Settings available in the API

This document describes the settings that the Policy API supports.

If the supported settings are missing from the Cloud Identity Policy API response, see Default field values. If the missing setting is not mentioned in Default field values, contact Cloud Customer Care.

Security Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Account Recovery	Super Admin Account Recovery	`security.super_admin_account_recovery`	Allow super admins to recover their account	enableAccountRecovery	Boolean
Account Recovery	User Account Recovery	`security.user_account_recovery`	Allow users and non-super admins to recover their account	enableAccountRecovery	Boolean
Password Management	Password Management	`security.password`	Expiration	expirationDuration	Seconds (0 seconds means Never Expire)
			Reuse	allowReuse	Boolean
			Strength and Length enforcement	enforceRequirementsAtLogin	Boolean
			Length (Maximum length)	maximumLength	Integer
			Length (Minimum length)	minimumLength	Integer
			Strength	allowedStrength	Enum: `STRONG` `WEAK`
Google Session Control	Session Control	`security.session_controls`	Web session duration	webSessionDuration	Seconds
Less secure apps	Less secure apps	`security.less_secure_apps`	Control user access to apps that use less secure sign-in technology and make accounts more vulnerable.	allowLessSecureApps	Boolean
Login challenges	Login Challenges	`security.login_challenges`	Use employee ID to keep my users more secure	enableEmployeeIdChallenge	Boolean
Advanced Protection Program	Enrollment	`security.advanced_protection_program`	Use employee ID to keep my users more secure	enableAdvancedProtectionSelfEnrollment	Boolean
Advanced Protection Program	Enrollment	`security.advanced_protection_program`	Security Codes	securityCodeOption	Enum: `ALLOWED_WITH_REMOTE_ACCESS` `ALLOWED_WITHOUT_REMOTE_ACCESS` `CODES_NOT_ALLOWED`
2-Step Verification	Authentication	`security.two_step_verification_enrollment`	Allow users to turn on 2-Step Verification	allowEnrollment	Boolean
		`security.two_step_verification_enforcement`	Enforcement	enforcedFrom	Timestamp
		`security.two_step_verification_grace_period`	New user enrollment period	enrollmentGracePeriod	Duration
		`security.two_step_verification_device_trust`	Allow user to trust the device	allowTrustingDevice	Boolean
		`security.two_step_verification_enforcement_factor`	Methods	allowedSignInFactorSet	Enum: `ALL` `PASSKEY_ONLY` `PASSKEY_PLUS_SECURITY_CODE` `PASSKEY_PLUS_IP_BOUND_SECURITY_CODE` `NO_TELEPHONY`
		`security.two_step_verification_sign_in_code`	2-Step Verification policy suspension grace period	backupCodeExceptionPeriod	Duration

UserTakeout Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Data	Data import & export > Google Takeout > User access to Takeout for Google services	`blogger.user_takeout` `books.user_takeout` `maps.user_takeout` `pay.user_takeout` `photos.user_takeout` `play.user_takeout` `play_console.user_takeout` `location_history.user_takeout` `youtube.user_takeout`	Manage user access to Takeout for Google services	takeout_status	Enum: `TAKEOUT_STATUS_UNSPECIFIED` `ENABLED` `DISABLED`

Marketplace Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Apps list	Apps list	`workspace_marketplace.apps_allowlist`	Showing apps for users in all organizational units	apps	List of apps containing application_id and access status as ALLOWED or BLOCKED.
Settings	Manage access to apps > Manage Google Workspace Marketplace allowlist access	`workspace_marketplace.apps_access_options`	Select which Marketplace apps users can run and install.	access_level	Enum: `ALLOW_ALL` `ALLOW_LISTED_APPS` `ALLOW_NONE`

The Setting workspace_marketplace.apps_allowlist in the API response exposes the Marketplace application_id instead of application_name. The following Python script can be used to convert one or more application_id that are specified on the command line to application_name.

import re
import requests
import sys

output = {}
app_ids = sys.argv[1:]

for id in app_ids:
  url = f"https://workspace.google.com/marketplace/app/_/{id}"
  response = requests.get(url, allow_redirects=False)
  final_url = response.headers['Location']
  pattern = f"^https://workspace.google.com/marketplace/app/(.*)/{id}$"
  a = re.search(pattern, final_url)
  output[id] = a.group(1)

# Output application name captured from returned URL
print(output)

Service Status Settings

The service_status setting contains a Boolean value implying a service is enabled for a certain OrgUnit or Group.

The Policy API supports service status settings for both Workspace services and Additional services listed in the Admin Console under Apps.

