diff --git a/docs/Addresses.md b/docs/Addresses.md
deleted file mode 100644
index aaf9dbe0a..000000000
--- a/docs/Addresses.md
+++ /dev/null
@@ -1,30 +0,0 @@
-# Addresses -- [API documentation](#api-documentation) -- [Display addresses](#display-addresses) - -## API documentation -* https://developers.google.com/admin-sdk/directory/reference/rest/v1/domains -* https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups -* https://developers.google.com/admin-sdk/directory/reference/rest/v1/resources.calendars -* https://developers.google.com/admin-sdk/directory/reference/rest/v1/users - -## Display addresses -Produces a three column CSV file (headers Type, Email, Target) that displays all group and user primary -email addresses and aliases; resource calendar addresses and domain names. - -The types are: -``` -DomainPrimary, DomainSecondary, DomainAlias -Group, GroupAlias, GroupNEAlias -Resource -SuspendedUser, SuspendedUserAlias, SuspendedUserNEAlias -User, UserAlias, UserNEAlias -``` -'NE' is an abbreviation for NonEditable. -``` -gam print addresses [todrive *] - [domain ] -``` -By default, groups and users in all domains in the account are selected; this options allows selection of subsets of groups and users: -* `domain ` - Limit groups and users to those in `` -
diff --git a/docs/Administrators.md b/docs/Administrators.md
deleted file mode 100644
index 3b2d96d64..000000000
--- a/docs/Administrators.md
+++ /dev/null
@@ -1,913 +0,0 @@ -# Administrators -- [Administrator roles documentation](#administrator-roles-documentation) -- [API documentation](#api-documentation) -- [Definitions](#definitions) -- [Display administrative privileges](#display-administrative-privileges) -- [Manage administrative roles](#manage-administrative-roles) -- [Display administrative roles](#display-administrative-roles) -- [Create an administrator](#create-an-administrator) -- [Delete an administrator](#delete-an-administrator) -- [Display administrators](#display-administrators) -- [Copy roles from one administrator to another](#copy-roles-from-one-administrator-to-another) - -## Administrator roles documentation -* https://support.google.com/a/answer/33325?ref_topic=4514341 - -## API documentation -* https://developers.google.com/admin-sdk/directory/reference/rest/v1/privileges -* https://developers.google.com/admin-sdk/directory/reference/rest/v1/roles -* https://developers.google.com/admin-sdk/directory/reference/rest/v1/roleAssignments - -## Definitions -``` - ::= (.)+ - ::= @ - ::= || - ::= id: - ::= /|(/ ::= | - ::= - ::= "(, ::= - ::= id:|uid:| - ::= id: - ::= || -``` -## Display administrative privileges -``` -gam print privileges [todrive *] -gam show privileges -``` - -Here is the output from `gam show privileges`; use this to find ``. 
-``` -Show 91 Privileges - Privilege: MANAGE_CSE_SETTINGS (1/91) - serviceId: 02pta16n4hxgyp2 - serviceName: Unknown - isOuScopable: False - Privilege: MANAGE_PLAY_FOR_WORK_STORE (2/91) - serviceId: 00tyjcwt49hs5nq - serviceName: play_for_work - isOuScopable: False - Privilege: MANAGE_ENTERPRISE_PRIVATE_APPS (3/91) - serviceId: 00tyjcwt49hs5nq - serviceName: play_for_work - isOuScopable: False - Privilege: MANAGE_EXTERNALLY_HOSTED_APK_UPLOAD_IN_PLAY (4/91) - serviceId: 00tyjcwt49hs5nq - serviceName: play_for_work - isOuScopable: False - Privilege: MANAGE_PLAY_FOR_WORK_STORE (5/91) - serviceId: 02w5ecyt3pkeyqi - serviceName: Unknown - isOuScopable: False - Privilege: MANAGE_ENTERPRISE_PRIVATE_APPS (6/91) - serviceId: 02w5ecyt3pkeyqi - serviceName: Unknown - isOuScopable: False - Privilege: MANAGE_EXTERNALLY_HOSTED_APK_UPLOAD_IN_PLAY (7/91) - serviceId: 02w5ecyt3pkeyqi - serviceName: Unknown - isOuScopable: False - Privilege: APP_ADMIN (8/91) - serviceId: 01ci93xb43sd8me - serviceName: Unknown - isOuScopable: True - childPrivileges: 2 - Privilege: DELEGATES_READ (1/2) - serviceId: 01ci93xb43sd8me - serviceName: Unknown - isOuScopable: True - Privilege: DELEGATES_WRITE (2/2) - serviceId: 01ci93xb43sd8me - serviceName: Unknown - isOuScopable: True - Privilege: APP_ADMIN (9/91) - serviceId: 03cqmetx3hnlpuf - serviceName: gplus - isOuScopable: False - Privilege: GPLUS_SQUARE_BATCH_ADD (10/91) - serviceId: 03cqmetx3hnlpuf - serviceName: gplus - isOuScopable: False - Privilege: GPLUS_CONTENT_MANAGER_PRIVILEGE (11/91) - serviceId: 03cqmetx3hnlpuf - serviceName: gplus - isOuScopable: False - Privilege: APP_ADMIN (12/91) - serviceId: 039kk8xu49mji9t - serviceName: gmail - isOuScopable: False - Privilege: ACCESS_EMAIL_LOG_SEARCH (13/91) - serviceId: 039kk8xu49mji9t - serviceName: gmail - isOuScopable: False - Privilege: ACCESS_ADMIN_QUARANTINE (14/91) - serviceId: 039kk8xu49mji9t - serviceName: gmail - isOuScopable: False - Privilege: ACCESS_RESTRICTED_QUARANTINE (15/91) - 
serviceId: 039kk8xu49mji9t - serviceName: gmail - isOuScopable: False - Privilege: APP_ADMIN (16/91) - serviceId: 01tuee744837sjz - serviceName: Unknown - isOuScopable: False - Privilege: MANAGE_COURSE_SETTINGS (17/91) - serviceId: 037m2jsg4g9nirj - serviceName: Unknown - isOuScopable: True - Privilege: MANAGE_LTI_CREDENTIAL_MANAGEMENT_MODE (18/91) - serviceId: 037m2jsg4g9nirj - serviceName: Unknown - isOuScopable: True - Privilege: APP_ADMIN (19/91) - serviceId: 01baon6m1wv6b0p - serviceName: Unknown - isOuScopable: False - Privilege: APP_ADMIN (20/91) - serviceId: 01yyy98l4k9lq4l - serviceName: directory - isOuScopable: False - childPrivileges: 3 - Privilege: DIRECTORY_SETTINGS_READONLY (1/3) - serviceId: 01yyy98l4k9lq4l - serviceName: directory - isOuScopable: False - childPrivileges: 2 - Privilege: PROFILE_EDITABILITY_READONLY (1/2) - serviceId: 01yyy98l4k9lq4l - serviceName: directory - isOuScopable: False - Privilege: CUSTOM_DIRECTORY_READONLY (2/2) - serviceId: 01yyy98l4k9lq4l - serviceName: directory - isOuScopable: False - Privilege: PROFILE_EDITABILITY_READWRITE (2/3) - serviceId: 01yyy98l4k9lq4l - serviceName: directory - isOuScopable: False - Privilege: CUSTOM_DIRECTORY_READWRITE (3/3) - serviceId: 01yyy98l4k9lq4l - serviceName: directory - isOuScopable: False - Privilege: LDAP_MANAGER (21/91) - serviceId: 02lwamvv18la4iw - serviceName: ldap - isOuScopable: False - Privilege: LDAP_PASSWORD_REBIND (22/91) - serviceId: 02lwamvv18la4iw - serviceName: ldap - isOuScopable: True - childPrivileges: 1 - Privilege: LDAP_PASSWORD_REBIND_READONLY - serviceId: 02lwamvv18la4iw - serviceName: ldap - isOuScopable: True - Privilege: APP_ADMIN (23/91) - serviceId: 0319y80a15kueje - serviceName: Unknown - isOuScopable: False - Privilege: APP_ADMIN (24/91) - serviceId: 044sinio4cntx2o - serviceName: Unknown - isOuScopable: False - Privilege: APP_ADMIN (25/91) - serviceId: 01ksv4uv2d2noaq - serviceName: sites - isOuScopable: False - Privilege: ADMIN_DASHBOARD (26/91) - 
serviceId: 01ci93xb3tmzyin - serviceName: admin - isOuScopable: True - Privilege: SERVICES (27/91) - serviceId: 01ci93xb3tmzyin - serviceName: admin - isOuScopable: False - Privilege: SECURITY_SETTINGS (28/91) - serviceId: 01ci93xb3tmzyin - serviceName: admin - isOuScopable: False - Privilege: SUPPORT (29/91) - serviceId: 01ci93xb3tmzyin - serviceName: admin - isOuScopable: False - Privilege: ADMIN_DOMAIN_SETTINGS (30/91) - serviceId: 01ci93xb3tmzyin - serviceName: admin - isOuScopable: False - Privilege: REPORTS (31/91) - serviceId: 01ci93xb3tmzyin - serviceName: admin - isOuScopable: False - Privilege: ADMIN_DASHBOARD (32/91) - serviceId: 01ci93xb3tmzyin - serviceName: admin - isOuScopable: True - Privilege: SERVICES (33/91) - serviceId: 01ci93xb3tmzyin - serviceName: admin - isOuScopable: False - Privilege: SUPPORT (34/91) - serviceId: 01ci93xb3tmzyin - serviceName: admin - isOuScopable: False - Privilege: REPORTS (35/91) - serviceId: 01ci93xb3tmzyin - serviceName: admin - isOuScopable: False - Privilege: APP_ADMIN (36/91) - serviceId: 03fwokq01e2ht7x - serviceName: Unknown - isOuScopable: False - childPrivileges: 1 - Privilege: UDM_NETWORK_ADMIN - serviceId: 03fwokq01e2ht7x - serviceName: Unknown - isOuScopable: True - Privilege: ADMIN_MATTER (37/91) - serviceId: 03l18frh45c63dw - serviceName: vault - isOuScopable: True - Privilege: REMOVE_HOLD (38/91) - serviceId: 03l18frh45c63dw - serviceName: vault - isOuScopable: True - Privilege: MANAGE_SEARCHES (39/91) - serviceId: 03l18frh45c63dw - serviceName: vault - isOuScopable: True - Privilege: MANAGE_EXPORTS (40/91) - serviceId: 03l18frh45c63dw - serviceName: vault - isOuScopable: True - Privilege: MANAGE_RETENTION_POLICY (41/91) - serviceId: 03l18frh45c63dw - serviceName: vault - isOuScopable: False - childPrivileges: 1 - Privilege: VIEW_RETENTION_POLICY - serviceId: 03l18frh45c63dw - serviceName: vault - isOuScopable: False - Privilege: AUDIT_SYSTEM (42/91) - serviceId: 03l18frh45c63dw - serviceName: vault - 
isOuScopable: False - Privilege: ACCESS_ALL_MATTERS (43/91) - serviceId: 03l18frh45c63dw - serviceName: vault - isOuScopable: False - Privilege: APP_ADMIN (44/91) - serviceId: 02afmg282jiquyg - serviceName: device_management - isOuScopable: False - Privilege: APP_ADMIN (45/91) - serviceId: 037m2jsg3ckz96v - serviceName: calendar - isOuScopable: False - childPrivileges: 2 - Privilege: CALENDAR_SETTINGS (1/2) - serviceId: 037m2jsg3ckz96v - serviceName: calendar - isOuScopable: False - childPrivileges: 1 - Privilege: CALENDAR_SETTINGS_READ - serviceId: 037m2jsg3ckz96v - serviceName: calendar - isOuScopable: False - Privilege: CALENDAR_RESOURCE (2/2) - serviceId: 037m2jsg3ckz96v - serviceName: calendar - isOuScopable: False - childPrivileges: 2 - Privilege: ROOM_INSIGHTS_DASHBOARD_ACCESS (1/2) - serviceId: 037m2jsg3ckz96v - serviceName: calendar - isOuScopable: False - Privilege: CALENDAR_RESOURCE_MANAGE (2/2) - serviceId: 037m2jsg3ckz96v - serviceName: calendar - isOuScopable: False - childPrivileges: 1 - Privilege: CALENDAR_RESOURCE_READ - serviceId: 037m2jsg3ckz96v - serviceName: calendar - isOuScopable: False - Privilege: APP_ADMIN (46/91) - serviceId: 03dy6vkm2sk0pzo - serviceName: docs - isOuScopable: False - childPrivileges: 5 - Privilege: DOCS_TEMPLATE_ADMIN (1/5) - serviceId: 03dy6vkm2sk0pzo - serviceName: docs - isOuScopable: False - Privilege: MIGRATE_TO_TEAM_DRIVE (2/5) - serviceId: 03dy6vkm2sk0pzo - serviceName: docs - isOuScopable: False - Privilege: WRITE_APPS_METADATA_SCHEMAS (3/5) - serviceId: 03dy6vkm2sk0pzo - serviceName: docs - isOuScopable: False - Privilege: VIEW_SITE_DETAILS (4/5) - serviceId: 03dy6vkm2sk0pzo - serviceName: docs - isOuScopable: False - Privilege: MANAGE_CLASSIC_GOOGLE_SITES (5/5) - serviceId: 03dy6vkm2sk0pzo - serviceName: docs - isOuScopable: False - Privilege: APP_ACCESS (47/91) - serviceId: 03cqmetx1vygwki - serviceName: Unknown - isOuScopable: False - Privilege: ORGANIZATION_UNITS_ALL (48/91) - serviceId: 00haapch16h1ysv - 
serviceName: admin_apis - isOuScopable: True - childPrivileges: 4 - Privilege: ORGANIZATION_UNITS_CREATE (1/4) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - Privilege: ORGANIZATION_UNITS_RETRIEVE (2/4) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - Privilege: ORGANIZATION_UNITS_UPDATE (3/4) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - Privilege: ORGANIZATION_UNITS_DELETE (4/4) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - Privilege: USERS_ALL (49/91) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - childPrivileges: 5 - Privilege: USERS_CREATE (1/5) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - Privilege: USERS_RETRIEVE (2/5) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - Privilege: USERS_UPDATE (3/5) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - childPrivileges: 6 - Privilege: USERS_ALIAS (1/6) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - Privilege: USERS_MOVE (2/6) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - Privilege: USERS_RESET_PASSWORD (3/6) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - Privilege: USERS_FORCE_PASSWORD_CHANGE (4/6) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - Privilege: USERS_ADD_NICKNAME (5/6) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - Privilege: USERS_SUSPEND (6/6) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - Privilege: USERS_UPDATE_CUSTOM_ATTRIBUTES_USER_PRIVILEGE_GROUP (4/5) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - Privilege: USERS_DELETE (5/5) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - Privilege: GROUPS_ALL (50/91) - 
serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - childPrivileges: 4 - Privilege: GROUPS_CREATE (1/4) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: GROUPS_RETRIEVE (2/4) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: GROUPS_UPDATE (3/4) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: GROUPS_DELETE (4/4) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: USER_SECURITY_ALL (51/91) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: True - Privilege: DATATRANSFER_API_PRIVILEGE_GROUP (52/91) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: DOMAIN_REGISTRATION_MANAGEMENT (53/91) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: SCHEMA_MANAGEMENT (54/91) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - childPrivileges: 1 - Privilege: SCHEMA_RETRIEVE - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: LICENSING (55/91) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - childPrivileges: 1 - Privilege: LICENSING_READ - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: BILLING (56/91) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - childPrivileges: 1 - Privilege: BILLING_READ - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: SAML2_SERVICE_PROVIDER (57/91) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: DOMAIN_MANAGEMENT (58/91) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: UPGRADE_CONSUMER_CONVERSION (59/91) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: 
TRUSTED_DOMAIN_WHITELIST_WRITE (60/91) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - childPrivileges: 1 - Privilege: TRUSTED_DOMAIN_WHITELIST_READ - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: FULL_MIGRATION_ACCESS (61/91) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - childPrivileges: 1 - Privilege: EXECUTE_MIGRATION - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - childPrivileges: 1 - Privilege: MODIFY_MIGRATION - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - childPrivileges: 1 - Privilege: VIEW_MIGRATION - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: GROUPS_MANAGE_SECURITY_LABEL (62/91) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: GROUPS_MANAGE_LOCKED_LABEL (63/91) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: ADMIN_REPORTING_ACCESS (64/91) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - childPrivileges: 1 - Privilege: REPORTING_AUDIT_ACCESS - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: SUPPORT_PRIVILEGE_GROUP (65/91) - serviceId: 00haapch16h1ysv - serviceName: admin_apis - isOuScopable: False - Privilege: APPS_INCIDENTS_FULL_ACCESS (66/91) - serviceId: 02pta16n3efhw69 - serviceName: Unknown - isOuScopable: False - childPrivileges: 2 - Privilege: APPS_INCIDENTS_READONLY (1/2) - serviceId: 02pta16n3efhw69 - serviceName: Unknown - isOuScopable: False - Privilege: APPS_INCIDENTS_VIEW_VIRUSTOTAL_REPORTS (2/2) - serviceId: 02pta16n3efhw69 - serviceName: Unknown - isOuScopable: False - Privilege: APP_ADMIN (67/91) - serviceId: 019c6y1840fzfkt - serviceName: classroom - isOuScopable: True - Privilege: ADMIN_OVERSIGHT_MANAGE_CLASSES (68/91) - serviceId: 019c6y1840fzfkt - serviceName: classroom - 
isOuScopable: True - Privilege: EDU_ANALYTICS_DATA_ACCESS (69/91) - serviceId: 019c6y1840fzfkt - serviceName: classroom - isOuScopable: True - Privilege: APP_ADMIN (70/91) - serviceId: 037m2jsg46www3g - serviceName: Unknown - isOuScopable: False - Privilege: MANAGE_DYNAMITE_SETTINGS (71/91) - serviceId: 03whwml44f3n4vd - serviceName: Unknown - isOuScopable: False - Privilege: MODERATE_DYNAMITE_REPORT (72/91) - serviceId: 03whwml44f3n4vd - serviceName: Unknown - isOuScopable: False - Privilege: MANAGE_DYNAMITE_SPACES (73/91) - serviceId: 03whwml44f3n4vd - serviceName: Unknown - isOuScopable: False - Privilege: APP_ADMIN (74/91) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - childPrivileges: 6 - Privilege: MANAGE_CHROME_USER_SETTINGS (1/6) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - childPrivileges: 2 - Privilege: MANAGE_CHROME_APPLICATION_SETTINGS (1/2) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: MANAGE_CHROME_WEB_SETTINGS (2/2) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: MANAGE_CHROME_BROWSERS (2/6) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - childPrivileges: 1 - Privilege: MANAGED_CHROME_BROWSERS_READ_ONLY - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: VIEW_CHROME_REPORTS (3/6) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - childPrivileges: 4 - Privilege: VIEW_CHROME_EXTENSIONS_REPORT (1/4) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: VIEW_CHROME_VERSION_REPORT (2/4) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: VIEW_CHROME_INSIGHTS_REPORT (3/4) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: VIEW_CHROME_PRINTERS_REPORT (4/4) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: 
MANAGE_PRINTERS (4/6) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: MANAGE_DEVICES (5/6) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - childPrivileges: 2 - Privilege: MANAGE_DEVICES_READ_ONLY (1/2) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - childPrivileges: 1 - Privilege: TELEMETRY_API - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - childPrivileges: 19 - Privilege: TELEMETRY_API_DEVICE (1/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_USER (2/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_AUDIO_REPORT (3/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_BUS_DEVICE_INFO (4/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_OS_REPORT (5/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_CPU_INFO (6/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_CPU_REPORT (7/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_MEMORY_INFO (8/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_MEMORY_REPORT (9/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_GRAPHICS_INFO (10/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_GRAPHICS_REPORT (11/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_BATTERY_INFO (12/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_BATTERY_REPORT (13/19) - serviceId: 03hv69ve4bjwe54 - 
serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_STORAGE_INFO (14/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_STORAGE_REPORT (15/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_NETWORK_INFO (16/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_NETWORK_REPORT (17/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_DEVICE_ACTIVITY_REPORT (18/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: TELEMETRY_API_PERIPHERALS_REPORT (19/19) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: DEVICE_ACTION_CRD (2/2) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: MANAGE_DEVICE_SETTINGS (6/6) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: True - Privilege: SERVICE_DATA_DOWNLOADER (75/91) - serviceId: 03hv69ve4bjwe54 - serviceName: Unknown - isOuScopable: False - Privilege: MANAGE_DIRECTORY_SYNC_SETTINGS (76/91) - serviceId: 0147n2zr1ynkkmf - serviceName: Unknown - isOuScopable: False - childPrivileges: 1 - Privilege: READ_DIRECTORY_SYNC_SETTINGS - serviceId: 0147n2zr1ynkkmf - serviceName: Unknown - isOuScopable: False - Privilege: APP_ADMIN (77/91) - serviceId: 0279ka651l5iy5q - serviceName: Unknown - isOuScopable: False - childPrivileges: 1 - Privilege: ADMIN_QUALITY_DASHBOARD_ACCESS - serviceId: 0279ka651l5iy5q - serviceName: Unknown - isOuScopable: False - Privilege: SECURITY_SETTINGS (78/91) - serviceId: 00vx122734tbite - serviceName: Unknown - isOuScopable: False - childPrivileges: 1 - Privilege: INBOUND_SSO_SETTINGS - serviceId: 00vx122734tbite - serviceName: Unknown - isOuScopable: False - Privilege: VIEW_DLP_RULE (79/91) - serviceId: 02250f4o3hg8pg8 - serviceName: Unknown - isOuScopable: False - 
Privilege: MANAGE_DLP_RULE (80/91) - serviceId: 02250f4o3hg8pg8 - serviceName: Unknown - isOuScopable: False - Privilege: APP_ADMIN (81/91) - serviceId: 00nmf14n14wtgcf - serviceName: app_maker - isOuScopable: False - Privilege: VIEW_ALL_PROJECTS (82/91) - serviceId: 00nmf14n14wtgcf - serviceName: app_maker - isOuScopable: False - Privilege: APP_ADMIN (83/91) - serviceId: 02zbgiuw2wdxo5p - serviceName: youtube - isOuScopable: False - Privilege: APP_ADMIN (84/91) - serviceId: 03as4poj2zjehv7 - serviceName: Unknown - isOuScopable: False - Privilege: APP_ADMIN (85/91) - serviceId: 02afmg283v5nmx6 - serviceName: Unknown - isOuScopable: False - childPrivileges: 1 - Privilege: ADMIN_QUALITY_DASHBOARD_ACCESS - serviceId: 02afmg283v5nmx6 - serviceName: Unknown - isOuScopable: False - Privilege: APP_ADMIN (86/91) - serviceId: 00upglbi0qz687j - serviceName: takeout - isOuScopable: False - Privilege: CLOUD_PRINT_MANAGER (87/91) - serviceId: 02bn6wsx379ol8g - serviceName: cloud_print - isOuScopable: False - Privilege: MANAGE_AGE_BASED_ACCESS_SETTINGS_AGE_LABEL (88/91) - serviceId: 046r0co22dnadsi - serviceName: Unknown - isOuScopable: True - childPrivileges: 1 - Privilege: AGE_BASED_ACCESS_SETTINGS_AGE_LABEL_READ - serviceId: 046r0co22dnadsi - serviceName: Unknown - isOuScopable: True - Privilege: LOGO_PRIVILEGE_GROUP (89/91) - serviceId: 03j2qqm31d4j55e - serviceName: Unknown - isOuScopable: False - Privilege: APP_ADMIN (90/91) - serviceId: 04f1mdlm0ki64aw - serviceName: cros - isOuScopable: True - childPrivileges: 7 - Privilege: MANAGE_DEVICES (1/7) - serviceId: 04f1mdlm0ki64aw - serviceName: cros - isOuScopable: True - Privilege: MANAGE_USER_SETTINGS (2/7) - serviceId: 04f1mdlm0ki64aw - serviceName: cros - isOuScopable: True - childPrivileges: 1 - Privilege: MANAGE_APPLICATION_SETTINGS - serviceId: 04f1mdlm0ki64aw - serviceName: cros - isOuScopable: True - Privilege: MANAGE_DEVICE_SETTINGS (3/7) - serviceId: 04f1mdlm0ki64aw - serviceName: cros - isOuScopable: True - 
Privilege: MANAGE_BROWSERS (4/7) - serviceId: 04f1mdlm0ki64aw - serviceName: cros - isOuScopable: True - Privilege: VIEW_EXTENSIONS_REPORT (5/7) - serviceId: 04f1mdlm0ki64aw - serviceName: cros - isOuScopable: True - Privilege: VIEW_VERSION_REPORT (6/7) - serviceId: 04f1mdlm0ki64aw - serviceName: cros - isOuScopable: True - Privilege: MANAGE_PRINTERS (7/7) - serviceId: 04f1mdlm0ki64aw - serviceName: cros - isOuScopable: True - Privilege: APP_ADMIN (91/91) - serviceId: 02et92p02l9sq0n - serviceName: Unknown - isOuScopable: True -``` - -## Manage administrative roles -``` -gam create adminrole privileges all|all_ou| [description ] -gam update adminrole [name ] [privileges all|all_ou|] [description ] -gam delete adminrole -``` -* `privileges all` - All defined privileges -* `privileges all_ou` - All defined privileges than can be scoped to an OU -* `privileges ` - A specific list of privileges - -## Display administrative roles -``` -gam info adminrole [privileges] -gam print adminroles|roles [todrive *] - [privileges] [oneitemperrow] -gam show adminroles|roles [todrive *] [privileges] -``` -* `privileges` - Display privileges associated with each role - -By default, all privileges for a role are shown on one row as a repeating item. -When `oneitemperrow` is specified, each privilege is output on a separate row/line with the other role fields. - -## Create an administrator -Add an administrator role to an administrator. -``` -gam create admin | customer|(org_unit ) - [condition securitygroup|nonsecuritygroup] -``` -* `customer` - The administrator can manage all organization units -* `org_unit ` - The administrator can manage the specified organization unit - -The option `condition` limits the conditions for delegate admin access. This currently only works with the _GROUPS_EDITOR_ROLE and _GROUPS_READER_ROLE roles. 
