Policy API concepts
This documentation describes Cloud Identity Policy API concepts and strategies.
Reduction
To list and get policies, see Setting up the Policy API and Listing and getting policies.
Terminology
- Setting value: setting values provided in the policy
- Reduced Setting value: final setting values applied to a target entity, like a user.
- Reduction: the process of reducing Setting values on policies to a single setting value for an entity, like a user.
- Reducer: the type of rules that determine how setting values on policies are simplified down to a single setting for a user.
- Admin policies: policies created by administrators in Admin Console.
- System policies: policies provided by Google Workspace.
Reduction Process
To reduce a given setting for a given user:
- Filter out all policies that don't apply to the user.
- Filter out policies that don't contain the setting.
- Filter out policies that apply to the OU that the target user is NOT in.
- Filter out policies that apply to the Group that the target user is NOT in.
- Filter out policies that apply to the License that the target user does NOT have. To learn more information about licenses, see Licenses section.
- Apply the Reducer of the given Setting
- Max: The Max Reducer chooses the value from the policy with the greatest sort_order.
- Merge: For each field on the Reduced Setting, the Merge Reducer chooses the value from the policy with the greatest sort_order that has a value for that field. If the field is an array, the Merge Reducer instead concatenates the values from all the policies.
- Map: The Map Reducer is used for settings where the array entries have a primary key. The Map Reducer won't concatenate the array entries with the same primary key. Instead it will update the entry using either the Merge Reducer or the Max Reducer on the other fields in the array entries that share the same primary key.
- List: These settings are not reduced to a single setting. Instead the entire sequence of settings is preserved and applied as a list.
Reducers for settings
Setting Name | Reducer |
drive_and_docs.external_sharing
|
Max |
drive_and_docs.general_access_default
|
Max |
drive_and_docs.shared_drive_creation
|
Max |
drive_and_docs.file_security_update
|
Max |
drive_and_docs.drive_sdk
|
Merge |
drive_and_docs.drive_for_desktop
|
Max |
gmail.confidential_mode
|
Max |
gmail.enhanced_smime_encryption
|
Max |
gmail.enhanced_pre_delivery_message_scanning
|
Max |
gmail.email_spam_filter_ip_allowlist
|
Max |
gmail.spoofing_and_authentication
|
Max |
gmail.links_and_external_images
|
Max |
gmail.email_attachment_safety
|
Max |
chat.chat_history
|
Merge |
chat.chat_file_sharing
|
Max |
chat.space_history
|
Max |
chat.external_chat_restriction
|
Merge |
chat.chat_apps_access
|
Max |
sites.sites_creation_and_modification
|
Max |
groups_for_business.groups_sharing
|
Merge |
classroom.teacher_permissions
|
Max |
classroom.guardian_access
|
Max |
classroom.class_membership
|
Max |
classroom.api_data_access
|
Max |
classroom.originality_reports
|
Max |
classroom.roster_import
|
Max |
classroom.student_unenrollment
|
Max |
meet.safety_domain
|
Max |
meet.safety_access
|
Max |
meet.safety_host_management
|
Max |
meet.video_recording
|
Max |
meet.safety_external_participants
|
Max |
security.super_admin_account_recovery
|
Merge |
security.user_account_recovery
|
Merge |
security.password
|
Max |
security.session_controls
|
Max |
security.less_secure_apps
|
Merge |
security.login_challenges
|
Max |
security.advanced_protection_program
|
Max |
user_takeout
|
Max |
workspace_marketplace.apps_access_options
|
Merge |
workspace_marketplace.apps_allowlist
|
MergeMap (primary key is: application_id) |
rule.dlp
|
List |
rule.system_defined_alerts
|
List |
detector.regular_expression
|
List |
detector.word_list
|
List |
Licenses
Policies apply to users based on users' Workspace licenses. The license condition is provided in PolicyQuery
.
For a full list of all Workspace Product and SKU IDs see Google Product and SKU IDs.
The following examples demonstrate how policies can be applied to certain groups of users based on those users' licenses.
Example 1: Normal clause only
entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010020027'])
The policy applies to a user if they have a license for at least one of the SKUs in the list.
Example 2: Normal clause and inverted clause
entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010020027']) && !entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010060005'])
The policy applies to a user if they have a license for at least one of the SKUs in the first clause. However, if a user has a license for any of the SKUs in the second clause, the policy does not apply to that user at all.
Example 3: Inverted clause only
!entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010060005'])
The policy applies to a user if they don't have a license for any SKUs in the list.
Default Field Values
When a field is not present on the Reduced Setting, its default value is as follows:
Setting Name | Field | Default Field Value |
chat.chat_history
|
enable_chat_history | false
|
history_on_by_default | false
|
|
allow_user_modification | true
|
|
chat.external_chat_restriction
|
allow_external_chat | false
|
external_chat_restriction | NO_RESTRICTION
|
|
chat.chat_apps_access
|
enable_apps | true in EDU SKUs, false in non-EDU SKUs. EDU SKUs:
|
enable_webhooks | true in EDU SKUs, false in non-EDU SKUs. EDU SKUs:
|
|
gmail.user_email_uploads
|
enable_mail_and_contacts_import | false
|
gmail.email_image_proxy_bypass
|
image_proxy_bypass_pattern | [] empty list |
enable_image_proxy | true
|
|
gmail.workspace_sync_for_outlook
|
enable_google_workspace_sync_for_microsoft_outlook | true
|
gmail.email_spam_filter_ip_allowlist
|
allowed_ip_addresses | [] empty list |
drive_and_docs.external_sharing
|
external_sharing_mode | ALLOWED
|
allow_receiving_external_files | true
|
|
warn_for_sharing_outside_allowlisted_domains | true
|
|
allow_non_google_invites_in_allowlisted_domains | false
|
|
allow_receiving_files_outside_allowlisted_domains | true
|
|
warn_for_external_sharing | true
|
|
allow_non_google_invites | true
|
|
allow_publishing_files | true
|
|
access_checker_suggestions | RECIPIENTS_OR_AUDIENCE_OR_PUBLIC
|
|
allowed_parties_for_distributing_content | ALL_ELIGIBLE_USERS
|
|
drive_and_docs.drive_sdk
|
enable_drive_sdk_api_access | true
|
drive_and_docs.general_access_default
|
default_file_access | LINK_SHARING_PRIVATE
|
security.user_account_recovery
|
enable_account_recovery | false
|
security.super_admin_account_recovery
|
enable_account_recovery | false
|
security.less_secure_apps
|
allow_less_secure_apps | false
|
workspace_marketplace.apps_access_options
|
access_level | For K12 customers: ALLOW_NONE
Otherwise: ALLOW_ALL
|
allow_all_internal_apps | false
|
|
workspace_marketplace.apps_allowlist
|
apps | [] empty list |
groups_for_business.groups_sharing
|
collaboration_capability | DOMAIN_USERS_ONLY
|
create_groups_access_level | USERS_IN_DOMAIN
|
|
view_topics_default_access_level | DOMAIN_USERS
|
|
owners_can_allow_external_members | false
|
|
owners_can_allow_incoming_mail_from_public | true
|
|
owners_can_hide_groups | false
|
|
new_groups_are_hidden | false
|