Upgraded gam create course-studentgroups to allow specification of multiple student group titles

like this:
```
ERROR: 400: invalidArgument - Resource name has invalid email.
```

.github/workflows/build.yml

@@ -30,6 +30,7 @@ env:
   PYTHON_SOURCE_PATH: ${{ github.workspace }}/src/cpython
   CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY: 1
   CRYPTOGRAPHY_OPENSSL_NO_LEGACY: 1
+  WINDOWS_CODESIGN_CERT_HASH: 590dc5bb10dfb31dbff38c0e2f9c35ef0f6d0e9e
 
 jobs:
   build:
@@ -76,7 +77,7 @@ jobs:
             jid: 9
             goal: build
             name: Build Arm MacOS 15
-          - os: windows-2022
+          - os: windows-2025
             jid: 10
             goal: build
             name: Build Intel Windows
@@ -107,26 +108,26 @@ jobs:
 
     steps:
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - id: auth
         name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@v2
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
         with:
           workload_identity_provider: projects/297925809119/locations/global/workloadIdentityPools/gha-pool/providers/gha-provider
           service_account: github-actions-testing-for-gam@gam-project-wyo-lub-ivl.iam.gserviceaccount.com
 
       - name: Cache multiple paths
         if: matrix.goal == 'build'
-        uses: actions/cache@v4
+        uses: actions/cache@638ed79f9dc94c1de1baef91bcab5edaa19451f4 # v4.2.4
         id: cache-python-ssl
         with:
           path: |
             cache.tar.xz
-          key: gam-${{ matrix.jid }}-20250701
+          key: gam-${{ matrix.jid }}-20250814
 
       - name: Untar Cache archive
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
@@ -136,7 +137,7 @@ jobs:
 
       - name: Use pre-compiled Python for testing
         if: matrix.python != ''
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@3d1e2d2ca0a067f27da6fec484fce7f5256def85 # v5.6.0
         with:
           python-version: ${{ matrix.python }}
           allow-prereleases: true
@@ -216,14 +217,13 @@ jobs:
 
       - name: MacOS import developer certificates for signing
         if: runner.os == 'macOS'
-        uses: apple-actions/import-codesign-certs@v3
+        uses: apple-actions/import-codesign-certs@11e1bb2d3771ad8ffa8459dfe527bc26b2dd4b62 # v5.0.3
         with:
-          keychain: signing_temp
           p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
           p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
 
       - name: Windows Configure VCode
-        uses: ilammy/msvc-dev-cmd@v1
+        uses: ilammy/msvc-dev-cmd@460a772e4cf7358f9f2f23773240813e40e7a894 # v1.13.0
         if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
         with:
           arch: ${{ runner.arch }}
@@ -285,7 +285,7 @@ jobs:
           echo "COMPILED_OPENSSL_VERSION=${COMPILED_OPENSSL_VERSION}" >> $GITHUB_ENV
 
       - name: Windows NASM Install
-        uses: ilammy/setup-nasm@v1
+        uses: ilammy/setup-nasm@3a5c2907aab40613bec4a2c63f5d0ef0b11fbd9f # v1.5.2
         if: matrix.goal == 'build' && runner.os == 'Windows' && runner.arch == 'X64' && steps.cache-python-ssl.outputs.cache-hit != 'true'
 
       - name: Config OpenSSL
@@ -462,13 +462,6 @@ jobs:
           curl -O -L "$latest_crypt_whl"
           "$PYTHON" -m pip install cryptography*.whl
 
-      #- uses: actions-rust-lang/setup-rust-toolchain@v1
-
-     # - name: Compile cryptography from source (no legacy)
-     #   if: runner.os != 'Windows' || runner.arch != 'ARM64'
-     #   run: |
-     #     pip install --no-binary ":all:" --force cryptography
-
       - name: Install pip requirements
         run: |
           echo "before anything..."
@@ -601,6 +594,72 @@ jobs:
           echo "GAM Version ${GAMVERSION}"
           echo "GAMVERSION=${GAMVERSION}" >> $GITHUB_ENV
 
+      - name: Install WinAppDriver
+        if: runner.os == 'Windows'
+        run: |
+          choco install -y winappdriver
+
+      - name: Enabled dev mode for WinAppDriver
+        if: runner.os == 'Windows'
+        shell: cmd
+        run : |
+         reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v "AllowDevelopmentWithoutDevLicense" /d "1"
+
+      - name: Install appium and totp tools
+        if: runner.os == 'Windows'
+        run: |
+          echo "Installing appium..."
+          npm install -g appium
+          echo "Installing totp-generator..."
+          npm install "totp-generator"
+          echo "Installing wdio..."
+          npm install @wdio/cli
+          echo "Installing appium win driver..."
+          appium driver install windows
+
+      - name: Install Certum MSI
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          $url = "https://files.certum.eu/software/SimplySignDesktop/Windows/9.3.2.67/SimplySignDesktop-9.3.2.67-64-bit-en.msi"
+          $file = "SimplySignDesktop-9.3.2.67-64-bit-en.msi"
+          Invoke-WebRequest $url -OutFile $file
+          $log = "install.log" 
+          $procMain = Start-Process "msiexec" "/i `"$file`" /qn /l*! `"$log`"" -NoNewWindow -PassThru
+          $procLog = Start-Process "powershell" "Get-Content -Path `"$log`" -Wait" -NoNewWindow -PassThru 
+          $procMain.WaitForExit() 
+          $procLog.Kill()
+
+      - name: Login to Certum
+        if: runner.os == 'Windows'
+        shell: pwsh
+        env:
+          TOTP_SECRET: ${{ secrets.TOTP_SECRET }}
+        run: |
+          # disable win private firewall that interferes with appium server
+          Set-NetFirewallProfile -Profile Private -Enabled False
+          $appiumCmd = Get-Command appium
+          $appiumPath = $appiumCmd.Path
+          Start-Process -Filepath "powershell.exe" -ArgumentList "-File", $appiumPath, "--address", "127.0.0.1", "--log-level", "error"
+          Start-Sleep -Seconds 10
+          write-host "appium started"
+          write-host "running SimplySignDesktop login..."
+          node tools/ssd.mjs --log-level warn
+          write-host "sleeping during login..."
+          Start-Sleep 10
+
+      - name: Sign gam.exe
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          write-Host "Signing ${env:gam}...."
+          # Always explicitely use x64 version os signtool.exe, arm64 version apparently can't
+          # see Certum certs since SimplySignDesktop is x64-only today.
+          Start-Process -Wait -NoNewWindow -ErrorAction Continue -FilePath 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe'  -ArgumentList "sign", "/sha1", "590dc5bb10dfb31dbff38c0e2f9c35ef0f6d0e9e", "/tr", "http://time.certum.pl", "/td", "SHA256", "/fd", "SHA256", "/v", "$env:gam"
+          write-Host "Verifying signature of ${env:gam}...."
+          # verify signature. If we failed to sign we should fail to verify and die.
+          & 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe' verify /pa /v "$env:gam"
+
       - name: Configure user and service account auth
         id: configserviceaccount
         env:
@@ -609,36 +668,8 @@ jobs:
           ../.github/actions/decrypt.sh "${GAMCFGDIR}"
           $gam create signjwtserviceaccount
 
-      - name: Upload gam.exe Windows for signing
-        if: runner.os == 'Windows' && matrix.goal != 'test'
-        run: |
-          export folder_number=$(date +%s)
-          export folder_id=$($gam user gam-win-signer@pdl.jaylee.us add drivefile drivefilename "UPLOADING_FOR_SIGN ${folder_number}" parentid "1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp" mimetype gfolder returnidonly)
-          $gam user gam-win-signer@pdl.jaylee.us add drivefile localfile "$gam" parentid "$folder_id"
-          $gam user gam-win-signer@pdl.jaylee.us update drivefile "$folder_id" newfilename "READYTOSIGN ${folder_number}"
-          export signed_folder="SIGNED ${folder_number}"
-          zero_results="gam-win-signer@pdl.jaylee.us,0"
-          while true; do
-            result_counts=$($gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" countsonly)
-            echo "$result_counts"
-            if [[ ! "$result_counts" =~ "$zero_results" ]]; then
-              echo "looks like we have results"
-              break
-            fi
-            echo "no results, sleeping 10..."
-            sleep 10
-          done
-          # download signed gam.exe
-          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us print filelist query "'~~id~~' in parents and name = 'gam.exe'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us get drivefile ~id targetfolder "$gampath" targetname "signed-gam.exe" overwrite true acknowledgeabuse true
-          # delete signed folder on drive
-          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us trash drivefile "~id"
-          # remove unsigned gam.exe and rename signed-gam.exe
-          rm -v -f "${gampath}/gam.exe"
-          mv -v -f "${gampath}/signed-gam.exe" "${gampath}/gam.exe"
-          #"/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe" verify /v /pa "$gam"
-
       - name: Attest gam executable was generated from this Action
-        uses: actions/attest-build-provenance@v1
+        uses: actions/attest-build-provenance@0b6e9809265278d02c58acf52849a95818a5a306 # v3.0.0
         if: matrix.goal == 'build'
         with:
           subject-path: ${{ env.gam }}
@@ -689,34 +720,20 @@ jobs:
           rm -v -f *.wixobj
           echo "MSI_FILENAME=${MSI_FILENAME}" >> $GITHUB_ENV
 
-      - name: Upload gam MSI Windows for signing
-        if: runner.os == 'Windows' && matrix.goal != 'test'
+      - name: Sign GAM MSI
+        if: runner.os == 'Windows'
+        shell: pwsh
         run: |
-          export folder_number=$(date +%s)
-          export folder_id=$($gam user gam-win-signer@pdl.jaylee.us add drivefile drivefilename "UPLOADING_FOR_SIGN ${folder_number}" parentid "1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp" mimetype gfolder returnidonly)
-          $gam user gam-win-signer@pdl.jaylee.us add drivefile localfile "$MSI_FILENAME" parentid "$folder_id"
-          rm -f -v "$MSI_FILENAME"
-          $gam user gam-win-signer@pdl.jaylee.us update drivefile "$folder_id" newfilename "READYTOSIGN ${folder_number}"
-          export signed_folder="SIGNED ${folder_number}"
-          zero_results="gam-win-signer@pdl.jaylee.us,0"
-          while true; do
-            result_counts=$($gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" countsonly)
-            echo "$result_counts"
-            if [[ ! "$result_counts" =~ "$zero_results" ]]; then
-              echo "looks like we have results"
-              break
-            fi
-            echo "no results, sleeping 10..."
-            sleep 10
-          done
-          # download signed package
-          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us print filelist query "'~~id~~' in parents and name contains '.msi'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us get drivefile ~id targetfolder "$GITHUB_WORKSPACE" targetname "$MSI_FILENAME" overwrite true acknowledgeabuse true
-          # delete signed folder on drive
-          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us trash drivefile "~id"
-          #"/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe" verify /v /pa "$MSI_FILENAME"
+          write-Host "Signing ${env:MSI_FILENAME}...."
+          # Always explicitely use x64 version os signtool.exe, arm64 version apparently can't
+          # see Certum certs since SimplySignDesktop is x64-only today.
+          Start-Process -Wait -NoNewWindow -ErrorAction Continue -FilePath 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe'  -ArgumentList "sign", "/sha1", "590dc5bb10dfb31dbff38c0e2f9c35ef0f6d0e9e", "/tr", "http://time.certum.pl", "/td", "SHA256", "/fd", "SHA256", "/v", "$env:MSI_FILENAME"
+          write-Host "Verifying signature of ${env:MSI_FILENAME}...."
+          # verify signature. If we failed to sign we should fail to verify and die.
+          & 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe' verify /pa /v "$env:MSI_FILENAME"
 
       - name: Attest that gam package files were generated from this Action
-        uses: actions/attest-build-provenance@v1
+        uses: actions/attest-build-provenance@0b6e9809265278d02c58acf52849a95818a5a306 # v3.0.0
         if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && matrix.goal == 'build'
         with:
           subject-path: |
@@ -725,7 +742,7 @@ jobs:
             gam*.msi
 
       - name: Archive production artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # 4.6.2
         if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && matrix.goal != 'test'
         with:
           name: gam-binaries-${{ env.GAMOS }}-${{ env.arch }}-${{ matrix.jid }}
@@ -973,7 +990,7 @@ jobs:
       packages: write
     steps:
       - name: Merge Artifacts
-        uses: actions/upload-artifact/merge@v4
+        uses: actions/upload-artifact/merge@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: gam-binaries
           pattern: gam-binaries-*
@@ -989,16 +1006,16 @@ jobs:
 
     steps:
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - name: Download artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # 5.0.0
 
       - name: VirusTotal Scan
-        uses: crazy-max/ghaction-virustotal@v4
+        uses: crazy-max/ghaction-virustotal@d34968c958ae283fe976efed637081b9f9dcf74f # 4.2.0
         with:
           vt_api_key: ${{ secrets.VT_API_KEY }}
           files: |
@@ -1011,12 +1028,14 @@ jobs:
           echo "Date version: ${dateversion}"
           echo "dateversion=${dateversion}" >> $GITHUB_OUTPUT
 
-      - uses: "marvinpinto/action-automatic-releases@latest"
-        name: Publish draft release
+      - name: Publish draft release
+        uses: softprops/action-gh-release@fbadcc90e88ecface60a0a0d123795b784ceb239 # v2.3.2
         with:
-          repo_token: "${{ secrets.GITHUB_TOKEN }}"
-          automatic_release_tag: "${{ steps.dateversion.outputs.dateversion }}"
-          prerelease: false
           draft: true
+          prerelease: false
+          tag_name: "${{ steps.dateversion.outputs.dateversion }}"
+          fail_on_unmatched_files: true
           files: |
             gam-binaries/*
+
+        

.github/workflows/codeql-analysis.yml

@@ -39,9 +39,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
-
-    # Initializes the CodeQL tools for scanning.
+      uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3
       with:

.github/workflows/get-cacerts.yml

@@ -16,10 +16,10 @@ defaults:
     working-directory: src
 
 jobs:
-  check-apis:
+  check-certs:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
         with:
           persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal token
           fetch-depth: 0 # otherwise, you will failed to push refs to dest repo

.github/workflows/pushwiki.yml

@@ -18,7 +18,7 @@ jobs:
           git clone https://github.com/GAM-team/GAM
 
       - name: Checkout Wiki source
-        uses: actions/checkout@master
+        uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
         with:
           path: GAM.wiki
           repository: GAM-team/GAM.wiki

