Expand adminrole commands

src/GamCommands.txt

@@ -1511,15 +1511,22 @@ gam show privileges
 <RoleItem> ::= id:<String>|uid:<string>|<String>
 
 gam create adminrole <String> [description <String>]
-        privileges all|all_ou|<PrivilegesList>|(select <FileSelector>|<CSVFileSelector>)
+        privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>)|<JSONData>
+        [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*]
 gam update adminrole <RoleItem> [name <String>] [description <String>]
-         [privileges all|all_ou|<PrivilegesList>|(select <FileSelector>|<CSVFileSelector>)]
+        [privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>)|<JSONData>]
+        [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*]
 gam delete adminrole <RoleItem>
 gam info adminrole <RoleItem> [privileges]
+        [formatjson]
 gam print adminroles|roles [todrive <ToDriveAttribute>*]
         [role <RoleItem>] [privileges] [oneitemperrow]
+        [nosystemroles]
+        [formatjson [quotechar <Character>]]
 gam show adminroles|roles
         [role <RoleItem>] [privileges]
+	[nosystemroles]
+	[formatjson]
 
 gam create|add admin <EmailAddress>|<UniqueID> <RoleItem> customer|(org_unit <OrgUnitItem>)
         [condition securitygroup|nonsecuritygroup]
@@ -3436,6 +3443,13 @@ gam print guardian|guardians [todrive <ToDriveAttribute>*] [accepted|invitations
         [showstudentemails]
         [formatjson [quotechar <Character>]]
 
+# Business Profile Accounts
+
+gam show businessprofileaccounts
+        [type locationgroup|organization|personal|usergroup]
+gam print businessprofileaccounts [todrive <ToDriveAttribute>*]
+        [type locationgroup|organization|personal|usergroup]
+
 # Classroom User Profiles
 
 gam <UserTypeEntity> print classroomprofile [todrive <ToDriveAttribute>*]

src/GamUpdate.txt

@@ -1,3 +1,46 @@
+7.18.01
+
+Added option `nosystemroles` to `gam print|show adminroles` that causes GAM
+to only display non-system roles.
+
+Added option `formatjson` to `gam info|print|show adminroles`; this will be most useful
+when the `privileges` option is used.
+
+Updated `gam create|update adminrole` to allow specification of privileges with
+JSON data: `privileges <JSONData>`. These two updates make it easier to copy admin roles.
+
+Updated `gam create|update adminrole` to allow output of the created/updated
+role data in CSV format; by default, GAM displays `<RoleName>(<RoleID>) created|updated`.
+```
+csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*
+```
+
+7.18.00
+
+Added commands to display Business Profile Accounts.
+These are special purpose commands and will not generally be used.
+```
+gam show businessprofileaccounts
+gam print businessprofileaccounts [todrive <ToDriveAttribute>*]
+```
+
+7.17.03
+
+Fixed bug in `gam <UserItem> print|show chatspaces asadmin fields <ChatSpaceFieldNameList>` that caused a trap
+when `displayname` was not in `<ChatSpaceFieldNameList>`.
+
+7.17.02
+
+Updated `gam <UserTypeEntity> print|show webmastersites` to handle the following error
+that occurs if you haven't updated your project to include the Google Search Console API.
+```
+ERROR: 403: permissionDenied - Google Search Console API has not been used in project 111055363999 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/searchconsole.googleapis.com/overview?project=111055363999 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
+```
+
+7.17.01
+
+Fixed bug in `gam <UserTypeEntity> show webmastersites` that caused a trap.
+
 7.17.00
 
 Added commands to discover Sites and WebResources that managed users (previously unmanaged) may have access to for better governance and visibility.

src/gam/__init__.py

@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
 """
 
 __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
-__version__ = '7.17.00'
+__version__ = '7.18.01'
 __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
 
 #pylint: disable=wrong-import-position
@@ -5579,7 +5579,12 @@ def buildGAPIObject(api, credentials=None):
     try:
       API_Scopes = set(list(service._rootDesc['auth']['oauth2']['scopes']))
     except KeyError:
-      API_Scopes = set(API.VAULT_SCOPES) if api == API.VAULT else set()
+      if api == API.VAULT:
+        API_Scopes = set(API.VAULT_SCOPES)
+      elif api == API.BUSINESSACCOUNTMANAGEMENT:
+        API_Scopes = {API.BUSINESSACCOUNTMANAGEMENT_SCOPE}
+      else:
+        API_Scopes = set()
     GM.Globals[GM.CURRENT_CLIENT_API] = api
     GM.Globals[GM.CURRENT_CLIENT_API_SCOPES] = API_Scopes.intersection(GM.Globals[GM.CREDENTIALS_SCOPES])
     if api not in API.SCOPELESS_APIS and not GM.Globals[GM.CURRENT_CLIENT_API_SCOPES]:
@@ -5688,19 +5693,22 @@ def getUserEmailFromID(uid, cd):
   try:
     result = callGAPI(cd.users(), 'get',
                       throwReasons=GAPI.USER_GET_THROW_REASONS,
+                      retryReasons=GAPI.SERVICE_NOT_AVAILABLE_RETRY_REASONS,
                       userKey=uid, fields='primaryEmail')
     return result.get('primaryEmail')
   except (GAPI.userNotFound, GAPI.domainNotFound, GAPI.domainCannotUseApis, GAPI.forbidden,
-          GAPI.badRequest, GAPI.backendError, GAPI.systemError):
+          GAPI.badRequest, GAPI.backendError, GAPI.systemError, GAPI.serviceNotAvailable):
     return None
 
