Added root as a synonnym for '/' in command line

Historically we compiled PyInstaller ourselves as a custom compile seemed to trigger the "GAM is a virus!" issue less often. Now that we are signing GAM builds on Windows and Mac this should in theory be less of an issue and we can just use the pre-compiled PyInstaller from pip.

.github/workflows/build.yml

@@ -23,7 +23,7 @@ defaults:
 
 env:
   SCRATCH_COUNTER: 14
-  OPENSSL_CONFIG_OPTS: no-fips --api=3.0.0
+  OPENSSL_CONFIG_OPTS: no-fips --api=3.0.0 no-docs no-ssl3 no-tls1 no-tls1_1 no-dtls no-comp no-srp no-psk no-engine no-dynamic-engine no-nextprotoneg no-weak-ssl-ciphers no-idea no-seed no-camellia no-sm2 no-sm3 no-sm4 no-rc2 no-rc4 no-rc5 no-md2 no-md4 no-cast no-des no-shared no-tests -O3
   OPENSSL_INSTALL_PATH: ${{ github.workspace }}/bin/ssl
   OPENSSL_SOURCE_PATH: ${{ github.workspace }}/src/openssl
   PYTHON_INSTALL_PATH: ${{ github.workspace }}/bin/python
@@ -156,6 +156,7 @@ jobs:
         with:
           workload_identity_provider: projects/297925809119/locations/global/workloadIdentityPools/gha-pool/providers/gha-provider
           service_account: github-actions-testing-for-gam@gam-project-wyo-lub-ivl.iam.gserviceaccount.com
+          access_token_scopes: https://www.googleapis.com/auth/iam
 
       - name: Cache multiple paths
         if: matrix.goal == 'build'
@@ -164,7 +165,7 @@ jobs:
         with:
           path: |
             cache.tar.xz
-          key: gam-${{ matrix.jid }}-20260227
+          key: gam-${{ matrix.jid }}-20260323
 
       - name: Untar Cache archive
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
@@ -277,6 +278,8 @@ jobs:
           echo "We are running on ${RUNNER_OS}"
           LD_LIBRARY_PATH="${OPENSSL_INSTALL_PATH}/lib:${PYTHON_INSTALL_PATH}/lib:/usr/local/lib"
           if [[ "${RUNNER_OS}" == "macOS" ]]; then
+            export CFLAGS="-O3 -pipe"
+            export LDFLAGS="-Wl,-dead_strip"
             MAKE=make
             MAKEOPT="-j$(sysctl -n hw.logicalcpu)"
             PERL=perl
@@ -285,6 +288,8 @@ jobs:
             echo "We are running on and targetting MacOS ${MACOSX_DEPLOYMENT_TARGET}"
             echo "PYTHON=${PYTHON_INSTALL_PATH}/bin/python3" >> $GITHUB_ENV
           elif [[ "${RUNNER_OS}" == "Linux" ]]; then
+            export CFLAGS="-O3 -pipe"
+            export LDFLAGS="-Wl,--strip-all"
             MAKE=make
             MAKEOPT="-j$(nproc)"
             PERL=perl
@@ -311,6 +316,8 @@ jobs:
           echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH}" >> $GITHUB_ENV
           echo "MAKE=${MAKE}" >> $GITHUB_ENV
           echo "MAKEOPT=${MAKEOPT}" >> $GITHUB_ENV
+          echo "CFLAGS=${CFLAGS}" >> $GITHUB_ENV
+          echo "LDFLAGS=${LDFLAGS}" >> $GITHUB_ENV
           echo "PERL=${PERL}" >> $GITHUB_ENV
           echo "PYEXTERNALS_PATH=${PYEXTERNALS_PATH}" >> $GITHUB_ENV
 
@@ -335,10 +342,6 @@ jobs:
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
         run: |
           cd "${OPENSSL_SOURCE_PATH}"
-          #if ([ "$RUNNER_OS" == "Windows" ] && [ "$RUNNER_ARCH" == "ARM64" ]); then
-            # https://github.com/openssl/openssl/issues/26239
-            export CFLAGS=-DNO_INTERLOCKEDOR64
-          #fi
           # --libdir=lib is needed so Python can find OpenSSL libraries
           "${PERL}" ./Configure --libdir=lib --prefix="${OPENSSL_INSTALL_PATH}" $OPENSSL_CONFIG_OPTS
 
@@ -352,10 +355,6 @@ jobs:
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
         run: |
           cd "${OPENSSL_SOURCE_PATH}"
-          # TODO: remove this once https://github.com/openssl/openssl/issues/26239 is fixed.
-          if ([ "$RUNNER_OS" == "Windows" ] && [ "$RUNNER_ARCH" == "ARM64" ]); then
-            export CFLAGS=-DNO_INTERLOCKEDOR64
-          fi
           $MAKE "$MAKEOPT"
 
       - name: Install OpenSSL
@@ -364,20 +363,23 @@ jobs:
           cd "${OPENSSL_SOURCE_PATH}"
           # install_sw saves us ages processing man pages :-)
           $MAKE install_sw
+          #if [[ "${RUNNER_OS}" != "Windows" ]]; then
+          #  echo "LDFLAGS=-L${OPENSSL_INSTALL_PATH}/lib" >> $GITHUB_ENV
+          #fi
+          #echo "CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1" >> $GITHUB_ENV
+          #case $RUNNER_ARCH in
+          #  X64)
+          #    echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
+          #    echo "ARCHFLAGS=-arch x86_64" >> $GITHUB_ENV
+          #    ;;
+          #  ARM64)
+          #    echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
+          #    echo "ARCHFLAGS=-arch arm64" >> $GITHUB_ENV
+          #    ;;
+          #esac
           if [[ "${RUNNER_OS}" != "Windows" ]]; then
-            echo "LDFLAGS=-L${OPENSSL_INSTALL_PATH}/lib" >> $GITHUB_ENV
+            strip "${OPENSSL_INSTALL_PATH}/bin/openssl"
           fi
-          echo "CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1" >> $GITHUB_ENV
-          case $RUNNER_ARCH in
-            X64)
-              echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
-              echo "ARCHFLAGS=-arch x86_64" >> $GITHUB_ENV
-              ;;
-            ARM64)
-              echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
-              echo "ARCHFLAGS=-arch arm64" >> $GITHUB_ENV
-              ;;
-          esac
 