Service Name in Admin Console	Policy API service name
Calendar	calendar
Cloud Search	cloud_search
Drive and Docs	drive_and_editors
Currents	currents
Groups for Business	groups_for_business
Jamboard	jamboard
Keep	keep
Google Chat	chat
Google Meet	meet
Google Voice	voice
Google Sites	sites
Tasks	tasks
Vault	vault
Work Insights	work_insights
AppSheet	appsheet
Applied Digital Skills	applied_digital_skills
Assignments	assignments
Blogger	blogger
Brand Accounts	brand_accounts
Campaign Manager 360	campaign_manager
Chrome Canvas	chrome_canvas
Chrome Remote Desktop	chrome_remote_desktop
Chrome Web Store	chrome_web_store
Classroom	classroom
CS First	cs_first
Experimental Apps	experimental_apps
FeedBurner	feedburner
Google Ad Manager	ad_manager
Google Ads	ads
Google AdSense	adsense
Google Alerts	alerts
Google Analytics	analytics
Google Arts & Culture	arts_and_culture
Google Bookmarks	bookmarks
Google Books	books
Google Chrome Sync	chrome_sync
Google Cloud	cloud
Google Cloud Print	cloud_print
Google Colab	colab
Google Developer	developers
Google Domains	domains
Google Earth	earth
Google Fi	fi
Google Groups	groups
Google Maps	maps
Google Messages	messages
Google My Business	my_business
Google My Maps	my_maps
Google News	news
Google Pay	pay
Google Photos	photos
Google Play	play
Google Play Console	play_console
Google Public Data Explorer	public_data
Google Read Along	read_along
Google Search Console	search_console
Google Takeout	takeout
Google Translate	translate
Google Trips	trips
Location History	location_history
Looker Studio	data_studio
Managed Google Play	managed_play
Material Gallery	material_gallery
Merchant Center	merchant_center
Partner Dash	partner_dash
Pinpoint	pinpoint
Play Books Partner Center	play_books_partner_center
Programmable Search Engine	programmable_search_engine
QuestionHub	question_hub
Scholar Profiles	scholar_profiles
Search Ads 360	search_ads_360
Search and Assistant	search_and_assistant
Socratic	socratic
Studio	studio
Third-party App Backups	third_party_app_backups
Tour Creator	tour_creator
YouTube	youtube
Additional services without individual control	enterprise_service_restrictions
Gemini App	gemini
Early Access Apps	early_access_apps
AI Studio	ai_studio
Chrome Cursive	chrome_cursive
NotebookLM	notebooklm