 def getGroupEmailFromID(uid, cd):
   try:
     result = callGAPI(cd.groups(), 'get',
                       throwReasons=GAPI.GROUP_GET_THROW_REASONS,
+                      retryReasons=GAPI.SERVICE_NOT_AVAILABLE_RETRY_REASONS,
                       groupKey=uid, fields='email')
     return result.get('email')
-  except (GAPI.groupNotFound, GAPI.domainNotFound, GAPI.domainCannotUseApis, GAPI.forbidden, GAPI.badRequest):
+  except (GAPI.groupNotFound, GAPI.domainNotFound, GAPI.domainCannotUseApis, GAPI.forbidden,
+          GAPI.badRequest, GAPI.serviceNotAvailable):
     return None
 
 def getServiceAccountEmailFromID(account_id, sal=None):
@@ -16613,10 +16621,14 @@ def getRoleId():
       invalidChoiceExit(role, GM.Globals[GM.MAP_ROLE_NAME_TO_ID], True)
   return (role, roleId)
 
+PRINT_ADMIN_ROLES_FIELDS = ['roleId', 'roleName', 'roleDescription', 'isSuperAdminRole', 'isSystemRole']
+
 # gam create adminrole <String> [description <String>]
-#	privileges all|all_ou|<PrivilegesList>|(select <FileSelector>|<CSVFileSelector>)
+#	privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>)|<JSONData>
+#	[csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*]
 # gam update adminrole <RoleItem> [name <String>] [description <String>]
-#	[privileges all|all_ou|<PrivilegesList>|(select <FileSelector>|<CSVFileSelector>)]
+#	[privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>)|<JSONData>]
+#	[csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*]
 def doCreateUpdateAdminRoles():
   def expandChildPrivileges(privilege):
     for childPrivilege in privilege.get('childPrivileges', []):
@@ -16633,6 +16645,9 @@ def doCreateUpdateAdminRoles():
   allPrivileges = {}
   ouPrivileges = {}
   childPrivileges = {}
+  csvPF = None
+  FJQC = FormatJSONQuoteChar(None)
+  addCSVData = {}
   for privilege in _listPrivileges(cd):
     allPrivileges[privilege['privilegeName']] = privilege['serviceId']
     if privilege['isOuScopable']:
@@ -16646,6 +16661,8 @@ def doCreateUpdateAdminRoles():
         body['rolePrivileges'] = [{'privilegeName': p, 'serviceId': v} for p, v in allPrivileges.items()]
       elif privs == 'ALL_OU':
         body['rolePrivileges'] = [{'privilegeName': p, 'serviceId': v} for p, v in ouPrivileges.items()]
+      elif privs == 'JSON':
+        body['rolePrivileges'] = getJSON(['roleId', 'roleName', 'isAdminRole', 'isSystemRole']).get('rolePrivileges', [])
       else:
         if privs == 'SELECT':
           privsList = [p.upper() for p in getEntityList(Cmd.OB_PRIVILEGE_LIST)]
@@ -16667,25 +16684,59 @@ def doCreateUpdateAdminRoles():
           else:
             invalidChoiceExit(p, list(allPrivileges.keys())+list(ouPrivileges.keys())+list(childPrivileges.keys()), True)
     elif myarg == 'description':
-      body['roleDescription'] = getString(Cmd.OB_STRING)
+      body['roleDescription'] = getString(Cmd.OB_STRING, minLen=0)
     elif myarg == 'name':
       body['roleName'] = getString(Cmd.OB_STRING)
+    elif myarg == 'csv':
+      csvPF = CSVPrintFile(PRINT_ADMIN_ROLES_FIELDS)
+      FJQC.SetCsvPF(csvPF)
+    elif csvPF and myarg == 'todrive':
+      csvPF.GetTodriveParameters()
+    elif csvPF and myarg == 'addcsvdata':
+      k = getString(Cmd.OB_STRING)
+      addCSVData[k] = getString(Cmd.OB_STRING, minLen=0)
     else:
-      unknownArgumentExit()
+      FJQC.GetFormatJSONQuoteChar(myarg, True)
   if not updateCmd and not body.get('rolePrivileges'):
     missingArgumentExit('privileges')
+  if csvPF:
+    if addCSVData:
+      csvPF.AddTitles(sorted(addCSVData.keys()))
+    if not FJQC.formatJSON:
+      csvPF.AddTitles('rolePrivileges')
+    else:
+      csvPF.AddJSONTitles(sorted(addCSVData.keys()))
+      csvPF.MoveJSONTitlesToEnd(['JSON'])
+    fieldsList = ','.join(PRINT_ADMIN_ROLES_FIELDS+['rolePrivileges'])
+  else:
+    fieldsList = 'roleId,roleName'
   try:
     if not updateCmd:
       result = callGAPI(cd.roles(), 'insert',
                         throwReasons=[GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND,
                                       GAPI.FORBIDDEN, GAPI.PERMISSION_DENIED]+[GAPI.DUPLICATE],
-                        customer=GC.Values[GC.CUSTOMER_ID], body=body, fields='roleId,roleName')
+                        customer=GC.Values[GC.CUSTOMER_ID], body=body, fields=fieldsList)
     else:
       result = callGAPI(cd.roles(), 'patch',
                         throwReasons=[GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND,
                                       GAPI.FORBIDDEN, GAPI.PERMISSION_DENIED]+[GAPI.NOT_FOUND, GAPI.FAILED_PRECONDITION, GAPI.CONFLICT],
-                        customer=GC.Values[GC.CUSTOMER_ID], roleId=roleId, body=body, fields='roleId,roleName')
-    entityActionPerformed([Ent.ADMIN_ROLE, f"{result['roleName']}({result['roleId']})"])
+                        customer=GC.Values[GC.CUSTOMER_ID], roleId=roleId, body=body, fields=fieldsList)
+    if not csvPF:
+      entityActionPerformed([Ent.ADMIN_ROLE, f"{result['roleName']}({result['roleId']})"])
+    else:
+      if not FJQC.formatJSON:
+        if addCSVData:
+          result.update(addCSVData)
+        csvPF.WriteRowNoFilter(result)
+      else:
+        row = {}
+        for field in PRINT_ADMIN_ROLES_FIELDS:
+          if field in result:
+            row[field] = result[field]
+        if addCSVData:
+          row.update(addCSVData)
+        row['JSON'] = json.dumps(cleanJSON(result), ensure_ascii=False, sort_keys=True)
+        csvPF.WriteRowNoFilter(row)
   except GAPI.duplicate as e:
     entityActionFailedWarning([Ent.ADMIN_ROLE, f"{body['roleName']}"], str(e))
   except (GAPI.notFound, GAPI.failedPrecondition, GAPI.conflict) as e:
@@ -16694,6 +16745,8 @@ def doCreateUpdateAdminRoles():
     accessErrorExit(cd)
   except (GAPI.forbidden, GAPI.permissionDenied) as e:
     ClientAPIAccessDeniedExit(str(e))
+  if csvPF:
+    csvPF.writeCSVfile('Admin Roles')
 