.github/workflows/pypi.yml

@@ -16,7 +16,7 @@ jobs:
       id-token: write
     steps:
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
         with:
           persist-credentials: false
           fetch-depth: 0

src/GamCommands.txt

@@ -539,6 +539,7 @@ If an item contains spaces, it should be surrounded by ".
         Must match this Python Regular Expression: [a-zA-Z0-9 '"!-]{4,30}
 <PropertyKey> ::= <String>
 <PropertyValue> ::= <String>
+<PubSubTopicName> ::= <String>
 <QueryAlert> ::= <String>
         See: https://developers.google.com/admin-sdk/alertcenter/guides/query-filters
 <QueryBrowser> ::= <String>
@@ -605,6 +606,7 @@ If an item contains spaces, it should be surrounded by ".
 <SiteItem> ::= [<DomainName>/]<SiteName>
 <S/MIMEID> ::= <String>
 <SMTPHostName> ::= <String>
+<StudentGroupID> ::= <Number>
 <StudentItem> ::= <EmailAddress>|<UniqueID>|<String>
 <SharedDriveACLRole> ::=
         commenter|
@@ -779,6 +781,7 @@ If an item contains spaces, it should be surrounded by ".
 <SharedDriveACLRoleList> ::= "<SharedDriveACLRole>(,<SharedDriveACLRole>)*"
 <SharedDriveIDList> ::= "<SharedDriveID>(,<SharedDriveID>)*"
 <StringList> ::= "<String>(,<String>)*"
+<StudentGroupIDList> ::= "<StudentGroupID>(,<StudentGroupID>)*"
 <TagManagerAccountPathList> ::= "<TagManagerAccountPath>(,<TagManagerAccountPath>)*"
 <TagManagerContainerPathList> ::= "<TagManagerContainerPath>(,<TagManagerContainerPath>)*"
 <TagManagerWorkspacePathList> ::= "<TagManagerWorkspacePath>(,<TagManagerWorkspacePath>)*"
@@ -1243,6 +1246,10 @@ Specify a collection of items by directly specifying them; the item type is dete
         <SiteACLScopeList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <SiteEntity> ::=
         <SiteList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+<StringEntity> ::=
+        <StringList> | <FileSelector> | <CSVFileSelector>
+<StudentGroupEntity> ::=
+        <StudentGroupIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector>
 <TagManagerAccountPathEntity> ::=
         <TagManagerAccountPathList> |
         (select <FileSelector>|<CSVFileSelector>) |
@@ -1511,15 +1518,22 @@ gam show privileges
 <RoleItem> ::= id:<String>|uid:<string>|<String>
 
 gam create adminrole <String> [description <String>]
-        privileges all|all_ou|<PrivilegesList>|(select <FileSelector>|<CSVFileSelector>)
+        privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>)|<JSONData>
+        [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*]
 gam update adminrole <RoleItem> [name <String>] [description <String>]
-         [privileges all|all_ou|<PrivilegesList>|(select <FileSelector>|<CSVFileSelector>)]
+        [privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>)|<JSONData>]
+        [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*]
 gam delete adminrole <RoleItem>
 gam info adminrole <RoleItem> [privileges]
+        [formatjson]
 gam print adminroles|roles [todrive <ToDriveAttribute>*]
         [role <RoleItem>] [privileges] [oneitemperrow]
+        [nosystemroles]
+        [formatjson [quotechar <Character>]]
 gam show adminroles|roles
         [role <RoleItem>] [privileges]
+	[nosystemroles]
+	[formatjson]
 
 gam create|add admin <EmailAddress>|<UniqueID> <RoleItem> customer|(org_unit <OrgUnitItem>)
         [condition securitygroup|nonsecuritygroup]
@@ -1533,6 +1547,10 @@ gam show admins
 
 # Alert Center
 
+gam show alertsettings
+gam update alertsettings <PubsubTopicName>
+gam clear alertsettings
+
 gam delete alert <AlertID>
 gam undelete alert <AlertID>
 gam info alert <AlertID> [formatjson]
@@ -1984,10 +2002,10 @@ gam info chatspace <ChatSpace>
         [fields <ChatSpaceFieldNameList>]
         [formatjson]
 gam show chatspaces
-        [fields <ChatSpaceFieldNameList>]
+        [fields <ChatSpaceFieldNameList>] [showaccessssettings]
         [formatjson]
 gam print chatspaces [todrive <ToDriveAttribute>*]
-        [fields <ChatSpaceFieldNameList>]
+        [fields <ChatSpaceFieldNameList>] [showaccessssettings]
         [formatjson [quotechar <Character>]]
 
 <ChatMemberFieldName> ::=
@@ -3376,6 +3394,28 @@ gam print course-works [todrive <ToDriveAttribute>*]
         [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
         [countsonly] [formatjson [quotechar <Character>]]
 
+# Classroom - Student Groups
+
+gam create course-studentgroups
+        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])
+        ((title <String>)|(select <StringEntity))+
+        [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]]
+gam update course-studentgroups <CourseID> <StudentGroupID> title <String>
+gam delete course-studentgroups <CourseID> <StudentGroupIDEntity>
+gam clear course-studentgroups
+        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])
+gam print course-studentgroups [todrive <ToDriveAttribute>*]
+        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])
+        [formatjson [quotechar <Character>]]
+
+gam create course-studentgroup-members <CourseID> <StudentGroupID> <UserTypeEntity>
+gam delete course-studentgroup-members <CourseID> <StudentGroupID> <UserTypeEntity>
+gam sync course-studentgroup-members <CourseID> <StudentGroupID> <UserTypeEntity>
+gam clear course-studentgroupmembers <CourseID> <StudentGroupID>
+gam print course-studentgroup-members [todrive <ToDriveAttribute>*]
+        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])
+        [showitemcountonly] [formatjson [quotechar <Character>]]
+
 # Classroom - Invitations
 
 gam <UserTypeEntity> create classroominvitation courses <CourseEntity> [role owner|student|teacher]
@@ -3436,6 +3476,13 @@ gam print guardian|guardians [todrive <ToDriveAttribute>*] [accepted|invitations
         [showstudentemails]
         [formatjson [quotechar <Character>]]
 
+# Business Profile Accounts
+
+gam show businessprofileaccounts
+        [type locationgroup|organization|personal|usergroup]
+gam print businessprofileaccounts [todrive <ToDriveAttribute>*]
+        [type locationgroup|organization|personal|usergroup]
+
 # Classroom User Profiles
 
 gam <UserTypeEntity> print classroomprofile [todrive <ToDriveAttribute>*]
@@ -3677,17 +3724,17 @@ gam print contacts [todrive <ToDriveAttribute>*] <ContactSelection>
         userdefined
 <PeopleFieldNameList> ::= "<PeopleFieldName>(,<PeopleFieldName>)*"
 
-gam info peoplecontacts <PeopleResourceNameEntity>
+gam info domaincontacts|peoplecontacts <PeopleResourceNameEntity>
         [allfields|(fields <PeopleFieldNameList>)] [showmetadata]
         [formatjson]
-gam print peoplecontacts [todrive <ToDriveAttribute>*]
+gam print domaincontacts|peoplecontacts [todrive <ToDriveAttribute>*]
         [sources <PeopleSourceName>]
         [query <String>]
         [mergesources <PeopleMergeSourceName>]
         [coountsonly]
         [allfields|(fields <PeopleFieldNameList>)] [showmetadata]
         [formatjson [quotechar <Character>]]
-gam show peoplecontacts
+gam show domaincontacts|peoplecontacts
         [sources <PeopleSourceName>]
         [query <String>]
         [mergesources <PeopleMergeSourceName>]
@@ -4263,19 +4310,19 @@ gam show policies
 <SSOProfileItem> ::= <SSOProfileDisplayName>|<SSOProfileName>
 <SSOProfileItemList> ::= "<SSOProfileItem>(,<SSOProfileItem>)*"
 
-gam create inboundssoprofile [name <SSOProfileDisplayName>]
+gam create inboundssoprofile [saml|oidc] [name <SSOProfileDisplayName>]
         [entityid <String>] [loginurl <URL>] [logouturl <URL>] [changepasswordurl <URL>]
         [returnnameonly]
-gam update inboundssoprofile <SSOProfileItem>
+gam update inboundssoprofile [saml|oidc] <SSOProfileItem>
         [entityid <String>] [loginurl <URL>] [logouturl <URL>] [changepasswordurl <URL>]
         [returnnameonly]
-gam delete inboundssoprofile <SSOProfileItem>
+gam delete inboundssoprofile [saml|oidc] <SSOProfileItem>
 
-gam info inboundssoprofile <SSOProfileItem>
+gam info inboundssoprofile [all|saml|oidc] <SSOProfileItem>
         [formatjson]
-gam show inboundssoprofiles
+gam show inboundssoprofiles [all|saml|oidc]
         [formatjson]
-gam print inboundssoprofiles [todrive <ToDriveAttribute>*]
+gam print inboundssoprofiles [all|saml|oidc] [todrive <ToDriveAttribute>*]
         [[formatjson [quotechar <Character>]]
 
 <SSOCredentialsName> ::= [id:]inboundSamlSsoProfiles/<String>/idpCredentials/<String>
@@ -4299,10 +4346,14 @@ gam print inboundssocredentials [profile|profiles <SSOProfileItemList>]
         orgunits/<String> |
         orgunit:<OrgUnitPath>
 
-gam create inboundssoassignment (group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)
-        (mode sso_off)|(mode saml_sso profile <SSOProfileItem>)(mode domain_wide_saml_if_enabled) [neverredirect]
-gam update inboundssoassignment [(group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)]
-        [(mode sso_off)|(mode saml_sso profile <SSOProfileItem>)(mode domain_wide_saml_if_enabled)] [neverredirect]
+gam create inboundssoassignment
+        (group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)
+        (mode sso_off)|(mode saml_sso profile <SSOProfileItem>)|(mode oidc_sso profile <SSOProfileName>}|(mode domain_wide_saml_if_enabled)
+        [neverredirect]
+gam update inboundssoassignment <SSOAssignmentName>
+        [(group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)]
+        (mode sso_off)|(mode saml_sso profile <SSOProfileItem>)|(mode oidc_sso profile <SSOProfileName>}|(mode domain_wide_saml_if_enabled)
+        [neverredirect]
 gam delete inboundssoassignment <SSOAssignmentSelector>
 
 gam info inboundssoassignment <SSOAssignmentSelector>
@@ -4526,11 +4577,12 @@ gam report usage customer [todrive <ToDriveAttribute>*]
         chrome|
         classroom|
         contextawareaccess|
-        gplus|currents|google+|
         datastudio|
         drive|doc|docs|
         gcp|cloud|
         geminiinworkspaceapps|gemini|geminiforworkspace|
+        gmail|
+        gplus|currents|google+|
         groups|group|
         groupsenterprise|enterprisegroups|
         jamboard|
@@ -6359,11 +6411,11 @@ gam <UserTypeEntity> info chatspacedm <UserItem>
         [formatjson]
 gam <UserTypeEntity> show chatspaces
         [types <ChatSpaceTypeList>]
-        [fields <ChatSpaceFieldNameList>]
+        [fields <ChatSpaceFieldNameList>] [showaccessssettings]
         [formatjson]
 gam <UserTypeEntity> print chatspaces [todrive <ToDriveAttribute>*]
         [types <ChatSpaceTypeList>]
-        [fields <ChatSpaceFieldNameList>]
+        [fields <ChatSpaceFieldNameList>] [showaccessssettings]
         [formatjson [quotechar <Character>]]
 
 gam <UserItem> info chatspace asadmin <ChatSpace>
@@ -6372,12 +6424,12 @@ gam <UserItem> info chatspace asadmin <ChatSpace>
 gam <UserItem> show chatspaces asadmin
         [query <String>] [querytime<String> <Time>]
         [orderby <ChatSpaceAdminOrderByFieldName> [ascending|descending]]
-        [fields <ChatSpaceFieldNameList>]
+        [fields <ChatSpaceFieldNameList>] [showaccessssettings]
         [formatjson]
 gam <UserItem> print chatspaces asadmin [todrive <ToDriveAttribute>*]
         [query <String>] [querytime<String> <Time>]
         [orderby <ChatSpaceAdminOrderByFieldName> [ascending|descending]]
-        [fields <ChatSpaceFieldNameList>]
+        [fields <ChatSpaceFieldNameList>] [showaccessssettings]
         [formatjson [quotechar <Character>]]
 
 gam <UserTypeEntity> create chatmember <ChatSpace>

src/GamUpdate.txt

@@ -1,3 +1,121 @@
+7.20.02
+
+Upgraded `gam create course-studentgroups` to allow specification of multiple student group titles;
+multiple student groups can be created in a single command.
+* `((title <String>)|(select <StringEntity))+`
+
+7.20.01
+
+Added option `showaccesssettings` to `gam [<UserTypeEntity>] print|show chatspaces`. When listing
+Chat Spaces, the Chat API does not return the `accessSettings` field; if you need to see this field,
+add `showaccesssettings` to the command. This requires an additional Chat API call per chat space of type `SPACE`
+to get the `accessSettings` field.
+
+7.20.00
+
+Added initial support for student groups in Google Classroom. This is a work in progress and requires Developer Preview membership.
+* See: https://github.com/GAM-team/GAM/wiki/Classroom-StudentGroups#notes
+
+7.19.03
+
+Fixed bug where specifying a `<UserItem>` as `id:1234567890` could lead to errors like this:
+```
+ERROR: 400: invalidArgument - Resource name has invalid email.
+```
+
+7.19.02
+
+Update `gam info user <UserItem>` to eliminate 5 second delay when getting license info.
+
+Additional information:
+* See: https://github.com/GAM-team/GAM/wiki/Licenses#info-user-performance
+
+7.19.01
+
+Updated `gam <UserTypeEntity> print|show signature` to handle the following error
+that occurs when an alias is specified.
+```
+ERROR: 404: notFound - Requested entity was not found.
+```
+
+7.19.00
+
+Eliminated `drive_v3_beta` and `meet_v2_beta` from `gam.cfg` as the API betas are no longer used.
+
+Updated `Meet API` scopes so that GAM can read metadata about additional Meet spaces.
+```
+[*] 34)  Meet API - Manage/Display Meeting Spaces
+[*] 35)  Meet API - Read Meeting Spaces metadata
+```
+
+7.18.07
+
+Updated `gam <UserTypeEntity> print drivelastmodification` to put `addcsvdata` columns
+after `User,id,name` rather than after the last column.
+
+7.18.06
+
+Updated `gam <UserTypeEntity> delete|modify messages` to improve the handling
+of the following error.
+```
+quotaExceeded - User-rate limit exceeded
+```
+
+7.18.05
+
+Added support for Inbound SSO OIDC profiles.
+
+Currently, if you enter `gam select <SectionName>` and nothing else on the command line,
+GAM performs no action. Now, it will be treated as if you entered:
+`gam select <SectionName> save`
+
+Updated to Python 3.13.7.
+
+7.18.04
+
+Added commands to display/manage Alert Center Pub/Sub notifications.
+* See: https://github.com/GAM-team/GAM/wiki/Alert-Center#configuring-settings
+
+7.18.03
+
+Updated `gam oauth create` to give a warning if the number of selected scopes will
+probably cause Google to generate a "Something went wrong" error.
+
+7.18.02
+
+Upgraded to OpenSSL 3.5.2.
+
+7.18.01
+
+Added option `nosystemroles` to `gam print|show adminroles` that causes GAM
+to only display non-system roles.
+
+Added option `formatjson` to `gam info|print|show adminroles`; this will be most useful
+when the `privileges` option is used.
+
+Updated `gam create|update adminrole` to allow specification of privileges with
+JSON data: `privileges <JSONData>`. These two updates make it easier to copy admin roles.
+
+Updated `gam create|update adminrole` to allow output of the created/updated
+role data in CSV format; by default, GAM displays `<RoleName>(<RoleID>) created|updated`.
+```
+csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*
+```
+
+7.18.00
+
+Added commands to display Business Profile Accounts.
+These are special purpose commands and will not generally be used.
+```
+gam show businessprofileaccounts
+gam print businessprofileaccounts [todrive <ToDriveAttribute>*]
+```
+
+7.17.03
+
+Fixed bug in `gam <UserItem> print|show chatspaces asadmin fields <ChatSpaceFieldNameList>` that caused a trap
+when `displayname` was not in `<ChatSpaceFieldNameList>`.
+
 7.17.02
 
 Updated `gam <UserTypeEntity> print|show webmastersites` to handle the following error

src/cacerts.pem

@@ -433,106 +433,6 @@ pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
 mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
 -----END CERTIFICATE-----
 