-* `condition securitygroup` - limit the delegated admin to managing security groups -* `condition nonsecuritygroup` - limit the delegated admin to managing non-security groups - -## Delete an administrator -Remove an administrator role from an administrator. -``` -gam delete admin -``` -## Display administrators -``` -gam print admins [todrive *] - [user|group |] [role ] [condition] - [privileges] [oneitemperrow] -gam show admins - [user|group |] [role ] [condition] [privileges] -``` -By default, all administrators and roles are displayed; choose from the following -options to limit the display: -* `user ` - Display only this administrator -* `role ` - Display only administrators with this role - -* `condition` - Display any conditions associated with a role assignment -* `privileges` - Display privileges associated with each role assignment - -By default, all role privileges for an admin are shown on one row as a repeating item. -When `oneitemperrow` is specified, each role privilege is output on a separate row/line with the other admin fields. - -In versions prior to 6.07.01, specification of both `user ` -and `role ` generated no output due to an undocumented API rule that disallows both. - -## Copy roles from one administrator to another -Get roles for current admin. -``` -gam redirect csv ./CurrentAdminRoles.csv print admins user currentadmin@domain.com -``` -Add roles to new admin. -``` -gam config csv_input_row_filter "scopeType:regex:CUSTOMER" redirect stdout ./UpdateNewAdminCustomerRoles.txt multiprocess redirect stderr stdout csv CurrentAdminRoles.csv gam create admin newadmin@domain.com "id:~~roleId~~" customer -gam config csv_input_row_filter "scopeType:regex:ORG_UNIT" redirect stdout ./UpdateNewAdminOrgUnitRoles.txt multiprocess redirect stderr stdout csv CurrentAdminRoles.csv gam create admin newadmin@domain.com "id:~~roleId~~" org_unit "id:~~orgUnitId~~" -``` - 
diff --git a/docs/Alert-Center.md b/docs/Alert-Center.md
deleted file mode 100644
index 1469dd689..000000000
--- a/docs/Alert-Center.md
+++ /dev/null
@@ -1,94 +0,0 @@ -# Alert Center -- [API documentation](#api-documentation) -- [Definitions](#definitions) -- [Introduction](#introduction) -- [Manage alerts](#manage-alerts) -- [Display alerts](#display-alerts) -- [Manage alert feedback](#manage-alert-feedback) -- [Display alert feedback](#display-alert-feedback) - -## API documentation -* https://developers.google.com/admin-sdk/alertcenter/reference/rest/ -* https://developers.google.com/admin-sdk/alertcenter/guides/query-filters -* https://developers.google.com/admin-sdk/alertcenter/reference/filter-fields - -## Definitions -``` - ::= - ::= See: https://developers.google.com/admin-sdk/alertcenter/guides/query-filters -``` -## Introduction -For an introduction, start here: https://support.google.com/a/answer/9105393 - -This API is in beta, most things seem to work although the filter queries don't all work, in particular those that -select alertId and feedbackId. - -To use these commands you must update your gam project and service account authorization. -``` -gam update project -gam user user@domain.com check serviceaccount -``` -## Manage alerts -``` -gam delete alert -gam undelete alert -``` -## Display alerts -``` -gam info alert [formatjson] -gam show alerts [filter ] [orderby createtime [ascending|descending]] - [formatjson] -``` -By default, Gam displays the information as an indented list of keys and values. -* `formatjson` - Display the fields in JSON format. -``` -gam print alerts [todrive *] [filter ] [orderby createtime [ascending|descending]] - [formatjson [quotechar ]] -``` -By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format, -* `formatjson` - Display the fields in JSON format. - -By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain -the quote character itself, the column delimiter (comma by default) and new-line characters. 
Any quote characters within the column are doubled. -When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output. -The `quotechar ` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output. -`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used. - -### Eliminate unwanted fields -You can use [CSV Print Filtering](CSV-Print-Filtering) to reduce the amount of output. -This command will drop all of the data.messages columns. -``` -gam config csv_output_header_drop_filter "^data.messages" redirect csv alerts.csv print alerts -``` - -## Manage alert feedback -``` -gam create alertfeedback not_useful|somewhat_useful|very_useful -``` -## Display alert feedback -``` -gam show alertfeedback [alert ] [filter ] [orderby createtime [ascending|descending]] - [formatjson] -``` -By default, Gam displays feedback for all alerts. -* `alert ` - Display feedback for the selected alert -* `filter ` - Display feebback for the filtered alerts - -By default, Gam displays the information as an indented list of keys and values. -* `formatjson` - Display the fields in JSON format. -``` -gam print alertfeedback [todrive *] [alert ] [filter ] [orderby createtime [ascending|descending]] - [formatjson [quotechar ]] -``` -By default, Gam displays feedback for all alerts. -* `alert ` - Display feedback for the selected alert -* `filter ` - Display feebback for the filtered alerts - -By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format, -* `formatjson` - Display the fields in JSON format. - -By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain -the quote character itself, the column delimiter (comma by default) and new-line characters. 
Any quote characters within the column are doubled. -When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output. -The `quotechar ` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output. -`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
diff --git a/docs/Aliases.md b/docs/Aliases.md
deleted file mode 100644
index d919f1007..000000000
--- a/docs/Aliases.md
+++ /dev/null
@@ -1,194 +0,0 @@ -# Aliases -- [API documentation](#api-documentation) -- [Query documentation](#query-documentation) -- [Python Regular Expressions](Python-Regular-Expressions) Match function -- [Definitions](#definitions) -- [Create an alias for a target](#create-an-alias-for-a-target) -- [Update an alias to point to a new target](#update-an-alias-to-point-to-a-new-target) -- [Delete an alias regardless of the target](#delete-an-alias-regardless-of-the-target) -- [Remove aliases from a specified target](#remove-aliases-from-a-specified-target) -- [Delete all of a user's aliases](#delete-all-of-a-users-aliases) -- [Display aliases](#display-aliases) -- [Bulk delete aliases](#bulk-delete-aliases) -- [Bulk reassign aliases](#bulk-reassign-aliases) -- [Determine if an address is a user, user alias, group or group alias](#determine-if-an-address-is-a-user-user-alias-group-or-group-alias) - -## API documentation -* https://developers.google.com/admin-sdk/directory/reference/rest/v1/users.aliases -* https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups.aliases - -## Query documentation -* https://developers.google.com/admin-sdk/directory/v1/guides/search-users - -## Definitions -See [Collections of Items](Collections-of-Items) -``` - ::= (.)+ - ::= "(,)*" - ::= - | | - ::= @ - ::= "(,)*" - ::= | | | - See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items - ::= id: -``` -## Create an alias for a target -``` -gam create alias|aliases user|group|target | - [verifynotinvitable] -``` -`` are the aliases, `` is the target. - -The `verifynotinvitable` option causes GAM to verify that the alias email address being created is not that of an unmanaged account; -if it is, the command is not performed. - -### Example - -To allow Robert to also receive mail as Bob: - -``` -gam create alias bob[@yourdomain.com] user robert[@yourdomain.com] -``` - -## Update an alias to point to a new target -The existing alias is deleted and a new alias is created. 
-``` -gam update alias|aliases user|group|target | - [notargetverify] [waitafterdelete ] -``` -`` are the aliases, `` is the target. - -By default, GAM makes additional API calls to verify that the target email address exists before updating the alias; -if you know that the target exists, you can suppress the verification with `notargetverify. - -GAM updates an alias to point to a new target by deleting the alias and then recreates the alias pointing to the new target. -Unfortunately, if these commands are executed back-to-back; Google generates the `Update Failed: Duplicate` error. -Now, GAM waits 2 seconds between the delete and the insert which seems to eliminate the problem. If the problem persists, -use the option `waitafterdelete ` to increase the wait time to a maximum of 10 seconds. - -## Delete an alias regardless of the target -``` -gam delete alias|aliases [user|group|target] -``` -`` are the aliases. - -## Remove aliases from a specified target -``` -gam remove alias|aliases user|group -``` -`` is the target, `` are the aliases. - -## Delete all of a user's aliases -``` -gam delete aliases -``` - -## Display aliases -Display a specific alias. -``` -gam info alias|aliases -``` - -Display selected aliases. -``` -gam print aliases [todrive *] - ([domain|domains ] [(query )|(queries )] - [limittoou ]) - [user|users ] [group|groups ] - [select ] - [aliasmatchpattern ] - [shownoneditable] [nogroups] [nousers] - [onerowpertarget] [delimiter ] - [suppressnoaliasrows] - (addcsvdata )* -``` -By default, group and user aliases in all domains in the account are selected; these options allow selection of subsets of aliases: -* `domain|domains ` - Limit aliases to those in the domains specified by `` - * You can predefine this list with the `print_agu_domains` variable in `gam.cfg`. 
-* `(query )|(queries )` - Print aliases for users/groups that match a query; each query is run against each domain -* `limittoou ` - Print aliases for users in the specified `` -* `user|users ` - Print aliases for users in `` - Print aliases for users in `` -* `group|groups ` - Print aliases for groups in `` - Print aliases that match a pattern -* `nogroups` - Print only user aliases -* `nousers` - Print only group aliases - -By default, the CSV output has three columns: `Alias,Target,TargetType`; if a target -has multiple aliases, there will be multiple rows, one per alias. - -Use `shownoneditable` to list non-editable alias email addresses; these are typically outside of the account's primary domain or subdomains. -This adds the column `NonEditableAlias`. - -Specifying `onerowpertarget` changes the three columns to: `Target,TargetType,Aliases`; all aliases for the target are listed in the -`Aliases` column. If `shownoneditable` is specified, there will be a fourth column `NonEditableAliases` with a list of non-editable aliases. - -By default, the aliases in a list are separated by the `csv_output_field_delimiter' from `gam.cfg`. -* `delimiter ` - Separate aliases in a list with `` - -Specifying both `onerowpertarget` and `suppressnoaliasrows` causes GAM to not display any targets that have no aliases. - -Add additional columns of data from the command line to the output -* `addcsvdata ` - -When multiple domains are specified and a query/queries are specified, an API call is made for each domain/query combination. -``` -$ gam print aliases domains school.org,students.school.org queries "'email:admin*','email:test*'" -Getting all Users that match query (domain=school.org, query="email:admin*"), may take some time on a large Google Workspace Account... -Got 3 Users: admin@school.org - admindirector@school.org -Getting all Users that match query (domain=school.org, query="email:test*"), may take some time on a large Google Workspace Account... 