Gmail Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Gmail	User Settings > Confidential Model	`gmail.confidential_mode`	Enable confidential mode	enable_confidential_mode	boolean
	User Settings > S/MIME	`gmail.enhanced_smime_encryption`	Allow users to upload their own certificates	allow_user_to_upload_certificates	boolean
	User Settings > S/MIME	`gmail.enhanced_smime_encryption`	Accept these additional root certificates for specific domains:	custom_root_certificates	A list of CustomRootCertificates which contains a list of root certificates, a list of intermediate CA certificates, a list of restricted domain names, a boolean to allow address mismatch and an enum with different validation levels.
	Spam, phishing, and malware > Enhanced pre-delivery message scanning	`gmail.enhanced_pre_delivery_message_scanning`	Enables improved detection of suspicious content prior to delivery	enable_improved_suspicious_content_detection	boolean
	Spam, phishing, and malware > Email allowlist	`gmail.email_spam_filter_ip_allowlist`	Enter the IP addresses for your email allowlist	allowed_ip_addresses	A list of strings
	Safety > Spoofing and authentication	`gmail.spoofing_and_authentication`	Protect against domain spoofing based on similar domain names	detect_domain_name_spoofing	boolean
			Choose an action	domain_name_spoofing_consequence	Enum: `WARNING` `SPAM_FOLDER` `QUARANTINE` `NO_ACTION`
			Choose a quarantine	domain_name_spoofing_quarantine_id	integer
			Protect against spoofing of employee names	detect_employee_name_spoofing	boolean
			Choose an action	employee_name_spoofing_consequence	Enum: `WARNING` `SPAM_FOLDER` `QUARANTINE` `NO_ACTION`
			Choose a quarantine	employee_name_spoofing_quarantine_id	integer
			Protect against inbound emails spoofing your domain	detect_domain_spoofing_from_unauthenticated_senders	boolean
			Choose an action	domain_spoofing_consequence	Enum: `WARNING` `SPAM_FOLDER` `QUARANTINE` `NO_ACTION`
			Choose a quarantine	domain_spoofing_quarantine_id	integer
			Protect against any unauthenticated emails	detect_unauthenticated_emails	boolean
			Choose an action	unauthenticated_email_consequence	Enum: `WARNING` `SPAM_FOLDER` `QUARANTINE` `NO_ACTION`
			Choose a quarantine	unauthenticated_email_quarantine_id	integer
			Protect your Groups from inbound emails spoofing your domain	detect_groups_spoofing	boolean
			Apply this setting to	groups_spoofing_visibility_type	Enum: `PRIVATE_GROUPS_ONLY` `ALL_GROUPS`
			Choose an action	groups_spoofing_consequence	Enum: `WARNING` `SPAM_FOLDER` `QUARANTINE` `NO_ACTION`
			Choose a quarantine	groups_spoofing_quarantine_id	integer
			Apply future recommended settings automatically	apply_future_settings_automatically	boolean
	Safety > Links and external images	`gmail.links_and_external_images`	Identify links behind shortened URLs	enable_shortener_scanning	boolean
			Scan linked images	enable_external_image_scanning	boolean
			Show warning prompt for any click on links to untrusted domains	enable_aggressive_warnings_on_untrusted_links	boolean
			Apply future recommended settings automatically	apply_future_settings_automatically	boolean
	Safety > Attachments	`gmail.email_attachment_safety`	Protect against encrypted attachments from untrusted senders	enable_encrypted_attachment_protection	boolean
			Choose an action	encrypted_attachment_protection_consequence	Enum: `WARNING` `SPAM_FOLDER` `QUARANTINE`
			Choose a quarantine	encrypted_attachment_protection_quarantine_id	integer
			Protect against attachments with scripts from untrusted senders	enable_attachment_with_scripts_protection	boolean
			Choose an action	attachment_with_scripts_protection_consequence	Enum: `WARNING` `SPAM_FOLDER` `QUARANTINE`
			Choose a quarantine	attachment_with_scripts_protection_quarantine_id	integer
			Protect against anomalous attachment types in emails	enable_anomalous_attachment_protection	boolean
			Choose an action	anomalous_attachment_protection_consequence	Enum: `WARNING` `SPAM_FOLDER` `QUARANTINE`
			Choose a quarantine	anomalous_attachment_protection_quarantine_id	integer
			Allowlist the following uncommon filetypes	allowed_anomalous_attachment_filetypes	string[]
			Apply future recommended settings automatically	apply_future_recommended_settings_automatically	boolean
	Routing > Manage address lists	`gmail.email_address_lists`	Manage address lists	email_address_list	EmailAddressList[]
	Spam, phishing and malware > Blocked senders	`gmail.blocked_sender_lists`	Block or approve specific senders based on email address or domain	blocked_senders	BlockedSender[]
	Spam, phishing and malware > Spam	`gmail.spam_override_lists`	Create approved senders lists that bypass the spam folder.	spam_override	SpamOverride[]
	Compliance > Content compliance	`gmail.content_compliance`	Configure advanced content filters based on words, phrases or patterns	content_compliance_rules	ContentComplianceRule[]
	Compliance > Objectionable content	`gmail.objectionable_content`	Configure content filters based on word lists	objectionable_content_rules	ObjectionableContentRule[]
	Compliance > Attachment compliance	`gmail.attachment_compliance`	Configure attachment filters based on file type, file name and message size	attachment_compliance_rules	AttachmentComplianceRule[]
	Compliance > Comprehensive mail storage	`gmail.comprehensive_mail_storage`	Ensure that a copy of all sent and received mail is stored in associated users' mailboxes	rule_id	string
	N/A (For all rules)	`gmail.rule_states`	N/A	rule_states	RuleState[]
	Setup > User email uploads	`gmail.user_email_uploads`	Show users the option to import mail and contacts from Yahoo!, Hotmail, AOL, or other webmail or POP3 accounts from the Gmail settings page	enable_mail_and_contacts_import	boolean
	End User Access > POP and IMAP access	`gmail.pop_access`	Enable POP access for all users	enable_pop_access	boolean
		`gmail.imap_access`	Enable IMAP access for all users	enable_imap_access	boolean
			Allow any mail client	imap_access_restriction.allow_all_mail_clients	boolean
			Restrict which mail clients users can use (OAuth mail clients only)	imap_access_restriction.allowed_oauth_mail_client_list	OAuthMailClientList
	End User Access > Google Workspace Sync	`gmail.workspace_sync_for_outlook`	Enable Google Workspace Sync for Microsoft Outlook for my users	enable_google_workspace_sync_for_microsoft_outlook	boolean
	End User Access > Automatic forwarding	`gmail.auto_forwarding`	Allow users to automatically forward incoming email to another address	enable_auto_forwarding	boolean
	User Settings > Name format	`gmail.name_format`	Allow users to customize this setting	allow_custom_display_names	boolean
	User Settings > Name format	`gmail.name_format`	First Last or Last, First	default_display_name_format	Enum: `FIRSTNAME_LASTNAME` `LASTNAME_COMMA_FIRSTNAME`
	End User Access > Allow per-user outbound gateways	`gmail.per_user_outbound_gateway`	Allow users to send mail through an external SMTP server when configuring a "from" address hosted outside your email domain	allow_users_to_use_external_smtp_servers	boolean
	End User Access > Image URL proxy allowlist	`gmail.email_image_proxy_bypass`	Enter image URL patterns. Matching URLs bypass the image proxy.	image_proxy_bypass_pattern	string[]
	End User Access > Image URL proxy allowlist	`gmail.email_image_proxy_bypass`	N/A	enable_image_proxy	boolean
	User Settings > Mail Delegation	`gmail.mail_delegation`	Let users delegate access to their mailbox to other users in the domain	enable_mail_delegation	boolean
			Allow users to customize this setting	allow_custom_delegate_attribution	boolean
			Show the account owner and the delegate who sent the email	enable_delegate_attribution	boolean
			Show the account owner only	enable_delegate_attribution	boolean
			Allow users to grant their mailbox access to a Google group	enable_mailbox_group_delegation	boolean

Gmail Sub-Settings

This table provides Gmail sub-settings that are referenced by other Gmail settings.

