Policy API concepts

This documentation describes Cloud Identity Policy API concepts and strategies.

Reduction

To list and get policies, see Setting up the Policy API and Listing and getting policies.

Terminology

  • Setting value: setting values provided in the policy
  • Reduced Setting value: final setting values applied to a target entity, like a user.
  • Reduction: the process of reducing Setting values on policies to a single setting value for an entity, like a user.
  • Reducer: the type of rules that determine how setting values on policies are simplified down to a single setting for a user.
  • Admin policies: policies created by administrators in Admin Console.
  • System policies: policies provided by Google Workspace.

Reduction Process

To reduce a given setting for a given user:

  1. Filter out all policies that don't apply to the user.
    1. Filter out policies that don't contain the setting.
    2. Filter out policies that apply to the OU that the target user is NOT in.
    3. Filter out policies that apply to the Group that the target user is NOT in.
    4. Filter out policies that apply to the License that the target user does NOT have. To learn more information about licenses, see Licenses section.
  2. Apply the Reducer of the given Setting
    1. Max: The Max Reducer chooses the value from the policy with the greatest sort_order.
    2. Merge: For each field on the Reduced Setting, the Merge Reducer chooses the value from the policy with the greatest sort_order that has a value for that field. If the field is an array, the Merge Reducer instead concatenates the values from all the policies.
    3. Map: The Map Reducer is used for settings where the array entries have a primary key. The Map Reducer won't concatenate the array entries with the same primary key. Instead it will update the entry using either the Merge Reducer or the Max Reducer on the other fields in the array entries that share the same primary key.
    4. List: These settings are not reduced to a single setting. Instead the entire sequence of settings is preserved and applied as a list.

Reducers for settings

Setting Name Reducer
drive_and_docs.external_sharing Max
drive_and_docs.general_access_default Max
drive_and_docs.shared_drive_creation Max
drive_and_docs.file_security_update Max
drive_and_docs.drive_sdk Merge
drive_and_docs.drive_for_desktop Max
gmail.confidential_mode Max
gmail.enhanced_smime_encryption Max
gmail.enhanced_pre_delivery_message_scanning Max
gmail.email_spam_filter_ip_allowlist Max
gmail.spoofing_and_authentication Max
gmail.links_and_external_images Max
gmail.email_attachment_safety Max
chat.chat_history Merge
chat.chat_file_sharing Max
chat.space_history Max
chat.external_chat_restriction Merge
chat.chat_apps_access Max
sites.sites_creation_and_modification Max
groups_for_business.groups_sharing Merge
classroom.teacher_permissions Max
classroom.guardian_access Max
classroom.class_membership Max
classroom.api_data_access Max
classroom.originality_reports Max
classroom.roster_import Max
classroom.student_unenrollment Max
meet.safety_domain Max
meet.safety_access Max
meet.safety_host_management Max
meet.video_recording Max
meet.safety_external_participants Max
security.super_admin_account_recovery Merge
security.user_account_recovery Merge
security.password Max
security.session_controls Max
security.less_secure_apps Merge
security.login_challenges Max
security.advanced_protection_program Max
user_takeout Max
workspace_marketplace.apps_access_options Merge
workspace_marketplace.apps_allowlist MergeMap (primary key is: application_id)
rule.dlp List
rule.system_defined_alerts List
detector.regular_expression List
detector.word_list List

Licenses

Policies apply to users based on users' Workspace licenses. The license condition is provided in PolicyQuery.

For a full list of all Workspace Product and SKU IDs see Google Product and SKU IDs.

The following examples demonstrate how policies can be applied to certain groups of users based on those users' licenses.

Example 1: Normal clause only

entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010020027'])

The policy applies to a user if they have a license for at least one of the SKUs in the list.

Example 2: Normal clause and inverted clause

entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010020027']) && !entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010060005'])

The policy applies to a user if they have a license for at least one of the SKUs in the first clause. However, if a user has a license for any of the SKUs in the second clause, the policy does not apply to that user at all.

Example 3: Inverted clause only

!entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010060005'])

The policy applies to a user if they don't have a license for any SKUs in the list.

Default Field Values

When a field is not present on the Reduced Setting, its default value is as follows:

Setting Name Field Default Field Value
chat.chat_history enable_chat_history false
history_on_by_default false
allow_user_modification true
chat.external_chat_restriction allow_external_chat false
external_chat_restriction NO_RESTRICTION
chat.chat_apps_access enable_apps true in EDU SKUs, false in non-EDU SKUs. EDU SKUs:
  • /product/Google-Apps/sku/Google-Apps-For-Education
  • /product/Google-Apps/sku/1010310002
  • /product/Google-Apps/sku/1010310003
  • /product/Google-Apps/sku/1010310005
  • /product/Google-Apps/sku/1010310006
  • /product/Google-Apps/sku/1010310007
  • /product/Google-Apps/sku/1010310008
  • /product/Google-Apps/sku/1010310009
  • /product/Google-Apps/sku/1010310010
  • /product/Google-Apps/sku/1010460001
  • /product/Google-Apps/sku/1010460002
enable_webhooks true in EDU SKUs, false in non-EDU SKUs. EDU SKUs:
  • /product/Google-Apps/sku/Google-Apps-For-Education
  • /product/Google-Apps/sku/1010310002
  • /product/Google-Apps/sku/1010310003
  • /product/Google-Apps/sku/1010310005
  • /product/Google-Apps/sku/1010310006
  • /product/Google-Apps/sku/1010310007
  • /product/Google-Apps/sku/1010310008
  • /product/Google-Apps/sku/1010310009
  • /product/Google-Apps/sku/1010310010
  • /product/Google-Apps/sku/1010460001
  • /product/Google-Apps/sku/1010460002
gmail.user_email_uploads enable_mail_and_contacts_import false
gmail.email_image_proxy_bypass image_proxy_bypass_pattern [] empty list
enable_image_proxy true
gmail.workspace_sync_for_outlook enable_google_workspace_sync_for_microsoft_outlook true
gmail.email_spam_filter_ip_allowlist allowed_ip_addresses [] empty list
drive_and_docs.external_sharing external_sharing_mode ALLOWED
allow_receiving_external_files true
warn_for_sharing_outside_allowlisted_domains true
allow_non_google_invites_in_allowlisted_domains false
allow_receiving_files_outside_allowlisted_domains true
warn_for_external_sharing true
allow_non_google_invites true
allow_publishing_files true
access_checker_suggestions RECIPIENTS_OR_AUDIENCE_OR_PUBLIC
allowed_parties_for_distributing_content ALL_ELIGIBLE_USERS
drive_and_docs.drive_sdk enable_drive_sdk_api_access true
drive_and_docs.general_access_default default_file_access LINK_SHARING_PRIVATE
security.user_account_recovery enable_account_recovery false
security.super_admin_account_recovery enable_account_recovery false
security.less_secure_apps allow_less_secure_apps false
workspace_marketplace.apps_access_options access_level For K12 customers: ALLOW_NONE Otherwise: ALLOW_ALL
allow_all_internal_apps false
workspace_marketplace.apps_allowlist apps [] empty list
groups_for_business.groups_sharing collaboration_capability DOMAIN_USERS_ONLY
create_groups_access_level USERS_IN_DOMAIN
view_topics_default_access_level DOMAIN_USERS
owners_can_allow_external_members false
owners_can_allow_incoming_mail_from_public true
owners_can_hide_groups false
new_groups_are_hidden false