-Got 20 Users: testusera@school.org - testuserx@school.org -Getting all Users that match query (domain=students.school.org, query="email:admin*"), may take some time on a large Google Workspace Account... -Got 1 User: admin@students.school.org - admin@students.school.org -Getting all Users that match query (domain=students.school.org, query="email:test*"), may take some time on a large Google Workspace Account... -Got 1 User: testuser1@students.school.org - testuser1@students.school.org -Alias,Target,TargetType -... -``` - -## Bulk delete aliases -You can bulk delete aliases as follows; use `(query )|(queries )` and -`aliasmatchpattern ` as desired. -``` -gam redirect csv ./OldDomainAliases.csv print aliases aliasmatchpattern ".*@olddomain.com" onerowpertarget suppressnoaliasrows -gam redirect stdout ./DeleteAliases.txt multiprocess redirect stderr stdout csv ./OldDomainAliases.csv gam remove aliases "~Target" "~TargetType" "~Aliases" -``` - -## Bulk reassign aliases -You can bulk reassign aliases as follows. Make a CSV file ReassignAliases.csv with two columns: OldTarget,NewTarget. -From this CSV file, all of the aliases for the users in the OldTarget column will be listed with an additional column showing the NewTarget. -``` -gam redirect stdout ./GetAliases.txt multiprocess redirect stderr stdout redirect csv ./ReassignAliases.csv gam print aliases user "~OldTarget" addcsvdata NewTarget "~NewTarget" -``` -If an OldTarget's aliases are to be reassigned to more than the one NewTarget, edit ReassignAliases.csv and make changes as required. 
-```
-gam redirect stdout ./ReassignAliases.txt multiprocess redirect stderr stdout csv ReassignAliases.csv gam update alias "~Alias" user "~NewTarget"
-```
-
-## Determine if an address is a user, user alias, group or group alias
-```
-gam whatis [noinfo] [noinvitablecheck]
-```
-The first line of output is: `: `
-
-There is additional output based on ``:
-* User - `gam info user `
-* Group - `gam info group `
-* User Alias - `gam info alias `
-* Group Alias - `gam info alias `
-* User Invitation - `gam info userinvitation `
-
-The `noinfo` argument suppresses the additional output.
-
-The `noinvitablecheck` argument suppresses the user invitation check
-to avoid exceeding quota limits when checking a large number of addresses.
-
-The return code is set based on ``:
-* User - 20
-* User Alias - 21
-* Group - 22
-* Group Alias - 23
-* User Invitation - 24
-* Unknown - 59
-
diff --git a/docs/Authorization.md b/docs/Authorization.md
deleted file mode 100644
index 831c694d7..000000000
--- a/docs/Authorization.md
+++ /dev/null
@@ -1,1217 +0,0 @@
-# Authorization
-- [Introduction](#introduction)
-- [Headless computers and Cloud Shells](#headless-computers-and-cloud-shells)
-- [API documentation](#api-documentation)
-- [Python Regular Expressions](Python-Regular-Expressions)
-- [Definitions](#definitions)
-- [Manage Projects](#manage-projects)
- - [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
- - [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
- - [Authorize GAM to create projects](#authorize-gam-to-create-projects)
- - [Create a new GCP project folder](#create-a-new-gcp-project-folder)
- - [Create a new project for GAM authorization](#create-a-new-project-for-gam-authorization)
- - [Use an existing project for GAM authorization](#use-an-existing-project-for-gam-authorization)
- - [Update an existing project for GAM authorization](#update-an-existing-project-for-gam-authorization)
- - [Delete an existing project for GAM authorization](#delete-an-existing-project-for-gam-authorization)
- - [Display projects](#display-projects)
-- [Manage Client credentials](#manage-client-credentials)
- - [Create Client credentials](#create-client-credentials)
- - [Refresh Client credentials](#refresh-client-credentials)
- - [Update Client credentials](#update-client-credentials)
- - [Delete Client credentials](#delete-client-credentials)
- - [Verify Client credentials](#verify-client-credentials)
- - [Export Client credentials](#export-client-credentials)
-- [Manage Service Accounts](#manage-service-accounts)
- - [Add Service Accounts to projects](#add-service-accounts-to-projects)
- - [Delete Service Accounts from projects](#delete-service-accounts-from-projects)
- - [Display Service Accounts for projects](#display-service-accounts-for-projects)
-- [Manage Service Account keys](#manage-service-account-keys)
- - [Create a new Service Account key](#create-a-new-service-account-key)
- - [Update an existing Service Account 
key](#update-an-existing-service-account-key)
- - [Replace all existing Service Account keys](#replace-all-existing-service-account-keys)
- - [Delete Service Account keys](#delete-service-account-keys)
- - [Upload a Service Account key to a service account with no keys](#upload-a-service-account-key-to-a-service-account-with-no-keys)
- - [Display Service Account keys](#display-service-account-keys)
-- [Manage Service Account access](#manage-service-account-access)
- - [Full Service Account access](#full-service-account-access)
- - [Selective Service Account access](#selective-service-account-access)
-- [Configure Limited access](#configure-limited-access)
- - [Limited Client access](#limited-client-access)
- - [No Client access](#no-client-access)
- - [Limited Service Account access](#limited-service-account-access)
- - [todrive Service Account access](#todrive-service-account-access)
- - [No Service Account access possible](#no-service-account-access-possible)
- - [Test Client and Service Account access on your computer](#test-client-and-service-account-access-on-your-computer)
- - [Install GAM on the limited users computer](#install-gam-on-the-limited-users-computer)
- - [Test Client and Service Account access on the non-administrator computer](#test-client-and-service-account-access-on-the-non-administrator-computer)
- - [Unselect limited section on your computer.](#unselect-limited-section-on-your-computer)
-
-## Introduction
-GAM requires authorization to perform tasks on your domain; the tasks break down into two categories:
-* Client - Manipulate objects in the domain; the Client acts on its own behalf to perform the tasks. Examples: add a user, update a group, delete a class, share a printer.
-* Service Account - Manipulate objects that belong to users; the Service Account acts on behalf of the user to perform the tasks. Examples: view user files, calendars.
-
-You create projects that define these authorizations.
- -Verify the following steps: -* See https://support.google.com/a/answer/9197205?hl=en -* Access the admin console and go to Apps -> Additional Google Services -* Look for the service "Google Cloud Platform", click it -* Expand "Service status" -* Select the OU in the left that contains the super admin you'll be using -* Make sure that "Service status" is ON -* If groups are used to authenticate access, make sure the super admin is in one of the groups -* Collapse "Service status" -* Expand "Cloud Resource Manager API settings" -* Make sure that "Allow users to create projects" is checked - -Verify that all scopes are available: -* Access the admin console and go to Apps -> Additional Google Services -* If this line is present: `Access to additional services without individual control for all organizational units is turned Off` -* Click "CHANGE" -* Select "ON for everyone" -* Click "SAVE" - -Verify that internal apps are trusted. -* Access the admin console and go to Security -> Access and data control -> API Controls -* Check that "Trust internal, domain-owned apps" is present in the **Settings** section -* Click "SAVE" - -If you run a Google Workspace Education SKU, verify that Classroom API is enabled if required. -* Access the admin console and go to Apps -> Google Workspace - Classroom -* Expand "Data access" -* Check "Users can authorize apps to access their Google Classroom data." -* Click "SAVE" - -If you run a Google Workspace Education SKU, verify that the super admin you'll be using is in an OU where "All users are 18 or older". -* Access the admin console and go to Accounts -> Account settings -* Expand "Age based access settings" -* Select the OU containing the super admin -* Choose "All users are 18 or older" -* Click "SAVE" - -Based on your domain policies, you may have to mark GAM as a trusted app. These steps are performed after a project is created. 
-* Access the admin console and go to Security -> Access and data control -> API controls
-* Check Trust internal, domain-owned apps
-* Click **Manage third-party app access**
-* Click Add app and select **OAuth App Name Or Client ID**
-* Paste client_id value from client_secrets.json
-* Click Search
-* Click Select at right end of line referencing GAM
-* Check box to the left of the line with GAM client ID
-* Click Select
-* Keep the default scope domain.com (all users) or select an org unit that includes your GAM admin
-* Click Next/Continue
-* Click Trusted: App can request access to all Google data
-* Click Next/Continue
-* Click Finish
-
-Verify whether the super admin you'll be using is in an OU where reauthentication is required.
-* Access the admin console and go to Security -> Overview
-* Scroll down and open Google Cloud session control section
-* Select the OU containing the super admin
-* If Require reauthentication is selected and Exempt Trusted apps is not checked, you'll have to do `gam oauth create` at whatever frequency is specified
-* If that sounds unappealing, check Exempt Trusted apps
-* Click "OVERRIDE"
-* Follow the steps below to mark GAM as a trusted app
-
-Additional steps may be required if errors are encountered.
-* [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
-* [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
-* [Authorize GAM to create projects](#authorize-gam-to-create-projects)
-
-## Headless computers and Cloud Shells
-With many thanks to Jay, `gam oauth create` now uses a new client access authentication flow
-as required by Google for headless computers/cloud shells; this is required as of February 28, 2022.
-* See: https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html - * OAuth out-of-band (oob) flow will be deprecated - -## API documentation -* https://cloud.google.com/resource-manager/docs/creating-managing-organization#adding_an_organization_administrator -* https://cloud.google.com/service-usage/docs/reference/rest -* https://cloud.google.com/resource-manager/reference/rest/v3/projects/create -* https://cloud.google.com/resource-manager/reference/rest/v3/projects/list -* https://cloud.google.com/resource-manager/reference/rest/v3/projects/getIamPolicy -* https://cloud.google.com/iam/docs/understanding-service-accounts -* https://developers.google.com/identity/protocols/oauth2 -* https://developers.google.com/identity/protocols/googlescopes -* https://developers.google.com/admin-sdk/directory/v1/guides/delegation -* https://support.google.com/a/answer/7281227?hl=en#zippy=%2Cmanage-access-to-apps-trusted-limited-or-blocked - -## Definitions -``` - ::= - ::= "(,)*" - ::= - Must match this Python Regular Expression: [a-z][a-z0-9-]{4,28}[a-z0-9] - ::= "(,)*" - ::= - current | gam | | (filter ) | - (select | | ) - See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items - ::= - Must match this Python Regular Expression: [a-zA-Z0-9 '"!-]{4,30} - ::= - Must match this Python Regular Expression: [a-z][a-z0-9-]{4,28}[a-z0-9] - ::= - Maximum of 100 characters - ::= - Maximum of 256 characters - ::= @.iam.gserviceaccount.com - ::= - ::= -``` -## Manage Projects -In all of the project commands, the Google Workspace admin/GCP project manager `` can be omitted; you will be prompted for a value. -You must enter a full address, i.e., user@domain.com; you will be required to authenticate. - -For `print|show projects`, you can eliminate the password prompt and authentication requirement by specifying the super admin emailaddress used in `gam oauth create`. 
-``` -gam print projects admin admin@domain.com -``` - -## Authorize a super admin to create projects -If you try to create a project and get an error saying that the admin you specified is not authorized to create projects, -perform these steps and then retry the create project command. - -* Login as an existing super admin at console.cloud.google.com -* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin -* Under IAM & Admin select IAM -* Click the down arrow in the box to the right of Google Cloud -* Click the three dots at the right and select IAM/Permissions -* Now you should be at "Permissions for organization ..." -* Click on Grant Access -* Enter the new admin address in Principals -* Click in the Select a role box -* Type project creator in the Filter box -* Click Project Creator -* Click + Add Another Role -* Type organization policy administrator in the Filter box -* Click Orgainzation Policy Administrator -* Click Save - -## Authorize Service Account Key Uploads - -If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload violated for service account projects/gam-project-xxxxx`, -perform these steps and then you should be able to authorize and use your project. - -* Login as an existing super admin at console.cloud.google.com -* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin -* Under IAM & Admin select IAM -* Click the down arrow in the box to the right of Google Cloud -* Click the three dots at the right and select IAM/Permissions -* Now you should be at "Permissions for organization ..." 
-* Click on Grant Access -* Enter the new admin address in Principals -* Click in the Select a role box -* Type organization policy administrator in the Filter box -* Click Organization Policy Administrator -* Click Save -* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin -* Under IAM & Admin select IAM -* Click the down arrow in the box to the right of Google Cloud -* Click the three dots at the right and select Manage Resources -* Click the three dots at the end of the line for the GAM project just created -* Click Settings -* Click Organization Policies in the left column -* Now you should be at "Policies for Gam Project" -* Click in the Filter box -* Enter iam.disableServiceAccountKeyUpload -* Click the three dots at the end of the Disable Service Account Key Upload -* Choose Edit policy -* Click Override parent's policy -* Click Add A Rule -* Select Enforcement/Off -* Click Done -* Click Set Policy - -Wait a couple of minutes for the policy updates to complete and then do the following to upload the service account key: -``` -gam upload sakey [admin ] -``` - -## Authorize GAM to create projects -If you try to create a project and get an error saying "This app has been blocked on your domain for either being -insecure or non-edutational"; you'll have to mark the GAM Project Creation app as trusted. -Perform these steps and then retry the create project command. 