 # gam delete adminrole <RoleItem>
 def doDeleteAdminRole():
@@ -16713,9 +16766,10 @@ def doDeleteAdminRole():
   except (GAPI.forbidden, GAPI.permissionDenied) as e:
     ClientAPIAccessDeniedExit(str(e))
 
-PRINT_ADMIN_ROLES_FIELDS = ['roleId', 'roleName', 'roleDescription', 'isSuperAdminRole', 'isSystemRole']
-
-def _showAdminRole(role, i=0, count=0):
+def _showAdminRole(role, FJQC, i=0, count=0):
+  if FJQC.formatJSON:
+    printLine(json.dumps(cleanJSON(role), ensure_ascii=False, sort_keys=True))
+    return
   printEntity([Ent.ADMIN_ROLE, role['roleName']], i, count)
   Ind.Increment()
   for field in PRINT_ADMIN_ROLES_FIELDS:
@@ -16736,15 +16790,21 @@ def _showAdminRole(role, i=0, count=0):
   Ind.Decrement()
 
 # gam info adminrole <RoleItem> [privileges]
+#	[formatjson]
 # gam print adminroles|roles [todrive <ToDriveAttribute>*]
 #	[role <RoleItem>] [privileges] [oneitemperrow]
+#	[nosystemroles]
+#	[formatjson [quotechar <Character>]]
 # gam show adminroles|roles
 #	[role <RoleItem>] [privileges]
+#	[nosystemroles]
+#	[formatjson]
 def doInfoPrintShowAdminRoles():
   cd = buildGAPIObject(API.DIRECTORY)
   fieldsList = PRINT_ADMIN_ROLES_FIELDS[:]
   csvPF = CSVPrintFile(fieldsList, PRINT_ADMIN_ROLES_FIELDS) if Act.csvFormat() else None
-  oneItemPerRow = False
+  FJQC = FormatJSONQuoteChar(csvPF)
+  noSystemRoles = oneItemPerRow = False
   if Act.Get() != Act.INFO:
     roleId = None
   else:
@@ -16759,13 +16819,17 @@ def doInfoPrintShowAdminRoles():
       fieldsList.append('rolePrivileges')
     elif myarg == 'oneitemperrow':
       oneItemPerRow = True
+    elif myarg == 'nosystemroles':
+      noSystemRoles = True
     else:
-      unknownArgumentExit()
-  if csvPF and 'rolePrivileges' in fieldsList:
-    if not oneItemPerRow:
-      csvPF.AddTitles(['rolePrivileges'])
-    else:
-      csvPF.AddTitles(['privilegeName', 'serviceId'])
+      FJQC.GetFormatJSONQuoteChar(myarg, True)
+  if csvPF:
+    if 'rolePrivileges' in fieldsList:
+      if not oneItemPerRow:
+        if not FJQC.formatJSON:
+          csvPF.AddTitles(['rolePrivileges'])
+      else:
+        csvPF.AddTitles(['privilegeName', 'serviceId'])
   try:
     if roleId is None:
       fields = getItemFieldsFromFieldsList('items', fieldsList)
@@ -16775,6 +16839,8 @@ def doInfoPrintShowAdminRoles():
                             throwReasons=[GAPI.BAD_REQUEST, GAPI.CUSTOMER_NOT_FOUND,
                                           GAPI.FORBIDDEN, GAPI.PERMISSION_DENIED],
                             customer=GC.Values[GC.CUSTOMER_ID], fields=fields)
+      if noSystemRoles:
+        roles = [role for role in roles if not role.get('isSystemRole', False)]
     else:
       fields = getFieldsFromFieldsList(fieldsList)
       roles = [callGAPI(cd.roles(), 'get',
@@ -16793,23 +16859,38 @@ def doInfoPrintShowAdminRoles():
     role.setdefault('isSystemRole', False)
   if not csvPF:
     count = len(roles)
-    performActionNumItems(count, Ent.ADMIN_ROLE)
+    if not FJQC.formatJSON:
+      performActionNumItems(count, Ent.ADMIN_ROLE)
     Ind.Increment()
     i = 0
     for role in roles:
       i += 1
-      _showAdminRole(role, i, count)
+      _showAdminRole(role, FJQC, i, count)
     Ind.Decrement()
   else:
     for role in roles:
       if not oneItemPerRow or 'rolePrivileges' not in role:
-        csvPF.WriteRowTitles(flattenJSON(role))
+        row = flattenJSON(role)
+        if not FJQC.formatJSON:
+          csvPF.WriteRowTitles(row)
+        elif csvPF.CheckRowTitles(row):
+          row = {}
+          for field in PRINT_ADMIN_ROLES_FIELDS:
+            if field in role:
+              row[field] = role[field]
+          row['JSON'] = json.dumps(cleanJSON(role), ensure_ascii=False, sort_keys=True)
+          csvPF.WriteRowNoFilter(row)
       else:
         privileges = role.pop('rolePrivileges')
         baserow = flattenJSON(role)
         for privilege in privileges:
           row = flattenJSON(privilege, flattened=baserow.copy())
-          csvPF.WriteRowTitles(row)
+          if not FJQC.formatJSON:
+            csvPF.WriteRowTitles(row)
+          elif csvPF.CheckRowTitles(row):
+            row = baserow.copy()
+            row['JSON'] = json.dumps(cleanJSON(privilege), ensure_ascii=False, sort_keys=True)
+            csvPF.WriteRowNoFilter(row)
   if csvPF:
     csvPF.writeCSVfile('Admin Roles')
 