       - name: Run OpenSSL
         if: matrix.goal == 'build'
@@ -405,7 +407,9 @@ jobs:
                       --enable-shared \
                       --with-ensurepip=upgrade \
                       --enable-optimizations \
-                      --with-lto || : # exit 0
+                      --with-lto \
+                      --disable-test-modules \
+                      --without-doc-strings || : # exit 0
           cat config.log
 
       - name: Windows Get External Python deps
@@ -452,8 +456,10 @@ jobs:
         shell: powershell
         run: |
           cd "${env:PYTHON_SOURCE_PATH}"
-          # We need out custom openssl.props which uses OpenSSL 3 DLL names
+          # We need our custom openssl.props which uses OpenSSL 3 DLL names
           Copy-Item -Path "${env:GITHUB_WORKSPACE}\src\tools\openssl.props" -Destination PCBuild\ -Verbose
+          # We need our custom _hashlib.vcxproj
+          Copy-Item -Path "${env:GITHUB_WORKSPACE}\src\tools\_hashlib.vcxproj" -Destination PCBuild\ -Verbose
           if (${env:RUNNER_ARCH} -eq "X64") {
             $env:arch = "x64"
             #PCBuild\build.bat -c Release -p $env:arch --pgo
@@ -480,6 +486,7 @@ jobs:
           cd "${PYTHON_SOURCE_PATH}"
           $MAKE altinstall
           $MAKE bininstall
+          strip "${PYTHON_INSTALL_PATH}/bin/python3"
           export PATH="${PATH}:${PYTHON_INSTALL_PATH}/bin"
           echo "PATH=${PATH}" >> $GITHUB_ENV
           echo "PATH: ${PATH}"
@@ -547,18 +554,19 @@ jobs:
       - name: Install PyInstaller
         if: matrix.goal == 'build'
         run: |
-          git clone https://github.com/pyinstaller/pyinstaller.git
+          #git clone https://github.com/pyinstaller/pyinstaller.git
-          cd pyinstaller
+          #cd pyinstaller
-          export latest_release=$(git tag --list | grep -v dev | grep -v rc | sort -Vr | head -n1)
+          #export latest_release=$(git tag --list | grep -v dev | grep -v rc | sort -Vr | head -n1)
-          git checkout "${latest_release}"
+          #git checkout "${latest_release}"
           # git checkout "v6.9.0"
           # remove pre-compiled bootloaders so we fail if bootloader compile fails
-          rm -rvf PyInstaller/bootloader/*-*/*
+          #rm -rvf PyInstaller/bootloader/*-*/*
-          cd bootloader
+          #cd bootloader
-          "${PYTHON}" ./waf all
+          #"${PYTHON}" ./waf all
-          cd ..
+          #cd ..
-          echo "---- Installing PyInstaller ----"
+          #echo "---- Installing PyInstaller ----"
-          "${PYTHON}" -m pip install .
+          #"${PYTHON}" -m pip install .
+          "$PYTHON" -m pip install --upgrade pyinstaller
 
       - name: Build GAM with PyInstaller
         if: matrix.goal != 'test'
@@ -875,7 +883,7 @@ jobs:
                exit $exit_code # Hard fail the step for unapproved errors
             fi
           }
-          
+
           export gam_user="gam-gha-${JID}@pdl.jaylee.us"
           echo "gam_user=${gam_user}" >> $GITHUB_ENV
           run_gam config customer_id "C03uzfv2s" save
@@ -937,14 +945,16 @@ jobs:
           done
           driveid=$($gam user $gam_user add shareddrive "${newbase}" returnidonly)
           echo "Created shared drive ${driveid}"
-          run_gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB- ou "${newou}"
+          run_gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password uniquerandom recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB- ou "$newou"
-          run_gam user $newuser add license workspaceenterpriseplus
           run_gam user $newuser update photo https://dummyimage.com/98x98/000/fff.jpg
           run_gam user $newuser get photo
           run_gam user $newuser delete photo
           run_gam create alias $newalias user $newuser
           run_gam create group $newgroup name "GHA $JID group" description "This is a description" isarchived true
           run_gam user $gam_user sendemail recipient dev-null@pdl.jaylee.us subject "test message $newbase" message "GHA test message"
+          run_gam user $newuser add license workspaceenterpriseplus
+          run_gam update user $newuser ou root # GAM synonym for / root OU 
+          run_gam update user $newuser ou "$newou"
           run_gam config enable_dasa false save
           # don't expose policy output
           run_gam show policies > policies.csv

src/GamCommands.txt

@@ -1429,6 +1429,8 @@ gam print addresses [todrive <ToDriveAttribute>*]
 
 # Authorization
 
+gam info gcporgid
+
 gam create gcpfolder <String>
 gam create gcpfolder [admin <EmailAddress>] folder <String>
 
@@ -2990,6 +2992,8 @@ gam [<UserTypeEntity>] show classificationlabelpermissions <ClassificationLabelN
         (combiningfunction <CAACombiningFunction>) |
         (condition <CAAConditionAttribute>+ endcondition)
 
+gam info gcporgid
+
 gam create caalevel <String> [description <String>] (basic <CAABasicAttribute>+)|(custom <QueryCEL>)|<JSONData>
 gam update caalevel <CAALevelName> [description <String>] (basic <CAABasicAttribute>+)|(custom <QueryCEL>)|<JSONData>
 gam delete caalevel <CAALevelName>
@@ -3544,6 +3548,10 @@ gam info customer [formatjson]
 
 gam info instance [formatjson]
 