- -* Access the admin console and go to Security -> Access and data control -> API controls -* Click **Manage third-party app access** -* Click Add app and select **OAuth App Name Or Client ID** -* Paste 297408095146-fug707qsjv4ikron0hugpevbrjhkmsk7.apps.googleusercontent.com -* Click Search -* Click Select at right end of line referencing GAM Project Creation -* Check box to the left of the line with GAM Project Creation client ID -* Click Select -* Keep the default scope domain.com (all users) or select an org unit that includes your GAM admin -* Click Next/Continue -* Click Trusted: App can request access to all Google data -* Click Next/Continue -* Click Finish/Confirm - -## Create a new GCP project folder -This folder can be used in a subsequent `gam create project parent ` command. -``` -gam create gcpfolder -gam create gcpfolder [admin -``` - -## Create a new project for GAM authorization -Create a new project to create and download two files: `client_secrets.json` for the Client and `oauth2service.json` for the Service Account. -On-screen instructions lead you through the process. - -An existing project, `GAM Project Creation`, is used to create your GAM project. The initial instructions tell you how to -enable this project as a trusted app as your workspace may not allow untrusted third-party apps. -This is recommended but not mandatory unless your workspace has "Google Cloud" service restricted: -* https://support.google.com/a/answer/7281227?hl=en#zippy=%2Crestrict-or-unrestrict-google-services - -If it is restricted and you complete this step it may take an hour or so to take full affect and allow you to approve GAM project creation. - -The final instructions tell you how to enable your new GAM project as a trusted app as your workspace may not allow untrusted third-party apps. -You can skip these steps if you know that untrusted third-party apps are allowed. 
- -### Default values -* `` - "GAM" -* `` - "gam-project-a1b2c" where "a1b2c" are randomly generated -* `` - "GAM Project" -* `` - `` -* `` - `` -* `` - `` - -### Basic -Create a project with default values for the project and service account. -``` -gam create project [] [] -``` -* `` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address -* `` - A new Google project ID; if omitted, a default value will be used - -### Advanced -Create a project with user-specified values for the project and service account. -``` -gam create project [admin ] [project ] - [appname ] [supportemail ] - [projectname ] [parent ] - [saname ] [sadisplayname ] - [sadescription ] - [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)| - (localkeysize 1024|2048|4096 [validityhours ])| - (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber )| - nokey} -``` -* `admin ` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address -* `appname ` - Application name, defaults to `GAM` -* `supportemail ` - Administrator to contact about GAM authentication, defaults to `admin ` -* `project ` - A new Google project ID; if omitted, a default value will be used -* `projectname ` - Google project name, defaults to "GAM Project" -* `parent ` - A Resource Manager folder name -* `saname ` - Service account name; combined with `` to form `` -* `sadisplayname ` - Service account display name -* `sadescription ` - Service account description - -You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`: [Manage Service Account keys](#manage-service-account-keys) - -Use `nokey` if you do not want a service account key created for the project. - -## Use an existing project for GAM authorization -Use an existing project to create and download two files: `client_secrets.json` for the Client and `oauth2service.json` for the Service Account. 
- -### Default values -* `` - `` -* `` - `` -* `` - `` - -### Basic -Use an existing uninitialized/uncredentialed project and configure it to be a GAM project; this typically used when -the GCP administrators have created a basic project because project creation is not available for most users. - -See Jay's notes about how to do this: https://github.com/GAM-team/GAM/wiki/GAM-with--minimal-GCP-rights - -``` -gam use project [] [project ] -``` -* `` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address -* `` - An existing Google project ID; if omitted, you will be prompted for the ID - -### Advanced -Use an existing project with user-specified values for the service account. If the project is already -a GAM project you must use `saname ` as the existing service account information -can not be re-downloaded. -``` -gam use project [admin ] [project ] - [saname ] [sadisplayname ] - [sadescription ] - [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)| - (localkeysize 1024|2048|4096 [validityhours ])| - (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber )] -``` -* `admin ` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address -* `project ` - An existing Google project ID; if omitted, you will be prompted for the ID -* `saname ` - Service account name; combined with `` to form `` -* `sadisplayname ` - Service account display name -* `sadescription ` - Service account description - -You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`: [Manage Service Account keys](#manage-service-account-keys) - -## Update an existing project for GAM authorization -This command is used when GAM has added new capabilities that require additional APIs to be added to your project. 
-``` -gam update project [[admin] ] [] -``` -* `` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address - -Use these options to select projects. -* `current` - The project referenced in `client_secrets.json`; this is the default -* `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-` -* `` - A Google API project ID -* `filter ` - A filter to select projects accessible by the administrator; see the API documentation - -## Delete an existing project for GAM authorization -``` -gam delete project [[admin] ] [] -``` -* `` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address - -Use these options to select projects. -* `current` - The project referenced in `client_secrets.json`; this is the default -* `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-` -* `` - A Google API project ID -* `filter ` - A filter to select projects accessible by the administrator; see the API documentation - -## Display projects -Display the current Project ID. -``` -gam info currentprojectid -``` - -Display Google API projects as an indented list of keys and values. -``` -gam show projects [[admin] ] [all|] - [states all|active|deleterequested] [showiampolicies 0|1|3] -``` -* `` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address - -Use these options to select projects. 
-* `all` - All projects accessible by the administrator; this is the default -* `current` - The project referenced in `client_secrets.json` -* `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-` -* `` - A Google API project ID -* `filter ` - A filter to select projects accessible by the administrator; see the API documentation -* `states all|active|deleterequested` - Limit display to projects based on state; the default is `active` - -Use the `showiampolicies 0|1|3` option to display IAM policy information for the project. - -Display Google API projects as columns of fields. -``` -gam print projects [[admin] ] [all|] [todrive *] - [states all|active|deleterequested] [showiampolicies 0|1|3 [onememberperrow]] - [delimiter ]] [[formatjson [quotechar ]] -``` -* `` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address - -Use these options to select projects. -* `all` - All projects accessible by the administrator; this is the default -* `current` - The project referenced in `client_secrets.json` -* `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-` -* `` - A Google API project ID -* `filter ` - A filter to select projects accessible by the administrator; see the API documentation -* `states all|active|deleterequested` - Limit display to projects based on state; the default is `active` - -Use the `showiampolicies 0|1|3` option to display IAM policy information for the project. Each role in the policy will be displayed on -a separate row; by default, all members will be shown on that row. By default, the members are separated by -the `csv_output_field_delimiter` from `gam.cfg`. -* `delimiter ` - Separate list items with `` - -Use the `onememberperrow` option to show separate rows for each role/member combination. 
- -By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format, -* `formatjson` - Display the fields in JSON format. - -By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain -the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled. -When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output. -The `quotechar ` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output. -`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used. - -## Manage Client credentials - -## Create Client credentials -``` -gam oauth|oauth2 create|request [] -gam oauth|oauth2 create|request [admin ] [scopes ] -``` -* `` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address -* `scopes ` - A set of specific scopes; if omitted, you will be prompted to select your desired scopes. - -You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and -writes the credentials into the file oauth2.txt. 
- -``` -gam oauth create - -[*] 0) Calendar API (supports readonly) -[*] 1) Chrome Browser Cloud Management API (supports readonly) -[*] 2) Chrome Management API - AppDetails read only -[*] 3) Chrome Management API - Telemetry read only -[*] 4) Chrome Management API - read only -[*] 5) Chrome Policy API (supports readonly) -[*] 6) Chrome Printer Management API (supports readonly) -[*] 7) Chrome Version History API -[*] 8) Classroom API - Course Announcements (supports readonly) -[*] 9) Classroom API - Course Topics (supports readonly) -[*] 10) Classroom API - Course Work/Materials (supports readonly) -[*] 11) Classroom API - Course Work/Submissions (supports readonly) -[*] 12) Classroom API - Courses (supports readonly) -[*] 13) Classroom API - Profile Emails -[*] 14) Classroom API - Profile Photos -[*] 15) Classroom API - Rosters (supports readonly) -[*] 16) Classroom API - Student Guardians (supports readonly) -[ ] 17) Cloud Channel API (supports readonly) -[*] 18) Cloud Identity - Inbound SSO Settings (supports readonly) -[*] 19) Cloud Identity Groups API (supports readonly) -[*] 20) Cloud Identity OrgUnits API (supports readonly) -[*] 21) Cloud Identity User Invitations API (supports readonly) -[ ] 22) Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage) -[ ] 23) Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage) -[*] 24) Contact Delegation API (supports readonly) -[*] 25) Contacts API - Domain Shared Contacts and GAL -[*] 26) Data Transfer API (supports readonly) -[*] 27) Directory API - Chrome OS Devices (supports readonly) -[*] 28) Directory API - Customers (supports readonly) -[*] 29) Directory API - Domains (supports readonly) -[*] 30) Directory API - Groups (supports readonly) -[*] 31) Directory API - Mobile Devices Directory (supports readonly and action) -[*] 32) Directory API - Organizational Units (supports readonly) -[*] 33) Directory API - Resource Calendars (supports readonly) -[*] 34) Directory API - Roles 
(supports readonly) -[*] 35) Directory API - User Schemas (supports readonly) -[*] 36) Directory API - User Security -[*] 37) Directory API - Users (supports readonly) -[ ] 38) Email Audit API -[*] 39) Groups Migration API -[*] 40) Groups Settings API -[*] 41) License Manager API -[*] 42) People API (supports readonly) -[*] 43) People Directory API - read only -[ ] 44) Pub / Sub API -[*] 45) Reports API - Audit Reports -[*] 46) Reports API - Usage Reports -[ ] 47) Reseller API -[*] 48) Site Verification API -[ ] 49) Sites API -[*] 50) Vault API (supports readonly) - -Select an unselected scope [ ] by entering a number; yields [*] -For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R] -For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A] -Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*] -Unselect a selected scope [*] by entering a number; yields [ ] -Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others -Unselect all scopes by entering a 'u'; yields [ ] for all scopes -Exit without changes/authorization by entering an 'e' -Continue to authorization by entering a 'c' - Note, if all scopes are selected, Google will probably generate an authorization error - -Please enter 0-50[a|r] or s|u|e|c: c - -Enter your Google Workspace admin email address? admin@domain.com - -Go to the following link in a browser on this computer or on another computer: - - https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=... 