@@ -26937,7 +27018,7 @@ def printShowChatSpaces(users):
     substituteQueryTimes(queries, queryTimes)
     pfilter = kwargsCS['query'] = queries[0]
     kwargsCS['useAdminAccess'] = True
-    sortName = 'displayName'
+    sortName = 'displayName' if 'displayName' in fieldsList else 'name'
   else:
     sortName = 'name'
   for user in users:
@@ -46963,8 +47044,8 @@ def doCreateSiteVerification():
   printKeyValueList(['Meta HTML Header Data', webserver_meta_record['token']])
   printBlankLine()
 
-def _showSiteVerificationInfo(site):
-  printKeyValueList(['Site', site['site']['identifier']])
+def _showSiteVerificationInfo(site, i=0, count=0):
+  printKeyValueListWithCount(['Site', site['site']['identifier']], i, count)
   Ind.Increment()
   printKeyValueList(['ID', unquote(site['id'])])
   printKeyValueList(['Type', site['site']['type']])
@@ -47066,14 +47147,62 @@ def doUpdateSiteVerification():
   _showSiteVerificationInfo(verify_result)
   printKeyValueList([Msg.YOU_CAN_ADD_DOMAIN_TO_ACCOUNT.format(a_domain, GC.Values[GC.DOMAIN])])
 
+PROFILE_ACCOUNT_TYPE_MAP = {
+  'locationgroup': 'LOCATION_GROUP',
+  'organization': 'ORGANIZATION',
+  'personal': 'PERSONAL',
+  'usergroup': 'USER_GROUP',
+  }
+
+# gam show businessprofileaccounts
+#	[type locationgroup|organization|personal|usergroup]
+# gam print businessprofileaccounts [todrive <ToDriveAttribute>*]
+#	[type locationgroup|organization|personal|usergroup]
+def doPrintShowBusinessProfileAccounts():
+  bp = buildGAPIObject(API.BUSINESSACCOUNTMANAGEMENT)
+  csvPF = CSVPrintFile(['name', 'accountName']) if Act.csvFormat() else None
+  kwargs = {}
+  while Cmd.ArgumentsRemaining():
+    myarg = getArgument()
+    if csvPF and myarg == 'todrive':
+      csvPF.GetTodriveParameters()
+    elif myarg == 'type':
+      kwargs['filter'] = f'type={getChoice(PROFILE_ACCOUNT_TYPE_MAP, mapChoice=True)}'
+    else:
+      unknownArgumentExit()
+  try:
+    accounts = callGAPIpages(bp.accounts(), 'list', 'accounts',
+                             throwReasons=[GAPI.PERMISSION_DENIED],
+                             **kwargs)
+  except GAPI.permissionDenied as e:
+    accessErrorExitNonDirectory(API.BUSINESSACCOUNTMANAGEMENT, str(e))
+  if not csvPF:
+    count = len(accounts)
+    i = 0
+    for account in sorted(accounts, key=lambda k: k['name']):
+      i += 1
+      printKeyValueListWithCount(['Account', account['name']], i, count)
+      Ind.Increment()
+      showJSON(None, account)
+      Ind.Decrement()
+  else:
+    for account in accounts:
+      row = flattenJSON(account, flattened={'name': account['name'], 'accountName': account['accountName']})
+      csvPF.WriteRowTitles(row)
+  if csvPF:
+    csvPF.writeCSVfile('Business Profile Accounts')
+
 # gam info verify|verification
 def doInfoSiteVerification():
   verif = buildGAPIObject(API.SITEVERIFICATION)
   checkForExtraneousArguments()
   sites = callGAPIitems(verif.webResource(), 'list', 'items')
   if sites:
+    count = len(sites)
+    i = 0
     for site in sorted(sites, key=lambda k: (k['site']['type'], k['site']['identifier'])):
-      _showSiteVerificationInfo(site)
+      i += 1
+      _showSiteVerificationInfo(site, i, count)
   else:
     printKeyValueList(['No Sites Verified.'])
 