+gam info customerid
+
+gam info gcporgid
+
 # Data Transfers
 
 gam print|show transferapps
@@ -4662,6 +4670,8 @@ gam report <ActivityApplicationName> [todrive <ToDriveAttribute>*]
         [event|events <EventNameList>] [ip <String>]
         [gmaileventtypes <NumberRangeList>]
         [groupidfilter <String>] [resourcedetailsfilter <String>]
+        [networkinfofilter <String>] [statusfilter <String>]
+        [applicationinfofilter <String>] [includesensitivedata]
         [notimesort]
         [maxactivities <Number>] [maxevents <Number>] [maxresults <Number>]
         [countsonly [bydate|summary] [eventrowfilter]]
@@ -5754,7 +5764,7 @@ gam download storagefile <StorageBucketObjectName>
         (language clear|<LanguageList>)|
         (lastname|familyname <String>)|
         (note clear|([text_html|text_plain] <UserNoteContent))|
-        (ou|org|orgunitpath <OrgUnitPath>|<OrgUnitID>)
+        (ou|org|orgunitpath <OrgUnitPath>|<OrgUnitID>|root)
         (password (random [<Integer>])|(uniquerandom [<Integer>])|
                    blocklogin|
                    prompt|uniqueprompt|
@@ -8912,6 +8922,8 @@ gam <UserTypeEntity> show sheetrange <DriveFileEntity>
 
 gam <UserTypeEntity> delete tokens clientid <ClientID>
 
+gam info gcporgid
+
 gam <UserTypeEntity> print tokens|token [todrive <ToDriveAttribute>*] [clientid <ClientID>]
         [usertokencounts|(aggregateusersby|orderby clientid|id|appname|displaytext)]
         [delimiter <Character>] [gcpdetails]

src/GamUpdate.txt

@@ -1,3 +1,42 @@
+7.38.01
+
+Added `root` as a synonnym for '/' in command line arguments that specify an OU.
+This is to avoid issues where a stand-alone `/` on the command line may be mis-interpreted
+by the command line interpreter as a reference to the file system root.
+
+7.38.00
+
+Added variable `gcp_org_id` to `gam.cfg` that is used by the following commands;
+by setting the value, additional API calls are eliminated.
+```
+gam create project
+gam create gcpfolder
+gam create|update|delete caalevel
+gam print|show caalevels
+gam print|show tokens gcpdetails
+```
+You can get and set the `gam.cfg/gcp_org_id` value with these commands:
+```
+$ gam info gcporgid             
+organizations/906207637890
+$ gam config gcp_org_id organizations/906207637890 save
+```
+
+You can get and set the `gam.cfg/customer_id` value with these commands:
+```
+$ gam info customerid             
+C78abc9de
+$ gam config customer_id C78abc9de save
+```
+
+Added the following options to `gam report <ActivityApplicationName>`.
+```
+applicationinfofilter <String>
+networkinfofilter <String>
+statusfilter <String>
+includesensitivedata
+```
+
 7.37.00
 
 Added new client access scopes used by `gam print tokens`.

src/gam/__init__.py

@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
 """
 
 __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
-__version__ = '7.37.00'
+__version__ = '7.38.01'
 __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
 
 # pylint: disable=wrong-import-position
@@ -1667,6 +1667,12 @@ def encodeOrgUnitPath(path):
 def getOrgUnitItem(pathOnly=False, absolutePath=True, cd=None):
   if Cmd.ArgumentsRemaining():
     path = Cmd.Current().strip()
+    # Some shells like Bash for Windows interpret / as the filesystem root.
+    # Let user specify "root" instead to indicate /. "/root", "Root" and "ROOT"
+    # will still work for an OU actually named "root" as we are being
+    # case-sensitive here for "root" but Google is not case sensitive about OUs
+    if path == 'root':
+      path = '/'
     if path:
       if pathOnly and (path.startswith('id:') or path.startswith('uid:')) and cd is not None:
         try:
@@ -3771,6 +3777,11 @@ def SetGlobalVariables():
       else:
         _printValueError(sectionName, itemName, api, f'{Msg.EXPECTED}: {",".join(sorted(validAPIs))}')
 
+  def _validateGCPOrgId(sectionName, itemName, gcpOrgId):
+    mg = re.match(r'organizations/\d+', gcpOrgId)
+    if not mg:
+      _printValueError(sectionName, itemName, gcpOrgId, f'{Msg.EXPECTED}: "organizations/<Number>"')
+
   def _getCfgString(sectionName, itemName):
     value = _stripStringQuotes(GM.Globals[GM.PARSER].get(sectionName, itemName))
     if itemName == GC.DOMAIN:
@@ -3781,6 +3792,8 @@ def SetGlobalVariables():
         _validateLicenseSKUs(sectionName, itemName, value)
       elif itemName == GC.DEVELOPER_PREVIEW_APIS and value:
         _validateDeveloperPreviewAPIs(sectionName, itemName, value.lower())
+      elif itemName == GC.GCP_ORG_ID and value:
+        _validateGCPOrgId(sectionName, itemName, value)
       return value
     _printValueError(sectionName, itemName, f'"{value}"', f'{Msg.EXPECTED}: {integerLimits(minLen, maxLen, Msg.STRING_LENGTH)}')
     return ''
@@ -6550,6 +6563,8 @@ def getItemsToModify(entityType, entity, memberRoles=None, isSuspended=None, isA
     qualifier = Msg.DIRECTLY_IN_THE.format(Ent.Singular(Ent.ORGANIZATIONAL_UNIT)) if directlyInOU else Msg.IN_THE.format(Ent.Singular(Ent.ORGANIZATIONAL_UNIT))
     fields = 'nextPageToken,users(primaryEmail,orgUnitPath)' if directlyInOU else 'nextPageToken,users(primaryEmail)'
     for ou in ous:
+      if ou == 'root':
+        ou = '/'
       ou = makeOrgUnitPathAbsolute(ou)
       if ou.startswith('id:'):
         try:
@@ -6731,6 +6746,8 @@ def getItemsToModify(entityType, entity, memberRoles=None, isSuspended=None, isA
     else:
       queries = [None]
     for ou in ous:
+      if ou == 'root':
+        ou = '/'
       ou = makeOrgUnitPathAbsolute(ou)
       oneQualifier = Msg.DIRECTLY_IN_THE.format(Ent.Singular(Ent.ORGANIZATIONAL_UNIT)) if not includeChildOrgunits else Msg.IN_THE.format(Ent.Singular(Ent.ORGANIZATIONAL_UNIT))
       for query in queries:
@@ -11991,20 +12008,45 @@ def _checkForExistingProjectFiles(projectFiles):
     if os.path.exists(a_file):
       systemErrorExit(JSON_ALREADY_EXISTS_RC, Msg.AUTHORIZATION_FILE_ALREADY_EXISTS.format(a_file, Act.ToPerform()))
 