-# Operating CA: GoDaddy
-# Issuer: O=Starfield Technologies, Inc. OU=Starfield Class 2 Certification Authority
-# Subject: O=Starfield Technologies, Inc. OU=Starfield Class 2 Certification Authority
-# Label: "Starfield Class 2 CA"
-# Serial: 0
-# MD5 Fingerprint: 32:4a:4b:bb:c8:63:69:9b:be:74:9a:c6:dd:1d:46:24
-# SHA1 Fingerprint: ad:7e:1c:28:b0:64:ef:8f:60:03:40:20:14:c3:d0:e3:37:0e:b5:8a
-# SHA256 Fingerprint: 14:65:fa:20:53:97:b8:76:fa:a6:f0:a9:95:8e:55:90:e4:0f:cc:7f:aa:4f:b7:c2:c8:67:75:21:fb:5f:b6:58
------BEGIN CERTIFICATE-----
-MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl
-MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp
-U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw
-NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE
-ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp
-ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3
-DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf
-8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN
-+lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0
-X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa
-K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA
-1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G
-A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR
-zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0
-YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD
-bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w
-DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3
-L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D
-eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl
-xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp
-VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY
-WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=
------END CERTIFICATE-----
-
-# Operating CA: GoDaddy
-# Issuer: O=The Go Daddy Group, Inc. OU=Go Daddy Class 2 Certification Authority
-# Subject: O=The Go Daddy Group, Inc. OU=Go Daddy Class 2 Certification Authority
-# Label: "Go Daddy Class 2 CA"
-# Serial: 0
-# MD5 Fingerprint: 91:de:06:25:ab:da:fd:32:17:0c:bb:25:17:2a:84:67
-# SHA1 Fingerprint: 27:96:ba:e6:3f:18:01:e2:77:26:1b:a0:d7:77:70:02:8f:20:ee:e4
-# SHA256 Fingerprint: c3:84:6b:f2:4b:9e:93:ca:64:27:4c:0e:c6:7c:1e:cc:5e:02:4f:fc:ac:d2:d7:40:19:35:0e:81:fe:54:6a:e4
------BEGIN CERTIFICATE-----
-MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
-MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
-YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
-MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
-ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
-MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
-ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
-PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
-wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
-EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
-avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
-YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
-sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
-/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
-IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
-YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
-ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
-OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
-TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
-HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
-dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
-ReYNnyicsbkqWletNw+vHX/bvZ8=
------END CERTIFICATE-----
-
-# Operating CA: Sectigo
-# Issuer: CN=AAA Certificate Services O=Comodo CA Limited
-# Subject: CN=AAA Certificate Services O=Comodo CA Limited
-# Label: "Comodo AAA Services root"
-# Serial: 1
-# MD5 Fingerprint: 49:79:04:b0:eb:87:19:ac:47:b0:bc:11:51:9b:74:d0
-# SHA1 Fingerprint: d1:eb:23:a4:6d:17:d6:8f:d9:25:64:c2:f1:f1:60:17:64:d8:e3:49
-# SHA256 Fingerprint: d7:a7:a0:fb:5d:7e:27:31:d7:71:e9:48:4e:bc:de:f7:1d:5f:0c:3e:0a:29:48:78:2b:c8:3e:e0:ea:69:9e:f4
------BEGIN CERTIFICATE-----
-MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
-MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
-GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
-YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
-MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
-BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM
-GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua
-BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe
-3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4
-YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR
-rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm
-ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU
-oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF
-MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v
-QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
-b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF
-AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q
-GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz
-Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2
-G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi
-l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3
-smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
------END CERTIFICATE-----
-
 # Operating CA: Sectigo
 # Issuer: CN=COMODO Certification Authority O=COMODO CA Limited
 # Subject: CN=COMODO Certification Authority O=COMODO CA Limited

src/gam/cacerts.pem

@@ -433,106 +433,6 @@ pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
 mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
 -----END CERTIFICATE-----
 
-# Operating CA: GoDaddy
-# Issuer: O=Starfield Technologies, Inc. OU=Starfield Class 2 Certification Authority
-# Subject: O=Starfield Technologies, Inc. OU=Starfield Class 2 Certification Authority
-# Label: "Starfield Class 2 CA"
-# Serial: 0
-# MD5 Fingerprint: 32:4a:4b:bb:c8:63:69:9b:be:74:9a:c6:dd:1d:46:24
-# SHA1 Fingerprint: ad:7e:1c:28:b0:64:ef:8f:60:03:40:20:14:c3:d0:e3:37:0e:b5:8a
-# SHA256 Fingerprint: 14:65:fa:20:53:97:b8:76:fa:a6:f0:a9:95:8e:55:90:e4:0f:cc:7f:aa:4f:b7:c2:c8:67:75:21:fb:5f:b6:58
------BEGIN CERTIFICATE-----
-MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl
-MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp
-U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw
-NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE
-ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp
-ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3
-DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf
-8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN
-+lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0
-X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa
-K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA
-1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G
-A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR
-zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0
-YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD
-bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w
-DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3
-L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D
-eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl
-xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp
-VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY
-WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=
------END CERTIFICATE-----
-
-# Operating CA: GoDaddy
-# Issuer: O=The Go Daddy Group, Inc. OU=Go Daddy Class 2 Certification Authority
-# Subject: O=The Go Daddy Group, Inc. OU=Go Daddy Class 2 Certification Authority
-# Label: "Go Daddy Class 2 CA"
-# Serial: 0
-# MD5 Fingerprint: 91:de:06:25:ab:da:fd:32:17:0c:bb:25:17:2a:84:67
-# SHA1 Fingerprint: 27:96:ba:e6:3f:18:01:e2:77:26:1b:a0:d7:77:70:02:8f:20:ee:e4
-# SHA256 Fingerprint: c3:84:6b:f2:4b:9e:93:ca:64:27:4c:0e:c6:7c:1e:cc:5e:02:4f:fc:ac:d2:d7:40:19:35:0e:81:fe:54:6a:e4
------BEGIN CERTIFICATE-----
-MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
-MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
-YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
-MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
-ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
-MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
-ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
-PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
-wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
-EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
-avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
-YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
-sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
-/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
-IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
-YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
-ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
-OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
-TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
-HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
-dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
-ReYNnyicsbkqWletNw+vHX/bvZ8=
------END CERTIFICATE-----
-
-# Operating CA: Sectigo
-# Issuer: CN=AAA Certificate Services O=Comodo CA Limited
-# Subject: CN=AAA Certificate Services O=Comodo CA Limited
-# Label: "Comodo AAA Services root"
-# Serial: 1
-# MD5 Fingerprint: 49:79:04:b0:eb:87:19:ac:47:b0:bc:11:51:9b:74:d0
-# SHA1 Fingerprint: d1:eb:23:a4:6d:17:d6:8f:d9:25:64:c2:f1:f1:60:17:64:d8:e3:49
-# SHA256 Fingerprint: d7:a7:a0:fb:5d:7e:27:31:d7:71:e9:48:4e:bc:de:f7:1d:5f:0c:3e:0a:29:48:78:2b:c8:3e:e0:ea:69:9e:f4
------BEGIN CERTIFICATE-----
-MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
-MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
-GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
-YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
-MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
-BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM
-GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua
-BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe
-3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4
-YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR
-rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm
-ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU
-oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF
-MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v
-QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
-b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF
-AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q
-GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz
-Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2
-G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi
-l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3
-smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
------END CERTIFICATE-----
-
 # Operating CA: Sectigo
 # Issuer: CN=COMODO Certification Authority O=COMODO CA Limited
 # Subject: CN=COMODO Certification Authority O=COMODO CA Limited

src/gam/gamlib/glapi.py

@@ -24,6 +24,7 @@ ACCESSCONTEXTMANAGER = 'accesscontextmanager'
 ALERTCENTER = 'alertcenter'
 ANALYTICS_ADMIN = 'analyticsadmin'
 CALENDAR = 'calendar'
+BUSINESSACCOUNTMANAGEMENT = 'mybusinessaccountmanagement'
 CBCM = 'cbcm'
 CHAT = 'chat'
 CHAT_CUSTOM_EMOJIS = 'chatcustomemojis'
@@ -74,8 +75,8 @@ IAM_CREDENTIALS = 'iamcredentials'
 KEEP = 'keep'
 LICENSING = 'licensing'
 LOOKERSTUDIO = 'datastudio'
-MEET = 'meet'
-MEET_BETA = 'meetbeta'
+MEET_SPACES = 'meet'
+MEET_READONLY = 'meetreadonly'
 OAUTH2 = 'oauth2'
 ORGPOLICY = 'orgpolicy'
 PEOPLE = 'people'
@@ -101,6 +102,7 @@ TASKS = 'tasks'
 VAULT = 'vault'
 YOUTUBE = 'youtube'
 #
+BUSINESSACCOUNTMANAGEMENT_SCOPE = 'https://www.googleapis.com/auth/business.manage'
 CHROMEVERSIONHISTORY_URL = 'https://versionhistory.googleapis.com/v1/chrome/platforms'
 DRIVE_SCOPE = 'https://www.googleapis.com/auth/drive'
 GMAIL_SEND_SCOPE = 'https://www.googleapis.com/auth/gmail.send'
@@ -117,6 +119,7 @@ USERINFO_PROFILE_SCOPE = 'https://www.googleapis.com/auth/userinfo.profile' # pr
 VAULT_SCOPES = ['https://www.googleapis.com/auth/ediscovery', 'https://www.googleapis.com/auth/ediscovery.readonly']
 REQUIRED_SCOPES = [USERINFO_EMAIL_SCOPE, USERINFO_PROFILE_SCOPE]
 REQUIRED_SCOPES_SET = set(REQUIRED_SCOPES)
+NUM_CLIENT_SCOPES_ERROR_LIMIT = 48
 #
 JWT_APIS = {
   ACCESSCONTEXTMANAGER: [CLOUD_PLATFORM_SCOPE],
@@ -174,6 +177,7 @@ PROJECT_APIS = [
   'alertcenter.googleapis.com',
   'analyticsadmin.googleapis.com',
 #  'audit.googleapis.com',
+  'mybusinessaccountmanagement.googleapis.com',
   'calendar-json.googleapis.com',
   'chat.googleapis.com',
   'chromemanagement.googleapis.com',
@@ -213,6 +217,7 @@ _INFO = {
   ACCESSCONTEXTMANAGER: {'name': 'Access Context Manager API', 'version': 'v1', 'v2discovery': True},
   ALERTCENTER: {'name': 'AlertCenter API', 'version': 'v1beta1', 'v2discovery': True},
   ANALYTICS_ADMIN: {'name': 'Analytics Admin API', 'version': 'v1beta', 'v2discovery': True},
+  BUSINESSACCOUNTMANAGEMENT: {'name': 'Business Account Management API', 'version': 'v1', 'v2discovery': True},
   CALENDAR: {'name': 'Calendar API', 'version': 'v3', 'v2discovery': True, 'mappedAPI': 'calendar-json'},
   CBCM: {'name': 'Chrome Browser Cloud Management API', 'version': 'v1.1beta1', 'v2discovery': True, 'localjson': True},
   CHAT: {'name': 'Chat API', 'version': 'v1', 'v2discovery': True},
@@ -262,8 +267,8 @@ _INFO = {
   KEEP: {'name': 'Keep API', 'version': 'v1', 'v2discovery': True},
   LICENSING: {'name': 'License Manager API', 'version': 'v1', 'v2discovery': True},
   LOOKERSTUDIO: {'name': 'Looker Studio API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
-  MEET: {'name': 'Meet API', 'version': 'v2', 'v2discovery': True},
-  MEET_BETA: {'name': 'Meet API Beta', 'version': 'v2beta', 'v2discovery': True, 'localjson': True, 'mappedAPI': MEET},
+  MEET_SPACES: {'name': 'Meet API - Manage/Display Meeting Spaces', 'version': 'v2', 'v2discovery': True},
+  MEET_READONLY: {'name': 'Meet API - Read Meeting Spaces metadata', 'version': 'v2', 'v2discovery': True, 'mappedAPI': MEET_SPACES},
   OAUTH2: {'name': 'OAuth2 API', 'version': 'v2', 'v2discovery': False},
   ORGPOLICY: {'name': 'Organization Policy API', 'version': 'v2', 'v2discovery': True},
   PEOPLE: {'name': 'People API', 'version': 'v1', 'v2discovery': True},
@@ -293,6 +298,11 @@ _INFO = {
 READONLY = ['readonly',]
 
 _CLIENT_SCOPES = [
+  {'name': 'Business Account Management API',
+   'api': BUSINESSACCOUNTMANAGEMENT,
+   'subscopes': [],
+   'offByDefault': True,
+   'scope': BUSINESSACCOUNTMANAGEMENT_SCOPE},
   {'name': 'Calendar API',
    'api': CALENDAR,
    'subscopes': READONLY,
@@ -679,11 +689,15 @@ _SVCACCT_SCOPES = [
    'api': LOOKERSTUDIO,
    'subscopes': READONLY,
    'scope': 'https://www.googleapis.com/auth/datastudio'},
-  {'name': 'Meet API',
-   'api': MEET,
-   'subscopes': READONLY,
-   'scope': 'https://www.googleapis.com/auth/meetings.space.created',
-   'roscope': 'https://www.googleapis.com/auth/meetings.space.readonly'},
+  {'name': 'Meet API - Manage/Display Meeting Spaces',
+   'api': MEET_SPACES,
+   'subscopes': [],
+   'scope': ['https://www.googleapis.com/auth/meetings.space.created',
+             'https://www.googleapis.com/auth/meetings.space.settings']},
+  {'name': 'Meet API - Read Meeting Spaces metadata',
+   'api': MEET_READONLY,
+   'subscopes': [],
+   'scope': 'https://www.googleapis.com/auth/meetings.space.readonly'},
   {'name': 'OAuth2 API',
    'api': OAUTH2,
    'subscopes': [],
@@ -834,4 +848,3 @@ def findAPIforScope(scopesList):
   if not requiredAPIs:
     requiredAPIs = scopesList
   return ' or '.join(requiredAPIs)
-    

