+- [Definitions](#definitions)
+- [Display Tag Manager Accounts](#display-tag-manager-accounts)
+- [Display Tag Manager Containers](#display-tag-manager-containers)
+- [Display Tag Manager Workspaces](#display-tag-manager-workspaces)
+- [Display Tag Manager Tags](#display-tag-manager-tags)
+- [Display Tag Manager User Permissions](#display-tag-manager-user-permissions)
+- [Examples](#examples)
+
+## API documentation
+* [Tag Manager API](https://developers.google.com/tag-manager/reference/rest)
+
+## Notes
+To use these commands you must add the 'Tag Manager API' to your project and update your service account authorization.
+```
+gam update project
+gam user user@domain.com update serviceaccount
+
+[*] 41)  Tag Manager API - Accounts, Containers, Workspaces, Tags - read only
+[*] 42)  Tag Manager API - Users
+
+```
+
+## Definitions
+* [`<UserTypeEntity>`](Collections-of-Users)
+* [`<FileSelector> | <CSVFileSelector>`](Collections-of-Items)
+```
+<TagManagerAccountID> ::= <String>
+<TagManagerAccountPath> ::= accounts/<TagManagerAccountID>
+<TagManagerAccountPathList> ::= "<TagManagerAccountPath>(,<TagManagerAccountPath>)*"
+<TagManagerAccountPathEntity> ::=
+        <TagManagerAccountPathList> |
+        (select <FileSelector>|<CSVFileSelector>) |
+
+<TagManagerContainerID> ::= <String>
+<TagManagerContainerPath> ::= accounts/<TagManagerAccountID>/containers/<TagManagerContainerID>
+<TagManagerContainerPathList> ::= "<TagManagerContainerPath>(,<TagManagerContainerPath>)*"
+<TagManagerContainerPathEntity> ::=
+        <TagManagerContainerPathList> |
+        (select <FileSelector>|<CSVFileSelector>) |
+
+<TagManagerWorkspaceID> ::= <String>
+<TagManagerWorkspacePath> ::= accounts/<TagManagerAccountID>/containers/<TagManagerContainerID>/workspaces/<TagManagerWorkspaceID>
+<TagManagerWorkspacePathList> ::= "<TagManagerWorkspacePath>(,<TagManagerWorkspacePath>)*"
+<TagManagerWorkspacePathEntity> ::=
+        <TagManagerWorkspacePathList> |
+        (select <FileSelector>|<CSVFileSelector>) |
+
+<TagManagerTagID> ::= <String>
+<TagManagerTagPath> ::= accounts/<TagManagerAccountID>/containers/<TagManagerContainerID>/workspaces/<TagManagerWorkspaceID>/tags/<TagManagerTagID>
+```
+## Display Tag Manager Accounts
+```
+gam <UserTypeEntity> show tagmanageraccounts
+        [includegoogletags [<Boolean>]]
+        [formatjson]
+```
+By default, Gam displays the accounts as an indented list of keys and values.
+* `formatjson` - Display the account in JSON format
+
+```
+gam <UserTypeEntity> print tagmanagerccounts [todrive <ToDriveAttribute>*]
+        [includegoogletags [<Boolean>]]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the accounts as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+## Display Tag Manager Containers
+```
+gam <UserTypeEntity> show tagmanagercontainers <TagManagerAccountPathEntity>
+        [formatjson]
+```
+By default, Gam displays the containers as an indented list of keys and values.
+* `formatjson` - Display the container in JSON format
+
+```
+gam <UserTypeEntity> print tagmanagercontainers <TagManagerAccountPathEntity> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the containers as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+## Display Tag Manager Workspaces
+```
+gam <UserTypeEntity> show tagmanagerworkspaces <TagManagerContainerPathEntity>
+        [formatjson]
+```
+By default, Gam displays the workspaces as an indented list of keys and values.
+* `formatjson` - Display the workspace in JSON format
+
+```
+gam <UserTypeEntity> print tagmanagerworkspaces <TagManagerContainerPathEntity> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the workspaces as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+## Display Tag Manager Tags
+```
+gam <UserTypeEntity> show tagmanagertags <TagManagerWorkspacePathEntity>
+        [formatjson]
+```
+By default, Gam displays the tags as an indented list of keys and values.