-def getGCPOrg(crm, login_hint, login_domain):
+def getCRMOrgId(forceSearch=False):
-  try:
+  if not GC.Values[GC.GCP_ORG_ID] or forceSearch:
-    getorg = callGAPI(crm.organizations(), 'search',
+    setTrueCustomerId()
-                      throwReasons=[GAPI.INVALID_ARGUMENT, GAPI.PERMISSION_DENIED],
+    _, crm = buildGAPIServiceObject(API.CLOUDRESOURCEMANAGER, None)
-                      query=f'domain:{login_domain}',
+    results = callGAPI(crm.organizations(), 'search',
-                      pageSize=1, fields='organizations/name')
+                       query=f'directorycustomerid:{GC.Values[GC.CUSTOMER_ID]}',
-  except (GAPI.invalidArgument, GAPI.permissionDenied) as e:
+                       pageSize=1, fields='organizations/name')
-    entityActionFailedExit([Ent.USER, login_hint, Ent.DOMAIN, login_domain], str(e))
+    orgs = results.get('organizations')
-  try:
+    if not orgs:
-    organization = getorg['organizations'][0]['name']
+      # return nothing and let calling API deal with it
-#    sys.stdout.write(Msg.YOUR_ORGANIZATION_NAME_IS.format(organization))
+      # since caller knows what GCP role would serve best
-    return organization
+      return None
-  except (KeyError, IndexError):
+    return orgs[0].get('name')
-    systemErrorExit(3, Msg.YOU_HAVE_NO_RIGHTS_TO_CREATE_PROJECTS_AND_YOU_ARE_NOT_A_SUPER_ADMIN)
+  return GC.Values[GC.GCP_ORG_ID]
+
+# gam info customerid
+def doInfoCustomerId():
+  checkForExtraneousArguments()
+  setTrueCustomerId(cd=None, forceUpdate=True)
+  writeStdout(f'{GC.Values[GC.CUSTOMER_ID]}\n')
+
+# gam info gcporgid
+def doInfoGCPOrgId():
+  checkForExtraneousArguments()
+  writeStdout(f'{getCRMOrgId(forceSearch=True)}\n')
+
+def getGCPOrgId(crm, login_hint, login_domain):
+  if not GC.Values[GC.GCP_ORG_ID]:
+    try:
+      results = callGAPI(crm.organizations(), 'search',
+                         throwReasons=[GAPI.INVALID_ARGUMENT, GAPI.PERMISSION_DENIED],
+                         query=f'domain:{login_domain}',
+                         pageSize=1, fields='organizations/name')
+      return results['organizations'][0]['name']
+    except (GAPI.invalidArgument, GAPI.permissionDenied) as e:
+      entityActionFailedExit([Ent.USER, login_hint, Ent.DOMAIN, login_domain], str(e))
+    except (KeyError, IndexError):
+      systemErrorExit(3, Msg.YOU_HAVE_NO_RIGHTS_TO_CREATE_PROJECTS_AND_YOU_ARE_NOT_A_SUPER_ADMIN)
+  return GC.Values[GC.GCP_ORG_ID]
 
 # gam create gcpfolder <String>
 # gam create gcpfolder [admin <EmailAddress] folder <String>
@@ -12028,7 +12070,7 @@ def doCreateGCPFolder():
   login_hint = _getValidateLoginHint(login_hint)
   login_domain = getEmailAddressDomain(login_hint)
   _, crm = getCRMService(login_hint)
-  organization = getGCPOrg(crm, login_hint, login_domain)
+  organization = getGCPOrgId(crm, login_hint, login_domain)
   try:
     result = callGAPI(crm.folders(), 'create',
                       throwReasons=[GAPI.INVALID_ARGUMENT, GAPI.PERMISSION_DENIED],
@@ -12074,7 +12116,7 @@ def doCreateProject():
       if 'error' in status:
         if status['error'].get('message', '') == 'No permission to create project in organization':
           sys.stdout.write(Msg.NO_RIGHTS_GOOGLE_CLOUD_ORGANIZATION)
-          organization = getGCPOrg(crm, login_hint, login_domain)
+          organization = getGCPOrgId(crm, login_hint, login_domain)
           org_policy = callGAPI(crm.organizations(), 'getIamPolicy',
                                 resource=organization)
           if 'bindings' not in org_policy:
@@ -13854,6 +13896,14 @@ REPORT_ACTIVITIES_UPPERCASE_EVENTS = {
   'takeout',
   }
 
+REPORT_ACTIVITIES_FILTER_MAP = {
+  'applicationinfofilter': 'applicationInfoFilter',
+  'groupidfilter': 'groupIdFilter',
+  'networkinfofilter': 'networkInfoFilter',
+  'resourcedetailsfilter': 'resourceDetailsFilter',
+  'statusfilter': 'statusFilter',
+  }
+
 REPORT_ACTIVITIES_TIME_OBJECTS = {'time'}
 
 # gam report <ActivityApplictionName> [todrive <ToDriveAttribute>*]
@@ -13865,6 +13915,8 @@ REPORT_ACTIVITIES_TIME_OBJECTS = {'time'}
 #	[event|events <EventNameList>] [ip <String>]
 #	[gmaileventtypes <NumberRangeList>]
 #	[groupidfilter <String>] [resourcedetailsfilter <String>]
+#	[networkinfofilter <String>] [statusfilter <String>]
+#	[applicationinfofilter <String>] [includesensitivedata]
 #	[notimesort]
 #	[maxactivities <Number>] [maxevents <Number>] [maxresults <Number>]
 #	[countsonly [bydate|summary] [eventrowfilter]]
@@ -14143,6 +14195,12 @@ def doReport():
     else:
       events['accounts:used_quota_in_percentage'] = 0
 