src/gam/gamlib/glcfg.py

@@ -145,6 +145,8 @@ CSV_OUTPUT_USERS_AUDIT = 'csv_output_users_audit'
 CUSTOMER_ID = 'customer_id'
 # If debug_level > 0: extra_args['prettyPrint'] = True, httplib2.debuglevel = gam_debug_level, appsObj.debug = True
 DEBUG_LEVEL = 'debug_level'
+# Developer Preview API Key
+DEVELOPER_PREVIEW_API_KEY = 'developer_preview_api_key'
 # When retrieving lists of ChromeOS devices from API, how many should be retrieved in each chunk
 DEVICE_MAX_RESULTS = 'device_max_results'
 # Domain obtained from gam.cfg or oauth2.txt
@@ -153,8 +155,6 @@ DOMAIN = 'domain'
 DRIVE_DIR = 'drive_dir'
 # When retrieving lists of Drive files/folders from API, how many should be retrieved in each chunk
 DRIVE_MAX_RESULTS = 'drive_max_results'
-# Use Drive V3 beta
-DRIVE_V3_BETA = 'drive_v3_beta'
 # When processing email messages in batches, how many should be processed in each batch
 EMAIL_BATCH_SIZE = 'email_batch_size'
 # Enable Delegated Admin Service Account
@@ -177,8 +177,6 @@ INTER_BATCH_WAIT = 'inter_batch_wait'
 LICENSE_MAX_RESULTS = 'license_max_results'
 # License SKUs to process
 LICENSE_SKUS = 'license_skus'
-# Use Meet V2 beta
-MEET_V2_BETA = 'meet_v2_beta'
 # When retrieving lists of Google Group members from API, how many should be retrieved in each chunk
 MEMBER_MAX_RESULTS = 'member_max_results'
 # CI API Group members max page size when view=BASIC
@@ -374,12 +372,12 @@ Defaults = {
   CSV_OUTPUT_USERS_AUDIT: FALSE,
   CUSTOMER_ID: MY_CUSTOMER,
   DEBUG_LEVEL: '0',
+  DEVELOPER_PREVIEW_API_KEY: '',
   DEVICE_MAX_RESULTS: '200',
   DOMAIN: '',
   DRIVE_DIR: '',
   ENFORCE_EXPANSIVE_ACCESS: TRUE,
   DRIVE_MAX_RESULTS: '1000',
-  DRIVE_V3_BETA: FALSE,
   EMAIL_BATCH_SIZE: '50',
   ENABLE_DASA: FALSE,
   ENABLE_GCLOUD_REAUTH: FALSE,
@@ -390,7 +388,6 @@ Defaults = {
   INTER_BATCH_WAIT: '0',
   LICENSE_MAX_RESULTS: '100',
   LICENSE_SKUS: '',
-  MEET_V2_BETA: FALSE,
   MEMBER_MAX_RESULTS: '200',
   MEMBER_MAX_RESULTS_CI_BASIC: '1000',
   MEMBER_MAX_RESULTS_CI_FULL: '500',
@@ -542,12 +539,12 @@ VAR_INFO = {
   CSV_OUTPUT_USERS_AUDIT: {VAR_TYPE: TYPE_BOOLEAN},
   CUSTOMER_ID: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'CUSTOMER_ID', VAR_LIMITS: (0, None)},
   DEBUG_LEVEL: {VAR_TYPE: TYPE_INTEGER, VAR_SIGFILE: 'debug.gam', VAR_LIMITS: (0, None), VAR_SFFT: ('0', '4')},
+  DEVELOPER_PREVIEW_API_KEY: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
   DEVICE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 200)},
   DOMAIN: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'GA_DOMAIN', VAR_LIMITS: (0, None)},
   DRIVE_DIR: {VAR_TYPE: TYPE_DIRECTORY, VAR_ENVVAR: 'GAMDRIVEDIR'},
   ENFORCE_EXPANSIVE_ACCESS: {VAR_TYPE: TYPE_BOOLEAN},
   DRIVE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 1000)},
-  DRIVE_V3_BETA: {VAR_TYPE: TYPE_BOOLEAN},
   EMAIL_BATCH_SIZE: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 100)},
   ENABLE_DASA: {VAR_TYPE: TYPE_BOOLEAN, VAR_SIGFILE: 'enabledasa.txt', VAR_SFFT: (FALSE, TRUE)},
   ENABLE_GCLOUD_REAUTH: {VAR_TYPE: TYPE_BOOLEAN},
@@ -558,7 +555,6 @@ VAR_INFO = {
   INTER_BATCH_WAIT: {VAR_TYPE: TYPE_FLOAT, VAR_LIMITS: (0.0, 60.0)},
   LICENSE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (10, 1000)},
   LICENSE_SKUS: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
-  MEET_V2_BETA: {VAR_TYPE: TYPE_BOOLEAN},
   MEMBER_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 200)},
   MEMBER_MAX_RESULTS_CI_BASIC: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 1000)},
   MEMBER_MAX_RESULTS_CI_FULL: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 500)},

src/gam/gamlib/glclargs.py

@@ -411,6 +411,7 @@ class GamCLArgs():
   ARG_ALERTFEEDBACK = 'alertfeedback'
   ARG_ALERTFEEDBACKS = 'alertfeedbacks'
   ARG_ALERTSFEEDBACK = 'alertsfeedback'
+  ARG_ALERTSETTINGS = 'alertsettings'
   ARG_ALIAS = 'alias'
   ARG_ALIASES = 'aliases'
   ARG_ALIASDOMAIN = 'aliasdomain'
@@ -441,6 +442,8 @@ class GamCLArgs():
   ARG_BUCKETS = 'buckets'
   ARG_BUILDING = 'building'
   ARG_BUILDINGS = 'buildings'
+  ARG_BUSINESSPROFILEACCOUNT = 'businessprofileaccount'
+  ARG_BUSINESSPROFILEACCOUNTS = 'businessprofileaccounts'
   ARG_CAALEVEL = 'caalevel'
   ARG_CAALEVELS = 'caalevels'
   ARG_CALATTENDEES = 'calattendees'
@@ -525,6 +528,9 @@ class GamCLArgs():
   ARG_COURSEANNOUNCEMENTS = 'courseannouncements'
   ARG_COURSEMATERIALS = 'coursematerials'
   ARG_COURSEPARTICIPANTS = 'courseparticipants'
+  ARG_COURSESTUDENTGROUP = 'coursestudentgroup'
+  ARG_COURSESTUDENTGROUPS = 'coursestudentgroups'
+  ARG_COURSESTUDENTGROUPMEMBERS = 'coursestudentgroupmembers'
   ARG_COURSESUBMISSIONS = 'coursesubmissions'
   ARG_COURSETOPICS = 'coursetopics'
   ARG_COURSEWORK = 'coursework'
@@ -1011,6 +1017,7 @@ class GamCLArgs():
   OB_PROJECT_ID_ENTITY = 'ProjectIDEntity'
   OB_PROPERTY_KEY = 'PropertyKey'
   OB_PROPERTY_VALUE = 'PropertyValue'
+  OB_PUBSUB_TOPIC_NAME = 'PubSubTopicName'
   OB_QUERY = 'Query'
   OB_QUERY_ITEM = 'QueryItem'
   OB_QUERY_LIST = 'QueryList'
@@ -1050,7 +1057,10 @@ class GamCLArgs():
   OB_SPREADSHEET_RANGE_LIST = 'SpreadsheetRangeList'
   OB_STATE_NAME_LIST = "StateNameList"
   OB_STRING = 'String'
+  OB_STRING_ENTITY = 'StringEntity'
   OB_STRING_LIST = 'StringList'
+  OB_STUDENTGROUP_ID = 'StudentGroupID'
+  OB_STUDENTGROUP_ID_ENTITY = 'StudentGroupIDEntity'
   OB_STUDENT_ITEM = 'StudentItem'
   OB_TAG = 'Tag'
   OB_TAGMANAGER_PATH_LIST = 'TagManagerPathList'

src/gam/gamlib/glentity.py

@@ -54,6 +54,7 @@ class GamEntity():
   ALERT_ID = 'alri'
   ALERT_FEEDBACK = 'alfb'
   ALERT_FEEDBACK_ID = 'alfi'
+  ALERT_SETTINGS = 'alrs'
   ALIAS = 'alia'
   ALIAS_EMAIL = 'alie'
   ALIAS_TARGET = 'alit'
@@ -75,6 +76,7 @@ class GamEntity():
   BACKUP_VERIFICATION_CODES = 'buvc'
   BUILDING = 'bldg'
   BUILDING_ID = 'bldi'
+  BUSINESS_PROFILE_ACCOUNT = 'bpac'
   CAA_LEVEL = 'calv'
   CALENDAR = 'cale'
   CALENDAR_ACL = 'cacl'
@@ -153,6 +155,8 @@ class GamEntity():
   COURSE_MATERIAL_STATE = 'cmst'
   COURSE_NAME = 'cona'
   COURSE_STATE = 'cost'
+  COURSE_STUDENTGROUP = 'cosg'
+  COURSE_STUDENTGROUP_MEMBER = 'csgm'
   COURSE_SUBMISSION_ID = 'csid'
   COURSE_SUBMISSION_STATE = 'csst'
   COURSE_TOPIC = 'ctop'
@@ -284,10 +288,11 @@ class GamEntity():
   MIMETYPE = 'mime'
   MOBILE_DEVICE = 'mobi'
   NAME = 'name'
+  NONEDITABLE_ALIAS = 'neal'
   NOTE = 'note'
   NOTE_ACL = 'nota'
   NOTES_ACLS = 'naac'
-  NONEDITABLE_ALIAS = 'neal'
+  NOTIFICATION = 'noti'
   OAUTH2_TXT_FILE = 'oaut'
   OAUTH2SERVICE_JSON_FILE = 'oau2'
   ORGANIZATIONAL_UNIT = 'orgu'
@@ -413,6 +418,7 @@ class GamEntity():
     ALERT_ID: ['Alert IDs', 'Alert ID'],
     ALERT_FEEDBACK: ['Alert Feedbacks', 'Alert Feedback'],
     ALERT_FEEDBACK_ID: ['Alert Feedback IDs', 'Alert Feedback ID'],
+    ALERT_SETTINGS: ['Alert Settings', 'Alert Settings'],
     ALIAS: ['Aliases', 'Alias'],
     ALIAS_EMAIL: ['Alias Emails', 'Alias Email'],
     ALIAS_TARGET: ['Alias Targets', 'Alias Target'],
@@ -434,6 +440,7 @@ class GamEntity():
     BACKUP_VERIFICATION_CODES: ['Backup Verification Codes', 'Backup Verification Codes'],
     BUILDING: ['Buildings', 'Building'],
     BUILDING_ID: ['Building IDs', 'Building ID'],
+    BUSINESS_PROFILE_ACCOUNT: ['Business Profile Accounts', 'Business Profile Account'],
     CAA_LEVEL: ['CAA Levels', 'CAA Level'],
     CALENDAR: ['Calendars', 'Calendar'],
     CALENDAR_ACL: ['Calendar ACLs', 'Calendar ACL'],
@@ -512,6 +519,8 @@ class GamEntity():
     COURSE_MATERIAL_STATE: ['Course Material States', 'Course Material State'],
     COURSE_NAME: ['Course Names', 'Course Name'],
     COURSE_STATE: ['Course States', 'Course State'],
+    COURSE_STUDENTGROUP: ['Course Student Groups', 'Course Student Group'],
+    COURSE_STUDENTGROUP_MEMBER: ['Course Student Group Members', 'Course Student Group Member'],
     COURSE_SUBMISSION_ID: ['Course Submission IDs', 'Course Submission ID'],
     COURSE_SUBMISSION_STATE: ['Course Submission States', 'Course Submission State'],
     COURSE_TOPIC: ['Course Topics', 'Course Topic'],
@@ -643,10 +652,11 @@ class GamEntity():
     MIMETYPE: ['MIME Types', 'MIME Type'],
     MOBILE_DEVICE: ['Mobile Devices', 'Mobile Device'],
     NAME: ['Names', 'Name'],
+    NONEDITABLE_ALIAS: ['Non-Editable Aliases', 'Non-Editable Alias'],
     NOTE: ['Notes', 'Note'],
     NOTE_ACL: ['Note ACLs', 'Note ACL'],
     NOTES_ACLS: ["'Note's ACLs", "Note's ACLs"],
-    NONEDITABLE_ALIAS: ['Non-Editable Aliases', 'Non-Editable Alias'],
+    NOTIFICATION: ['Notifications', 'Notification'],
     OAUTH2_TXT_FILE: ['Client OAuth2 File', 'Client OAuth2 File'],
     OAUTH2SERVICE_JSON_FILE: ['Service Account OAuth2 File', 'Service Account OAuth2 File'],
     ORGANIZATIONAL_UNIT: ['Organizational Units', 'Organizational Unit'],

src/gam/gamlib/glglobals.py

@@ -31,6 +31,8 @@ API_CALLS_RETRY_DATA = 'rtry'
 CACHE_DIR = 'gacd'
 # Reset GAM cache directory after discovery
 CACHE_DISCOVERY_ONLY = 'gcdo'
+# Classroom owner service object
+CLASSROOM_OWNER_SA = 'cosa'
 # Classroom service not available
 CLASSROOM_SERVICE_NOT_AVAILABLE = 'csna'
 # Command logging
@@ -221,6 +223,7 @@ Globals = {
   API_CALLS_RETRY_DATA: {},
   CACHE_DIR: None,
   CACHE_DISCOVERY_ONLY: True,
+  CLASSROOM_OWNER_SA: {},
   CLASSROOM_SERVICE_NOT_AVAILABLE: False,
   CMDLOG_HANDLER: None,
   CMDLOG_LOGGER: None,

src/gam/gamlib/glmsgs.py

@@ -53,7 +53,7 @@ Please go to:
  5. Click "NEXT"
  6. Under "Audience", choose INTERNAL
  7. Click "NEXT"
- 8. Under, "Contact Information", enter an email address in "Email addresses *"
+ 8. Under, "Contact Information", enter {2} or another value in "Email addresses *"
  9. Click "NEXT"
 10. Under "Finish", click "I agree to the Google API Services: User Data Policy."
 11. Click "CONTINUE"
@@ -433,6 +433,7 @@ NO_SVCACCT_ACCESS_ALLOWED = 'No Service Account Access allowed'
 NO_TRANSFER_LACK_OF_DISK_SPACE = 'Transfer not performed due to lack of target drive space.'
 NO_USAGE_PARAMETERS_DATA_AVAILABLE = 'No usage parameters data available.'
 NO_USER_COUNTS_DATA_AVAILABLE = 'No User counts data available.'
+NUM_SELECTED_CLIENT_SCOPES = '\n{0} scopes are selected, if more than {1} scopes are selected, Google will probably generate a "Something went wrong" error\n'
 OAUTH2_GO_TO_LINK_MESSAGE = """
 Go to the following link in a browser on this computer or on another computer:
 
