| Showing apps for users in all organizational units | apps | List of apps containing application_id and access status as ALLOWED or BLOCKED. |
| Settings | Manage access to apps > Manage Google Workspace Marketplace allowlist access | workspace_marketplace.apps_access_options | Select which Marketplace apps users can run and install. | access_level | Enum: ALLOW_ALL, ALLOW_LISTED_APPS, ALLOW_NONE |
The workspace_marketplace.apps_allowlist setting in the API response exposes the Marketplace application_id instead of the application_name. The following Python script converts one or more application_id values specified on the command line to application_name.

```python
import re
import sys

import requests

output = {}
app_ids = sys.argv[1:]

for app_id in app_ids:
    url = f"https://workspace.google.com/marketplace/app/_/{app_id}"
    # Do not follow the redirect: the application name is part of the redirect target.
    response = requests.get(url, allow_redirects=False, timeout=10)
    final_url = response.headers.get("Location", "")
    pattern = f"^https://workspace.google.com/marketplace/app/(.*)/{re.escape(app_id)}$"
    match = re.search(pattern, final_url)
    # Application name captured from the returned URL (None if there was no redirect or match)
    output[app_id] = match.group(1) if match else None

print(output)
```
Service Status Settings
The service_status setting contains a Boolean value indicating whether a service is enabled for a given OrgUnit or Group.
The Policy API supports service status settings for both Workspace services and Additional services listed in the Admin Console under Apps.
| Service Name in Admin Console | Policy API service name |
| --- | --- |
| Calendar | calendar |
| Cloud Search | cloud_search |
| Drive and Docs | drive_and_editors |
| Currents | currents |
| Groups for Business | groups_for_business |
| Jamboard | jamboard |
| Keep | keep |
| Google Chat | chat |
| Google Meet | meet |
| Google Voice | voice |
| Google Sites | sites |
| Tasks | tasks |
| Vault | vault |
| Work Insights | work_insights |
| AppSheet | appsheet |
| Applied Digital Skills | applied_digital_skills |
| Assignments | assignments |
| Blogger | blogger |
| Brand Accounts | brand_accounts |
| Campaign Manager 360 | campaign_manager |
| Chrome Canvas | chrome_canvas |
| Chrome Remote Desktop | chrome_remote_desktop |
| Chrome Web Store | chrome_web_store |
| Classroom | classroom |
| CS First | cs_first |
| Experimental Apps | experimental_apps |
| FeedBurner | feedburner |
| Google Ad Manager | ad_manager |
| Google Ads | ads |
| Google AdSense | adsense |
| Google Alerts | alerts |
| Google Analytics | analytics |
| Google Arts & Culture | arts_and_culture |
| Google Bookmarks | bookmarks |
| Google Books | books |
| Google Chrome Sync | chrome_sync |
| Google Cloud | cloud |
| Google Cloud Print | cloud_print |
| Google Colab | colab |
| Google Developer | developers |
| Google Domains | domains |
| Google Earth | earth |
| Google Fi | fi |
| Google Groups | groups |
| Google Maps | maps |
| Google Messages | messages |
| Google My Business | my_business |
| Google My Maps | my_maps |
| Google News | news |
| Google Pay | pay |
| Google Photos | photos |
| Google Play | play |
| Google Play Console | play_console |
| Google Public Data Explorer | public_data |
| Google Read Along | read_along |
| Google Search Console | search_console |
| Google Takeout | takeout |
| Google Translate | translate |
| Google Trips | trips |
| Location History | location_history |
| Looker Studio | data_studio |
| Managed Google Play | managed_play |
| Material Gallery | material_gallery |
| Merchant Center | merchant_center |
| Partner Dash | partner_dash |
| Pinpoint | pinpoint |
| Play Books Partner Center | play_books_partner_center |
| Programmable Search Engine | programmable_search_engine |
| QuestionHub | question_hub |
| Scholar Profiles | scholar_profiles |
| Search Ads 360 | search_ads_360 |
| Search and Assistant | search_and_assistant |
| Socratic | socratic |
| Studio | studio |
| Third-party App Backups | third_party_app_backups |
| Tour Creator | tour_creator |
| YouTube | youtube |
| Additional services without individual control | enterprise_service_restrictions |
Gmail Settings
| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Gmail | User Settings > Confidential Mode | gmail.confidential_mode | Enable confidential mode | enable_confidential_mode | boolean |
| | User Settings > S/MIME | gmail.enhanced_smime_encryption | Allow users to upload their own certificates | allow_user_to_upload_certificates | boolean |
| | | | Accept these additional root certificates for specific domains: | custom_root_certificates | A list of CustomRootCertificates which contains a list of root certificates, a list of intermediate CA certificates, a list of restricted domain names, a boolean to allow address mismatch and an enum with different validation levels. |
| | Spam, phishing, and malware > Enhanced pre-delivery message scanning | gmail.enhanced_pre_delivery_message_scanning | Enables improved detection of suspicious content prior to delivery | enable_improved_suspicious_content_detection | boolean |
| | Spam, phishing, and malware > Email allowlist | gmail.email_spam_filter_ip_allowlist | Enter the IP addresses for your email allowlist | allowed_ip_addresses | A list of strings |
| | Safety > Spoofing and authentication | gmail.spoofing_and_authentication | Protect against domain spoofing based on similar domain names | detect_domain_name_spoofing | boolean |
| | | | Choose an action | domain_name_spoofing_consequence | Enum: WARNING, SPAM_FOLDER, QUARANTINE, NO_ACTION |
| | | | Protect against spoofing of employee names | detect_employee_name_spoofing | boolean |
| | | | Choose an action | employee_name_spoofing_consequences | Enum: WARNING, SPAM_FOLDER, QUARANTINE, NO_ACTION |
Protect against inbound emails spoofing your domain
| Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- |
| Select the highest level of sharing outside of $CUSTOMER_NAME that you want to allow | external_sharing_mode | Enum: DISALLOWED, ALLOWLISTED_DOMAINS, ALLOWED |
| Allow users in $ORG_UNIT_NAME to receive files from users or shared drives outside of $CUSTOMER_NAME | allow_receiving_external_files | Boolean |
| Warn when files owned by users or shared drives in $ORG_UNIT_NAME are shared with users in allowlisted domains | warn_for_sharing_outside_allowlisted_domains | Boolean |
| Allow users in $ORG_UNIT_NAME to receive files from users or shared drives outside of allowlisted domains | allow_receiving_files_outside_allowlisted_domains | Boolean |
| Allow users or shared drives in $ORG_UNIT_NAME to share items with non-Google users in trusted domains using visitor sharing | allow_non_google_invites_in_allowlisted_domains | Boolean |
| Warn when files owned by users or shared drives in $ORG_UNIT_NAME are shared outside of $CUSTOMER_NAME | warn_for_external_sharing | Boolean |
| Allow users or shared drives in $ORG_UNIT_NAME to share items with people outside $CUSTOMER_NAME who aren't using a Google Account | allow_non_google_invites | Boolean |
| When sharing outside of $CUSTOMER_NAME is allowed, users in $ORG_UNIT_NAME can make files and published web content visible to anyone with the link | allow_publishing_files | Boolean |
When a user shares a file via a Google product other than Docs or Drive (e.g. by pasting a link in Gmail), Google can check that the recipients have access. If not, when possible, Google will ask the user to pick if they want to share the file to
Select who should be allowed to distribute content in $ORG_UNIT_NAME outside of $CUSTOMER_NAME. This restricts who can upload or move content to shared drives owned by another organization
| Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- |
| Security > Access and data control > Data Protection > Manage Rules | rule.dlp | Name | display_name | String |
| | | Description | description | String |
| | | Apps | triggers | String[] - List of app specific trigger strings. The list of available app triggers is provided in the following Triggers section. |
| | | Conditions | condition | String - Common Expression Language (CEL) expression of the data conditions the rule scans for. The CEL syntax and some common examples are provided in the following Conditions section. |
| | | Actions | action | Struct - nested object representing app specific actions to take when the conditions are met. The available actions per app trigger are provided in the following Actions section. |
| | | State | state | Enum: ACTIVE, INACTIVE |
| | | Created | create_time | Timestamp |
| | | Last modified | update_time | Timestamp |
| | | Rule type specific metadata | rule_type_metadata | Struct - nested object representing rule type specific metadata. For Data Protection rules, this contains the severity level of the triggered events. |
Triggers
The list of available applications and their triggers.
"google.workspace.chrome.file.v1.upload"
"google.workspace.chrome.file.v1.download"
"google.workspace.chrome.web_content.v1.upload"
"google.workspace.chrome.page.v1.print"
"google.workspace.chrome.url.v1.navigation"
"google.workspace.chromeos.file.v1.transfer"
"google.workspace.chat.message.v1.send"
"google.workspace.chat.attachment.v1.upload"
"google.workspace.drive.file.v1.share"
"google.workspace.gmail.email.v1.send"
Conditions
To represent data conditions, the API uses Common Expression Language (CEL) expressions. Each condition follows the pattern {content type}.{content to scan for}({additional scan parameters}). For example, all_content.contains('apple') represents a data condition that matches if any of the scanned content (for example, a Drive doc or a chat message) contains the substring apple.
Content type
The list of available content types, corresponding to the matching configurations of the same names in the Admin Console.
access_levels
all_content
all_headers
body
destination_type
destination_url
drive_enterprise_metadata
encryption_state
envelope_from
file_size_in_bytes
file_type
from_header
message_security_status
request_attributes
sender_header
source_chrome_context
source_url
source_url_category
subject
suggestion
target_user
title
to_header_recipients
url
url_category
Content to scan for
The list of available content to scan for, corresponding to the matching configurations of the same names in the Admin Console.
Corresponds to the matches predefined data type option in the Admin Console.
{detector name} denotes the predefined data type to scan for, which can be one of the built-in infotypes supported by Cloud DLP: https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference. For example, CREDIT_CARD_NUMBER or US_SOCIAL_SECURITY_NUMBER.
{likelihood} denotes the likelihood threshold of the match. For example, google.privacy.dlp.v2.Likelihood.LIKELY corresponds to the High threshold in the Admin Console.
Corresponds to the matches regular expression option in the Admin Console.
{detector name} is the resource name of the policy that represents the regular expression detector. See the Data Protection Detector section for how to query detector policies in the API.
Corresponds to the matches words from word list option in the Admin Console.
{detector name} is the resource name of the policy that represents the word list detector. See the Data Protection Detector section for how to query detector policies in the API.
matches_web_category({category})
Corresponds to the URL category matches option in the Admin Console for the Chrome URL visited trigger.
{category} denotes the URL category supported by the Admin Console configuration. For example, ADULT or ONLINE_COMMUNITIES__SOCIAL_NETWORKS.
Composite conditions
Multiple base conditions can be mixed with AND (&&), OR (||), or NOT (!) operators to form a composite condition. For example, "all_content.contains('apple') && all_content.contains('banana')" represents a condition that matches if any of the scanned content contains both 'apple' and 'banana' substrings.
Actions
Each application specifies the action to take when the data condition matches in a nested message. For example, { "driveAction": { "warnUser": { } } } represents a Drive action that warns users on external sharing. The available application-specific actions are as follows:
| Application | Action Key | Subaction | Admin Console Caption |
| --- | --- | --- | --- |
| Drive | driveAction | blockAccess | Block external sharing |
| | | warnUser | Warn on external sharing |
| | | auditOnly | no action |
| | | restrictCopyPrintDownload | Disable download, print, and copy |
| | | applyLabels | Apply Classification labels |
| Gmail | gmailAction | blockContent | Block message |
| | | warnUser | Warn users |
| | | auditOnly | Audit only |
| | | quarantineMessage | Quarantine message |
| Chat | chatAction | blockContent | Block message |
| | | warnUser | Warn users |
| | | auditOnly | Audit only |
| Chrome | chromeAction | blockContent | Block |
| | | warnUser | Allow with warning |
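The trigger list, the {content type}.{content to scan for}(...) condition pattern and the action table above can be checked mechanically when reviewing exported rules. The following Python is an added example, not part of the original page or Google's code: it assumes each rule.dlp value is available as a dict keyed by the field names in the table above (that layout, the names audit_rule and base_conditions, and the sample rules are assumptions; adjust the keys to the JSON your client returns).

```python
import re

# Trigger strings and content types copied from the lists on this page.
TRIGGERS = {"google.workspace." + t for t in (
    "chrome.file.v1.upload", "chrome.file.v1.download",
    "chrome.web_content.v1.upload", "chrome.page.v1.print",
    "chrome.url.v1.navigation", "chromeos.file.v1.transfer",
    "chat.message.v1.send", "chat.attachment.v1.upload",
    "drive.file.v1.share", "gmail.email.v1.send")}
CONTENT_TYPES = set("""access_levels all_content all_headers body
destination_type destination_url drive_enterprise_metadata encryption_state
envelope_from file_size_in_bytes file_type from_header message_security_status
request_attributes sender_header source_chrome_context source_url
source_url_category subject suggestion target_user title to_header_recipients
url url_category""".split())
STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
BASE_CONDITION = re.compile(r"\b([A-Za-z_]\w*)\.([A-Za-z_]\w*)\(")

def base_conditions(cel):
    """Return (content type, scan function) pairs; quoted strings are blanked first."""
    return BASE_CONDITION.findall(STRING_LITERAL.sub("''", cel))

def audit_rule(rule):
    """Return review findings for one rule.dlp value (assumed dict layout)."""
    findings = []
    if rule.get("state") != "ACTIVE":
        findings.append("rule is not ACTIVE")
    for trig in rule.get("triggers", []):
        if trig not in TRIGGERS:
            findings.append(f"unknown trigger: {trig}")
    for ctype, _ in base_conditions(rule.get("condition", "")):
        if ctype not in CONTENT_TYPES:
            findings.append(f"unknown content type: {ctype}")
    for app, subactions in rule.get("action", {}).items():
        if set(subactions) <= {"auditOnly"}:
            findings.append(f"{app}: audit only, nothing is blocked or warned")
    return findings

SAMPLE_RULES = [  # constructed for illustration, not real API output
    {"display_name": "Fruit", "state": "ACTIVE",
     "triggers": ["google.workspace.drive.file.v1.share"],
     "condition": "all_content.contains('apple') && all_content.contains('banana')",
     "action": {"driveAction": {"warnUser": {}}}},
    {"display_name": "Old mail rule", "state": "INACTIVE",
     "triggers": ["google.workspace.gmail.email.v1.sent"],
     "condition": "!subjct.contains('body.contains(')",
     "action": {"gmailAction": {"auditOnly": {}}}},
]
print({r["display_name"]: audit_rule(r) for r in SAMPLE_RULES})
```

The second sample rule is deliberately malformed: it is inactive, has a misspelled trigger and content type, and only audits, so all four checks fire while the quoted text inside its condition is ignored.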
Rule type specific metadata
This attribute contains the metadata specific to the rule type. For Data Protection rules, it contains the alerting event severity when the event is reported under the security dashboard and alert center. An example value of the metadata representing LOW alert severity:
| Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- |
| Security > Access and data control > Data Protection > Manage Detectors | detector.regular_expression, detector.word_list | Name | display_name | String |
| | | Description | description | String |
| | | Regular Expression | regular_expression | Struct - contains the regular expression string. Only set if the detector type is detector.regular_expression. |
| | | Word List | word_list | String - contains the list of word strings. Only set if the detector type is detector.word_list. |
| | | Created | create_time | Timestamp |
| | | Last modified | update_time | Timestamp |
System Defined Alert Rules Settings
This section describes Google Workspace system-defined alert rules.
The API returns only system-defined alerts that are modified from the default
value by the administrator.
| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Data Protection | Rules (for "system defined" rule type) | rule.system_defined_alerts | Name | display_name | String |
| | | | Description | description | String |
| | | | Actions | action | Struct - nested object representing notification settings when the system defined alert is triggered. Details are provided in the following Actions section. |
| | | | State | state | Enum: ACTIVE, INACTIVE |
| | | | Created | create_time | Timestamp |
| | | | Last modified | update_time | Timestamp |
Actions
System defined alert rules have a single action that denotes the notification settings for the alert.
Last updated 2024-11-20 UTC.