+  def _getActivitiesFilters(myarg):
+    if myarg in REPORT_ACTIVITIES_FILTER_MAP:
+      kwargs[REPORT_ACTIVITIES_FILTER_MAP[myarg]] = getString(Cmd.OB_STRING)
+      return True
+    return False
+
   # dynamically extend our choices with other reports Google dynamically adds
   rep = buildGAPIObject(API.REPORTS)
   dyn_choices = rep._rootDesc \
@@ -14168,7 +14226,7 @@ def doReport():
   if customerId == GC.MY_CUSTOMER:
     customerId = None
   csvPF = CSVPrintFile()
-  filters = actorIpAddress = groupIdFilter = orgUnit = orgUnitId = resourceDetailsFilter = None
+  filters = actorIpAddress = orgUnit = orgUnitId = None
   showOrgUnit = False
   parameters = set()
   parameterServices = set()
@@ -14205,6 +14263,7 @@ def doReport():
   showNoActivities = False
   if usageReports:
     includeServices = set()
+  kwargs = {}
   while Cmd.ArgumentsRemaining():
     myarg = getArgument()
     if myarg == 'todrive':
@@ -14288,14 +14347,14 @@ def doReport():
       countsSummary = True
     elif activityReports and myarg == 'eventrowfilter':
       eventRowFilter = True
-    elif activityReports and myarg == 'groupidfilter':
+    elif activityReports and _getActivitiesFilters(myarg):
-      groupIdFilter = getString(Cmd.OB_STRING)
+      pass
-    elif activityReports and myarg == 'resourcedetailsfilter':
-      resourceDetailsFilter = getString(Cmd.OB_STRING)
     elif activityReports and (report == 'gmail')  and myarg == 'gmaileventtypes':
       gmailEventTypes = set(getNumberRangeList())
     elif activityReports and myarg == 'userisactor':
       mapAdminUsersToFilter = False
+    elif activityReports and myarg == 'includesensitivedata':
+      kwargs['includeSensitiveData'] = True
     elif myarg == 'addcsvdata':
       getAddCSVData(addCSVData)
     elif activityReports and myarg == 'shownoactivities':
@@ -14616,8 +14675,7 @@ def doReport():
                                applicationName=report, userKey=user, customerId=customerId,
                                actorIpAddress=actorIpAddress, orgUnitID=orgUnitId,
                                startTime=startEndTime.startTime, endTime=startEndTime.endTime,
-                               eventName=eventName, filters=pfilters, groupIdFilter=groupIdFilter,
+                               eventName=eventName, filters=pfilters, maxResults=maxResults, **kwargs)
-                               resourceDetailsFilter=resourceDetailsFilter, maxResults=maxResults)
         except GAPI.badRequest:
           if user != 'all':
             entityUnknownWarning(Ent.USER, user, i, count)
@@ -16732,8 +16790,8 @@ def _showCustomerLicenseInfo(customerInfo, FJQC):
   if not FJQC.formatJSON:
     Ind.Decrement()
 
-def setTrueCustomerId(cd=None):
+def setTrueCustomerId(cd=None, forceUpdate=False):
-  if GC.Values[GC.CUSTOMER_ID] == GC.MY_CUSTOMER:
+  if GC.Values[GC.CUSTOMER_ID] == GC.MY_CUSTOMER or forceUpdate:
     if not cd:
       cd = buildGAPIObject(API.DIRECTORY)
     try:
@@ -72458,7 +72516,7 @@ def _printShowTokens(entityType, users):
                            throwReasons=[GAPI.PERMISSION_DENIED],
                            projectId=result['project'])
         for ancestor in results.get('ancestor', []):
-          if ancestor.get('resourceId', {}).get('type') == 'organization' and ancestor.get('resourceId', {}).get('id') == org_id:
+          if ancestor.get('resourceId', {}).get('type') == 'organization' and ancestor.get('resourceId', {}).get('id') == GC.Values[GC.GCP_ORG_ID]:
             result['internal'] = True
             internal_projects.add(result['project'])
       except GAPI.permissionDenied:
@@ -72520,7 +72578,7 @@ def _printShowTokens(entityType, users):
     crm1 = buildGAPIObject('cloudresourcemanagerv1')
     admin_email = _getAdminEmail()
     admin_domain = getEmailAddressDomain(admin_email)
-    org_id = getGCPOrg(crm, admin_email, admin_domain).split('/')[1]
+    GC.Values[GC.GCP_ORG_ID] = getGCPOrgId(crm, admin_email, admin_domain).split('/')[1]
   fields = ','.join(TOKENS_FIELDS_TITLES)
   i, count, users = getEntityArgument(users)
   for user in users:
@@ -79624,30 +79682,11 @@ def printShowTagManagerTags(users):
 def printShowTagManagerPermissions(users):
   printShowTagManagerObjects(users, Ent.TAGMANAGER_PERMISSION)
 
-def getCRMOrgId():
-  setTrueCustomerId()
-  _, crm = buildGAPIServiceObject(API.CLOUDRESOURCEMANAGER, None)
-  results = callGAPI(crm.organizations(), 'search',
-                     query=f'directorycustomerid:{GC.Values[GC.CUSTOMER_ID]}',
-                     pageSize=1, fields='organizations/name')
-  orgs = results.get('organizations')
-  if not orgs:
-    # return nothing and let calling API deal with it
-    # since caller knows what GCP role would serve best
-    return None
-  return orgs[0].get('name')
-
 def CAARoleErrorExit(caa):
   sa_email = caa._http.credentials.signer_email
   systemErrorExit(NO_SA_ACCESS_CONTEXT_MANAGER_EDITOR_ROLE_RC,
                   f'Please grant service account {sa_email} the Access Context Manager Editor role in your GCP organization.')
 
-def normalizeCAALevelName(caa, name):
-  if name.startswith('accessPolicies/'):
-    return name
-  ap_name = getAccessPolicy(caa)
-  return f'{ap_name}/accessLevels/{name}'
-
 def buildCAAServiceObject():
   _, caa = buildGAPIServiceObject(API.ACCESSCONTEXTMANAGER, None)
   return caa
@@ -79671,7 +79710,13 @@ def getAccessPolicy(caa=None):
   for ap in aps:
     if ap.get('title') == 'Access policy created in Cloud Identity Console':
       return ap['name']
-  systemErrorExit(ACCESS_POLICY_ERROR_RC, ' Could not find a org level access policy. That is odd.')
+  systemErrorExit(ACCESS_POLICY_ERROR_RC, 'Could not find a org level access policy. That is odd.')
+
+def normalizeCAALevelName(caa, name):
+  if name.startswith('accessPolicies/'):
+    return name
+  ap_name = getAccessPolicy(caa)
+  return f'{ap_name}/accessLevels/{name}'
 