@@ -464,6 +465,7 @@ PROCESSING_ITEM_N = '{0},0,Processing item {1}\n'
 PROCESSING_ITEM_N_OF_M = '{0},0,Processing item {1}/{2}\n'
 PROFILE_PHOTO_NOT_FOUND = 'Profile photo not found'
 PROFILE_PHOTO_IS_DEFAULT = 'Profile photo is default'
+QUOTA_EXCEEDED = 'Quota exceeded'
 REASON_ONLY_VALID_WITH_CONTENTRESTRICTIONS_READONLY_TRUE = 'reason only valid with contentrestrictions readonly true'
 REAUTHENTICATION_IS_NEEDED = 'Reauthentication is needed, please run\n\ngam oauth create'
 RECOMMEND_RUNNING_GAM_ROTATE_SAKEY = 'Recommend running "gam rotate sakey" to get a new key\n'

src/gam/googleapiclient/version.py

@@ -12,4 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-__version__ = "2.164.0"
+__version__ = "2.179.0"

src/tools/ssd.mjs

@@ -0,0 +1,125 @@
+// Node.js script that implements an Appium client which will launch
+// Simply Sign Desktop app and log a user in. Once logged in it should
+// be possible to use tools like signtool.exe to sign Windows EXE/MSI files
+// with the Certum certificate.
+
+import { Key, remote } from 'webdriverio';
+import { exec } from 'child_process';
+import { TOTP } from 'totp-generator';
+
+async function screenshot(driver, filename) {
+  // uncomment to save .png screenshots
+  //await driver.saveScreenshot(filename);
+  return
+}
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+async function executeCommand(command) {
+  try {
+    let { stdout, stderr } = await exec(command);
+    return stdout;
+  } catch (error) {
+    console.error(`Error executing command: ${command}`);
+    console.error(`Error details: ${error}`);
+    throw error; 
+  }
+}
+
+async function runSSD() {
+    const opts = {
+        port: 4723,
+        logLevel: "silent",
+        capabilities: {
+            platformName: "Windows",
+            "appium:app": "C:\\Program Files\\Certum\\SimplySign Desktop\\SimplySignDesktop.exe",
+            "appium:automationName": "Windows",
+        },
+    };
+
+    let driver;
+    try {
+        driver = await remote(opts);
+        
+        // Github Actions Win ARM64 is stuck on a OOB screen that steals focus
+        // These enter / escapes should dismiss it.
+        const runner_arch =  process.env.RUNNER_ARCH;
+        if ( runner_arch === "ARM64" ) {
+          console.log('Running on ARM64...');
+          await sleep(3000); // Pause execution for 3 seconds
+          await screenshot(driver, 'oob1.png');
+          await driver.sendKeys([Key.Enter]);
+          await sleep(3000); // Pause execution for 3 seconds
+          await screenshot(driver, 'oob2.png');
+          await driver.sendKeys([Key.Enter]);
+          await sleep(3000); // Pause execution for 3 seconds
+          await screenshot(driver, 'oob3.png');
+          await driver.sendKeys([Key.Escape]);
+          await screenshot(driver, 'oob6.png');
+        } else {
+          console.log('NOT running on ARM64');
+        }
+
+        //  Execute SSD again to open login dialog
+        exec('"C:\\Program Files\\Certum\\SimplySign Desktop\\SimplySignDesktop.exe"', (error, stdout, stderr) => {
+          if (error) {
+            console.error(`exec error: ${error}`);
+            return;
+          }
+        });
+        await sleep(3000);
+
+        // Login
+        const windows = await driver.getWindowHandles();
+        const login_window = windows[0]
+        await driver.switchWindow(login_window);
+        await screenshot(driver, 'login01.png');
+        const id_value = 'jay0lee@gmail.com';
+        const id_arr =  [...id_value];
+        await driver.sendKeys(id_arr);
+        await screenshot(driver, 'login02.png');
+        await driver.sendKeys([Key.Tab]);
+        // We wait until the last possible second to generate
+        // our TOTP to ensure it's still valid.
+        const token_value = TOTP.generate(process.env.TOTP_SECRET, {algorithm: 'SHA-256'}).otp;
+        const token_arr =  [...token_value];
+        await driver.sendKeys(token_arr);
+        await screenshot(driver, 'login03.png');
+        await driver.sendKeys([Key.Enter]);
+
+        // TODO: it's expected that on successful login the window
+        // will close and these screenshots will error out. Figure
+        // out how to handle that gracefully.
+        await screenshot(driver, 'login04.png');
+        await sleep(500);
+        await screenshot(driver, 'login05.png');
+        await sleep(500);
+        await screenshot(driver, 'login06.png');
+        await sleep(500);
+        await screenshot(driver, 'login07.png');
+        await sleep(500);
+        await screenshot(driver, 'login08.png');
+        await sleep(500);
+        await screenshot(driver, 'login09.png');
+        await sleep(500);
+        await screenshot(driver, 'login10.png');
+        await sleep(500);
+        await screenshot(driver, 'login11.png');
+        await sleep(500);
+        await screenshot(driver, 'login12.png');
+
+    } catch (error) {
+        console.error("Error during Appium run:", error.name);
+    }
+
+    // INTENTIONAL Keep driver open so tray icon for Certum doesn't close
+    // finally {
+    //    if (driver) {
+    //        await driver.deleteSession(); // Close the Appium session
+    //    }
+    //}
+}
+
+runSSD();

wiki/Administrators.md

@@ -9,6 +9,7 @@
 - [Display administrators](#display-administrators)
 - [Copy privileges from one role to a new role](#copy-privileges-from-one-role-to-a-new-role)
 - [Copy roles from one administrator to another](#copy-roles-from-one-administrator-to-another)
+- [Copy non-system admin roles from a source workspace to a target workspace](#copy-non-system-admin-roles-from-a-source-workspace-to-a-target-workspace)
 
 ## API documentation
 * [About Administrator roles](https://support.google.com/a/answer/33325?ref_topic=4514341)
@@ -21,13 +22,16 @@
 <DomainName> ::= <String>(.<String>)+
 <EmailAddress> ::= <String>@<DomainName>
 <GroupItem> ::= <EmailAddress>|<UniqueID>|<String>
+<JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |
 <OrgUnitID> ::= id:<String>
 <OrgUnitPath> ::= /|(/<String)+
 <OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>
 <Privilege> ::= <String>
 <PrivilegeList> ::= "<Privilege>(,<Privilege)*"
 <RoleAssignmentID> ::= <String>
-<RoleItem> ::= id:<String>|uid:<String>|<String>
+<RoleID> ::= <String>
+<RoleName> ::= <String>
+<RoleItem> ::= id:<RoleID>|<RoleName>
 <UniqueID> ::= id:<String>
 <UserItem> ::= <EmailAddress>|<UniqueID>|<String>
 ```
@@ -1383,9 +1387,11 @@ Show 111 Privileges
 ## Manage administrative roles
 ```
 gam create adminrole <String> [description <String>]
-        privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>>)
+        privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>>)|<JSONData>
+        [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*]
 gam update adminrole <RoleItem> [name <String>] [description <String>]
-        [privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>>)] 
+        [privileges all|all_ou|<PrivilegeList>|(select <FileSelector>|<CSVFileSelector>>)|<JSONData>] 
+        [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*]
 gam delete adminrole <RoleItem>
 ```
 * `privileges all` - All defined privileges
@@ -1393,24 +1399,61 @@ gam delete adminrole <RoleItem>
 * `privileges <PrivilegeList>` - A specific list of privileges
 * `privileges select <FileSelector>|<CSVFileSelector>>` - A collection of privileges from a flat or CSV file
 
+By default, when an admin role is created|update, GAM displays `<RoleName>(<RoleID>) created|updated`.
+* `csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]` - Output the admin roledetails in CSV format.
+
+When `csv` is uused, Add additional columns of data from the command line to the output.
+* `addcsvdata <FieldName> <String>`
+
 ## Display administrative roles
 ```
 gam info adminrole <RoleItem> [privileges]
+        [formatjson]
 ```
 * `privileges` - Display privileges associated with role
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam show adminroles|roles
+        [role <RoleItem>] [privileges]
+	[nosystemroles]
+	[formatjson]
+```
+* `privileges` - Display privileges associated with each role
+
+By default, all roles are displayed:
+* `role <RoleItem>` - Display a specific role.
+* `nosystemroles` - Display onnly non-system roles.
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
 ```
 gam print adminroles|roles [todrive <ToDriveAttribute>*]
         [role <RoleItem>] [privileges] [oneitemperrow]
-gam show adminroles|roles
-        [role <RoleItem>] [privileges]
+        [nosystemroles]
+        [formatjson [quotechar <Character>]]
 ```
-By default, all roles are displayed, use `role <RoleItem>` to display a specific role.
-
 * `privileges` - Display privileges associated with each role
 
-By default, with `print`, all privileges for a role are shown on one row as a repeating item.
+By default, all privileges for a role are shown on one row as a repeating item.
 When `oneitemperrow` is specified, each privilege is output on a separate row/line with the other role fields.
 
+By default, all roles are displayed:
+* `role <RoleItem>` - Display a specific role.
+* `nosystemroles` - Display onnly non-system roles.
+
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
 ## Create an administrator
 Add an administrator role to an administrator.
 ```
@@ -1469,3 +1512,15 @@ gam config csv_input_row_filter "scopeType:regex:CUSTOMER" redirect stdout ./Upd
 gam config csv_input_row_filter "scopeType:regex:ORG_UNIT" redirect stdout ./UpdateNewAdminOrgUnitRoles.txt multiprocess redirect stderr stdout csv CurrentAdminRoles.csv gam create admin newadmin@domain.com "id:~~roleId~~" org_unit "id:~~orgUnitId~~"
 ```
 
+## Copy non-system admin roles from a source workspace to a target workspace
+This requires GAM version 7.18.01 or higher.
+
+In the source workspace to the following:
+```
+gam redirect csv ./SourceNonSystemRoles.csv print adminroles privileges nosystemroles formatjson quotechar "'"
+```
+
+In the target workspacce do the following:
+```
+gam redirect csv ./TargetNonSystemRoles.csv multiprocess quotechar "'"  redirect stderr - multiprocess csv SourceNonSystemRoles.csv quotechar "'" gam create adminrole "~roleName" description "~roleDescription" privileges json "~JSON" csv addcsvdata oldRoleId "~roleId" formatjson
+```

wiki/Alert-Center.md

@@ -7,6 +7,7 @@
 - [Display alerts](#display-alerts)
 - [Manage alert feedback](#manage-alert-feedback)
 - [Display alert feedback](#display-alert-feedback)
+- [Configuring settings](#configuring-settings)
 
 ## API documentation
 * [Alert Center API](https://developers.google.com/admin-sdk/alertcenter/reference/rest/)
@@ -18,6 +19,7 @@
 ## Definitions
 ```
 <AlertID> ::= <String>
+<PubSubTopicName> ::= <String>
 <QueryAlert> ::= <String> See: https://developers.google.com/admin-sdk/alertcenter/guides/query-filters
 ```
 ## Introduction
@@ -95,3 +97,15 @@ the quote character itself, the column delimiter (comma by default) and new-line
 When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+## Configuring settings
+
+Alert Center can be configured to send notifications to a Google Cloud Pub/Sub topic, but it first requires configuration.
+* See https://developers.google.com/workspace/admin/alertcenter/guides/notifications for information.
+
+Gam can be used to display or modify the settings:
+```
+gam show alertsettings
+gam update alertsettings <PubSubTopicName>
+gam clear alertsettings
+```

wiki/Basic-Items.md

@@ -436,6 +436,7 @@
         Must match this Python Regular Expression: [a-zA-Z0-9 '"!-]{4,30}
 <PropertyKey> ::= <String>
 <PropertyValue> ::= <String>
+<PubSubTopicName> ::= <String>
 <QueryAlert> ::= <String>
         See: https://developers.google.com/admin-sdk/alertcenter/guides/query-filters
 <QueryBrowser> ::= <String>
@@ -502,6 +503,7 @@
 <SiteItem> ::= [<DomainName>/]<SiteName>
 <S/MIMEID> ::= <String>
 <SMTPHostName> ::= <String>
+<StudentGroupID> ::= <Number>
 <StudentItem> ::= <EmailAddress>|<UniqueID>|<String>
 <SharedDriveACLRole> ::=
         commenter|

wiki/Business-Account-Management.md

@@ -0,0 +1,36 @@
+# Users - Business Account Management
+- [API documentation](#api-documentation)
+- [Introduction](#introduction)
+- [Definitions](#definitions)
+- [Display Business Profile Accounts](#display-business-profile-accounts)
+
+## API documentation
+* [Business Account Management](https://developers.google.com/my-business/reference/accountmanagement/rest)
+
+
+## Introduction
+These features were added in version 7.18.00.
+
+To use these commands you add the 'Business Account Management API' to your project and update client authorization.
+```
+gam update project
+gam oauth create
+...
+[*]  0)  Business Account Management API
+
+```
+## Definitions
+* [`<UserTypeEntity>`](Collections-of-Users)
+
+## Display Business Profile Accounts
+```
+gam <UserItem> show businessprofileaccounts
+        [type locationgroup|organization|personal|usergroup]
+```
+Gam displays the information as an indented list of keys and values.
+
+```
+gam <UserItem> print businessprofileaccounts [todrive <ToDriveAttribute>*]
+        [type locationgroup|organization|personal|usergroup]
+```
+Gam displays the information as columns of fields.

wiki/Chat-Bot-Setup-Use.md

@@ -1,4 +1,4 @@
-# Chat Bot
+# Chat Bot Setup and Use
 - [Introduction](#introduction)
 - [Set up a Chat Bot](#set-up-a-chat-bot)
 - [API documentation](#api-documentation)

wiki/Chrome-Policies.md

@@ -239,6 +239,10 @@ bookmarks.json
 
 gam update chromepolicy chrome.users.ManagedBookmarksSetting  json file bookmarks.json orgunit "/Students/
 ```
+Allowlist the Google Translate extension for the Students OrgUnit
+```
+gam update chromepolicy chrome.users.apps.InstallType appInstallType ALLOWED app_id chrome:aapbdbdomjkkjkaonfhkkikfgjllcleb ou "/Students"
+```
 
 ## Delete Chrome policy
 You can delete a policy for all devices/users within an OU, users with a group or for a specific printer or application within an OU.
@@ -9946,4 +9950,4 @@ chrome.users.ZstdContentEncodingEnabled: Zstd compression.
     false: Do not allow zstd-compressed web content.
 
 
-```
+```

wiki/ChromeOS-Devices.md

@@ -62,15 +62,6 @@ To use the `crostelemetry` commands you must authorize an additional scope:
 gam oauth create
 ```
 
-Many commands come in two forms:
-```
-gam <CrOSTypeEntity> <Command> ...
-gam <Command> cros <CrOSEntity> ...
-```
-The first form allows more powerful selection of devices with `<CrOSTypeEntity>`.
-
-The second form is backwards compatible with Legacy GAM and selection with `<CrOSEntity>` is limited.
-
 ## Definitions
 * [`<CrOSTypeEntity>`](Collections-of-ChromeOS-Devices)
  
@@ -332,7 +323,6 @@ gam select default config update_cros_ou_with_id true save
 
 ```
 gam <CrOSTypeEntity> update <CrOSAttribute>+ [quickcrosmove [<Boolean>]] [nobatchupdate]
-gam update cros <CrOSEntity> <CrOSAttribute>+ [quickcrosmove [<Boolean>]] [nobatchupdate]
 ```
 
 Google has introduced a new, faster method for moving CrOS devices to a new OU. The `quickcrosmove` option controls which method Gam uses.
@@ -419,8 +409,6 @@ gam update ou csvkmd cros.csv keyfield OU datafield deviceId add croscsvdata dev
 
 gam <CrOSTypeEntity> update action <CrOSAction> [acknowledge_device_touch_requirement]
         [actionbatchsize <Integer>]
-gam update cros <CrOSEntity> action <CrOSAction> [acknowledge_device_touch_requirement]
-        [actionbatchsize <Integer>]
 ```
 As of GAM version `6.67.00`, the new API function `batchChangeStatus` replaces the old API function `action`; ChromeOS devices are now processed in batches.
 The batch size defaults to 10, the `actionbatchsize <Integer>` option can be used to set a batch size between 10 and 250.
@@ -457,21 +445,18 @@ is configurable from 0 to some large number. If the status reaches `EXPIRED`, `C
         wipe_users|
         take_a_screenshot
 