+* `formatjson` - Display the tag in JSON format
+
+```
+gam <UserTypeEntity> print tagmanagertags <TagManagerWorkspacePathEntity> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the tags as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+## Display Tag Manager User Permissions
+```
+gam <UserTypeEntity> show tagmanagerpermissions <TagManagerAccountPathEntity>
+        [formatjson]
+```
+By default, Gam displays the permissions as an indented list of keys and values.
+* `formatjson` - Display the permission in JSON format
+
+```
+gam <UserTypeEntity> print tagmanagerpermissions <TagManagerAccountPathEntity> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the permissions as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+### Examples
+Single user - Get CSV data.
+```
+$ gam redirect csv ./tmaccounts.csv user taguser@domain.com print tagmanageraccounts 
+
+$ gam redirect csv ./tmcontainers.csv user taguser@domain.com print tagmanagercontainers select csvfile tmaccounts.csv:path
+
+$ gam redirect csv ./tmworkspaces.csv user taguser@domain.com print tagmanagerworkspaces select csvfile tmcontainers.csv:path
+
+$ gam redirect csv ./tmtags.csv user taguser@domain.com print tagmanagertags select csvfile tmworkspaces.csv:path
+
+$ gam redirect csv ./tmpermissions.csv user taguser@domain.com print tagmanagerpermissions select csvfile tmaccounts.csv:path
+```
+
+Single user - Get indented keys and values data from CSV data.
+```
+$ gam redirect stdout ./tmaccounts.txt user taguser@domain.com show tagmanageraccounts 
+
+$ gam redirect stdout ./tmcontainers.txt user taguser@domain.com show tagmanagercontainers select csvfile tmaccounts.csv:path
+
+$ gam redirect stdout ./tmworkspaces.txt user taguser@domain.com show tagmanagerworkspaces select csvfile tmcontainers.csv:path
+
+$ gam redirect stdout ./tmtags.txt user taguser@domain.com show tagmanagertags select csvfile tmworkspaces.csv:path
+
+$ gam redirect stdout ./tmpermissions.txt user taguser@domain.com show tagmanagerpermissions select csvfile tmaccounts.csv:path
+```
+
+Multiple  users - Get CSV data.
+```
+$ gam redirect csv ./tmaccounts.csv multiprocess redirect stderr - multiprocess csv Users.csv gam user "~User" print tagmanageraccounts 
+
+$ gam redirect csv ./tmcontainers.csv multiprocess redirect stderr - multiprocess csv tmaccounts.csv gam user "~User" print tagmanagercontainers "~path"
+
+$ gam redirect csv ./tmworkspaces.csv multiprocess redirect stderr - multiprocess csv tmcontainers.csv gam user "~User" print tagmanagerworkspaces "~path"
+
+$ gam redirect csv ./tmtags.csv multiprocess redirect stderr - multiprocess csv tmworkspaces.csv gam user "~User" print tagmanagertags "~path"
+
+$ gam redirect csv ./tmpermissions.csv multiprocess redirect stderr - multiprocess csv tmaccounts.csv gam user "~User" print tagmanagerpermissions "~path"
+```
+
+Multiple users - Get indented keys and values data from CSV data.
+```
+$ gam redirect stdout ./tmaccounts.txt multiprocess redirect stderr - multiprocess csv Users.csv gam user "~User" show tagmanageraccounts 
+
+$ gam redirect stdout ./tmcontainers.txt multiprocess redirect stderr - multiprocess csv tmaccounts.csv gam user "~User" show tagmanagercontainers "~path"
+
+$ gam redirect stdout ./tmworkspaces.txt multiprocess redirect stderr - multiprocess csv tmcontainers.csv gam user "~User" show tagmanagerworkspaces "~path"
+
+$ gam redirect stdout ./tmtags.txt multiprocess redirect stderr - multiprocess csv tmworkspaces.csv gam user "~User" show tagmanagertags "~path"
+
+$ gam redirect stdout ./tmpermissions.txt multiprocess redirect stderr - multiprocess csv tmaccounts.csv gam  user "~User" show tagmanagerpermissions "~path"
+
+```
--- a/wiki/Users-Web-Resources-and-Sites.md
+++ b/wiki/Users-Web-Resources-and-Sites.md
@@ -0,0 +1,48 @@
+# Users - Web Resources and Sites
+- [API documentation](#api-documentation)
+- [Introduction](#introduction)
+- [Definitions](#definitions)
+- [Display Web Resources](#display-web-resources)
+- [Display Web Master Sites](#display-web-master-sites)
+
+## API documentation
+* [Web Resources](https://developers.google.com/site-verification/v1/webResource/list)
+* [Web Sites](https://developers.google.com/webmaster-tools/v1/sites/list)
+
+
+## Introduction
+These features were added in version 7.17.00.