 CAA_OS_TYPE_MAP = {
   'desktopmac': 'DESKTOP_MAC',
@@ -80178,6 +80223,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_CROSTELEMETRY:	doInfoPrintShowCrOSTelemetry,
       Cmd.ARG_CURRENTPROJECTID:	doInfoCurrentProjectId,
       Cmd.ARG_CUSTOMER:		doInfoCustomer,
+      Cmd.ARG_CUSTOMERID:	doInfoCustomerId,
       Cmd.ARG_DATATRANSFER:	doInfoDataTransfer,
       Cmd.ARG_DEVICE:		doInfoCIDevice,
       Cmd.ARG_DEVICEUSER:	doInfoCIDeviceUser,
@@ -80188,6 +80234,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_DRIVEFILEACL:	doInfoDriveFileACLs,
       Cmd.ARG_DRIVELABEL:	doInfoDriveLabels,
       Cmd.ARG_INSTANCE:		doInfoInstance,
+      Cmd.ARG_GCPORGID:		doInfoGCPOrgId,
       Cmd.ARG_GROUP:		doInfoGroups,
       Cmd.ARG_GROUPMEMBERS:	doInfoGroupMembers,
       Cmd.ARG_INBOUNDSSOASSIGNMENT:	doInfoInboundSSOAssignment,

src/gam/gamlib/glcfg.py

@@ -177,6 +177,8 @@ ENFORCE_EXPANSIVE_ACCESS = 'enforce_expansive_access'
 EVENT_MAX_RESULTS = 'event_max_results'
 # Path to extra_args.txt
 EXTRA_ARGS = 'extra_args'
+# Google Cloud Project Organization ID
+GCP_ORG_ID = 'gcp_org_id'
 # Gmail CSE certificates directory
 GMAIL_CSE_INCERT_DIR = 'gmail_cse_incert_dir'
 # Gmail CSE KACL wrapped key files
@@ -403,6 +405,7 @@ Defaults = {
   ENABLE_GCLOUD_REAUTH: FALSE,
   EVENT_MAX_RESULTS: '250',
   EXTRA_ARGS: '',
+  GCP_ORG_ID: '',
   GMAIL_CSE_INCERT_DIR: '',
   GMAIL_CSE_INKEY_DIR: '',
   INPUT_DIR: '.',
@@ -577,6 +580,7 @@ VAR_INFO = {
   ENABLE_GCLOUD_REAUTH: {VAR_TYPE: TYPE_BOOLEAN},
   EVENT_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 2500)},
   EXTRA_ARGS: {VAR_TYPE: TYPE_FILE, VAR_SIGFILE: FN_EXTRA_ARGS_TXT, VAR_SFFT: ('', FN_EXTRA_ARGS_TXT), VAR_ACCESS: os.R_OK},
+  GCP_ORG_ID: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
   GMAIL_CSE_INCERT_DIR: {VAR_TYPE: TYPE_DIRECTORY},
   GMAIL_CSE_INKEY_DIR: {VAR_TYPE: TYPE_DIRECTORY},
   INPUT_DIR: {VAR_TYPE: TYPE_DIRECTORY},

src/gam/gamlib/glclargs.py

@@ -830,6 +830,7 @@ class GamCLArgs():
   ARG_CSEKEYPAIRS = 'csekeypairs'
   ARG_CURRENTPROJECTID = 'currentprojectid'
   ARG_CUSTOMER = 'customer'
+  ARG_CUSTOMERID = 'customerid'
   ARG_DATASTUDIOASSET = 'datastudioasset'
   ARG_DATASTUDIOASSETS = 'datastudioassets'
   ARG_DATASTUDIOPERMISSION = 'datastudiopermission'
@@ -913,6 +914,7 @@ class GamCLArgs():
   ARG_FORWARDINGADDRESS = 'forwardingaddress'
   ARG_FORWARDINGADDRESSES = 'forwardingaddresses'
   ARG_GCPFOLDER = 'gcpfolder'
+  ARG_GCPORGID = 'gcporgid'
   ARG_GCPSERVICEACCOUNT = 'gcpserviceaccount'
   ARG_GMAIL = 'gmail'
   ARG_GMAILPROFILE = 'gmailprofile'

src/gam/gamlib/glentity.py

@@ -242,6 +242,7 @@ class GamEntity():
   FORWARDING_ADDRESS = 'fwda'
   GCP_FOLDER = 'gcpf'
   GCP_FOLDER_NAME = 'gcpn'
+  GCP_ORG_ID = 'gcpo'
   GMAIL_PROFILE = 'gmpr'
   GROUP = 'grou'
   GROUP_ALIAS = 'gali'
@@ -613,6 +614,7 @@ class GamEntity():
     FORWARDING_ADDRESS: ['Forwarding Addresses', 'Forwarding Address'],
     GCP_FOLDER: ['GCP Folders', 'GCP Folder'],
     GCP_FOLDER_NAME: ['GCP Folder Names', 'GCP Folder Name'],
+    GCP_ORG_ID: ['GCP Organization ID', 'GCP Organization ID'],
     GMAIL_PROFILE: ['Gmail Profile', 'Gmail Profile'],
     GROUP: ['Groups', 'Group'],
     GROUP_ALIAS: ['Group Aliases', 'Group Alias'],

src/tools/_hashlib.vcxproj

@@ -0,0 +1,115 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|ARM">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|ARM64">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="PGInstrument|ARM">
+      <Configuration>PGInstrument</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="PGInstrument|ARM64">
+      <Configuration>PGInstrument</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="PGInstrument|Win32">
+      <Configuration>PGInstrument</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="PGInstrument|x64">
+      <Configuration>PGInstrument</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="PGUpdate|ARM">
+      <Configuration>PGUpdate</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="PGUpdate|ARM64">
+      <Configuration>PGUpdate</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="PGUpdate|Win32">
+      <Configuration>PGUpdate</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="PGUpdate|x64">
+      <Configuration>PGUpdate</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM">
+      <Configuration>Release</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM64">
+      <Configuration>Release</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{447F05A8-F581-4CAC-A466-5AC7936E207E}</ProjectGuid>
+    <RootNamespace>_hashlib</RootNamespace>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="python.props" />
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>NotSet</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <PropertyGroup>
+    <TargetExt>$(PyStdlibPydExt)</TargetExt>
+  </PropertyGroup>
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+    <Import Project="pyproject.props" />
+    <Import Project="openssl.props" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
+  </PropertyGroup>
+  <ItemDefinitionGroup>
+    <Link>
+      <AdditionalDependencies>ws2_32.lib;crypt32.lib;advapi32.lib;user32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\Modules\_hashopenssl.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="..\PC\python_nt.rc" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="pythoncore.vcxproj">
+      <Project>{cf7ac3d1-e2df-41d2-bea6-1e2556cdea26}</Project>
+      <ReferenceOutputAssembly>false</ReferenceOutputAssembly>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