-gam cros <CrOSTypeEntity> issuecommand command <CrOSCommand> [times_to_check_status <Integer>] [doit]
-gam issuecommand cros <CrOSEntity> command <CrOSCommand> [times_to_check_status <Integer>] [doit]
+gam <CrOSTypeEntity> issuecommand command <CrOSCommand> [times_to_check_status <Integer>] [doit]
 ```
 If the final status is not reached before GAM exits, you can issue the following commands to continue checking the status.
 ```
-gam cros <CrOSTypeEntity> getcommand commandid <CommandID> [times_to_check_status <Integer>]
-gam getcommand cros <CrOSEntity> commandid <CommandID> [times_to_check_status <Integer>]
+gam <CrOSTypeEntity> getcommand commandid <CommandID> [times_to_check_status <Integer>]
 ```
 
 ### Action Examples
 Remove user profile data from the device; the device will remain enrolled and connected.
 User data not synced to the Cloud including Downloads, Android app data and Crostini Linux VMs will be permanently lost.
-Commands with issuecommand directly after gam will work with Legacy GAM & GAM7, whereas commands where the issuecommand is after the cros <CrOSTypeEntity> will work only with GAM7. 
 ```
-gam issuecommand cros dd1d659a-0ea4-4e94-905e-4726c7a5f1e9 command wipe_users doit
+gam cros dd1d659a-0ea4-4e94-905e-4726c7a5f1e9 issuecommand command wipe_users doit
 ```
 Remove profiles using the annotatedAssetID, which is a user editable field, in this example the device has an asset ID of CB1234.
 ```
@@ -483,14 +468,12 @@ gam cros_queries "asset_id:CB1234,asset_id:CB5678" issuecommand command wipe_use
 ```
 Powerwash the device with serial number 143040348.
 ```
-gam issuecommand cros query:id:143040348 command remote_powerwash times_to_check_status 10 doit
 gam cros_sn 143040348 issuecommand command remote_powerwash times_to_check_status 10 doit
 ```
 
 Powerwash all devices in the /StudentCarts OrgUnit. Devices will need to be manually reconnected to WiFi which may mean entering a PSK.
 Use `wipe_users` if that's going to create too much work for you.
 ```
-gam issuecommand cros "query:orgunitpath:/StudentCarts" command remote_powerwash times_to_check_status 0 doit
 gam cros_ou /StudentCarts issuecommand command remote_powerwash times_to_check_status 0 doit
 ```
 ## ChromeOS device lists
@@ -829,7 +812,6 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 
 ```
 gam <CrOSTypeEntity> info downloadfile latest|<Time> [targetfolder <FilePath>]
-gam info cros <CrOSEntity> downloadfile latest|<Time> [targetfolder <FilePath>]
 ```
 
 Select the device file to download by its timestamp.

wiki/Classroom-Membership.md

@@ -12,6 +12,7 @@
 * [Google Classroom API](https://developers.google.com/classroom/reference/rest)
 * [Google Classroom API - Courses Students](https://developers.google.com/classroom/reference/rest/v1/courses.students)
 * [Google Classroom API - Courses Teachers](https://developers.google.com/classroom/reference/rest/v1/courses.teachers)
+* [Classroom Membership Limits](https://support.google.com/edu/classroom/answer/7300976)
 
 ## Definitions
 ```

wiki/Classroom-StudentGroups.md

@@ -0,0 +1,272 @@
+# Classroom - Student Groups
+- [Notes](#notes)
+- [API documentation](#api-documentation)
+- [Definitions](#definitions)
+- [Special quoting for course aliases](#special-quoting-for-course-aliases)
+- [Special quoting for lists of titles](#special-quoting-for-lists-of-titles)
+- [Manage student groups](#manage-student-groups)
+- [Display student groups](#display-student-groups)
+- [Display student group counts](#display-student-group-counts)
+- [Manage student group membership](#manage-student-group-membership)
+- [Display student group membership](#display-student-group-membership)
+- [Display student group membership counts](#display-student-group-membership-counts)
+
+## Notes
+These commands wera added in version 7.20.00.
+
+To use these commands your project must be enrolled the Developer Preview program.
+* https://developers.google.com/workspace/preview
+
+You will need your GAM project number.
+* Login as an existing super admin at console.cloud.google.com
+* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
+* Under IAM & Admin select IAM
+* Click in the box to the right of Google Cloud
+* Click the three dots at the right and select Manage Resources
+* Click the three dots at the end of the line for your GAM project
+* Click Settings
+* You will see the Project number; save it
+
+You will need an API key
+* In the upper left click the three lines to the left of Google Cloud and select APIs & Services
+* Under APIs & Services select Credentials
+* If you already have an API key, click Show key at the end of the line and save the value
+* If you don't have an API key, click +Credentials and select API key
+* Save the displayed API key
+* Click close
+
+Issue the following GAM command:
+`gam config developer_preview_api_key <API Key Value> save`
+
+Once you get an email from Google saying that your project has been registered you can use these commands.
+
+## API documentation
+* [Google Classroom API](https://developers.google.com/classroom/reference/rest)
+* [Google Classroom Student Groups](https://developers.google.com/workspace/classroom/reference/rest/v1/courses.studentGroups)
+* [Google Classroom Student Group Members](https://developers.google.com/workspace/classroom/reference/rest/v1/courses.studentGroups.studentGroupMembers)
+
+## Definitions
+```
+<DomainName> ::= <String>(.<String>)+
+<EmailAddress> ::= <String>@<DomainName>
+<UniqueID> ::= id:<String>
+<UserItem> ::= <EmailAddress>|<UniqueID>|<String>
+
+<CourseAlias> ::= <String>
+<CourseID> ::= <Number>|d:<CourseAlias>
+<CourseIDList> ::= "<CourseID>(,<CourseID>)*"
+<CourseEntity> ::=
+        <CourseIDList> | <FileSelector> | <CSVFileSelector | <CSVkmdSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
+<CourseState> ::= active|archived|provisioned|declined|suspended
+<CourseStateList> ::= all|"<CourseState>(,<CourseState>)*"
+
+<StringList> ::= "<String>(,<String>)*"
+<StringEntity> ::=
+        <StringList> | <FileSelector> | <CSVFileSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
+
+<StudentGroupID> ::= <Number>
+<StudentGroupIDList> ::= "<StudentGroupID>(,<StudentGroupID>)*"
+<StudentGroupEntity> ::=
+        <StudentGroupIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector>
+```
+## Special quoting for course aliases
+As course aliases can contain spaces, some care must be used when entering `<CourseAliasList>`, `<CourseID>`, `<CourseIDList>` and `<CourseEntity>`.
+
+Suppose you have a course with the alias `Math Class`. To get information about it you enter the command: `gam info course "d:Math Class"`
+
+The shell strips the `"` leaving a single argument `d:Math Class`; gam correctly processes the argument as it is expecting a single course.
+
+Suppose you enter the command: `gam info courses "d:Math Class"`
+
+The shell strips the `"` leaving a single argument `d:Math Class`; as gam is expecting a list, it splits the argument on space leaving two items and then tries to process `d:Math` and `Class`, not what you want.
+
+You must enter: `gam info courses "'d:Math Class'"`
+
+The shell strips the `"` leaving a single argument `'d:Math Class'`; as gam is expecting a list, it splits the argument on space while honoring the `'` leaving one item `d:Math Class` and correctly processes the item.
+
+For multiple aliases you must enter: `gam info courses "'d:Math Class','d:Science Class'"`
+
+## Special quoting for lists of titles
+As student group titles can contain spaces, some care must be used when entering `selevct <StringList>`.
+
+Suppose you want to create a student group `Advanced Students`. `gam create course-studentgroups course <CourseID> title "Advanced Students"`
+
+The shell strips the `"` leaving a single argument `Advanced Math`; gam correctly processes the argument as it is expecting a single title.
+
+Suppose you enter the command: `gam create course-studentgroups course <CourseID> select "Advanced Students"`
+
+The shell strips the `"` leaving a single argument `Advanced Students`; as gam is expecting a list, it splits the argument on space leaving two items and then tries to process `Advanced` and `Students`, not what you want.
+
+You must enter: `gam create course-studentgroups course <CourseID> select "'Advanced Students'"`
+
+The shell strips the `"` leaving a single argument `'Advanced Students'`; as gam is expecting a list, it splits the argument on space while honoring the `'` leaving one item `Advanced Students` and correctly processes the item.
+
+For multiple titles you can enter either of the following:
+* `gam create course-studentgroups course <CourseID> select "'Advanced Students','Beginner Students'"`
+* `gam create course-studentgroups course <CourseID> title"Advanced Students" title "Beginner Students"`
+
+See: [Lists and Collections](Lists-and-Collections)
+
+## Manage student groups
+
+```
+gam create course-studentgroups
+        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])
+        ((title <String>)|(select <StringEntity))+
+        [csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]]
+gam update course-studentgroups <CourseID> <StudentGroupID> title <String>
+gam delete course-studentgroups <CourseID> <StudentGroupIDEntity>
+gam clear course-studentgroups
+        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])
+```
+
+When creating student groups, the API does not check for duplicate titles; you can have multiple student grpups
+with the same title; they will have unique `<StudentGroupID>s`.
+
+The `update|delete course-studentgroups` commands manage a specific course.
+
+By default, the `create|clear course-studentgroups` commands manage student group information about all courses.
+
+To manage student group information for a specific set of courses, use the following option; it can be repeated to select multiple courses.
+* `(course|class <CourseID>)*` - Display courses with the specified `<CourseID>`.
+
+To manage student group information for courses based on their having a particular participant, use the following options. Both options can be specified.
+* `teacher <UserItem>` - Display courses with the specified teacher.
+* `student <UserItem>` - Display courses with the specified student.
+
+To manage student group information for courses based on their state, use the following option. This option can be combined with the `teacher` and `student` options.
+By default, all course states are selected.
+* `states <CourseStateList>` - Display courses with any of the specified states.
+
+By default, when a student group is created, you will get output like this:
+```
+Course: <CourseID>, Course Student Group: <Title>(<StudentGroupId>), Added
+```
+If you use the `csv` option, you will get output like this:
+```
+courseId,courseName,studentGroupId,studentGroupTitle
+<CourseID>,<CourseName>,<StudentGroupID>,<Title>
+```
+This gives you a record the the student group IDs.
+
+### Example
+```
+$ more titles.csv
+title
+Advanced Students
+Middle Students
+Beginner Students
+
+$ gam redirect csv ./StudentGroups.csv add coursestudentgroups course <CourseID> select csvfile titles.csv:title csv
+
+$ more StudentGroups.csv 
+courseId,courseName,studentGroupId,studentGroupTitle
+<CourseID>,<CourseName>,796177544247,Advanced Students
+<CourseID>,<CourseName>,796177718666,Middle Students
+<CourseID>,<CourseName>,796177727901,Beginner Students
+```
+
+## Display student groups
+```
+gam print course-studentgroups [todrive <ToDriveAttribute>*]
+        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])
+        [formatjson [quotechar <Character>]]
+```
+By default, the `print course-studentgroups` command displays student group information about all courses.
+
+To display student group information for a specific set of courses, use the following option; it can be repeated to select multiple courses.
+* `(course|class <CourseID>)*` - Display courses with the specified `<CourseID>`.
+
+To display student group information for courses based on their having a particular participant, use the following options. Both options can be specified.
+* `teacher <UserItem>` - Display courses with the specified teacher.
+* `student <UserItem>` - Display courses with the specified student.
+
+To display student group information for courses based on their state, use the following option. This option can be combined with the `teacher` and `student` options.
+By default, all course states are selected.
+* `states <CourseStateList>` - Display courses with any of the specified states.
+
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+## Display student group counts
+Display the number of student groups
+```
+gam print course-studentgroup [todrive <ToDriveAttribute>*]
+        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])
+        showitemcountonly
+```
+
+## Manage student group membership
+```
+gam create course-studentgroup-members <CourseID> <StudentGroupID> <UserTypeEntity>
+gam delete course-studentgroup-members <CourseID> <StudentGroupID> <UserTypeEntity>
+gam sync course-studentgroup-members <CourseID> <StudentGroupID> <UserTypeEntity>
+gam clear course-studentgroupmembers <CourseID> <StudentGroupID>
+```
+
+# Display student group membership
+```
+gam print course-studentgroup-members [todrive <ToDriveAttribute>*]
+        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])
+        [formatjson [quotechar <Character>]]
+```
+By default, the `print course-studentgroup-members` command displays student group member information about all courses.
+
+To display student group member information for a specific set of courses, use the following option; it can be repeated to select multiple courses.
+* `(course|class <CourseID>)*` - Display courses with the specified `<CourseID>`.
+
+To display student group member information for courses based on their having a particular participant, use the following options. Both options can be specified.
+* `teacher <UserItem>` - Display courses with the specified teacher.
+* `student <UserItem>` - Display courses with the specified student.
+
+To display student group member information for courses based on their state, use the following option. This option can be combined with the `teacher` and `student` options.
+By default, all course states are selected.
+* `states <CourseStateList>` - Display courses with any of the specified states.
+
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+## Display student group membership counts
+Display the number of student group members
+```
+gam print course-studentgroup-members [todrive <ToDriveAttribute>*]
+        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])
+        showitemcountonly
+```
+Example
+```
+$ gam print course-participants teacher asmith states active show students showitemcountonly
+Getting all Courses that match query (Teacher: asmith@domain.com, Course State: ACTIVE), may take some time on a large Google Workspace Account...
+Got 3 Courses...
+Getting Students for Course: 636981507234 (1/3)
+Got 30 Students...
+Got 43 Students...
+Getting Students for Course: 589346784341 (2/3)
+Got 22 Students...
+Getting Students for Course: 589345535881 (3/3)
+Got 23 Students...
+88
+```
+The `Getting` and `Got` messages are written to stderr, the count is writtem to stdout.
+
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print course-participants teacher asmith states active show students showitemcountonly)
+Windows PowerShell
+count = & gam print course-participants teacher asmith states active show students showitemcountonly
+```

wiki/Collections-of-Items.md

@@ -351,6 +351,8 @@ Data fields identified in a `csvkmd` argument.
         <SiteACLScopeList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <SiteEntity> ::=
         <SiteList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+<StudentGroupEntity> ::=
+        <StudentGroupIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector>
 <TagManagerAccountPathEntity> ::=
         <TagManagerAccountPathList> |
         (select <FileSelector>|<CSVFileSelector>) |

wiki/GamUpdates.md

@@ -10,6 +10,126 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
 
 See [Downloads-Installs-GAM7](https://github.com/GAM-team/GAM/wiki/Downloads-Installs) for Windows or other options, including manual installation
 