Policy API Sub-Setting Name	Admin Console Caption		Policy API Field Name	Data Type
EmailAddressList	N/A		id	string
	Name		name	string
	ADD ADDRESS LIST		address_list	AddressList
	ADD BLOCKED LIST		blocked_address_list	AddressList
AddressList	Add address list		address	AddressListEntry[]
AddressListEntry	Address		address	string
AddressListEntry	Authentication required (received mail only)		require_address_verification	boolean
BlockedSender	Enter a short description that will appear within the setting's summary		description	string
	Add addresses or domains that you want to automatically reject messages from		sender_blocklist	StringValue[]
	Enter customized rejection notice		rejection_response	string
	Bypass this setting for messages received from addresses or domains within these approved senders lists.		bypass_approved_sender	boolean
	N/A		bypass_approved_sender_allowlist	StringValue[]
	N/A		rule_id	string
SpamOverride	Enter a short description that will appear within the setting's summary		description	string
	Be more aggressive when filtering spam.		enable_aggressive_filtering	boolean
	Put spam in administrative quarantine		add_to_quarantine	boolean
	N/A		quarantine_id	integer
	Bypass spam filters for internal senders.		bypass_internal_senders	boolean
	Bypass spam filters for messages from senders or domains in selected lists.		bypass_selected_senders	boolean
	N/A		bypass_sender_allowlist	StringValue[]
	Bypass spam filters and hide warnings for messages from senders or domains in selected lists.		hide_warning_banner_from_selected_senders	boolean
	N/A		hide_warning_banner_sender_allowlist	StringValue[]
	Bypass spam filters and hide warnings for all messages from internal and external senders (not recommended).		hide_warning_banner_for_all	boolean
	N/A		rule_id	string
ContentComplianceRule	Enter a short description that will appear within the setting's summary		description	string
	Email messages to affect		condition	RuleConditions
	Add expressions that describe the content you want to search for in each message		match_expressions	MatchExpression[]
	If ANY of the following match the message		match_any_expression	boolean
	If the above expressions match, do the following		consequence	RuleConsequences
	N/A		rule_id	string
ObjectionableContentRule	Enter a short description that will appear within the setting's summary		description	string
	Email messages to affect		condition	RuleConditions
	Custom objectionable words		objectionable_content_defined	boolean
	Enter words		objectionable_words	string[]
	If the above expressions match, do the following		consequence	RuleConsequences
	N/A		rule_id	string
AttachmentComplianceRule	Enter a short description that will appear within the setting's summary		description	string
	Email messages to affect		condition	RuleConditions
	Add expressions that describe the content you want to search for in each message		match_expressions	MatchExpression[]
	If ANY of the following match the message		match_any_expression	boolean
	If the above expressions match, do the following		consequence	RuleConsequences
	N/A		rule_id	string
RuleState	N/A (For all rules)		enabled	boolean
RuleState	N/A (For all rules)		rule_id	string
RuleConditions	Email messages to affect	Inbound	affect_inbound_messages	boolean
		Outbound	affect_outbound_messages	boolean
		Internal - Sending	affect_internal_sending_messages	boolean
		Internal - Receiving	affect_internal_receiving_messages	boolean
	Address lists	Use address lists to bypass or control application of this setting	address_list_option	enum: `NO_EFFECT` `EXCLUDED` `REQUIRED`
		Bypass this setting for specific addresses / domains
		Only apply this setting for specific addresses / domains
		Use existing list / Create or edit list	address_lists	StringValue[]
	Account types to affect	Users	account_type_user	boolean
		Groups	account_type_group	boolean
		Unrecognized / Catch-all	account_type_unrecognized	boolean
	Envelope filter	Only affect specific envelope senders	envelope_sender_filter	AddressMatcher
	Envelope filter	Only affect specific envelope recipients	envelope_recipient_filter	AddressMatcher
AddressMatcher	Only affect specific envelope senders / Only affect specific envelope recipients		enabled	boolean
	Single email address	N/A	address_match_type	enum: `EXACT`
	Single email address	Email address	exact_address_match_value	string
	Pattern match	N/A	address_match_type	enum: `REGEXP`
	Pattern match	Regexp	regexp_match_value	string
	Group membership (only sent mail) / Group membership (only received mail)	N/A	address_match_type	enum: `GROUP_MEMBERSHIP`
		Select groups	group_ids	string[]
MatchExpression	Simple content match	N/A	match_expression_type	enum: `SIMPLE_CONTENT`
	Simple content match	Content	match_content	string
	Advanced content match	N/A	match_expression_type	enum: `ADVANCED_CONTENT`
		Content / Regex	match_content	string
		N/A	advanced_content_match	AdvancedContentMatch
	Metadata match		match_expression_type	enum: `METADATA`
	Metadata match		metadata_match	MetadataMatch
	Predefined content match		match_expression_type	enum: `PREDEFINED_CONTENT`
	Predefined content match		predefined_content_match	PredefinedContentMatch
	File type		match_expression_type	enum: `FILE_TYPE`
	File type		file_type_match	FileTypeMatch
	File name	N/A	match_expression_type	enum: `FILE_NAME`
	File name	The attachment file name contains	file_name	string