+
+To use these commands you add the 'Search Console API' to your project and update your service account authorization.
+```
+gam update project
+gam user user@domain.com update serviceaccount
+...
+[*] 39)  Search Console  API - read only
+[*] 42)  Site Verification API
+
+```
+## Definitions
+* [`<UserTypeEntity>`](Collections-of-Users)
+
+## Display Web Resources
+```
+gam <UserItem> show webresources
+```
+Gam displays the information as an indented list of keys and values.
+
+```
+gam <UserItem> print webresources [todrive <ToDriveAttribute>*]
+```
+Gam displays the information as columns of fields.
+
+## Display Web Master Sites
+```
+gam <UserItem> show webmastersites
+```
+Gam displays the information as an indented list of keys and values.
+
+```
+gam <UserItem> print webmastersites [todrive <ToDriveAttribute>*]
+```
+Gam displays the information as columns of fields.
--- a/wiki/Users.md
+++ b/wiki/Users.md
@@ -21,6 +21,7 @@
  - [Update a user's attributes with JSON data](#update-a-users-attributes-with-json-data)
  - [Update a user's OU based on group membership](#update-a-users-ou-based-on-group-membership)
  - [Do not update a user's OU if currently in a special purpose OU](#do-not-update-a-users-ou-if-currently-in-a-special-purpose-ou)
+- [Check a user's suspension status](#check-a-users-suspension-status)
 - [Delete or suspend users](#delete-or-suspend-users)
 - [Undelete or unsuspend users](#undelete-or-unsuspend-users)
 - [Display information about users](#display-information-about-users)
@@ -38,7 +39,7 @@
 - [Print user counts by OrgUnit](#print-user-counts-by-orgunit)
 - [Print user list](#print-user-list)
 - [Display user counts](#display-user-counts)
- [Verify domain membership]($verify-domain-membership)
+- [Verify domain membership](#verify-domain-membership)

 ## API documentation
 * [Directory API - Users](https://developers.google.com/admin-sdk/directory/reference/rest/v1/users)
@@ -339,7 +340,7 @@ Here is how that data is represented in GAM:
 Locations:
  type: desk
    area: desk
-    buildingId: Building-ID
+    buildingId: Building id
    buildingName: Building name
    floorName: Floor name
    floorSection: Floor section
@@ -359,13 +360,15 @@ External IDs:
 ```
 These options will set those values:
 ```
-location type desk area desk buildingid Building-ID floorname "Floor name" floorsection "Floor section" endlocation
+location type desk area desk buildingid "id:Building id" floorname "Floor name" floorsection "Floor section" endlocation
 organization customtype "" description "Type of employee" costcenter "Cost center" department "Department" title "Job Title" primary
 relation manager manageremail@domain.com
 externalid organization "Employee ID"
 ```
-When setting `location buildingid <String>` Google expects a validated building ID, you can use a non-validated
+When setting `location buildingid id:<String>` Google expects a validated building ID, you can use a non-validated
 building ID by specifying `nv:` at the beginning of `<String>`; e.g., `nv:Building X` sets the building ID to `Building X`.
+You can also use `buildingid <String>`, i.e., no `'id:` or `nv:` prefix, `<String>` is then interpreted as a building name
+and GAM validates it to get the building id that is required by the API.

 ## Passwords
 To set a user's password, you specify a `<Password>` string and a hash method that specifies how to interpret the string
@@ -896,6 +899,25 @@ gam csv SISdata.csv gam update user "~primaryEmail" suspended off firstname "~Fi
        ou "~OU" immutableous "'/Students/Lower School/Restricted,'/Students/Middle School/Restricted'"
 ```

+## Check a user's suspension status
+This command checks the suspension status of a single user
+and sets the return code to 0 if the user is not suspended or 26 if it is.
+```
+gam check suspended <UserItem>
+```
+Example.
+```
+$ gam check suspended testok@domain.com
+User: testok@domain.com, Account Suspended: False
+$ echo $?