src/tools/openssl.props

@@ -15,12 +15,14 @@
     <_DLLSuffix Condition="$(Platform) == 'ARM64'">$(_DLLSuffix)-arm64</_DLLSuffix>
     <_DLLSuffix Condition="$(Platform) == 'x64'">$(_DLLSuffix)-x64</_DLLSuffix>
   </PropertyGroup>
+  <!-- GAM Static Build: Disable missing DLL/PDB copy
   <ItemGroup>
     <_SSLDLL Include="$(opensslOutDir)\libcrypto$(_DLLSuffix).dll" />
     <_SSLDLL Include="$(opensslOutDir)\libcrypto$(_DLLSuffix).pdb" />
     <_SSLDLL Include="$(opensslOutDir)\libssl$(_DLLSuffix).dll" />
     <_SSLDLL Include="$(opensslOutDir)\libssl$(_DLLSuffix).pdb" />
   </ItemGroup>
+  -->
   <Target Name="_CopySSLDLL" Inputs="@(_SSLDLL)" Outputs="@(_SSLDLL->'$(OutDir)%(Filename)%(Extension)')" AfterTargets="Build">
     <Copy SourceFiles="@(_SSLDLL)" DestinationFolder="$(OutDir)" />
   </Target>

wiki/Context-Aware-Access-Levels.md

@@ -3,6 +3,7 @@
 - [Notes](#Notes)
 - [API documentation](#api-documentation)
 - [Grant Service Account Rights to Manage CAA](#grant-service-account-rights-to-manage-caa)
+- [Get Google Cloud organization ID for your workspace](#Get Google Cloud organization ID for your workspace)
 - [Definitions](#definitions)
 - [Parameters for Basic Levels](#parameters-for-basic-levels)
 - [Create an Access Level](#create-an-access-level)
@@ -36,6 +37,15 @@ In order for GAM to manage CAA access levels, you need to grant your service acc
 10. Click `Save`. It may take 15 minutes or more for the role permissions to propagate.
 11. Confirm the role is in place by re-running `gam print caalevels`
 
+## Get Google Cloud organization ID for your workspace
+This ID is used by the caalevel commands; to eliminate additional API calls,
+you can get the value and store it in the `gam.cfg/gcp_org_id` variable.
+```
+$ gam info gcporgid
+organizations/906207637890
+$ gam config gcp_org_id organizations/906207637890 save
+```
+
 ## Definitions
 ```
 <JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |

wiki/Customer.md

@@ -4,6 +4,8 @@
 - [Update customer](#update-customer)
 - [Display customer](#display-customer)
 - [Display instance](#display-instance)
+- [Display Customer ID](#display-customer-id)
+- [Display GCP organization ID](#display-gcp-organization-id)
 
 ## API documentation
 * [Directory API - Customers](https://developers.google.com/admin-sdk/directory/reference/rest/v1/customers)
@@ -45,3 +47,19 @@ gam info instance [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
+
+## Display Customer ID
+You can get and set the `gam.cfg/customer_id` value with these commands:
+```
+$ gam info customerid             
+C78abc9de
+$ gam config customer_id C78abc9de save
+```
+## Display GCP organization ID
+You can get and set the `gam.cfg/gcp_org_id` value with these commands:
+```
+$ gam info gcporgid             
+organizations/906207637890
+$ gam config gcp_org_id organizations/906207637890 save
+```
+

wiki/GamUpdates.md

@@ -10,6 +10,49 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
 
 See [Downloads-Installs-GAM7](https://github.com/GAM-team/GAM/wiki/Downloads-Installs) for Windows or other options, including manual installation
 
+### 7.38.00
+
+Added variable `gcp_org_id` to `gam.cfg` that is used by the following commands;
+by setting the value, additional API calls are eliminated.
+```
+gam create project
+gam create gcpfolder
+gam create|update|delete caalevel
+gam print|show caalevels
+gam print|show tokens gcpdetails
+```
+You can get and set the `gam.cfg/gcp_org_id` value with these commands:
+```
+$ gam info gcporgid             
+organizations/906207637890
+$ gam config gcp_org_id organizations/906207637890 save
+```
+
+You can get and set the `gam.cfg/customer_id` value with these commands:
+```
+$ gam info customerid             
+C78abc9de
+$ gam config customer_id C78abc9de save
+```
+
+Added the following options to `gam report <ActivityApplicationName>`.
+```
+applicationinfofilter <String>
+networkinfofilter <String>
+statusfilter <String>
+includesensitivedata
+```
+
+### 7.37.00
+
+Added new client access scopes used by `gam print tokens`.
+```
+[*] 52)  Resource Manager API - Organizations readonly
+[*] 53)  Resource Manager API - Projects readonly
+```
+
+Added option `gcpdetails` to `gam print tokens` that uses these scopes to get additional project information.
+
 ### 7.36.03
 
 Added command to send email replies that causes Gmail to recognize the message

wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md

@@ -251,7 +251,7 @@ writes the credentials into the file oauth2.txt.
 ```
 gamteam@server:/Users/gamteam$ rm -f /Users/gamteam/GAMConfig/oauth2.txt
 gamteam@server:/Users/gamteam$ gam version
-GAM 7.36.03 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.38.00 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.14.3 64-bit final
 macOS Tahoe 26.3.1 arm64
@@ -1034,7 +1034,7 @@ writes the credentials into the file oauth2.txt.
 ```
 C:\>del C:\GAMConfig\oauth2.txt
 C:\>gam version
-GAM 7.36.03 - https://github.com/GAM-team/GAM - pythonsource
+GAM 7.38.00 - https://github.com/GAM-team/GAM - pythonsource
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.14.3 64-bit final
 Windows 11 10.0.26200 AMD64

wiki/Reports.md

@@ -99,6 +99,8 @@ gam report <ActivityApplicationName> [todrive <ToDriveAttribute>*]
         [event|events <EventNameList>] [ip <String>]
         [gmaileventtypes <NumberRangeList>]
         [groupidfilter <String>] [resourcedetailsfilter <String>]
+        [networkinfofilter <String>] [statusfilter <String>]
+        [applicationinfofilter <String>] [includesensitivedata]
         [notimesort]
         [maxactivities <Number>] [maxevents <Number>] [maxresults <Number>]
         [countsonly [bydate|summary] [eventrowfilter]]
@@ -154,6 +156,15 @@ Limit to those users that are a member of at least one of a list of groups.
 Limit based on resource details.
 * `resourcedetailsfilter <String>` - See: https://developers.google.com/workspace/admin/reports/reference/rest/v1/activities/list#query-parameters
 
+Limit based on 'regionCode`.
+* `networkinfofilter <String>` - Format: 'regionCode="IN"'
+
+Limit based on `statusCode`.
+* `statusfilter <String>` - Format: 'statusCode="200"'
+
+Limit based on `oAuthClientId`.
+* `applicationinfofilter <String>` - Format: 'oAuthClientId="clientId"'
+
 You can use `config csv_output_row_filter` to filter the events if the API filter can't produce the results you want.
 
 Limit to a list of specific events.

wiki/Users-Chat.md

@@ -37,9 +37,6 @@ gam user user@domain.com update serviceaccount
 [*] 11)  Chat API - User Sections (supports readonly)
 