	Message size	N/A	match_expression_type	enum: `MESSAGE_SIZE`
	Message size	The overall message (body + attachment) is greater than the following (MB)	message_size_threshold_in_megabytes	integer
AdvancedContentMatch	Location	Headers + Body	advanced_content_match_location	enum: `HEADERS_AND_BODY`
		Full headers		enum: `FULL_HEADERS`
		Body		enum: `BODY`
		Subject		enum: `SUBJECT`
		Sender header		enum: `SENDER_HEADER`
		Recipients header		enum: `RECIPIENTS_HEADER`
		Envelope sender		enum: `ENVELOPE_SENDER`
		Any envelope recipient		enum: `ANY_ENVELOPE_RECIPIENT`
		Raw message		enum: `RAW_MESSAGE`
	Match type	Starts with	advanced_content_match_type	enum: `STARTS_WITH`
		Ends with		enum: `ENDS_WITH`
		Contains text		enum: `CONTAINS_TEXT`
		Not contains text		enum: `NOT_CONTAINS_TEXT`
		Equals		enum: EQUALS
		Is empty		enum: `IS_EMPTY`
		Matches regex		enum: `MATCHES_REGEXP`
		Not matches regex		enum: `NOT_MATCHES_REGEXP`
		Matches any word		enum: `MATCH_ANY_WORD`
		Matches all words		enum: `MATCH_ALL_WORDS`
	N/A		regexp_match	RegexpMatch
RegexpMatch	Regex Description		description	string
RegexpMatch	Minimum match count		min_match_count	integer
MetadataMatch	Attribute	Message authentication	metadata_match_attribute	enum: `MESSAGE_AUTHENTICATION`
		Source IP		enum: `SOURCE_IP`
		Secure transport (TLS)		enum: `TLS`
		Message size		enum: `MESSAGE_SIZE`
		S/MIME encrypted		enum: `SMIME_ENCRYPTED`
		S/MIME signed		enum: `SMIME_SIGNED`
		Gmail confidential mode		enum: `CONFIDENTIAL_MODE`
		Spam		enum: `SPAM`
	Match type	the following range	source_ip_range	string
		the following (MB)	message_size_in_megabytes	integer
		Message is authenticated	metadata_match_type	enum: `MESSAGE_AUTHENTICATED`
		Message is not authenticated		enum: `MESSAGE_NOT_AUTHENTICATED`
		Source IP is within		enum: `SOURCE_IP_IN_RANGE`
		Source IP is not within		enum: `SOURCE_IP_NOT_IN_RANGE`
		Connection is TLS encrypted		enum: `TLS_ENCRYPTED`
		Connection is not TLS encrypted		enum: `TLS_NOT_ENCRYPTED`
		Message size is greater than		enum: `MESSAGE_SIZE_GREATER_THAN`
		Message size is less than		enum: `MESSAGE_SIZE_LESS_THAN`
		Message is S/MIME encrypted		enum: `MESSAGE_IS_SMIME_ENCRYPTED`
		Message is not S/MIME encrypted		enum: `MESSAGE_IS_NOT_SMIME_ENCRYPTED`
		Message is S/MIME signed		enum: `MESSAGE_IS_SMIME_SIGNED`
		Message is not S/MIME signed		enum: `MESSAGE_IS_NOT_SMIME_SIGNED`
		Message is in Gmail confidential mode		enum: `MESSAGE_IS_IN_CONFIDENTIAL_MODE`
		Message is not in Gmail confidential mode		enum: `MESSAGE_IS_NOT_IN_CONFIDENTIAL_MODE`
		Malware detected from security sandbox		enum: `MALWARE_DETECTED_FROM_SECURITY_SANDBOX`
PredefinedContentMatch	N/A (Predefined content match selector)			predefined_content_match_name	string
	Minimum match count			min_match_count	integer
	Confidence threshold		confidence_threshold	enum: `MEDIUM` `HIGH`
FileTypeMatch	Office documents which are encrypted		encrypted_office_documents	boolean
	Office documents which are not encrypted		unencrypted_office_documents	boolean
	Video and multimedia		video	boolean
	Music and sound		music	boolean
	Images		image	boolean
	Compressed files and archives which are encrypted		compressed_encrypted_files	boolean
	Compressed files and archives which are not encrypted		compressed_unencrypted_files	boolean
	Custom file types - Match files based on file name extension		custom_file_extensions	string[]
	Also match files based on file format		match_file_format	boolean
RuleConsequences	Modify message	N/A	rule_consequence_type	enum: `MODIFY_MESSAGE`
		N/A	primary_delivery	Delivery
		Add more recipients	deliver_to_additional_recipients	boolean
		Recipients	bcc_deliveries	Delivery[]
Delivery	Add X-Gm-Original-To header		add_x_gm_original_to_header	boolean
	Add X-Gm-Spam and X-Gm-Phishy headers		add_x_gm_spam_header	boolean
	Add custom headers		add_custom_headers	boolean
	Custom headers		custom_headers	string[]
	Prepend custom subject		prepend_custom_subject	boolean
	Enter new subject prefix		custom_subject	string
	Change route		change_default_route	boolean
	Also reroute spam		reroute_spam	boolean
	Suppress bounces from this recipient		suppress_bounces_from_recipient	boolean
	N/A (Routing selector)		normal_routing	boolean
	Change envelope recipient N/A		change_envelope_recipient	boolean
	Replace recipient		replace_envelope_recipient_type	enum: `REPLACE_ADDRESS`
	Replace recipient		recipient_address	string
	Replace username		replace_envelope_recipient_type	enum: `REPLACE_USER`
	Replace username		recipient_user	string
	Replace domain		replace_envelope_recipient_type	enum: `REPLACE_DOMAIN`
	Replace domain		recipient_domain	string
	Bypass spam filter for this message		bypass_spam_filter	boolean
	Remove attachments from message		remove_attachments	boolean
	Append this text to notify recipients that attachments have been removed		attachment_removal_notice	string
	Require secure transport (TLS)		require_tls	boolean
	Encrypt message if not encrypted (S/MIME)		encrypt_outgoing_messages	boolean
	Bounce message if unable to sign and encrypt		bounce_unencrypted_messages	boolean
	Do not deliver spam to this recipient		do_not_deliver_spam_to_recipient	boolean
OAuthMailClientList	Restrict which mail clients users can use (OAuth mail clients only)		oauth_mail_client	OAuthMailClient[]
OAuthMailClient	N/A		oauth_mail_client_id	string