+0
+
+$ gam check suspended testsusp@domain.com
+User: testsusp@domain.com, Account Suspended: True, Suspension Reason: ADMIN
+$ echo $?
+26
+```
+
 ## Delete or suspend users
 These commands operate on a single user.
 ```
--- a/wiki/Using-GAM7-with-a-delegated-admin-service-account.md
+++ b/wiki/Using-GAM7-with-a-delegated-admin-service-account.md
@@ -1,19 +1,12 @@
 # Using GAM7 with a delegated admin service account
- [Thanks](#thanks)
 - [Introduction](#introduction)
 - [Advantages](#advantages)
 - [Disadvantages](#disadvantages)
 - [Setup Steps](#setup-steps)

-## Thanks
-
-Thanks to Jay Lee for the original version of this document.
-
 ## Introduction
 Delegated admin service accounts (DASA) are regular [GCP service accounts](https://cloud.google.com/iam/docs/service-accounts#what_are_service_accounts) that are granted a Workspace [delegated admin role](https://support.google.com/a/answer/33325). Service accounts have an email address like `gam-project-xuw-sp1-c4b@gam-project-xuw-sp1-c4b.iam.gserviceaccount.com` and are not part of a Workspace or Cloud Identity domain even if they are owned by a project in the domain’s organization. Service accounts cannot login to Google web services interactively, they are only able to call Google APIs.

-GAM7 version 6.50.00 or higher is required.
-
 ## Advantages
 * DASA accounts don’t require a Workspace or Cloud Identity license.
 * DASA accounts don’t have a password login that can be phished or captured, they use [RSA private keys](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) to sign authentication requests which makes them very secure. You should however [rotate the key](https://jaylee.us/qwm) on a regular basis and keep it safe and secured!
@@ -23,7 +16,10 @@ GAM7 version 6.50.00 or higher is required.

 ## Disadvantages
 * DASA accounts can only be delegated admins. [If a task requires super admin rights to perform](https://support.google.com/a/answer/2405986#:~:text=Only%20super%20administrators%20can...), DASA accounts won’t be able to do it.
-Not all Google Admin APIs work with DASA right now. For example, Google Vault API calls will fail with a DASA account; Classroom API calls do not return data.
+Not all Google Admin APIs work with DASA right no:
+  * Google Vault API calls will fail with a DASA account
+  * Classroom API calls do not return data
+  * Cloud Identity Policies are not available
 * DASA is a delegated admin and can make Workspace / Cloud Identity admin API calls, it does not replace domain-wide delegation (DwD) when using GAM7 commands that interact with Gmail, Drive and Calendar user data.
 * GAM7 support for DASA is still experimental and some things may fail. Please report your findings to the [GAM group](https://groups.google.com/g/google-apps-manager).

--- a/wiki/Vault-Takeout.md
+++ b/wiki/Vault-Takeout.md
@@ -39,6 +39,16 @@
 [Collections of Items](Collections-of-Items)
 ```
 <AttendeeStatus> ::= accepted|declined|needsaction|tentative
+<Date> ::=
+        <Year>-<Month>-<Day> |
+        (+|-)<Number>(d|w|y) |
+        never|
+        today
+<Time> ::=
+        <Year>-<Month>-<Day>(<Space>|T)<Hour>:<Minute>:<Second>[.<MilliSeconds>](Z|(+|-(<Hour>:<Minute>))) |
+        (+|-)<Number>(m|h|d|w|y) |
+        never|
+        now|today
 <EmailItem> ::= <EmailAddress>|<UniqueID>|<String>
 <EmailItemList> ::= "<EmailItem>(,<EmailItem>)*"
 <EmailAddressList> ::= "<EmailAddess>(,<EmailAddress>)*"
--- a/wiki/Version-and-Help.md
+++ b/wiki/Version-and-Help.md
@@ -3,10 +3,10 @@
 Print the current version of Gam with details
 ```
 gam version
-GAM 7.09.03 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.19.02 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.4 64-bit final
-MacOS Sequoia 15.5 x86_64
+Python 3.13.7 64-bit final
+MacOS Sequoia 15.6.1 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
@@ -15,10 +15,10 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAM 7.09.03 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.19.02 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.4 64-bit final
-MacOS Sequoia 15.5 x86_64
+Python 3.13.7 64-bit final
+MacOS Sequoia 15.6.1 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Your system time differs from www.googleapis.com by less than 1 second
@@ -27,15 +27,15 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAM 7.09.03 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.19.02 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.4 64-bit final
-MacOS Sequoia 15.5 x86_64
+Python 3.13.7 64-bit final
+MacOS Sequoia 15.6.1 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
 Your system time differs from admin.googleapis.com by less than 1 second
-OpenSSL 3.4.0 22 Oct Sep 2024
+OpenSSL 3.5.2 5 ASug 2025
 cryptography 43.0.3
 filelock 3.16.1
 google-api-python-client 2.149.0
@@ -64,7 +64,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gam7
 Version Check:
  Current: 5.35.08
-   Latest: 7.09.03
+   Latest: 7.19.02
 echo $?