@@ -47101,7 +47230,7 @@ def printShowWebResources(users):
       j = 0
       for site in sorted(sites, key=lambda k: (k['site']['type'], k['site']['identifier'])):
         j += 1
-        _showSiteVerificationInfo(site)
+        _showSiteVerificationInfo(site, j, jcount)
       Ind.Decrement()
     else:
       for site in sites:
@@ -47126,7 +47255,11 @@ def printShowWebMasterSites(users):
     user, searchconsole = buildGAPIServiceObject(API.SEARCHCONSOLE, user, i, count)
     if not searchconsole:
       continue
-    sites = callGAPIitems(searchconsole.sites(), 'list', 'siteEntry')
+    try:
+      sites = callGAPIitems(searchconsole.sites(), 'list', 'siteEntry',
+                            throwReasons=[GAPI.PERMISSION_DENIED])
+    except GAPI.permissionDenied as e:
+      accessErrorExitNonDirectory(API.SEARCHCONSOLE, str(e))
     jcount = len(sites)
     if not csvPF:
       entityPerformActionNumItems([Ent.USER, user], jcount, Ent.WEB_MASTERSITE, i, count)
@@ -47134,7 +47267,10 @@ def printShowWebMasterSites(users):
       j = 0
       for site in sorted(sites, key=lambda k: k['siteUrl']):
         j += 1
-        _showSiteVerificationInfo(site)
+        printKeyValueListWithCount(['Site', site['siteUrl']], j, jcount)
+        Ind.Increment()
+        printKeyValueList(['permissionLevel', site['permissionLevel']])
+        Ind.Decrement()
       Ind.Decrement()
     else:
       for site in sites:
@@ -77224,6 +77360,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_BROWSER:		doPrintShowBrowsers,
       Cmd.ARG_BROWSERTOKEN:	doPrintShowBrowserTokens,
       Cmd.ARG_BUILDING:		doPrintShowBuildings,
+      Cmd.ARG_BUSINESSPROFILEACCOUNT:	doPrintShowBusinessProfileAccounts,
       Cmd.ARG_CAALEVEL:		doPrintShowCAALevels,
       Cmd.ARG_CHANNELCUSTOMER:	doPrintShowChannelCustomers,
       Cmd.ARG_CHANNELCUSTOMERENTITLEMENT:	doPrintShowChannelCustomerEntitlements,
@@ -77357,6 +77494,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_BROWSER:		doPrintShowBrowsers,
       Cmd.ARG_BROWSERTOKEN:	doPrintShowBrowserTokens,
       Cmd.ARG_BUILDING:		doPrintShowBuildings,
+      Cmd.ARG_BUSINESSPROFILEACCOUNT:	doPrintShowBusinessProfileAccounts,
       Cmd.ARG_CAALEVEL:		doPrintShowCAALevels,
       Cmd.ARG_CHANNELCUSTOMER:	doPrintShowChannelCustomers,
       Cmd.ARG_CHANNELCUSTOMERENTITLEMENT:	doPrintShowChannelCustomerEntitlements,
@@ -77543,6 +77681,7 @@ MAIN_COMMANDS_OBJ_ALIASES = {
   Cmd.ARG_BUCKET:		Cmd.ARG_STORAGEBUCKET,
   Cmd.ARG_BUCKETS:		Cmd.ARG_STORAGEBUCKET,
   Cmd.ARG_BUILDINGS:		Cmd.ARG_BUILDING,
+  Cmd.ARG_BUSINESSPROFILEACCOUNTS:	Cmd.ARG_BUSINESSPROFILEACCOUNT,
   Cmd.ARG_CAALEVELS:		Cmd.ARG_CAALEVEL,
   Cmd.ARG_CHATMEMBERS:		Cmd.ARG_CHATMEMBER,
   Cmd.ARG_CHANNELCUSTOMERS:	Cmd.ARG_CHANNELCUSTOMER,

src/gam/gamlib/glapi.py

@@ -24,6 +24,7 @@ ACCESSCONTEXTMANAGER = 'accesscontextmanager'
 ALERTCENTER = 'alertcenter'
 ANALYTICS_ADMIN = 'analyticsadmin'
 CALENDAR = 'calendar'
+BUSINESSACCOUNTMANAGEMENT = 'mybusinessaccountmanagement'
 CBCM = 'cbcm'
 CHAT = 'chat'
 CHAT_CUSTOM_EMOJIS = 'chatcustomemojis'
@@ -101,6 +102,7 @@ TASKS = 'tasks'
 VAULT = 'vault'
 YOUTUBE = 'youtube'
 #
+BUSINESSACCOUNTMANAGEMENT_SCOPE = 'https://www.googleapis.com/auth/business.manage'
 CHROMEVERSIONHISTORY_URL = 'https://versionhistory.googleapis.com/v1/chrome/platforms'
 DRIVE_SCOPE = 'https://www.googleapis.com/auth/drive'
 GMAIL_SEND_SCOPE = 'https://www.googleapis.com/auth/gmail.send'
@@ -174,6 +176,7 @@ PROJECT_APIS = [
   'alertcenter.googleapis.com',
   'analyticsadmin.googleapis.com',
 #  'audit.googleapis.com',
+  'mybusinessaccountmanagement.googleapis.com',
   'calendar-json.googleapis.com',
   'chat.googleapis.com',
   'chromemanagement.googleapis.com',
@@ -213,6 +216,7 @@ _INFO = {
   ACCESSCONTEXTMANAGER: {'name': 'Access Context Manager API', 'version': 'v1', 'v2discovery': True},
   ALERTCENTER: {'name': 'AlertCenter API', 'version': 'v1beta1', 'v2discovery': True},
   ANALYTICS_ADMIN: {'name': 'Analytics Admin API', 'version': 'v1beta', 'v2discovery': True},
+  BUSINESSACCOUNTMANAGEMENT: {'name': 'Business Account Management API', 'version': 'v1', 'v2discovery': True},
   CALENDAR: {'name': 'Calendar API', 'version': 'v3', 'v2discovery': True, 'mappedAPI': 'calendar-json'},
   CBCM: {'name': 'Chrome Browser Cloud Management API', 'version': 'v1.1beta1', 'v2discovery': True, 'localjson': True},
   CHAT: {'name': 'Chat API', 'version': 'v1', 'v2discovery': True},
@@ -293,6 +297,11 @@ _INFO = {
 READONLY = ['readonly',]
 