Chat Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Google Chat	History for chats	`chat.chat_history`	History is ON/OFF	history_on_by_default	boolean
			Allow users to change their history setting	allow_user_modification	boolean
	Chat File Sharing	`chat.chat_file_sharing`	External filesharing	external_file_sharing	Enum: `ALL_FILES` `IMAGES_ONLY` `NO_FILES` `FILE_SHARING_OPTION_UNSPECIFIED`
				internal_file_sharing	same
	History for spaces	`chat.space_history`	Conversation history settings for spaces	history_state	Enum: `DEFAULT_HISTORY_ON` `DEFAULT_HISTORY_OFF` `HISTORY_ALWAYS_ON` `HISTORY_ALWAYS_OFF` `HISTORY_STATE_UNSPECIFIED`
	External Chat Settings	`chat.external_chat_restriction`	Allow users to send messages outside organization in chats and spaces	allow_external_chat	boolean
				external_chat_restriction	Enum: `NO_RESTRICTION` `TRUSTED_DOMAINS` `RESTRICTION_UNSPECIFIED`
	Chat apps	`chat.chat_apps_access`	Allow users to install Chat apps	enable_apps	boolean
			Allow users to add and use incoming webhooks	enable_webhooks	boolean

Drive and Docs Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Drive and Docs	Sharing settings > Sharing options	`drive_and_docs.external_sharing`	Select the highest level of sharing outside of $CUSTOMER_NAME that you want to allow	external_sharing_mode	Enum: `DISALLOWED` `ALLOWLISTED_DOMAINS` `ALLOWED`
			Allow users in $ORG_UNIT_NAME to receive files from users or shared drives outside of $CUSTOMER_NAME	allow_receiving_external_files	Boolean
			Warn when files owned by users or shared drives in $ORG_UNIT_NAME are shared with users in allowlisted domains	warn_for_sharing_outside_allowlisted_domains	Boolean
			Allow users in $ORG_UNIT_NAME to receive files from users or shared drives outside of allowlisted domains	allow_receiving_files_outside_allowlisted_domains	Boolean
			Allow users or shared drives in $ORG_UNIT_NAME to share items with non-Google users in trusted domains using visitor sharing	allow_non_google_invites_in_allowlisted_domains	Boolean
			Warn when files owned by users or shared drives in $ORG_UNIT_NAME are shared outside of $CUSTOMER_NAME	warn_for_external_sharing	Boolean
			Allow users or shared drives in $ORG_UNIT_NAME to share items with people outside $CUSTOMER_NAME who aren't using a Google Account	allow_non_google_invites	Boolean
			When sharing outside of $CUSTOMER_NAME is allowed, users in $ORG_UNIT_NAME can make files and published web content visible to anyone with the link	allow_publishing_files	Boolean
			When a user shares a file via a Google product other than Docs or Drive (e.g. by pasting a link in Gmail), Google can check that the recipients have access. If not, when possible, Google will ask the user to pick if they want to share the file to	access_checker_suggestions	Enum: `RECIPIENTS_OR_AUDIENCE_OR_PUBLIC` `RECIPIENTS_OR_AUDIENCE` `RECIPIENTS_ONLY`
			Select who should be allowed to distribute content in $ORG_UNIT_NAME outside of $CUSTOMER_NAME. This restricts who can upload or move content to shared drives owned by another organization	allowed_parties_for_distributing_content	Enum: `ALL_ELIGIBLE_USERS` `ELIGIBLE_INTERNAL_USERS` `NONE`
	Sharing settings > General access default	`drive_and_docs.general_access_default`	When users in $ORG_UNIT_NAME create items, the default access will be	default_file_access	Enum: `PRIVATE_TO_OWNER` `PRIMARY_AUDIENCE_WITH_LINK` `PRIMARY_AUDIENCE_WITH_LINK_OR_SEARCH`
	Sharing settings > Shared drive creation	`drive_and_docs.shared_drive_creation`	Prevent users in $ORG_UNIT_NAME from creating new shared drives	allow_shared_drive_creation	Boolean (The API response returns the opposite of the UI value)
			When users in $ORG_UNIT_NAME create a shared drive, it will be assigned to the following organizational unit	org_unit_for_new_shared_drives	Enum: `CREATOR_ORG_UNIT` `CUSTOM_ORG_UNIT`
			Selected organizational unit	custom_org_unit	String
			Allow members with manager access to override the settings below	allow_managers_to_override_settings	Boolean
			Allow users outside $CUSTOMER_NAME to access files in shared drives	allow_external_user_access	Boolean
			Allow people who aren't shared drive members to be added to files	allow_non_member_access	Boolean
			Allow viewers and commenters to download, print, and copy files	allowed_parties_for_download_print_copy	Enum: `ALL` (when the checkbox in the UI is checked) `EDITORS_ONLY` (when the checkbox in the UI is unchecked)
			Allow content managers to share folders	allow_content_managers_to_share_folders	Boolean
	Sharing settings > Security update for files	`drive_and_docs.file_security_update`	Applying this update will make file links more secure. This may cause users to receive file access requests	security_update	Enum: `APPLY_TO_IMPACTED_FILES` `REMOVE_FROM_IMPACTED_FILES`
	Sharing settings > Security update for files	`drive_and_docs.file_security_update`	Allow users to remove/apply the security update for files they own or manage	allow_users_to_manage_update	Boolean
	Features and Applications > Drive SDK	`drive_and_docs.drive_sdk`	Allow users to access Google Drive with the Drive SDK API	enable_drive_sdk_api_access	Boolean
	Google Drive for desktop > Enable Drive for desktop	`drive_and_docs.drive_for_desktop`	Allow Google Drive for desktop in your organization	allow_drive_for_desktop	Boolean
			Only allow Google Drive for desktop on authorized devices	restrict_to_authorized_devices	Boolean
			Show Google Drive for desktop download link	show_download_link	Boolean
			Allow users to enable real-time presence in Microsoft Office from Google Drive for desktop	allow_real_time_presence	Boolean