- -If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you -click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required): - -Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required): - -The authentication flow has completed. -Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created -``` - -## Update Client credentials -``` -gam oauth update [] -gam oauth update [admin ] -``` -* `` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address - -Read API scopes from any version of `oauth2.txt` and select a list of APIs; GAM uses a browser to get final authorization from Google for these APIs and -writes the credentials into the file `oauth2.txt`. - -``` -gam oauth update - -[*] 0) Calendar API (supports readonly) -[*] 1) Chrome Browser Cloud Management API (supports readonly) -[*] 2) Chrome Management API - AppDetails read only -[*] 3) Chrome Management API - Telemetry read only -[*] 4) Chrome Management API - read only -[*] 5) Chrome Policy API (supports readonly) -[*] 6) Chrome Printer Management API (supports readonly) -[*] 7) Chrome Version History API -[*] 8) Classroom API - Course Announcements (supports readonly) -[*] 9) Classroom API - Course Topics (supports readonly) -[*] 10) Classroom API - Course Work/Materials (supports readonly) -[*] 11) Classroom API - Course Work/Submissions (supports readonly) -[*] 12) Classroom API - Courses (supports readonly) -[*] 13) Classroom API - Profile Emails -[*] 14) Classroom API - Profile Photos -[*] 15) Classroom API - Rosters (supports readonly) -[*] 16) Classroom API - Student Guardians (supports readonly) -[ ] 17) Cloud Channel API (supports readonly) -[*] 18) Cloud Identity - Inbound SSO Settings (supports readonly) -[*] 19) Cloud Identity Groups API (supports readonly) -[*] 20) Cloud Identity OrgUnits API 
(supports readonly) -[*] 21) Cloud Identity User Invitations API (supports readonly) -[ ] 22) Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage) -[ ] 23) Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage) -[*] 24) Contact Delegation API (supports readonly) -[*] 25) Contacts API - Domain Shared Contacts and GAL -[*] 26) Data Transfer API (supports readonly) -[*] 27) Directory API - Chrome OS Devices (supports readonly) -[*] 28) Directory API - Customers (supports readonly) -[*] 29) Directory API - Domains (supports readonly) -[*] 30) Directory API - Groups (supports readonly) -[*] 31) Directory API - Mobile Devices Directory (supports readonly and action) -[*] 32) Directory API - Organizational Units (supports readonly) -[*] 33) Directory API - Resource Calendars (supports readonly) -[*] 34) Directory API - Roles (supports readonly) -[*] 35) Directory API - User Schemas (supports readonly) -[*] 36) Directory API - User Security -[*] 37) Directory API - Users (supports readonly) -[ ] 38) Email Audit API -[*] 39) Groups Migration API -[*] 40) Groups Settings API -[*] 41) License Manager API -[*] 42) People API (supports readonly) -[*] 43) People Directory API - read only -[ ] 44) Pub / Sub API -[*] 45) Reports API - Audit Reports -[*] 46) Reports API - Usage Reports -[ ] 47) Reseller API -[*] 48) Site Verification API -[ ] 49) Sites API -[*] 50) Vault API (supports readonly) - -Select an unselected scope [ ] by entering a number; yields [*] -For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R] -For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A] -Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*] -Unselect a selected scope [*] by entering a number; yields [ ] -Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others -Unselect all scopes by entering a 'u'; 
yields [ ] for all scopes -Exit without changes/authorization by entering an 'e' -Continue to authorization by entering a 'c' - Note, if all scopes are selected, Google will probably generate an authorization error - -Please enter 0-50[a|r] or s|u|e|c: c - -Enter your Google Workspace admin email address? admin@domain.com - -Go to the following link in a browser on this computer or on another computer: - - https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=... - -If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you -click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required): - -Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required): - -The authentication flow has completed. -Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created -``` - -If you have multiple sections in `gam.cfg` that reference different `oauth2.txt` files, perform an update on each section: -``` -gam select aaa oauth update -gam select bbb oauth update -... -``` - -## Refresh Client credentials -If necessary, update `oauth2.txt` from versions of GAM before `5.00.00`. - -Refresh the expiration time in `oauth2.txt`. -``` -gam oauth refresh -``` - -If you have multiple sections in `gam.cfg` that reference different `oauth2.txt` files, perform a refresh on each section: -``` -gam select aaa oauth refresh -gam select bbb oauth refresh -... -``` - -## Delete Client credentials -``` -gam oauth|oauth2 delete|revoke -``` -Revoke the credentials in the file `oauth2.txt` and then delete the file. - -## Verify Client credentials -``` - ::= - ::= -gam oauth|oauth2 info|verify [showsecret] [accesstoken idtoken ] [showdetails] -``` -The Client Secret is not shown by default, user `showsecret` to have it displayed. 
- -These options are used for debugging: `accesstoken idtoken showdetails`. - -## Export Client credentials - -Export `oauth2.txt` in JSON form. -``` -gam oauth|oauth2 export [] -``` -For GAM version `5.00.00` and later: -* If `` is omitted, the JSON data is written to `oauth2.txt`. -* If `` is `-`, the JSON data is written to stdout. - -For GAM versions before `5.00.00`: -* If `` is omitted, the JSON data is written to stdout. - -## Manage Service Accounts -In all of the service account commands, the Google Workspace admin/GCP project manager `` can be omitted; you will be prompted for a value. -You must enter a full address, i.e., user@domain.com; you will be required to enter the password. - -## Add Service Accounts to projects -You can add additional service accounts to a project and assign it specific access APIs. This command -creates a new `oauth2service.json` file; it will not overwrite an existing file so you must rename the existing -file or define a new section in `gam.cfg` that references a different `oauth2service_json` or `config_dir`. - -### Default values -* `` - "gam-svcacct-abc-def-jki" where "abc-def-ghi" are randomly generated -* `` - `` -* `` - `` -``` -gam create|add svcacct [[admin] ] [] - [saname ] [sadisplayname ] - [sadescription ] - [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)| - (localkeysize 1024|2048|4096 [validityhours ])| - (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber )] -``` -* `` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address - -Use these options to select projects. 
-* `current` - The project referenced in `client_secrets.json`; this is the default -* `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-` -* `` - A Google API project ID -* `filter ` - A filter to select projects accessible by the administrator; see the API documentation - -Use these options to select user-specified values.. -* `saname ` - Service account name; combined with `` to form `` -* `sadisplayname ` - Service account display name -* `sadescription ` - Service account description - -You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`: [Manage Service Account keys](#manage-service-account-keys) - -After adding an additional service account, you can select specific access APIs for it. -[Selective Service Account access](#selective-service-account-access) - -## Delete Service Accounts from projects -``` -gam delete svcacct [[admin] ] [] - (saemail )|(saname )|(sauniqueid ) -``` -* `` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address - -Use these options to select projects. -* `current` - The project referenced in `client_secrets.json`; this is the default -* `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-` -* `` - A Google API project ID -* `filter ` - A filter to select projects accessible by the administrator; see the API documentation - -## Display Service Accounts for projects -Display Service Accounts as an indented list of keys and values. -``` -gam show svcaccts [[admin] ] [all|] - [showsakeys all|system|user] -``` -Display Service Accounts as columns of fields. -``` -gam print svcaccts [[admin] ] [all|] - [showsakeys all|system|user] - [todrive *] [formatjson [quotechar ]] -``` -* `` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address - -Use these options to select projects. 
-* `all` - All projects accessible by the administrator; this is the default -* `current` - The project referenced in `client_secrets.json` -* `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-` -* `` - A Google API project ID -* `filter ` - A filter to select projects accessible by the administrator; see the API documentation - -By default, no Service Account key information is displayed, use the following options to display keys. -* `showsakeys all` - Display system and user keys; this is the default when keys are displayed -* `showsakeys system` - Display system keys -* `showsakeys user` - Display user keys - -## Manage Service Account keys -The `oauth2service.json` file contains a private key that is used to authenticate Service Account access. -This private key will be referred to as the `current` private key. - -Each Service Account in a project typically has one private key but it can have multiple keys; this might be the -case if you have several users with Gam access where they will all access the same Service Account but with different keys. -You will distribute different `oauth2service.json` files to each user, each with its own private key. 
- -There are several methods for generating private keys: -* `algorithm KEY_ALG_RSA_1024` - Google generates a 1024 bit key; not recommended -* `algorithm KEY_ALG_RSA_2048` - Google generates a 2048 bit key -* `localkeysize 1024` - Gam generates a 1024 bit key; this is not recommended -* `localkeysize 2048` - Gam generates a 2048 bit key; this is the default -* `localkeysize 4096` - Gam generates a 4096 bit key -* `yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber )]` - [Using GAM7 with a YubiKey](Using-GAM7-with-a-YubiKey) - -When `localkeysize` is specified, the optional argument `validityhours ` sets the length of time during which the key will be valid and should be used when the [GCP constraints/iam.serviceAccountKeyExpiryHours organization policy](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#limit_key_expiry) is in use. Note that in order to account for system clock skew, GAM sets the key to be valid two minutes earlier than the current system time and thus it will also expire two minutes earlier. - -Here are some sample values: -``` - 1 hour - 8 hours - 24 hours ( 1 day) - 168 hours ( 7 days) - 336 hours (14 days) - 720 hours (30 days) -1440 hours (60 days) -2160 hours (90 days) -``` - -## Create a new Service Account key -Create a new Service Account private key; all existing private keys remain valid. -The `oauth2service.json` file is updated with the new private key. - -Keep a good record of where each Service Account key is used as the keys themselves do not record this information. - -The two forms of the command are equivalent; the second form is used by Legacy GAM. 
-``` -gam create sakey - (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)| - (localkeysize 1024|2048|4096 [validityhours ])| - (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber ) -gam rotate sakey retain_existing - (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)| - (localkeysize 1024|2048|4096 [validityhours ])| - (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber ) -``` -To distribute `oauth2service.json` files with unique private keys perform the following steps: -``` -copy oauth2service.json to oauth2service.save -repeat - gam create sakeys retain_existing - distribute updated oauth2service.json file - copy oauth2service.save to oauth2service.json -``` - -## Update an existing Service Account key -Revoke the current Service Account key and replace it with a new private key; all other private keys remain valid. -The `oauth2service.json` file is updated with the new private key. If you had previously distributed -this `oauth2service.json` file to other users, you must redistribute the updated file as the private key -in the distributed copies has been revoked. - -The two forms of the command are equivalent; the second form is used by Legacy GAM. -``` -gam update sakey - (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)| - (localkeysize 1024|2048|4096 [validityhours ])| - (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber ) -gam rotate sakey replace_current - (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)| - (localkeysize 1024|2048|4096 [validityhours ])| - (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber ) -``` -## Replace all existing Service Account keys -Create a new Service Account private key; all existing private keys are revoked. -The `oauth2service.json` file is updated with the new private key. 
If you had previously distributed -any `oauth2service.json` file to other users, you must redistribute the updated file as the private key -in the distributed copies has been revoked. - -This command can be used if your Service Account keys have been compromised; all existing private keys are revoked. - -The two forms of the command are equivalent; the second form is used by Legacy GAM. -``` -gam replace sakeys - (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)| - (localkeysize 1024|2048|4096 [validityhours ])| - (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber ) -gam rotate sakeys retain_none - (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)| - (localkeysize 1024|2048|4096 [validityhours ])| - (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber ) -``` -## Delete Service Account keys -You can delete Service Accounts keys thus revoking access for that key. Generally, you will -delete a service account key for a distributed copy of an `oauth2service.json` file to disable -that user's service account access. - -You can disable your current Service Account key if you specify the `doit` argument. This is your -acknowledgement that you will have to manually create a new Service Account key in the Developer's Console -or upload a new key with the `gam upload sakey` command. -``` -gam delete sakeys + [doit] -``` -## Upload a Service Account key to a service account with no keys -There are two cases where you will use this command: -* Your workspace is configured to disable service account private key uploads and you are creating a project. -* All of your service account keys have been deleted, either manually or with the `gam delete sakeys` command. - -The `oauth2service.json` file is updated with the new private key. If you had previously distributed -any `oauth2service.json` file to other users, you must redistribute the updated file with the new key. 
-``` -gam upload sakey [admin ] - (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)| - (localkeysize 1024|2048|4096 [validityhours ])| - (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber ) -``` -## Display Service Account keys -There are system keys and user keys; user keys are what Gam uses; GCP uses system keys. - -Display Service Account keys as an indented list of keys and values. -``` -gam show sakeys [all|system|user] -``` -* `all` - Display system and user keys; this is the default -* `system` - Display system keys -* `user` - Display user keys - -The private key currently being used in `oauth2service.json` will be marked as `usedToAuthenticateThisRequest: True`. - -## Manage Service Account access - -## Full Service Account access - -Verify that the Service Account credentials have been authorized. If they have not, you will be given instructions -as to how to perform the authorization. -By default, the following scopes are verified: -``` -https://mail.google.com/ -https://sites.google.com/feeds -https://www.googleapis.com/auth/analytics.readonly -https://www.googleapis.com/auth/apps.alerts -https://www.googleapis.com/auth/calendar -https://www.googleapis.com/auth/chat.delete -https://www.googleapis.com/auth/chat.memberships -https://www.googleapis.com/auth/chat.messages -https://www.googleapis.com/auth/chat.spaces -https://www.googleapis.com/auth/classroom.announcements -https://www.googleapis.com/auth/classroom.coursework.students -https://www.googleapis.com/auth/classroom.courseworkmaterials -https://www.googleapis.com/auth/classroom.profile.emails -https://www.googleapis.com/auth/classroom.profile.photos -https://www.googleapis.com/auth/classroom.rosters -https://www.googleapis.com/auth/classroom.topics -https://www.googleapis.com/auth/cloud-identity -https://www.googleapis.com/auth/cloud-platform -https://www.googleapis.com/auth/contacts -https://www.googleapis.com/auth/contacts.other.readonly 
-https://www.googleapis.com/auth/datastudio -https://www.googleapis.com/auth/directory.readonly -https://www.googleapis.com/auth/documents -https://www.googleapis.com/auth/drive -https://www.googleapis.com/auth/drive.activity -https://www.googleapis.com/auth/drive.admin.labels -https://www.googleapis.com/auth/drive.labels -https://www.googleapis.com/auth/gmail.modify -https://www.googleapis.com/auth/gmail.settings.basic -https://www.googleapis.com/auth/gmail.settings.sharing -https://www.googleapis.com/auth/keep -https://www.googleapis.com/auth/spreadsheets -https://www.googleapis.com/auth/tasks -https://www.googleapis.com/auth/userinfo.profile -``` -This scope is verified when `user_service_account_access_only = true` in `gam.cfg`. -``` -https://www.googleapis.com/auth/apps.groups.migration -``` -Verify/enable service account access for the default list of APIs. -The two forms of the command are equivalent. -``` -gam check svcacct (scope|scopes )* -gam check serviceaccount (scope|scopes )* -``` -* `` - Typically `user `, a non-Google Workspace administrator. -* `scopes ` - Verify/enable service account access for a set of specific scopes rather than the default list. - -## Selective Service Account access - -Verify/enable service account access for a selected list of APIs rather than the default list. -The two forms of the command are equivalent. - -If `scopes ` is not specified, you will be prompted to select a list of scopes. -``` -gam update svcacct (scope|scopes )* -gam update serviceaccount (scope|scopes )* -``` -* `` - Typically `user `, a non-Google Workspace administrator. -* `scopes ` - Verify/enable service account access for a set of specific scopes rather than selecting the scopes. 