 ```
-`Chat API - User Sections` is in Developer Preview; you must have a the following variables set in `gam.cfg` to use these commands.
-* `developer_preview_apis = chat`
-* `developer_preview_api_key = <String>`
 
 Added `use_chat_admin_access` Boolean variable to `gam.cfg`. 
 ```

wiki/Users-Tokens.md

@@ -1,5 +1,6 @@
 # Users - Tokens
 - [API documentation](#api-documentation)
+- [Get Google Cloud organization ID for your workspace](#get-google-cloud-organization-id-for-your-workspace)
 - [Definitions](#definitions)
 - [Delete a user's token](#delete-a-users-token)
 - [Display individual user's tokens](#display-individual-users-tokens)
@@ -9,6 +10,15 @@
 ## API documentation
 * [Directory API - Tokens](https://developers.google.com/admin-sdk/directory/reference/rest/v1/tokens)
 
+## Get Google Cloud organization ID for your workspace
+This ID is used by `gam print|show token gcpdetails`; to eliminate additional API calls,
+you can get the value and store it in the `gam.cfg/gcp_org_id` variable.
+```
+$ gam info gcporgid
+organizations/906207637890
+$ gam config gcp_org_id organizations/906207637890 save
+```
+
 ## Definitions
 * [`<UserTypeEntity>`](Collections-of-Users)
 
@@ -23,14 +33,18 @@ gam <UserTypeEntity> delete|del token|tokens clientid <ClientID>
 ```
 gam <UserTypeEntity> print tokens|token [todrive <ToDriveAttributes>*] [clientid <ClientID>]
         [orderby clientid|id|appname|displaytext] [delimiter <Character>]
+        [gcpdetails]
 gam <UserTypeEntity> show tokens|token|3lo|oauth [clientid <ClientID>]
         [orderby clientid|id|appname|displaytext]
+        [gcpdetails]
 gam print tokens|token [todrive <ToDriveAttributes>*] [clientid <ClientID>]
         [orderby clientid|id|appname|displaytext] [delimiter <Character>]
         [<UserTypeEntity>]
+        [gcpdetails]
 gam show tokens|token [clientid <ClientID>]
         [orderby clientid|id|appname|displaytext] [delimiter <Character>]
         [<UserTypeEntity>]
+        [gcpdetails]
 ```
 By default, all client tokens for a user are displayed, use `clientid <ClientID>` to display a specific client token.
 
@@ -38,6 +52,9 @@ For each user, select the order of token presentation:
 * `orderby clientid|id` - Display each user's tokens ordered by Client ID
 * `orderby appname|displaytext` - Display each user's tokens ordered by App Name
 
+Use `gcpdetails` to get project information about the client; you get the project number
+and whether it is an internal project. In order to accurately determine if a project is internal, your GAM admin user must have at least the `Browser` [IAM role for the entire GCP organization](https://docs.cloud.google.com/iam/docs/roles-permissions/browser) which allows them to lookup basic metadata about your organization projects. If your admin is not able to see all GCP projects in your organization results may not be accurate.
+
 For `print tokens`:
 * `delimiter <Character>` - Separate `scopes` entries with `<Character>`; the default value is `csv_output_field_delimiter` from `gam.cfg`.
 

wiki/Version-and-Help.md

@@ -3,7 +3,7 @@
 Print the current version of Gam with details
 ```
 gam version
-GAM 7.36.03 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.38.00 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.14.3 64-bit final
 macOS Tahoe 26.3.1 arm64
@@ -15,7 +15,7 @@ Time: 2026-02-15T07:51:00-08:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAM 7.36.03 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.38.00 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.14.3 64-bit final
 macOS Tahoe 26.3.1 arm64
@@ -27,7 +27,7 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAM 7.36.03 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.38.00 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.14.3 64-bit final
 macOS Tahoe 26.3.1 arm64
@@ -68,7 +68,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/gamteam/bin/gam7
 Version Check:
   Current: 5.35.08
-   Latest: 7.36.03
+   Latest: 7.38.00
 echo $?
 1
 ```
@@ -76,7 +76,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-7.36.03
+7.38.00
 ```
 In Linux/MacOS you can do:
 ```
@@ -86,7 +86,7 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 7.36.03 - https://github.com/GAM-team/GAM
+GAM 7.38.00 - https://github.com/GAM-team/GAM
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.14.3 64-bit final
 macOS Tahoe 26.3.1 arm64

wiki/gam.cfg.md

@@ -375,6 +375,21 @@ extra_args
         Path to extra_args.txt
         Default: Blank
         Data file: extra_args.txt
+gcp_org_id
+        The Google Cloud organization ID for your workspace.
+        Default: Blank
+        This value is used by the following commands;
+        by setting the value, additional API calls are eliminated.
+        gam create project
+        gam create gcpfolder
+        gam create|update|delete caalevel
+        gam print|show caalevels
+        gam print|show tokens gcpdetails
+
+        You can get and save the `gcp_org_id` value with these commands:
+        $ gam info gcporgid
+        organizations/906207637890
+        $ gam config gcp_org_id organizations/906207637890 save
 gmail_cse_incert_dir
         Directory for the S/MIME certificate files used by Gmail Client Side Encryption.
         Default: Blank