+### 7.20.01
+
+Added option `showaccesssettings` to `gam [<UserTypeEntity>] print|show chatspaces`. When listing
+Chat Spaces, the Chat API does not return the `accessSettings` field; if you need to see this field,
+add `showaccesssettings` to the command. This requires an additional Chat API call per chat space of type `SPACE`
+to get the `accessSettings` field.
+
+### 7.20.00
+
+Added initial support for student groups in Google Classroom. This is a work in progress and requires Developer Preview membership.
+* See: https://github.com/GAM-team/GAM/wiki/Classroom-StudentGroups#notes
+
+### 7.19.03
+
+Fixed bug where specifying a `<UserItem>` as `id:1234567890` could lead to errors like this:
+```
+ERROR: 400: invalidArgument - Resource name has invalid email.
+```
+
+### 7.19.02
+
+Update `gam info user <UserItem>` to eliminate 5 second delay when getting license info.
+
+Additional information:
+* See: https://github.com/GAM-team/GAM/wiki/Licenses#info-user-performance
+
+### 7.19.01
+
+Updated `gam <UserTypeEntity> print|show signature` to handle the following error
+that occurs when an alias is specified.
+```
+ERROR: 404: notFound - Requested entity was not found.
+```
+
+### 7.19.00
+
+Eliminated `drive_v3_beta` and `meet_v2_beta` from `gam.cfg` as the API betas are no longer used.
+
+Updated `Meet API` scopes so that GAM can read metadata about additional Meet spaces.
+```
+[*] 34)  Meet API - Manage/Display Meeting Spaces
+[*] 35)  Meet API - Read Meeting Spaces metadata
+```
+
+### 7.18.07
+
+Updated `gam <UserTypeEntity> print drivelastmodification` to put `addcsvdata` columns
+after `User,id,name` rather than after the last column.
+
+### 7.18.06
+
+Updated `gam <UserTypeEntity> delete|modify messages` to improve the handling
+of the following error.
+```
+quotaExceeded - User-rate limit exceeded
+```
+
+### 7.18.05
+
+Added support for Inbound SSO OIDC profiles.
+
+Currently, if you enter `gam select <SectionName>` and nothing else on the command line,
+GAM performs no action. Now, it will be treated as if you entered:
+`gam select <SectionName> save`
+
+Updated to Python 3.13.7.
+
+### 7.18.04
+
+Added commands to display/manage Alert Center Pub/Sub notifications.
+* See: https://github.com/GAM-team/GAM/wiki/Alert-Center#configuring-settings
+
+### 7.18.03
+
+Updated `gam oauth create` to give a warning if the number of selected scopes will
+probably cause Google to generate a "Something went wrong" error.
+
+### 7.18.02
+
+Upgraded to OpenSSL 3.5.2.
+
+### 7.18.01
+
+Added option `nosystemroles` to `gam print|show adminroles` that causes GAM
+to only display non-system roles.
+
+Added option `formatjson` to `gam info|print|show adminroles`; this will be most useful
+when the `privileges` option is used.
+
+Updated `gam create|update adminrole` to allow specification of privileges with
+JSON data: `privileges <JSONData>`. These two updates make it easier to copy admin roles.
+
+Updated `gam create|update adminrole` to allow output of the created/updated
+role data in CSV format; by default, GAM displays `<RoleName>(<RoleID>) created|updated`.
+```
+csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*
+```
+
+### 7.18.00
+
+Added commands to display Business Profile Accounts.
+These are special purpose commands and will not generally be used.
+```
+gam show businessprofileaccounts
+gam print businessprofileaccounts [todrive <ToDriveAttribute>*]
+```
+
+### 7.17.03
+
+Fixed bug in `gam <UserItem> print|show chatspaces asadmin fields <ChatSpaceFieldNameList>` that caused a trap
+when `displayname` was not in `<ChatSpaceFieldNameList>`.
+
+### 7.17.02
+
+Updated `gam <UserTypeEntity> print|show webmastersites` to handle the following error
+that occurs if you haven't updated your project to include the Google Search Console API.
+```
+ERROR: 403: permissionDenied - Google Search Console API has not been used in project 111055363999 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/searchconsole.googleapis.com/overview?project=111055363999 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
+```
+
 ### 7.17.01
 
 Fixed bug in `gam <UserTypeEntity> show webmastersites` that caused a trap.

wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md

@@ -252,10 +252,10 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin$ gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAM 7.17.01 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.20.01 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.5 64-bit final
-MacOS Sequoia 15.5 x86_64
+Python 3.13.7 64-bit final
+MacOS Sequoia 15.6.1 x86_64
 Path: /Users/admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 
@@ -990,9 +990,9 @@ writes the credentials into the file oauth2.txt.
 C:\>del C:\GAMConfig\oauth2.txt
 C:\>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAM 7.17.01 - https://github.com/GAM-team/GAM - pythonsource
+GAM 7.20.01 - https://github.com/GAM-team/GAM - pythonsource
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.5 64-bit final
+Python 3.13.7 64-bit final
 Windows-10-10.0.17134 AMD64
 Path: C:\GAM7
 Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com

wiki/Inbound-SSO.md

@@ -1,7 +1,9 @@
 # Inbound SSO
-- [Admin Console](#admin-console)
+- [Setup SSO](https://support.google.com/a/answer/12032922)
+- [Admin Console](https://admin.google.com/ac/security/sso)
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
+- [Setup SSO](#setupsso)
 - [Manage profiles](#manage-profiles)
 - [Display profiles](#display-profiles)
 - [Manage credentials](#manage-credentials)
@@ -9,12 +11,10 @@
 - [Manage assignments](#manage-assignments)
 - [Display assignments](#display-assignments)
 
-## Admin Console
-* https://admin.google.com/ac/security/sso
-
 ## API documentation
 * [Cloud Identity API - Inbound SAML SSO Profiles](https://cloud.google.com/identity/docs/reference/rest/v1beta1/inboundSamlSsoProfiles)
 * [Cloud Identity API - Inbound SAML SSO Profiles idp Credentials](https://cloud.google.com/identity/docs/reference/rest/v1beta1/inboundSamlSsoProfiles.idpCredentials)
+* [Cloud Identity API - Inbound OIDC SSO Profiles](https://cloud.google.com/identity/docs/reference/rest/v1beta1/inboundOidcSsoProfiles)
 * [Cloud Identity API - Inbound SSO Assignments](https://cloud.google.com/identity/docs/reference/rest/v1beta1/inboundSsoAssignments)
 
 ## Definitions
@@ -41,46 +41,68 @@
 ```
 ## Manage profiles
 ```
-gam create inboundssoprofile [name <SSOProfileDisplayName>]
+gam create inboundssoprofile [saml|oidc] [name <SSOProfileDisplayName>]
         [entityid <String>] [loginurl <URL>] [logouturl <URL>] [changepasswordurl <URL>]
         [returnnameonly]
-gam update inboundssoprofile <SSOProfileItem>
+gam update inboundssoprofile [saml|oidc] <SSOProfileItem>
         [entityid <String>] [loginurl <URL>] [logouturl <URL>] [changepasswordurl <URL>]
         [returnnameonly]
 ```
+Select type of profile:
+* `saml` - SAML profile; this is the default
+* `oidc` - OIDC profile
+
 By default, all fields of the created|updated profile are displayed;
 use the `returnnameonly` option to have GAM display just the profile name of the created|updated profile.
 This will be useful in scripts that create|update a profile and then want to perform subsequent GAM commands that
 reference the profile.
 
-If `returnnameonly is specified, `inProgress` is returned if the API does not return a complete result.
+If `returnnameonly` is specified, `inProgress` is returned if the API does not return a complete result.
 
 ```
-gam delete inboundssoprofile <SSOProfileItem>
+gam delete inboundssoprofile [saml|oidc] <SSOProfileItem>
 ```
+Select type of profile:
+* `saml` - SAML profile; this is the default
+* `oidc` - OIDC profile
 
 ## Display profiles
 Display a specific profile.
 ```
-gam info inboundssoprofile <SSOProfileItem>
+gam info inboundssoprofile [all|saml|oidc] <SSOProfileItem>
         [formatjson]
 ```
+Select type of profile:
+* `all` - All profiles are displayed; this is the default
+* `saml` - SAML profile
+* `oidc` - OIDC profile
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 
-Display all profiles.
+Display profiles.
 ```
-gam show inboundssoprofiles
+gam show inboundssoprofiles [all|saml|oidc]
         [formatjson]
 ```
+Select profiles to display:
+* `all` - All profiles are displayed; this is the default
+* `saml` - Display SAML profiles
+* `oidc` - Display OIDC profiles
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 
-Display all profiles in a CSV file.
+Display profiles in a CSV file.
 ```
-gam print inboundssoprofiles [todrive <ToDriveAttribute>*]
+gam print inboundssoprofiles [all|saml|oidc] [todrive <ToDriveAttribute>*]
         [[formatjson [quotechar <Character>]]
 ```
+Select profiles to display:
+* `all` - All profiles are displayed; this is the default
+* `saml` - Display SAML profiles
+* `oidc` - Display OIDC profiles
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -130,10 +152,14 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 
 ## Manage assignments
 ```
-gam create inboundssoassignment (group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)
-        (mode sso_off)|(mode saml_sso profile <SSOProfileItem>)(mode domain_wide_saml_if_enabled) [neverredirect]
-gam update inboundssoassignment [(group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)]
-        [(mode sso_off)|(mode saml_sso profile <SSOProfileItem>)(mode domain_wide_saml_if_enabled)] [neverredirect]
+gam create inboundssoassignment
+        (group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)
+        (mode sso_off)|(mode saml_sso profile <SSOProfileItem>)(mode domain_wide_saml_if_enabled)
+        [neverredirect]
+gam update inboundssoassignment  <SSOAssignmentName>
+        [(group <GroupItem> rank <Number>)|(ou|org|orgunit <OrgUnitItem>)]
+        [(mode sso_off)|(mode saml_sso profile <SSOProfileItem>)(mode domain_wide_saml_if_enabled)]
+        [neverredirect]
 gam delete inboundssoassignment <SSOAssignmentSelector>
 ```
 

wiki/Licenses.md

@@ -3,6 +3,7 @@
 - [License Products and SKUs](#license-products-and-skus)
 - [Definitions](#definitions)
 - [Notes](#Notes)
+- [Info User Performance](#info-user-performance)
 - [Display license counts](#display-license-counts)
 - [Display licenses](#display-licenses)
 - [Add licenses](#add-licenses)
@@ -233,6 +234,42 @@ nv:<String>:<String>
 ```
 The first `<String>` is a Product and the second `<String>` is a SKU.
 
+## Info User Performance
+
+In GAM versions prior 7.18.05, when you did `gam info user`, GAM would make one attempt to get the user's licenses.
+If something went wrong, you might not get the complete list.
+
+The License Manager API doesn't have a call that returns the list of licenses that a user has; you have to ask:
+```
+Does user have license SKU 1?
+Does user have license SKU 2?
+Does user have license SKU 3?
+...
+Does user have license SKU 73?
+```
+If you do a couple of info user commands back to back, you start to run into quota issues.
+
+You can help yourself in the following way: generate a list of all of the license SKUs that exist in your workspace.
+```
+gam config csv_output_row_filter "licenses:count>0" print license countsonly allskus
+Got 0 Licenses for 1010010001 (Cloud Identity)...
+Got 0 Licenses for 1010050001 (Cloud Identity Premium)...
+...
+Got 0 Licenses for Google-Vault (Google Vault)...
+Got 0 Licenses for Google-Vault-Former-Employee (Google Vault - Former Employee)...
+productId,productDisplay,skuId,skuDisplay,licenses
+101031,Google Workspace for Education,1010310008,Google Workspace for Education Plus,410
+101031,Google Workspace for Education,1010310009,Google Workspace for Education Plus (Staff),103
+101033,Google Voice,1010330004,Google Voice Standard,3
+Google-Apps,Google Workspace,1010070001,Google Workspace for Education Fundamentals,1453
+```
+
+Then do (example, use your actual list):
+`gam config license_skus 1010310008,1010310009,1010330004,1010070001 save`
+
+Now, rather that asking 73 questions per user, GAM will only ask about the license SKUs in the list.
+It is much less likely that quota issues will occur,
+
 ## Display license counts
 ```
 gam show licenses

wiki/List-Items.md

@@ -98,6 +98,7 @@
 <SharedDriveACLRoleList> ::= "<SharedDriveACLRole>(,<SharedDriveACLRole>)*"
 <SharedDriveIDList> ::= "<SharedDriveID>(,<SharedDriveID>)*"
 <StringList> ::= "<String>(,<String>)*"
+<StudentGroupIDList> ::= "<StudentGroupID>(,<StudentGroupID>)*"
 <TagManagerAccountPathList> ::= "<TagManagerAccountPath>(,<TagManagerAccountPath>)*"
 <TagManagerContainerPathList> ::= "<TagManagerContainerPath>(,<TagManagerContainerPath>)*"
 <TagManagerWorkspacePathList> ::= "<TagManagerWorkspacePath>(,<TagManagerWorkspacePath>)*"

wiki/Meta-Commands-and-File-Redirection.md

@@ -35,6 +35,9 @@ Select a section from gam.cfg and process a GAM command using values from that s
   - Print the variable values for the selected section
   - Values are determined in this order: Selected section, DEFAULT section, Program default
 
+If you enter `gam select <SectionName>` and nothing else on the command line,
+it will be treated as if you entered: `gam select <SectionName> save`
+
 ### Display sections
 Display all of the sections in gam.cfg and mark the currently selected section with a *.
 ```

wiki/Send-Email.md

@@ -392,7 +392,7 @@ Your command line will have: `embedimage file1.jpg image1 embedimage file2.jpg i
 
 ## Send an email to users
 ```
-gam <UserTypeEntity> sendemail [from <EmailAddress>]
+gam <UserTypeEntity> sendemail from <EmailAddress>
         [replyto <EmailAddress>]
         [cc <RecipientEntity>] [bcc <RecipientEntity>] [singlemessage]
         [subject <String>]
@@ -406,8 +406,6 @@ gam <UserTypeEntity> sendemail [from <EmailAddress>]
 ```
 Emails will be sent to the users in `<UserTypeEntity>`.
 
-By default, emails will be sent from the admin user named in oauth2.txt, override this with the `from <EmailAddress>` option.
-
 When using the Gmail API/SMTP, GAM gets no/little indication as to the status of the message delivery; the from user will get a non-delivery receipt if the message
 could not be sent to the specified recipients.
 

wiki/Users-Calendars.md

@@ -125,7 +125,7 @@
         (foregroundcolor <ColorValue>)|
         (hidden <Boolean>)|
         (notification clear|(email <CalendarEmailNotificatonEventTypeList>))|
-        (reminder clear|(email|popup <Number>)|(<Number> email|popup))|
+        (reminder clear|(email|popup <Number>)|(<Number> email|popup))*|
         (selected <Boolean>)|
         (summary <String>)
 

wiki/Users-Chat.md

@@ -320,24 +320,32 @@ By default, Gam displays the information as an indented list of keys and values.
 ```
 gam <UserTypeEntity> show chatspaces
         [types <ChatSpaceTypeList>]
-        [fields <ChatSpaceFieldNameList>]
+        [fields <ChatSpaceFieldNameList>] [showaccessssettings]
         [formatjson]
 ```
 By default, chat spaces of all types are displayed.
 * `types <ChatSpaceTypeList>` - Display specific types of spaces.
 
+When listing Chat Spaces, the Chat API does not return the `accessSettings` field; if you need to see this fieldf,
+add `showaccesssettings` to the command. This requires an additional Chat API call per chat space of type `SPACE`
+to get the `accessSettings` field.
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 
 ```
 gam <UserTypeEntity> print chatspaces [todrive <ToDriveAttribute>*]
         [types <ChatSpaceTypeList>]
-        [fields <ChatSpaceFieldNameList>]
+        [fields <ChatSpaceFieldNameList>] [showaccessssettings]
         [formatjson [quotechar <Character>]]
 ```
 By default, chat spaces of all types are displayed.
 * `types <ChatSpaceTypeList>` - Display specific types of spaces.
 