Meet Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Google Meet	Meet video settings > Recording	`meet.video_recording`	Let people record their meetings.	enable_recording	boolean
	Meet safety settings > Domain	`meet.safety_domain`	Who can join meetings created by your organization.	users_allowed_to_join	Enum: `SAME_ORGANIZATION_ONLY` `LOGGED_IN` `ALL`
	Meet safety settings > Access	`meet.safety_access`	Which meetings or calls users in the organization can join. "Incoming call restrictions" can further limit the calls that users can receive.	meetings_allowed_to_join	Enum: `SAME_ORGANIZATION_ONLY` `ANY_WORKSPACE_ORGANIZATION` `ALL`
	Meet safety settings > Host management	`meet.safety_host_management`	Default host management	enable_host_management	Boolean
	Meet safety settings > Warn for external participants	`meet.safety_external_participants`	Indicates participants who are outside "Organization" or whose identities are unconfirmed.	enable_external_label	Boolean

Sites Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Sites	New Sites > Site creation and editing	`sites.sites_creation_and_modification`	Allow users to create new sites	allowSitesCreation	Boolean
			Users can/cannot edit sites	allowSitesModification	Boolean

Groups For Business Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Groups For Business	Sharing settings > Sharing options	`groups_for_business.groups_sharing`	Set policies for changing group sharing settings	collaborationCapability	Enum: `ANYONE_CAN_ACCESS` `DOMAIN_USERS_ONLY`
			Creating groups	createGroupsAccessLevel	Enum: `ADMIN_ONLY` `USERS_IN_DOMAIN` `ANYONE_CAN_CREATE`
			Group owners can allow external members	ownersCanAllowExternalMembers	Boolean
			Group owners can allow incoming email from outside the organization	ownersCanAllowIncomingMailFromPublic	Boolean
			Default for permission to view conversations	viewTopicsDefaultAccessLevel	Enum: `OWNERS` `MANAGERS` `GROUP_MEMBERS` `DOMAIN_USERS` `ANYONE_CAN_VIEE_TOPICS`
			Group owners can hide groups from the directory	ownersCanHideGroups	Boolean
			Hide newly created groups from the directory	newGroupsAreHidden	Boolean

Legal and Compliance

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Account Settings	Sharing options	`cloud_sharing_options.cloud_data_sharing`	Google Cloud Platform Sharing Options	sharingOptions	Enum: `UNSUPPORTED` `ENABLED` `DISABLED`

