GoogleDriveManagement/wiki/Cloud-Identity-Policies.md
Ross Scroggs b400133fd6
Update Cloud-Identity-Policies.md
2026-04-07 09:52:36 -07:00

Cloud Identity Policies

API documentation

Notes

To use these commands you must update your client access authentication: delete the existing token and create a new one. At the scope menu, enter 20r to turn on the Cloud Identity - Policy scope with read-only access, which is sufficient for the display commands on this page; then continue with authentication.

gam oauth delete
gam oauth create
...
[R] 20)  Cloud Identity - Policy (supports readonly)

You must also grant the GAM project creator account access to policies in the GCP cloud console. The role granted below, Organization Policy Administrator, is assigned at the organization node and is a broad administrative role; grant it only to the dedicated GAM project creator account and review the grant as part of your normal privileged-access reviews.

  • Login at console.cloud.google.com
  • In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
  • Under IAM & Admin select IAM
  • Click in the box to the right of Google Cloud
  • Click the three dots at the right and select IAM/Permissions
  • Now you should be at "Permissions for organization ..."
  • Click on Grant Access
  • Enter the GAM project creator address in Principals
  • Click in the Select a role box
  • Type orgpolicy.policyAdmin in the Filter box
  • Click Organization Policy Administrator
  • Click Save

Definitions

<CIPolicyName> ::= policies/<String>|settings/<String>|<String>
<CIPolicyNameList> ::= "<CIPolicyName>(,<CIPolicyName>)*"
<CIPolicyNameEntity> ::=
        <CIPolicyNameList> | <FileSelector> | <CSVFileSelector>

<RegularExpression> ::= <String>
        See: https://docs.python.org/3/library/re.html
<REMatchPattern> ::= <RegularExpression>
<RESearchPattern> ::= <RegularExpression>
<RESubstitution> ::= <String>

Policies

These are the supported policies GAM can show today.

See: https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings

Display Cloud Identity Policies

Display selected policies.

gam info policies <CIPolicyNameEntity>
        [nowarnings] [noappnames] [noidmapping]
        [formatjson]

Select policies:

  • policies/<String> - A policy name, policies/ahv4hg7qc24kvaghb7zihwf4riid4
  • settings/<String> - A policy setting type, settings/workspace_marketplace.apps_allowlist
  • <String> - A policy setting type, workspace_marketplace.apps_allowlist

By default, policy warnings are displayed, use the nowarnings option to suppress their display.

By default, additional API calls are made for settings/workspace_marketplace.apps_allowlist to get the application name for the application ID. Use option noappnames to suppress these calls.

By default, additional API calls are made to add the policyQuery/groupEmail and policyQuery/orgUnitPath fields that are mapped from the policyQuery/group and policyQuery/orgUnit fields. Use option noidmapping to suppress these calls and not add the additional fields.

By default, Gam displays the information as an indented list of keys and values.

  • formatjson - Display the fields in JSON format.

Display all or filtered policies.

gam show policies
        [filter <String>] [nowarnings] [noappnames] [noidmapping]
        [group <REMatchPattern>] [ou|org|orgunit <REMatchPattern>]
        [formatjson]

By default, all policies are displayed. Use filter <String> to pass a filter expression to the API (the examples below filter on setting.type); use group <REMatchPattern> and ou|org|orgunit <REMatchPattern> to display only policies whose policyQuery/groupEmail or policyQuery/orgUnitPath matches the pattern.

By default, policy warnings are displayed, use the nowarnings option to suppress their display.

By default, additional API calls are made for settings/workspace_marketplace.apps_allowlist to get the application name for the application ID. Use option noappnames to suppress these calls.

By default, additional API calls are made to add the policyQuery/groupEmail and policyQuery/orgUnitPath fields that are mapped from the policyQuery/group and policyQuery/orgUnit fields. Use option noidmapping to suppress these calls and not add the additional fields.

By default, Gam displays the information as an indented list of keys and values.

  • formatjson - Display the fields in JSON format.

gam print policies [todrive <ToDriveAttribute>*]
        [filter <String>] [nowarnings] [noappnames] [noidmapping]
        [group <REMatchPattern>] [ou|org|orgunit <REMatchPattern>]
        [formatjson [quotechar <Character>]]

By default, all policies are displayed. Use filter <String> to pass a filter expression to the API (the examples below filter on setting.type); use group <REMatchPattern> and ou|org|orgunit <REMatchPattern> to print only policies whose policyQuery/groupEmail or policyQuery/orgUnitPath matches the pattern.

By default, policy warnings are displayed, use the nowarnings option to suppress their display.

By default, additional API calls are made to add the policyQuery/groupEmail and policyQuery/orgUnitPath fields that are mapped from the policyQuery/group and policyQuery/orgUnit fields. Use option noidmapping to suppress these calls and not add the additional fields.

By default, additional API calls are made for settings/workspace_marketplace.apps_allowlist to get the application name for the application ID. Use option noappnames to suppress these calls.

By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:

  • formatjson - Display the fields in JSON format.

By default, when writing CSV files, Gam uses a quote character of double quote ". The quote character is used to enclose columns that contain the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled. When using the formatjson option, double quotes are used extensively in the data resulting in hard to read/process output. The quotechar <Character> option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output. quotechar defaults to gam.cfg/csv_output_quote_char. When uploading CSV files to Google, double quote " should be used.

Examples

Print all service status policies.

gam redirect csv ./ServiceStatusPolicies.csv print policies filter "setting.type.matches('.*service_status')"

Print Drive external sharing policies.

gam redirect csv ./DriveExternalSharingPolicies.csv print policies filter "setting.type.matches('settings/drive_and_docs.external_sharing')"

Print all policies that apply directly to the OU "/Staff".

gam redirect csv ./StaffPolicies.csv print policies ou "^/Staff$"

Print all policies that apply to the OU "/Staff" and its sub-OUs. Note that "^/Staff" is a regular expression prefix match, so it also selects any other OU whose path merely begins with /Staff, such as "/Staffing"; if such OUs exist, use the pattern "^/Staff(/|$)" to select exactly /Staff and its descendants.

gam redirect csv ./StaffPolicies.csv print policies ou "^/Staff"
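The ou examples above are Python regular expressions matched against policyQuery/orgUnitPath, and the quotechar discussion above matters as soon as formatjson output is post-processed. The following Python is an added example, not GAM's own code: it parses a constructed `gam print policies formatjson quotechar "'"` CSV (the `name` and `JSON` column layout, the policy IDs and the setting values are assumed for illustration) and applies the ou pattern the way the <REMatchPattern> definition implies (re.match against orgUnitPath). It shows that "^/Staff$" selects only the policy on /Staff itself, that "^/Staff" also picks up a sibling OU "/Staffing", and that an anchored "^/Staff(/|$)" selects exactly /Staff and its descendants.

```python
"""Post-process `gam print policies ... formatjson quotechar "'"` output.

Added example, not GAM's own code. Assumptions not stated on the wiki page:
  * the CSV has a key column `name` and a `JSON` column holding one policy
    object per row (GAM's usual formatjson layout is assumed here);
  * GAM applies `ou <REMatchPattern>` with Python's re.match() against
    policyQuery.orgUnitPath.
The sample rows below are constructed: IDs and setting values are placeholders.
"""
import csv
import io
import json
import re

# Constructed sample output. The JSON column is quoted with a single quote, as
# produced by `quotechar "'"`, so the double quotes inside the JSON stay readable
# instead of being doubled as they would be with the default quotechar.
SAMPLE_CSV = """name,JSON
policies/EX1,'{"name": "policies/EX1", "type": "ADMIN", "policyQuery": {"orgUnit": "orgUnits/ID1", "orgUnitPath": "/Staff", "sortOrder": 1.0}, "setting": {"type": "settings/drive_and_docs.external_sharing", "value": {"placeholder": true}}}'
policies/EX2,'{"name": "policies/EX2", "type": "ADMIN", "policyQuery": {"orgUnit": "orgUnits/ID2", "orgUnitPath": "/Staff/Teachers", "sortOrder": 1.0}, "setting": {"type": "settings/drive_and_docs.external_sharing", "value": {"placeholder": true}}}'
policies/EX3,'{"name": "policies/EX3", "type": "ADMIN", "policyQuery": {"orgUnit": "orgUnits/ID3", "orgUnitPath": "/Staffing", "sortOrder": 1.0}, "setting": {"type": "settings/drive_and_docs.external_sharing", "value": {"placeholder": true}}}'
policies/EX4,'{"name": "policies/EX4", "type": "ADMIN", "policyQuery": {"group": "groups/ID4", "groupEmail": "contractors@example.com", "sortOrder": 1.0}, "setting": {"type": "settings/workspace_marketplace.apps_allowlist", "value": {"placeholder": true}}}'
policies/EX5,'{"name": "policies/EX5", "type": "SYSTEM", "policyQuery": {"orgUnit": "orgUnits/ID5", "orgUnitPath": "/", "sortOrder": 0.0}, "setting": {"type": "settings/gmail.service_status", "value": {"placeholder": true}}}'
"""


def load_policies(csv_text: str, quotechar: str = "'") -> list[dict]:
    """Parse formatjson CSV. quotechar must be the one given on the gam command line."""
    reader = csv.DictReader(io.StringIO(csv_text), quotechar=quotechar)
    return [json.loads(row["JSON"]) for row in reader]


def select_by_ou(policies: list[dict], pattern: str) -> list[dict]:
    """Keep policies whose policyQuery.orgUnitPath matches pattern at the start
    (re.match), mirroring GAM's <REMatchPattern>. Group-scoped policies carry no
    orgUnitPath and are never selected by an ou pattern."""
    rx = re.compile(pattern)
    selected = []
    for policy in policies:
        ou_path = policy.get("policyQuery", {}).get("orgUnitPath")
        if ou_path is not None and rx.match(ou_path):
            selected.append(policy)
    return selected


def ou_subtree_pattern(ou_path: str) -> str:
    """Pattern for exactly ou_path and its descendants. A bare "^/Staff" also
    matches siblings that share the prefix, e.g. "/Staffing"; this does not."""
    return "^" + re.escape(ou_path.rstrip("/")) + "(/|$)"


def names(policies: list[dict]) -> list[str]:
    """Sorted policy names, convenient for comparing selections."""
    return sorted(p["name"] for p in policies)


if __name__ == "__main__":
    pols = load_policies(SAMPLE_CSV)
    for label, pattern in [("direct", "^/Staff$"), ("prefix", "^/Staff"),
                           ("subtree", ou_subtree_pattern("/Staff"))]:
        print(f"{label:8} {pattern!r:20} -> {names(select_by_ou(pols, pattern))}")
```

Pass load_policies the same quotechar that was given on the gam command line. With the default double quote the file still parses, because the csv module undoubles the `""` sequences inside the JSON column, but every quote in the JSON is doubled on disk, which is the readability problem the quotechar option exists to avoid.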