 _CLIENT_SCOPES = [
+  {'name': 'Business Account Management API',
+   'api': BUSINESSACCOUNTMANAGEMENT,
+   'subscopes': [],
+   'offByDefault': True,
+   'scope': BUSINESSACCOUNTMANAGEMENT_SCOPE},
   {'name': 'Calendar API',
    'api': CALENDAR,
    'subscopes': READONLY,

src/gam/gamlib/glclargs.py

@@ -441,6 +441,8 @@ class GamCLArgs():
   ARG_BUCKETS = 'buckets'
   ARG_BUILDING = 'building'
   ARG_BUILDINGS = 'buildings'
+  ARG_BUSINESSPROFILEACCOUNT = 'businessprofileaccount'
+  ARG_BUSINESSPROFILEACCOUNTS = 'businessprofileaccounts'
   ARG_CAALEVEL = 'caalevel'
   ARG_CAALEVELS = 'caalevels'
   ARG_CALATTENDEES = 'calattendees'

src/gam/gamlib/glentity.py

@@ -75,6 +75,7 @@ class GamEntity():
   BACKUP_VERIFICATION_CODES = 'buvc'
   BUILDING = 'bldg'
   BUILDING_ID = 'bldi'
+  BUSINESS_PROFILE_ACCOUNT = 'bpac'
   CAA_LEVEL = 'calv'
   CALENDAR = 'cale'
   CALENDAR_ACL = 'cacl'
@@ -434,6 +435,7 @@ class GamEntity():
     BACKUP_VERIFICATION_CODES: ['Backup Verification Codes', 'Backup Verification Codes'],
     BUILDING: ['Buildings', 'Building'],
     BUILDING_ID: ['Building IDs', 'Building ID'],
+    BUSINESS_PROFILE_ACCOUNT: ['Business Profile Accounts', 'Business Profile Account'],
     CAA_LEVEL: ['CAA Levels', 'CAA Level'],
     CALENDAR: ['Calendars', 'Calendar'],
     CALENDAR_ACL: ['Calendar ACLs', 'Calendar ACL'],

wiki/Administrators.md

@@ -9,6 +9,7 @@
 - [Display administrators](#display-administrators)
 - [Copy privileges from one role to a new role](#copy-privileges-from-one-role-to-a-new-role)
 - [Copy roles from one administrator to another](#copy-roles-from-one-administrator-to-another)
+- [Copy non-system admin roles from a source workspace to a target workspace](#copy-non-system-admin-roles-from-a-source-workspace-to-a-target-workspace)
 