- -``` -gam user user@domain.com update serviceaccount - -[*] 0) AlertCenter API -[*] 1) Analytics API - read only -[*] 2) Analytics Admin API - read only -[*] 3) Calendar API (supports readonly) -[*] 4) Chat API - Memberships (supports readonly) -[*] 5) Chat API - Messages (supports readonly) -[*] 6) Chat API - Spaces (supports readonly) -[*] 7) Chat API - Spaces Delete -[*] 8) Classroom API - Course Announcements (supports readonly) -[*] 9) Classroom API - Course Topics (supports readonly) -[*] 10) Classroom API - Course Work/Materials (supports readonly) -[*] 11) Classroom API - Course Work/Submissions (supports readonly) -[*] 12) Classroom API - Profile Emails -[*] 13) Classroom API - Profile Photos -[*] 14) Classroom API - Rosters (supports readonly) -[*] 15) Cloud Identity Devices API (supports readonly) -[*] 16) Cloud Resource Manager API v3 -[*] 17) Docs API (supports readonly) -[*] 18) Drive API (supports readonly) -[*] 19) Drive API - todrive -[*] 20) Drive Activity API v2 - must pair with Drive API -[*] 21) Drive Labels API - Admin (supports readonly) -[*] 22) Drive Labels API - User (supports readonly) -[*] 23) Forms API -[*] 24) Gmail API - Basic Settings (Filters,IMAP, Language, POP, Vacation) - read/write, Sharing Settings (Delegates, Forwarding, SendAs) - read -[*] 25) Gmail API - Full Access (Labels, Messages) -[*] 26) Gmail API - Full Access (Labels, Messages) except delete message -[ ] 27) Gmail API - Full Access - read only -[ ] 28) Gmail API - Send Messages - including todrive -[*] 29) Gmail API - Sharing Settings (Delegates, Forwarding, SendAs) - write -[*] 30) Identity and Access Management API -[*] 31) Keep API (supports readonly) -[*] 32) Looker Studio API (supports readonly) -[*] 33) OAuth2 API -[*] 34) People API (supports readonly) -[*] 35) People API - Other Contacts - read only -[*] 36) People Directory API - read only -[*] 37) Sheets API (supports readonly) -[*] 38) Sheets API - todrive -[*] 39) Sites API -[*] 40) Tasks API (supports 
readonly) -[ ] 41) Youtube API - read only - -Select an unselected scope [ ] by entering a number; yields [*] -For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R] -For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A] -Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*] -Unselect a selected scope [*] by entering a number; yields [ ] -Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others -Unselect all scopes by entering a 'u'; yields [ ] for all scopes -Exit without changes/authorization by entering an 'e' -Continue to authorization by entering a 'c' - -Please enter 0-41[a|r] or s|u|e|c: c - -System time status - Your system time differs from admin.googleapis.com by less than 1 second PASS -Service Account Private Key Authentication - Authentication PASS -Service Account Private Key age; Google recommends rotating keys on a routine basis - Service Account Private Key age: 364 days WARN -Domain-wide Delegation authentication:, User: user@domain.com, Scopes: 34 - https://mail.google.com/ PASS (1/34) - https://sites.google.com/feeds PASS (2/34) - https://www.googleapis.com/auth/analytics.readonly PASS (3/34) - https://www.googleapis.com/auth/apps.alerts PASS (4/34) - https://www.googleapis.com/auth/calendar PASS (5/34) - https://www.googleapis.com/auth/chat.delete PASS (6/34) - https://www.googleapis.com/auth/chat.memberships PASS (7/34) - https://www.googleapis.com/auth/chat.messages PASS (8/34) - https://www.googleapis.com/auth/chat.spaces PASS (9/34) - https://www.googleapis.com/auth/classroom.announcements PASS (10/34) - https://www.googleapis.com/auth/classroom.coursework.students PASS (11/34) - https://www.googleapis.com/auth/classroom.courseworkmaterials PASS (12/34) - https://www.googleapis.com/auth/classroom.profile.emails PASS (13/34) - 
https://www.googleapis.com/auth/classroom.profile.photos PASS (14/34) - https://www.googleapis.com/auth/classroom.rosters PASS (15/34) - https://www.googleapis.com/auth/classroom.topics PASS (16/34) - https://www.googleapis.com/auth/cloud-identity PASS (17/34) - https://www.googleapis.com/auth/cloud-platform PASS (18/34) - https://www.googleapis.com/auth/contacts PASS (19/34) - https://www.googleapis.com/auth/contacts.other.readonly PASS (20/34) - https://www.googleapis.com/auth/datastudio PASS (21/34) - https://www.googleapis.com/auth/directory.readonly PASS (22/34) - https://www.googleapis.com/auth/documents PASS (23/34) - https://www.googleapis.com/auth/drive PASS (24/34) - https://www.googleapis.com/auth/drive.activity PASS (25/34) - https://www.googleapis.com/auth/drive.admin.labels FAIL (26/34) - https://www.googleapis.com/auth/drive.labels FAIL (27/34) - https://www.googleapis.com/auth/gmail.modify PASS (28/34) - https://www.googleapis.com/auth/gmail.settings.basic PASS (29/34) - https://www.googleapis.com/auth/gmail.settings.sharing PASS (30/34) - https://www.googleapis.com/auth/keep PASS (31/34) - https://www.googleapis.com/auth/spreadsheets PASS (32/34) - https://www.googleapis.com/auth/tasks PASS (33/34) - https://www.googleapis.com/auth/userinfo.profile PASS (34/34) -Some scopes Failed! -To authorize them, please go to the following link in your browser: - - https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.google.com/,... - -You will be directed to the Google Workspace admin console Security > API Controls > Domain-wide Delegation page -The "Add a new Client ID" box will open -Make sure that "Overwrite existing client ID" is checked -Click AUTHORIZE -When the box closes you're done -After authorizing it may take some time for this test to pass so wait a few moments and then try this command again. -``` - -## Configure Limited access -You can configure GAM to allow users limited access to your domain via GAM. 
-You can limit both client and service account access. -You can repeat these steps if you want to configure multiple limited users; -substitute a unique value for `limited` in each of the steps. - -In the Admin console, define a new Admin role with the desired privileges, -assign it to the limited user and indicate whether it is for all Org Units or a specific Org Unit. - -On your computer, perform these initial steps: - -Make a subdirectory `limited` under the directory specified in `gam.cfg config_dir` - -Create a new section at the end of your `gam.cfg` file. -``` -[limited] -config_dir = limited -``` -Copy `client_secrets.json` to the `limited` subdirectory - -Select the `limited` section -``` -gam select limited save -``` - -## Limited Client access -Perform these steps to allow limited client access: - -Configure `todrive` to allow uploading of files to the limited user's Google Drive. -``` -gam config todrive_user limited@domain.com save -``` -If it is not possible to allow the limited user any service account access (this is not common), -perform the following command so that the user can upload files with `todrive` using client access. -``` -gam config todrive_clientaccess true save -``` - -Authorize the desired client access APIs; this will create `oauth2.txt`. -If it is not possible to allow the limited user any service account access, -login as the limited user; you must have assigned Admin API Privileges to the limited user -in the Admin console under Admin roles, - -If the limited user will have service account access, login as a Google admin. - -``` -gam oauth create -``` - -## No Client access -Perform these steps to allow no client access: - -Configure `todrive` to allow uploading of files to the limited user's Google Drive. -``` -gam config todrive_user limited@domain.com todrive_clientaccess false save -``` - -Configure for service account access only. 
-``` -gam config user_service_account_access_only true save -``` - -Make a `oauth2.txt` file in the `limited` subdirectory with a single line as follows: -``` -{} -``` -This will prevent the limited user from having any client access. - -## Limited Service Account access -Perform these steps: - -Create a a new service account in your project that will be used for the limited user; -this will create `oauth2service.json`. -``` -gam add svcacct saname "gam-limited" sadisplayname "GAM Limited" -``` - -Authorize the desired APIs; this will update `oauth2service.json` with the list of authorized APIs. -Follow the directions to authorize the APIs; remember, you will login to the Admin console as a current -Google administrator. -``` -gam user limited@domain.com update serviceaccount -``` -If you disable a scope that was previously enabled, all of the remaining APIs will pass. -However, you should still go to the Admin console and update the client so that only the APIs -you've enabled are authorized. - -## todrive Service Account access -If the limited user is going to use `todrive`, authorize these APIs: -``` -Drive API - todrive -Gmail API - Send Messages - including todrive -Sheets API - todrive -``` -These APIs are only used to process `todrive`, they do not grant access to other user's files/sheets. -If the limited user is allowed access to other user's files/sheets, authorize these APIs: -``` -Drive API (supports readonly) -Sheets API (supports readonly) -``` -## No Service Account access possible -If it is not possible to allow the limited user any service account access (this is not common), -perform these steps: - -Make a `oauth2service.json` file in the `limited` subdirectory with a single line as follows: -``` -{} -``` - -## Test Client and Service Account access on your computer - -Issue various Gam commands to verify that the limited user has only the desired access. -Repeat previous steps as required. 
Once testing is complete, perform the following step -to prevent the limited user from creating/updating `oauth2.txt`. - -Edit the `client_secrets.json` file in the `limited` subdirectory to have a single line as follows: -``` -{} -``` - -## Install GAM on the limited users computer -Install GAM on the limited user's computer; it can be a different OS than your computer; -if asked by the installer, indicate: -* that you do not want to set up a project -* that you are performing an update - -Make the necessary directories. -* Make the GAM configuration directory; this can be different than on your computer. -* Set the GAMCFGDIR environment variable to point to the GAM configuration directory. -* Make a subdirectory `gamcache` under the GAM configuration directory. -* Make a subdirectory `limited` under the GAM configuration directory. - -Copy `gam.cfg` from your computer to the GAM configuration directory on the limited user's computer. -Edit `gam.cfg` -* Remove any sections other than `[DEFAULT]` and `[limited]` -* If the GAM configuration directory on the limited users computer is different than that on yours, update these values in the [DEFAULT] section: - * cache_dir - * config_dir -* You may also want to update the GAM downloads directory: - * drive_dir - -Copy `client_secrets.json`, `oauth2.txt` and `oauth2service.json` from the `limited` subdirectory on your computer to the `limited` subdirectory on the limited user's computer. - -## Test Client and Service Account access on the non-administrator computer - -Issue various Gam commands to verify that the limited user has only the desired access. -If you need to make changes, make them on your computer and then re-copy `client_secrets.json`, `oauth2.txt` and `oauth2service.json` to the limited user's computer. - -## Unselect limited section on your computer. 