+When listing Chat Spaces, the Chat API does not return the `accessSettings` field; if you need to see this fieldf,
+add `showaccesssettings` to the command. This requires an additional Chat API call per chat space of type `SPACE`
+to get the `accessSettings` field.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -385,13 +393,17 @@ Only spaces of `<ChatSpaceType>` `space` are displayed; spaces of `<ChatSpaceTyp
 gam <UserItem> show chatspaces asadmin
         [query <String>] [querytime<String> <Time>]
         [orderby <ChatSpaceAdminOrderByFieldName> [ascending|descending]]
-        [fields <ChatSpaceFieldNameList>]
+        [fields <ChatSpaceFieldNameList>] [showaccessssettings]
         [formatjson]
 ```
 By default, all chat spaces of type SPACE are displayed.
 * `query <String> [querytime<String> <Time>]` - Display selected chat spaces
   * See: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
 
+When listing Chat Spaces, the Chat API does not return the `accessSettings` field; if you need to see this fieldf,
+add `showaccesssettings` to the command. This requires an additional Chat API call per chat space of type `SPACE`
+to get the `accessSettings` field.
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 
@@ -399,13 +411,17 @@ By default, Gam displays the information as an indented list of keys and values.
 gam <UserItem> print chatspaces asadmin [todrive <ToDriveAttribute>*]
         [query <String>] [querytime<String> <Time>]
         [orderby <ChatSpaceAdminOrderByFieldName> [ascending|descending]]
-        [fields <ChatSpaceFieldNameList>]
+        [fields <ChatSpaceFieldNameList>] [showaccessssettings]
         [formatjson [quotechar <Character>]]
 ```
 By default, all chat spaces of type SPACE are displayed.
 * `query <String> [querytime<String> <Time>]` - Display selected chat spaces
   * See: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
 
+When listing Chat Spaces, the Chat API does not return the `accessSettings` field; if you need to see this fieldf,
+add `showaccesssettings` to the command. This requires an additional Chat API call per chat space of type `SPACE`
+to get the `accessSettings` field.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -464,7 +480,7 @@ gam <UserItem> delete chatmember asadmin <ChatSpace>
 
 Delete members from a chat space by specifying chatmember names, asadmin
 ```
-gam <UserItem> remove chatmember members asadmin <ChatMemberList>
+gam <UserItem> remove chatmember asadmin members <ChatMemberList>
 ```
 
 ### Update a members role in a user's chat space
@@ -975,8 +991,9 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ## Bulk Operations
 ### Display information about all chat spaces for a collection of users
 ```
-gam config auto_batch_min 1 redirect csv ./ChatSpaces.csv multiprocess [todrive <ToDriveAttribute>*] redirect stdout - multiprocess redirect stderr <UserTypeEntity> print chatspaces
+gam config auto_batch_min 1 redirect csv ./ChatSpaces.csv multiprocess [todrive <ToDriveAttribute>*] redirect stdout - multiprocess redirect stderr <UserTypeEntity> print chatsacesp
         [types <ChatSpaceTypeList>]
+        [fields <ChatSpaceFieldNameList>] [showaccessssettings]
         [formatjson [quotechar <Character>]]
 ```
 

wiki/Users-Drive-Copy-Move.md

@@ -13,6 +13,7 @@
   - [Move with ownership change](#move-with-ownership-change)
   - [Complex moves](#complex-moves)
   - [Move content of a Shared Drive to another Shared Drive](#move-content-of-a-shared-drive-to-another-shared-drive)
+  - [Move content of a Shared Drive to a My Drive](#move-content-of-a-shared-drive-to-a-my-drive)
 
 ## API documentation
 * [Drive API - Files](https://developers.google.com/drive/api/v3/reference/files)
@@ -673,8 +674,10 @@ gam user user@domain.com move drivefile teamdriveid 0AC_1AB teamdriveparentid 0A
 ```
 
 If you want the source Shared Drive with ID 0AC_1AB to be contained in a top level folder of the target Shared Drive with ID 0AE_9ZX, omit the `mergewithparent` argument.
+The folder on the target Shared Drive will have the same name as the name of the source Shared Drive; use the `newfilename <DriveFileName>` to use a different name.
 ```
 gam user user@domain.com move drivefile teamdriveid 0AC_1AB teamdriveparentid 0AE_9ZX
+gam user user@domain.com move drivefile teamdriveid 0AC_1AB teamdriveparentid 0AE_9ZX newfilename "Copy of source Shared Drive"
 ```
 
 ### Inter-workspace moves
@@ -692,3 +695,21 @@ User: user@domaina.com, Move 1 Drive File/Folder
   User: user@domaina.com, Drive Folder: Shared Drive A(<SharedDriveAID>), Retained
 ```
 To get this to work, you must check `Allow people outside of Domain A to access files` on Shared Drive A in domaina.com
+
+## Move content of a Shared Drive to a My Drive
+Suppose you have a Shared Drive with ID 0AC_1AB with multiple files and folders, and want to move all of its content to the root of a My Drive.
+
+The following command will change the parents of the top level files and folders from 0AC_1AB to the root of the My Drive; the sub files and folders will move along with their top level folder.
+
+* No permissions are processed.
+```
+gam user user@domain.com move drivefile teamdriveid 0AC_1AB parentid root mergewithparent 
+```
+
+If you want the contents of Shared Drive with ID 0AC_1AB to be contained in a top level folder of the My Drive, omit the `mergewithparent` argument.
+The folder on the My Drive will have the same name as the name of the Shared Drive; use the `newfilename <DriveFileName>` to use a different name.
+```
+gam user user@domain.com move drivefile teamdriveid 0AC_1AB parentid root
+gam user user@domain.com move drivefile teamdriveid 0AC_1AB parentid root newfilename "Copy of Shared Drive"
+```
+

wiki/Users-Drive-Permissions.md

@@ -10,6 +10,8 @@
 - [Delete all ACLs except owner from a user's My Drive](#delete-all-acls-except-owner-from-a-users-my-drive)
 - [Change shares to User1 to shares to User2](#change-shares-to-user1-to-shares-to-user2)
 - [Map All ACLs from an old domain to a new domain](#map-all-acls-from-an-old-domain-to-a-new-domain)
+- [Remove all ACLs for a specific user or group email address](#remove-all-ACLs-for-a-specific-user-or-group-email-address)
+- [Remove anyone-anyoneWithLink ACLs](#remove-anyone-anyonewithlink-acls)
 
 ## API documentation
 * [Drive API - Permissions](https://developers.google.com/drive/api/v3/reference/permissions)
@@ -385,3 +387,83 @@ gam config csv_input_row_filter "permission.type:regex:user|group" redirect stdo
 gam config csv_input_row_filter "permission.type:regex:domain" redirect stdout ./AddNewDomainACLsDomainShares.txt multiprocess redirect stderr stdout csv ./allUsersFiles.csv gam user "~Owner" create drivefileacl "~id" "~permission.type" "~permission.domain" role "~permission.role" allowfilediscovery "~permission.allowFileDiscovery" mappermissionsdomain olddomain.com newdomain.com
 ```
     
+## Remove all ACLs for a specific user or group email address
+
+### My Drives
+
+Get My Drive ACLs sharing to that email address:
+* Replace `<Type>` with user or group
+* Replace `email@domain.com` with actual email address
+```
+gam config auto_batch_min 1 num_threads 20 redirect csv ./MyDriveShares.csv multiprocess redirect stderr - multiprocess all users print filelist fields id,name,mimetype,basicpermissions query "'email@domain.com' in readers or 'email@domain.com' in writers" pm notrole owner type <Type> emailaddress email@domain.com em pmfilter oneitemperrow
+```
+
+Delete those My Drive ACLs.
+```
+gam config num_threads 20 redirect stdout ./DeleteMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+```
+
+Add My Drive ACLs with a different email address and the same role.
+```
+gam config num_threads 20 redirect stdout ./AddMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" add drivefleacl "~id" "~permission.type" newemail@domain.rom role "~permission.role"
+```
+
+### Shared Drives
+Get an organizer for each Shared Drive
+```
+gam redirect csv ./SharedDriveOrganizers.csv print shareddriveorganizers
+```
+
+Get Shared Drive ACLs explicitly sharing to that email address:
+* Replace `<Type>` with user or group
+* Replace `email@domain.com` with actual email address
+```
+gam config num_threads 20 csv_input_row_filter "organizers:regex:^.+$" redirect csv ./SharedDriveShares.csv multiprocess redirect stderr - multiprocess csv SharedDriveOrganizers.csv gam user "~organizers"  print filelist select shareddriveid "~id" fields id,name,mimetype,basicpermissions,driveid showdrivename query "'email@domain.com' in readers or 'email@domain.com' in writers" pm type <Type> emailaddress email@domain.com inherited false em pmfilter oneitemperrow
+```
+
+Delete those Shared Drive ACLs.
+```
+gam config num_threads 20 redirect stdout ./DeleteSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+```
+
+Add Shared Drive ACLs with a different email address and the same role.
+```
+gam config num_threads 20 redirect stdout ./ReplaceSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" add drivefleacl "~id" "~permission.type" newemail@domain.rom role "~permission.role"
+```
+
+## Remove anyone-anyoneWithLink ACLs
+
+Here are the queries that will be used in these commands:
+* anyone - query "visibility='anyoneCanFind'"
+* anyoneWithLink - query "visibility='anyoneWithLink'"
+* both - query "(visibility='anyoneCanFind' or visibility='anyoneWithLink')"
+
+### My Drives
+
+Get My Drive anyone/anyoneWithLink ACLs
+```
+gam config auto_batch_min 1 num_threads 20 redirect csv ./MyDriveShares.csv multiprocess redirect stderr - multiprocess all users print filelist fields id,name,mimetype,basicpermissions <Query> pm type anyone em pmfilter oneitemperrow
+```
+
+Delete those My Drive ACLs.
+```
+gam config num_threads 20 redirect stdout ./DeleteMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+```
+
+### Shared Drives
+Get an organizer for each Shared Drive
+```
+gam redirect csv ./SharedDriveOrganizers.csv print shareddriveorganizers
+```
+
+Get Shared Drive anyone/anyoneWithLink ACLs
+```
+gam config num_threads 20 csv_input_row_filter "organizers:regex:^.+$" redirect csv ./SharedDriveShares.csv multiprocess redirect stderr - multiprocess csv SharedDriveOrganizers.csv gam user "~organizers"  print filelist select shareddriveid "~id" fields id,name,mimetype,basicpermissions,driveid showdrivename <Query> pm type anyone inherited false em pmfilter oneitemperrow
+```
+
+Delete those Shared Drive ACLs.
+```
+gam config num_threads 20 redirect stdout ./DeleteSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+```
+
+

wiki/Users-Meet.md

@@ -29,9 +29,10 @@ To use these commands you must add the 'Meet API' to your project and update you
 gam update project
 gam user user@domain.com update serviceaccount
 ...
-[*] 36)  Meet API (supports readonly)
-
+[*] 34)  Meet API - Manage/Display Meeting Spaces
+[*] 35)  Meet API - Read Meeting Spaces metadata
 ```
+
 ## Definitions
 * [`<UserTypeEntity>`](Collections-of-Users)
 ```

wiki/Users-Web-Resources-and-Sites.md

@@ -3,7 +3,7 @@
 - [Introduction](#introduction)
 - [Definitions](#definitions)
 - [Display Web Resources](#display-web-resources)
-- [Display Web Sites](#display-web-sites)
+- [Display Web Master Sites](#display-web-master-sites)
 
 ## API documentation
 * [Web Resources](https://developers.google.com/site-verification/v1/webResource/list)
@@ -36,13 +36,13 @@ gam <UserItem> print webresources [todrive <ToDriveAttribute>*]
 ```
 Gam displays the information as columns of fields.
 
-## Display Web Sites
+## Display Web Master Sites
 ```
-gam <UserItem> show websites
+gam <UserItem> show webmastersites
 ```
 Gam displays the information as an indented list of keys and values.
 
 ```
-gam <UserItem> print websites [todrive <ToDriveAttribute>*]
+gam <UserItem> print webmastersites [todrive <ToDriveAttribute>*]
 ```
 Gam displays the information as columns of fields.

wiki/Using-GAM7-with-a-delegated-admin-service-account.md

@@ -16,7 +16,10 @@ Delegated admin service accounts (DASA) are regular [GCP service accounts](https
 
 ## Disadvantages
 * DASA accounts can only be delegated admins. [If a task requires super admin rights to perform](https://support.google.com/a/answer/2405986#:~:text=Only%20super%20administrators%20can...), DASA accounts won’t be able to do it.
-Not all Google Admin APIs work with DASA right now. For example, Google Vault API calls will fail with a DASA account; Classroom API calls do not return data.
+Not all Google Admin APIs work with DASA right no:
+  * Google Vault API calls will fail with a DASA account
+  * Classroom API calls do not return data
+  * Cloud Identity Policies are not available
 * DASA is a delegated admin and can make Workspace / Cloud Identity admin API calls, it does not replace domain-wide delegation (DwD) when using GAM7 commands that interact with Gmail, Drive and Calendar user data.
 * GAM7 support for DASA is still experimental and some things may fail. Please report your findings to the [GAM group](https://groups.google.com/g/google-apps-manager).
 

wiki/Vault-Takeout.md

@@ -39,6 +39,16 @@
 [Collections of Items](Collections-of-Items)
 ```
 <AttendeeStatus> ::= accepted|declined|needsaction|tentative
+<Date> ::=
+        <Year>-<Month>-<Day> |
+        (+|-)<Number>(d|w|y) |
+        never|
+        today
+<Time> ::=
+        <Year>-<Month>-<Day>(<Space>|T)<Hour>:<Minute>:<Second>[.<MilliSeconds>](Z|(+|-(<Hour>:<Minute>))) |
+        (+|-)<Number>(m|h|d|w|y) |
+        never|
+        now|today
 <EmailItem> ::= <EmailAddress>|<UniqueID>|<String>
 <EmailItemList> ::= "<EmailItem>(,<EmailItem>)*"
 <EmailAddressList> ::= "<EmailAddess>(,<EmailAddress>)*"

wiki/Version-and-Help.md

@@ -3,10 +3,10 @@
 Print the current version of Gam with details
 ```
 gam version
-GAM 7.17.01 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.20.01 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.5 64-bit final
-MacOS Sequoia 15.5 x86_64
+Python 3.13.7 64-bit final
+MacOS Sequoia 15.6.1 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
@@ -15,10 +15,10 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAM 7.17.01 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.20.01 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.5 64-bit final
-MacOS Sequoia 15.5 x86_64
+Python 3.13.7 64-bit final
+MacOS Sequoia 15.6.1 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Your system time differs from www.googleapis.com by less than 1 second
@@ -27,15 +27,15 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAM 7.17.01 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.20.01 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.5 64-bit final
-MacOS Sequoia 15.5 x86_64
+Python 3.13.7 64-bit final
+MacOS Sequoia 15.6.1 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
 Your system time differs from admin.googleapis.com by less than 1 second
-OpenSSL 3.4.0 22 Oct Sep 2024
+OpenSSL 3.5.2 5 ASug 2025
 cryptography 43.0.3
 filelock 3.16.1
 google-api-python-client 2.149.0
@@ -64,7 +64,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gam7
 Version Check:
   Current: 5.35.08
-   Latest: 7.17.01
+   Latest: 7.20.01
 echo $?
 1
 ```
@@ -72,7 +72,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-7.17.01
+7.20.01
 ```
 In Linux/MacOS you can do:
 ```
@@ -82,10 +82,10 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 7.17.01 - https://github.com/GAM-team/GAM
+GAM 7.20.01 - https://github.com/GAM-team/GAM
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.5 64-bit final
-MacOS Sequoia 15.5 x86_64
+Python 3.13.7 64-bit final
+MacOS Sequoia 15.6.1 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00

wiki/_Sidebar.md

@@ -66,6 +66,7 @@ Client Access
 * [Administrators](Administrators)
 * [Alert Center](Alert-Center)
 * [Aliases](Aliases)
+* [Business Account Management](Business-Account-Management)
 * [Calendars](Calendars)
 * [Calendars - Access](Calendars-Access)
 * [Calendars - Events](Calendars-Events)
@@ -83,6 +84,7 @@ Client Access
 * [Classroom - Guardians](Classroom-Guardians)
 * [Classroom - Invitations](Classroom-Invitations)
 * [Classroom - Membership](Classroom-Membership)
+* [Classroom - Student Groups](Classroom-StudentGroups)
 * [Cloud Channel](Cloud-Channel)
 * [Cloud Identity Devices](Cloud-Identity-Devices)
 * [Cloud Identity Groups](Cloud-Identity-Groups)
@@ -128,7 +130,7 @@ Client Access
 * [Version and Help](Version-and-Help)
 
 Special Service Account Access
-* [Chat Bot](Chat-Bot)
+* [Chat Bot Setup and Use](Chat-Bot-Setup-Use)
 
 Service Account Access
 * [Users - Analytics Admin](Users-Analytics-Admin)