 ## API documentation
 * [About Administrator roles](https://support.google.com/a/answer/33325?ref_topic=4514341)
@@ -21,13 +22,16 @@
 <DomainName> ::= <String>(.<String>)+
 <EmailAddress> ::= <String>@<DomainName>
 <GroupItem> ::= <EmailAddress>|<UniqueID>|<String>
+<JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |
 <OrgUnitID> ::= id:<String>
 <OrgUnitPath> ::= /|(/<String)+
 <OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>
 <Privilege> ::= <String>
 <PrivilegeList> ::= "<Privilege>(,<Privilege)*"
 <RoleAssignmentID> ::= <String>
-<RoleItem> ::= id:<String>|uid:<String>|<String>
+<RoleID> ::= <String>
+<RoleName> ::= <String>
+<RoleItem> ::= id:<RoleID>|<RoleName>
 <UniqueID> ::= id:<String>
 <UserItem> ::= <EmailAddress>|<UniqueID>|<String>
 ```
@@ -1383,9 +1387,11 @@ Show 111 Privileges
 ## Manage administrative roles
 ```
 gam create adminrole <String> [description <String>]
-        privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>>)
+        privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>>)|<JSONData>
+        [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*]
 gam update adminrole <RoleItem> [name <String>] [description <String>]
-        [privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>>)] 
+        [privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>>)|<JSONData>] 
+        [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*]
 gam delete adminrole <RoleItem>
 ```
 * `privileges all` - All defined privileges
@@ -1393,24 +1399,61 @@ gam delete adminrole <RoleItem>
 * `privileges <PrivilegeList>` - A specific list of privileges
 * `privileges select <FileSelector>|<CSVFileSelector>>` - A collection of privileges from a flat or CSV file
 
+By default, when an admin role is created|update, GAM displays `<RoleName>(<RoleID>) created|updated`.
+* `csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]` - Output the admin roledetails in CSV format.
+
+When `csv` is uused, Add additional columns of data from the command line to the output.
+* `addcsvdata <FieldName> <String>`
+
 ## Display administrative roles
 ```
 gam info adminrole <RoleItem> [privileges]
+        [formatjson]
 ```
 * `privileges` - Display privileges associated with role
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam show adminroles|roles
+        [role <RoleItem>] [privileges]
+	[nosystemroles]
+	[formatjson]
+```
+* `privileges` - Display privileges associated with each role
+
+By default, all roles are displayed:
+* `role <RoleItem>` - Display a specific role.
+* `nosystemroles` - Display onnly non-system roles.
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
 ```
 gam print adminroles|roles [todrive <ToDriveAttribute>*]
         [role <RoleItem>] [privileges] [oneitemperrow]
-gam show adminroles|roles
-        [role <RoleItem>] [privileges]
+        [nosystemroles]
+        [formatjson [quotechar <Character>]]
 ```
-By default, all roles are displayed, use `role <RoleItem>` to display a specific role.
-
 * `privileges` - Display privileges associated with each role
 
-By default, with `print`, all privileges for a role are shown on one row as a repeating item.
+By default, all privileges for a role are shown on one row as a repeating item.
 When `oneitemperrow` is specified, each privilege is output on a separate row/line with the other role fields.
 
+By default, all roles are displayed:
+* `role <RoleItem>` - Display a specific role.
+* `nosystemroles` - Display onnly non-system roles.
+
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
 ## Create an administrator
 Add an administrator role to an administrator.
 ```
@@ -1469,3 +1512,15 @@ gam config csv_input_row_filter "scopeType:regex:CUSTOMER" redirect stdout ./Upd
 gam config csv_input_row_filter "scopeType:regex:ORG_UNIT" redirect stdout ./UpdateNewAdminOrgUnitRoles.txt multiprocess redirect stderr stdout csv CurrentAdminRoles.csv gam create admin newadmin@domain.com "id:~~roleId~~" org_unit "id:~~orgUnitId~~"
 ```
 
+## Copy non-system admin roles from a source workspace to a target workspace
+This requires GAM version 7.18.01 or higher.
+
+In the source workspace to the following:
+```
+gam redirect csv ./SourceNonSystemRoles.csv print adminroles privileges nosystemroles formatjson quotechar "'"
+```
+
+In the target workspacce do the following:
+```
+gam redirect csv ./TargetNonSystemRoles.csv multiprocess quotechar "'"  redirect stderr - multiprocess csv SourceNonSystemRoles.csv quotechar "'" gam create adminrole "~roleName" description "~roleDescription" privileges json "~JSON" csv addcsvdata oldRoleId "~roleId" formatjson
+```

wiki/Business-Account-Management.md

@@ -0,0 +1,36 @@
+# Users - Business Account Management
+- [API documentation](#api-documentation)
+- [Introduction](#introduction)
+- [Definitions](#definitions)
+- [Display Business Profile Accounts](#display-business-profile-accounts)
+
+## API documentation
+* [Business Account Management](https://developers.google.com/my-business/reference/accountmanagement/rest)
+
+
+## Introduction
+These features were added in version 7.18.00.
+
+To use these commands you add the 'Business Account Management API' to your project and update client authorization.
+```
+gam update project
+gam oauth create
+...
+[*]  0)  Business Account Management API
+
+```
+## Definitions
+* [`<UserTypeEntity>`](Collections-of-Users)
+
+## Display Business Profile Accounts
+```
+gam <UserItem> show businessprofileaccounts
+        [type locationgroup|organization|personal|usergroup]
+```
+Gam displays the information as an indented list of keys and values.
+
+```
+gam <UserItem> print businessprofileaccounts [todrive <ToDriveAttribute>*]
+        [type locationgroup|organization|personal|usergroup]
+```
+Gam displays the information as columns of fields.

wiki/Chat-Bot-Setup-Use.md

@@ -1,4 +1,4 @@
-# Chat Bot
+# Chat Bot Setup and Use
 - [Introduction](#introduction)
 - [Set up a Chat Bot](#set-up-a-chat-bot)
 - [API documentation](#api-documentation)

wiki/Classroom-Membership.md

@@ -12,6 +12,7 @@
 * [Google Classroom API](https://developers.google.com/classroom/reference/rest)
 * [Google Classroom API - Courses Students](https://developers.google.com/classroom/reference/rest/v1/courses.students)
 * [Google Classroom API - Courses Teachers](https://developers.google.com/classroom/reference/rest/v1/courses.teachers)
+* [Classroom Membership Limits](https://support.google.com/edu/classroom/answer/7300976)
 
 ## Definitions
 ```

wiki/GamUpdates.md

@@ -10,6 +10,43 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
 
 See [Downloads-Installs-GAM7](https://github.com/GAM-team/GAM/wiki/Downloads-Installs) for Windows or other options, including manual installation
 
+### 7.18.00
+
+Added commands to display Business Profile Accounts.
+These are special purpose commands and will not generally be used.
+```
+gam show businessprofileaccounts
+gam print businessprofileaccounts [todrive <ToDriveAttribute>*]
+```
+
+### 7.17.03
+
+Fixed bug in `gam <UserItem> print|show chatspaces asadmin fields <ChatSpaceFieldNameList>` that caused a trap
+when `displayname` was not in `<ChatSpaceFieldNameList>`.
+
+### 7.17.02
+
+Updated `gam <UserTypeEntity> print|show webmastersites` to handle the following error
+that occurs if you haven't updated your project to include the Google Search Console API.
+```
+ERROR: 403: permissionDenied - Google Search Console API has not been used in project 111055363999 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/searchconsole.googleapis.com/overview?project=111055363999 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
+```
+
+### 7.17.01
+
+Fixed bug in `gam <UserTypeEntity> show webmastersites` that caused a trap.
+
+### 7.17.00
+
+Added commands to discover Sites and WebResources that managed users (previously unmanaged) may have access to for better governance and visibility.
+These are special purpose commands and will not generally be used.
+```
+gam <UserTypeEntity> show webresources
+gam <UserTypeEntity> print webresources [todrive <ToDriveAttribute>*]
+gam <UserTypeEntity> show webmastersites
+gam <UserTypeEntity> print webmastersites [todrive <ToDriveAttribute>*]
+```
+
 ### 7.16.01
 