-Once you have finished setting up authorizations for the limited user, you need to reset your `gam.cfg` to point to your default section or another section. -``` -gam select default save -gam select
save -``` diff --git a/docs/BNF-Syntax.md b/docs/BNF-Syntax.md deleted file mode 100644 index cfd47768a..000000000 --- a/docs/BNF-Syntax.md +++ /dev/null @@ -1,31 +0,0 @@ -# Syntax - -## BNF Syntax -This Wiki describes the GAM7 command line syntax in modified BNF. -* https://en.wikipedia.org/wiki/Backus-Naur_Form - -Skip the History section and start reading at Introduction. - -Items on the command line are space separated, when an actual space character is required, it will be indicated by ``````. -If an item contains spaces, it should be surrounded by ". - -Metasyntactic symbols -``` -[] optional item -() group items -* item may appear zero or more times -+ item may appear one or more times -| separates alternative items -``` -## Items -- [Basic](Basic-Items) -- [Lists](List-Items) - -## Collections -- [ChromeOS Devices](Collections-of-ChromeOS-Devices) -- [Users](Collections-of-Users) -- [Items](Collections-of-Items) -- [Verify Collections](List) - -## Python Regular Expressions -- [Python Regular Expressions](Python-Regular-Expressions) diff --git a/docs/Basic-Items.md b/docs/Basic-Items.md deleted file mode 100644 index 60c847e06..000000000 --- a/docs/Basic-Items.md +++ /dev/null 
@@ -1,562 +0,0 @@
-# Basic Items
-- [Primitives](#primitives)
-- [Items built from primitives](#items-built-from-primitives)
-- [Named items](#named-items)
-- [List Items](List-Items)
-
-## Primitives
-```
- ::= a single character
- ::= 0|1|2|3|4|5|6|7|8|9
- ::= +
- ::= *.+
- ::= |a|b|c|d|e|f|A|B|C|D|E|F
- ::= an actual space character
- ::= a string of characters, surrounded by " if it contains spaces
-= false|off|no|disabled|0
- ::= true|on|yes|enabled|1
-
- ::=
- ar-sa| # Arabic Saudi Arabia
- cs-cz| # Czech Czech Republic
- da-dk| # Danish Denmark
- de-de| # German Germany
- el-gr| # Modern Greek Greece
- en-au| # English Australia
- en-gb| # English United Kingdom
- en-ie| # English Ireland
- en-us| # English United States
- en-za| # English South Africa
- es-es| # Spanish Spain
- es-mx| # Spanish Mexico
- fi-fi| # Finnish Finland
- fr-ca| # French Canada
- fr-fr| # French France
- he-il| # Hebrew Israel
- hi-in| # Hindi India
- hu-hu| # Hungarian Hungary
- id-id| # Indonesian Indonesia
- it-it| # Italian Italy
- ja-jp| # Japanese Japan
- ko-kr| # Korean Republic of Korea
- nl-be| # Dutch Belgium
- nl-nl| # Dutch Netherlands
- no-no| # Norwegian Norway
- pl-pl| # Polish Poland
- pt-br| # Portuguese Brazil
- pt-pt| # Portuguese Portugal
- ro-ro| # Romanian Romania
- ru-ru| # Russian Russian Federation
- sk-sk| # Slovak Slovakia
- sv-se| # Swedish Sweden
- th-th| # Thai Thailand
- tr-tr| # Turkish Turkey
- zh-cn| # Chinese China
- zh-hk| # Chinese Hong Kong
- zh-tw # Chinese Taiwan
- ::= ascii|latin1|mbcs|utf-8|utf-8-sig|utf-16|
- ::=
- ::=
- amethyst|avocado|banana|basil|birch|blueberry|
- cherryblossom|citron|cobalt|cocoa|eucalyptus|flamingo|
- grape|graphite|lavender|mango|peacock|pistachio|
- pumpkin|radicchio|sage|tangerine|tomato|wisteria|
- ::= "#"
- ::=
- asparagus|bluevelvet|bubblegum|cardinal|chocolateicecream|denim|desertsand|
- earthworm|macaroni|marsorange|mountaingray|mountaingrey|mouse|oldbrickred|
-
pool|purpledino|purplerain|rainysky|seafoam|slimegreen|spearmint|
- toyeggplant|vernfern|wildstrawberries|yellowcab
- ::=
- aliceblue|antiquewhite|aqua|aquamarine|azure|beige|bisque|black|blanchedalmond|
- blue|blueviolet|brown|burlywood|cadetblue|chartreuse|chocolate|coral|
- cornflowerblue|cornsilk|crimson|cyan|darkblue|darkcyan|darkgoldenrod|darkgray|
- darkgrey|darkgreen|darkkhaki|darkmagenta|darkolivegreen|darkorange|darkorchid|
- darkred|darksalmon|darkseagreen|darkslateblue|darkslategray|darkslategrey|
- darkturquoise|darkviolet|deeppink|deepskyblue|dimgray|dimgrey|dodgerblue|
- firebrick|floralwhite|forestgreen|fuchsia|gainsboro|ghostwhite|gold|goldenrod|
- gray|grey|green|greenyellow|honeydew|hotpink|indianred|indigo|ivory|khaki|
- lavender|lavenderblush|lawngreen|lemonchiffon|lightblue|lightcoral|lightcyan|
- lightgoldenrodyellow|lightgray|lightgrey|lightgreen|lightpink|lightsalmon|
- lightseagreen|lightskyblue|lightslategray|lightslategrey|lightsteelblue|
- lightyellow|lime|limegreen|linen|magenta|maroon|mediumaquamarine|mediumblue|
- mediumorchid|mediumpurple|mediumseagreen|mediumslateblue|mediumspringgreen|
- mediumturquoise|mediumvioletred|midnightblue|mintcream|mistyrose|moccasin|
- navajowhite|navy|oldlace|olive|olivedrab|orange|orangered|orchid|
- palegoldenrod|palegreen|paleturquoise|palevioletred|papayawhip|peachpuff|
- peru|pink|plum|powderblue|purple|red|rosybrown|royalblue|saddlebrown|salmon|
- sandybrown|seagreen|seashell|sienna|silver|skyblue|slateblue|slategray|
- slategrey|snow|springgreen|steelblue|tan|teal|thistle|tomato|turquoise|violet|
- wheat|white|whitesmoke|yellow|yellowgreen
- ::= |
- ::= |
- ::= mon|tue|wed|thu|fri|sat|sun
- ::=
- ::=
- banana|basil|blueberry|flamingo|graphite|grape|
- lavender|peacock|sage|tangerine|tomato
- ::=
- csv|doc|dot|docx|dotx|epub|html|jpeg|jpg|mht|odp|ods|odt|
- pdf|png|ppt|pot|potx|pptx|rtf|svg|tsv|txt|xls|xlt|xlsx|xltx|zip|
- ms|microsoft|openoffice|
- ::=
-
#000000|#076239|#0b804b|#149e60|#16a766|#1a764d|#1c4587|#285bac|
- #2a9c68|#3c78d8|#3dc789|#41236d|#434343|#43d692|#44b984|#4a86e8|
- #653e9b|#666666|#68dfa9|#6d9eeb|#822111|#83334c|#89d3b2|#8e63ce|
- #999999|#a0eac9|#a46a21|#a479e2|#a4c2f4|#aa8831|#ac2b16|#b65775|
- #b694e8|#b9e4d0|#c6f3de|#c9daf8|#cc3a21|#cccccc|#cf8933|#d0bcf1|
- #d5ae49|#e07798|#e4d7f5|#e66550|#eaa041|#efa093|#efefef|#f2c960|
- #f3f3f3|#f691b3|#f6c5be|#f7a7c0|#fad165|#fb4c2f|#fbc8d9|#fcda83|
- #fcdee8|#fce8b3|#fef1d1|#ffad47|#ffbc6b|#ffd6a2|#ffe6c7|#ffffff
- ::=
- #16a765|#2da2bb|#42d692|#4986e7|#98d7e4|#a2dcc1|
- #b3efd3|#b6cff5|#b99aff|#c2c2c2|#cca6ac|#e3d7ff|
- #e7e7e7|#ebdbde|#f2b2a8|#f691b2|#fb4c2f|#fbd3e0|
- #fbe983|#fdedc1|#ff7537|#ffad46|#ffc8af|#ffdeb5
- ::=
- #04502e|#094228|#0b4f30|#0d3472|#0d3b44|#3d188e|
- #464646|#594c05|#662e37|#684e07|#711a36|#7a2e0b|
- #7a4706|#8a1c0a|#994a64|#ffffff
- ::=
- ach|af|ag|ak|am|ar|az|be|bem|bg|bn|br|bs|ca|chr|ckb|co|crs|cs|cy|da|de|
- ee|el|en|en-ca|en-gb|en-us|eo|es|es-419|et|eu|fa|fi|fil|fo|fr|fr-ca|fy|
- ga|gaa|gd|gl|gn|gu|ha|haw|he|hi|hr|ht|hu|hy|ia|id|ig|in|is|it|iw|ja|jw|
- ka|kg|kk|km|kn|ko|kri|ku|ky|la|lg|ln|lo|loz|lt|lua|lv|
- mfe|mg|mi|mk|ml|mn|mo|mr|ms|mt|my|ne|nl|nn|no|nso|ny|nyn|oc|om|or|
- pa|pcm|pl|ps|pt-br|pt-pt|qu|rm|rn|ro|ru|rw|
- sd|sh|si|sk|sl|sn|so|sq|sr|sr-me|st|su|sv|sw|
- ta|te|tg|th|ti|tk|tl|tn|to|tr|tt|tum|tw|
- ug|uk|ur|uz|vi|wo|xh|yi|yo|zh-cn|zh-hk|zh-tw|zu
- ::=
- [+|-]|
-
- ::=
- ''| #Not defined
- ar-eg| #Arabic, Egypt
- az-az| #Azerbaijani, Azerbaijan
- be-by| #Belarusian, Belarus
- bg-bg| #Bulgarian, Bulgaria
- bn-in| #Bengali, India
- ca-es| #Catalan, Spain
- cs-cz| #Czech, Czech Republic
- cy-gb| #Welsh, United Kingdom
- da-dk| #Danish, Denmark
- de-ch| #German, Switzerland
- de-de| #German, Germany
- el-gr| #Greek, Greece
- en-au| #English, Australia
- en-ca| #English, Canada
- en-gb| #English, United Kingdom
- en-ie| #English, Ireland
- en-us| #English, U.S.A.
- es-ar| #Spanish, Argentina - es-bo| #Spanish, Bolivia - es-cl| #Spanish, Chile - es-co| #Spanish, Colombia - es-ec| #Spanish, Ecuador - es-es| #Spanish, Spain - es-mx| #Spanish, Mexico - es-py| #Spanish, Paraguay - es-uy| #Spanish, Uruguay - es-ve| #Spanish, Venezuela - fi-fi| #Finnish, Finland - fil-ph| #Filipino, Philippines - fr-ca| #French, Canada - fr-fr| #French, France - gu-in| #Gujarati, India - hi-in| #Hindi, India - hr-hr| #Croatian, Croatia - hu-hu| #Hungarian, Hungary - hy-am| #Armenian, Armenia - in-id| #Indonesian, Indonesia - it-it| #Italian, Italy - iw-il| #Hebrew, Israel - ja-jp| #Japanese, Japan - ka-ge| #Georgian, Georgia - kk-kz| #Kazakh, Kazakhstan - kn-in| #Kannada, India - ko-kr| #Korean, Korea - lt-lt| #Lithuanian, Lithuania - lv-lv| #Latvian, Latvia - ml-in| #Malayalam, India - mn-mn| #Mongolian, Mongolia - mr-in| #Marathi, India - my-mn| #Burmese, Myanmar - nl-nl| #Dutch, Netherlands - nn-no| #Nynorsk, Norway - no-no| #Bokmal, Norway - pa-in| #Punjabi, India - pl-pl| #Polish, Poland - pt-br| #Portuguese, Brazil - pt-pt| #Portuguese, Portugal - ro-ro| #Romanian, Romania - ru-ru| #Russian, Russia - sk-sk| #Slovak, Slovakia - sl-si| #Slovenian, Slovenia - sr-rs| #Serbian, Serbia - sv-se| #Swedish, Sweden - ta-in| #Tamil, India - te-in| #Telugu, India - th-th| #Thai, Thailand - tr-tr| #Turkish, Turkey - uk-ua| #Ukrainian, Ukraine - vi-vn| #Vietnamese, Vietnam - zh-cn| #Simplified Chinese, China - zh-hk| #Traditional Chinese, Hong Kong SAR China - zh-tw #Traditional Chinese, Taiwan - ::= - gdoc|gdocument| - gdrawing| - gfile| - gfolder|gdirectory| - gform| - gfusion| - gjam| - gmap| - gpresentation| - gscript| - gsheet|gspreadsheet| - gshortcut| - g3pshortcut| - gsite| - shortcut - ::= application|audio|font|image|message|model|multipart|text|video - ::= |(/) -``` -## Items built from primitives -``` - ::= | - ::= [m|k|b] - ::= .../ - ::= - ::= - ::= - ::= - ::= - ::= - ::= - ::= - -- | - (+|-)(d|w|y) | - never| - today - ::= - --(|T): | - 
(+|-)(m|h|d|w|y) |
- never|
- now|today
-