 1
 ```
@@ -72,7 +72,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-7.09.03
+7.19.02
 ```
 In Linux/MacOS you can do:
 ```
@@ -82,10 +82,10 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 7.09.03 - https://github.com/GAM-team/GAM
+GAM 7.19.02 - https://github.com/GAM-team/GAM
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.4 64-bit final
-MacOS Sequoia 15.5 x86_64
+Python 3.13.7 64-bit final
+MacOS Sequoia 15.6.1 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
--- a/wiki/_Sidebar.md
+++ b/wiki/_Sidebar.md
@@ -1,4 +1,4 @@
-oUpdate History
+Update History
 * [GAM Updates](GamUpdates)

 Installation
@@ -66,6 +66,7 @@ Client Access
 * [Administrators](Administrators)
 * [Alert Center](Alert-Center)
 * [Aliases](Aliases)
+* [Business Account Management](Business-Account-Management)
 * [Calendars](Calendars)
 * [Calendars - Access](Calendars-Access)
 * [Calendars - Events](Calendars-Events)
@@ -97,6 +98,7 @@ Client Access
 * [Domain Shared Contacts](Domain-SharedContacts)
 * [Email Audit Monitor](Email-Audit-Monitor)
 * [Find File Owner](Find-File-Owner)
+* [Global Address List](Global-Address-List)
 * [Google Data Transfers](Google-Data-Transfers)
 * [Groups](Groups)
 * [Groups - Membership](Groups-Membership)
@@ -127,7 +129,7 @@ Client Access
 * [Version and Help](Version-and-Help)

 Special Service Account Access
-* [Chat Bot](Chat-Bot)
+* [Chat Bot Setup and Use](Chat-Bot-Setup-Use)

 Service Account Access
 * [Users - Analytics Admin](Users-Analytics-Admin)
@@ -170,8 +172,10 @@ Service Account Access
 * [Users - Profile Photo](Users-Profile-Photo)
 * [Users - Shared Drives](Users-Shared-Drives)
 * [Users - Spreadsheets](Users-Spreadsheets)
+* [Users - Tag Manager](Users-Tag-Manager)
 * [Users - Tasks](Users-Tasks)
 * [Users - YouTube](Users-YouTube)
+* [Users - Web Resources and Sites](Users-Web-Resources-and-Sites)

 GAM Tutorials
 * [Account Auditing](l-ExamplesAccountAuditing)
--- a/wiki/gam.cfg.md
+++ b/wiki/gam.cfg.md
@@ -412,9 +412,8 @@ never_time
        has the value "1970-01-01T00:00:00.000Z"
        Default: Never
 no_browser
-        If no_browser is True, GAM won't open a browser if todrive is set
-        when creating CSV files and GAM prints a link and waits for
-        the verification code when oauth2.txt is being created
+        If no_browser is True, GAM won't open a browser when it prints a link
+        and waits for the verification code when oauth2.txt is being created/updated
        Signal file: OldGamPath/nobrowser.txt
 no_cache
        Disable GAM API caching
@@ -994,6 +993,7 @@ gam update project
 gam oauth create
 gam info domain
 gam config customer_id <CustomerID> save
+gam user user@xxx.com update serviceaccount
 ```

 ### New clients
@@ -1015,7 +1015,7 @@ gam create project
 gam oauth create
 gam info domain
 gam config customer_id <CustomerID> save
-gam user user@foo.com check serviceaccount
+gam user user@foo.com update serviceaccount
 ```

 To get information about a client, select a section.