 The Drive API now supports setting download restrictions on individual files.

wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md

@@ -252,7 +252,7 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin$ gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAM 7.16.01 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.18.00 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 MacOS Sequoia 15.5 x86_64
@@ -990,7 +990,7 @@ writes the credentials into the file oauth2.txt.
 C:\>del C:\GAMConfig\oauth2.txt
 C:\>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAM 7.16.01 - https://github.com/GAM-team/GAM - pythonsource
+GAM 7.18.00 - https://github.com/GAM-team/GAM - pythonsource
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 Windows-10-10.0.17134 AMD64

wiki/Users-Drive-Files-Manage.md

@@ -125,7 +125,7 @@
         (folderColorRgb <ColorValue>)|
         (indexabletext <String>)|
         (inheritedpermissionsdisabled [<Boolean>])|
-        (itemdownloadrestriction (restrictedforreaders [<Boolean>]) (restrictedforwriters [<Boolean>]))|
+        (itemdownloadrestriction restrictedforreaders|restrictedforwriters [<Boolean>])|
         (keeprevisionforever|pinned)|
         (lastviewedbyme <Time>)|
         (mimetype <MimeType>)|

wiki/Users-Web-Resources-and-Sites.md

@@ -0,0 +1,48 @@
+# Users - Web Resources and Sites
+- [API documentation](#api-documentation)
+- [Introduction](#introduction)
+- [Definitions](#definitions)
+- [Display Web Resources](#display-web-resources)
+- [Display Web Master Sites](#display-web-master-sites)
+
+## API documentation
+* [Web Resources](https://developers.google.com/site-verification/v1/webResource/list)
+* [Web Sites](https://developers.google.com/webmaster-tools/v1/sites/list)
+
+
+## Introduction
+These features were added in version 7.17.00.
+
+To use these commands you add the 'Search Console API' to your project and update your service account authorization.
+```
+gam update project
+gam user user@domain.com update serviceaccount
+...
+[*] 39)  Search Console  API - read only
+[*] 42)  Site Verification API
+
+```
+## Definitions
+* [`<UserTypeEntity>`](Collections-of-Users)
+
+## Display Web Resources
+```
+gam <UserItem> show webresources
+```
+Gam displays the information as an indented list of keys and values.
+
+```
+gam <UserItem> print webresources [todrive <ToDriveAttribute>*]
+```
+Gam displays the information as columns of fields.
+
+## Display Web Master Sites
+```
+gam <UserItem> show webmastersites
+```
+Gam displays the information as an indented list of keys and values.
+
+```
+gam <UserItem> print webmastersites [todrive <ToDriveAttribute>*]
+```
+Gam displays the information as columns of fields.

wiki/Version-and-Help.md

@@ -3,7 +3,7 @@
 Print the current version of Gam with details
 ```
 gam version
-GAM 7.16.01 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.18.00 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 MacOS Sequoia 15.5 x86_64
@@ -15,7 +15,7 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAM 7.16.01 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.18.00 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 MacOS Sequoia 15.5 x86_64
@@ -27,7 +27,7 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAM 7.16.01 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.18.00 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 MacOS Sequoia 15.5 x86_64
@@ -64,7 +64,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gam7
 Version Check:
   Current: 5.35.08
-   Latest: 7.16.01
+   Latest: 7.18.00
 echo $?
 1
 ```
@@ -72,7 +72,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-7.16.01
+7.18.00
 ```
 In Linux/MacOS you can do:
 ```
@@ -82,7 +82,7 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 7.16.01 - https://github.com/GAM-team/GAM
+GAM 7.18.00 - https://github.com/GAM-team/GAM
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.5 64-bit final
 MacOS Sequoia 15.5 x86_64

wiki/_Sidebar.md

@@ -66,6 +66,7 @@ Client Access
 * [Administrators](Administrators)
 * [Alert Center](Alert-Center)
 * [Aliases](Aliases)
+* [Business Account Management](Business-Account-Management)
 * [Calendars](Calendars)
 * [Calendars - Access](Calendars-Access)
 * [Calendars - Events](Calendars-Events)
@@ -128,7 +129,7 @@ Client Access
 * [Version and Help](Version-and-Help)
 
 Special Service Account Access
-* [Chat Bot](Chat-Bot)
+* [Chat Bot Setup and Use](Chat-Bot-Setup-Use)
 
 Service Account Access
 * [Users - Analytics Admin](Users-Analytics-Admin)
@@ -174,6 +175,7 @@ Service Account Access
 * [Users - Tag Manager](Users-Tag-Manager)
 * [Users - Tasks](Users-Tasks)
 * [Users - YouTube](Users-YouTube)
+* [Users - Web Resources and Sites](Users-Web-Resources-and-Sites)
 
 GAM Tutorials
 * [Account Auditing](l-ExamplesAccountAuditing)