Classroom Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Classroom	General Settings > Teacher permissions	`classroom.teacher_permissions`	Who can create classes	whoCanCreateClasses	Enum: `ANYONE_IN_DOMAIN` `ALL_PENDING_AND_VERIFIED_TEACHERS` `VERIFIED_TEACHERS_ONLY`
	General Settings > Teacher permissions	`classroom.teacher_permissions`	Who can create classes	whoCanCreateClasses
	General Settings > Guardian access	`classroom.guardian_access`	Allow parents and guardians to access Classroom information	allowAccess	Boolean
	General Settings > Guardian access	`classroom.guardian_access`	Who can manage parents and guardians	whoCanManageGuardianAccess	Enum: `VERIFIED_TEACHERS_AND_DOMAIN_ADMINS` `DOMAIN_ADMINS_ONLY`
	Class settings > About class membership	`classroom.class_membership`	Who can join classes in your domain	whoCanJoinClasses	Enum: `ANYONE_IN_DOMAIN` `ANYONE_IN_ALLOWLISTED_DOMAINS` `ANY_GOOGLE_WORKSPACE_USER` `ANYONE`
	Class settings > About class membership	`classroom.class_membership`	Which classes can users in your domain join	whichClassesCanUsersJoin	Enum: `CLASSES_IN_DOMAIN` `CLASSES_IN_ALLOWLISTED_DOMAINS` `ANY_GOOGLE_WORKSPACE_CLASS`
	Data access > Classroom API	`classroom.api_data_access`	Users can authorize apps to access their Google Classroom data	enableApiAccess	Boolean
	Originality Reports > School Matches	`classroom.originality_reports`	Enable originality reports school matches	enableOriginalityReportsSchoolMatches	Boolean
	Student unenrollment > Unenrollment permissions	`classroom.student_unenrollment`	Who can unenroll students from classes	whoCanUnenrollStudents	Enum `STUDENTS_AND_TEACHERS` `TEACHERS_ONLY`
	Roster import > Settings	`classroom.roster_import`	Roster import	rosterImportOption	Enum: `OFF` `ON_CLEVER`

Calendar Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Calendar	Advanced settings > Appointment schedules with payments	`calendar.appointment_schedules`	Allow appointment schedule users to require payment for booked appointments through their own payment provider accounts.	enable_payments	boolean
	Sharing settings > External Invitations	`calendar.external_invitations`	Warn users when inviting guests outside of the domain `ORGANIZATION_UNIT_NAME`	warn_on_invite	boolean
	Calendar Interop Management > Exchange availability in Calendar	`calendar.interoperability`	Allow Google Calendar to display Exchange users availability	enable_interoperability	boolean
		`calendar.interoperability`	Show event details	enable_full_event_details	boolean
	Calendar Interop Management > Exchange resource booking	`calendar.interoperability`	Enable Google Calendar to book Microsoft Exchange rooms	enable_exchange_room_booking	boolean
	Sharing Settings > External sharing options for primary calendars	`calendar.primary_calendar_max_allowed_external_sharing`	Outside `ORGANIZATION_UNIT_NAME` - set user ability for primary calendars	max_allowed_external_sharing	Enum: `EXTERNAL_FREE_BUSY_ONLY` `EXTERNAL_ALL_INFO_READ_ONLY` `EXTERNAL_ALL_INFO_READ_WRITE` `EXTERNAL_ALL_INFO_READ_WRITE_MANAGE`
	Sharing Settings > External sharing options for secondary calendars	`calendar.secondary_calendar_max_allowed_external_sharing`	Outside <Org name> - set user ability for secondary calendars	max_allowed_external_sharing	Enum: `EXTERNAL_FREE_BUSY_ONLY` `EXTERNAL_ALL_INFO_READ_ONLY` `EXTERNAL_ALL_INFO_READ_WRITE` `EXTERNAL_ALL_INFO_READ_WRITE_MANAGE`

Data Protection Rules Settings

For an overview of data protection rules and detectors, see Create DLP for Drive rules and custom content detectors.

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Data Protection	Security > Access and data control > Data Protection > Manage Rules	`rule.dlp`	Name	display_name	String
			Description	description	String
			Apps	triggers	String[] - List of app specific trigger strings. The list of available app triggers is provided in the following Triggers section.
			Conditions	condition	String - Common Expression Language (CEL) expression of the data conditions the rule scans for. The CEL syntax and some common examples are provided in the following Conditions section.
			Actions	action	Struct - nested object representing app specific actions to take when the conditions are met. The available actions per app trigger are provided in the following Actions section.
			State	state	Enum: `ACTIVE` `INACTIVE`
			Created	create_time	Timestamp
			Last modified	update_time	Timestamp
			Rule type specific metadata	rule_type_metadata	Struct - nested object representing rule type specific metadata. For Data Protection rules, this contains the severity level of the triggered events.

Triggers

The list of available applications and their triggers.

"google.workspace.chrome.file.v1.upload"
"google.workspace.chrome.file.v1.download"
"google.workspace.chrome.web_content.v1.upload"
"google.workspace.chrome.page.v1.print"
"google.workspace.chrome.url.v1.navigation"
"google.workspace.chromeos.file.v1.transfer"
"google.workspace.chat.message.v1.send"
"google.workspace.chat.attachment.v1.upload"
"google.workspace.drive.file.v1.share"
"google.workspace.gmail.email.v1.send"

Conditions

To represent data conditions, the API uses Common Expressions Language (CEL) expressions. Each condition follows the pattern of {content type}.{content to scan for}({additional scan parameters}). For example, all_content.contains('apple') represents a data condition that matches if any of the scanned content (e.g. Drive doc, chat message, etc) contains the substring apple.

Content type

The list of available content types, corresponding to the matching configurations of the same names in the Admin Console.

access_levels
all_content
all_headers
body
destination_type
destination_url
drive_enterprise_metadata
encryption_state
envelope_from
file_size_in_bytes
file_type
from_header
message_security_status
request_attributes
sender_header
source_chrome_context
source_url
source_url_category
subject
suggestion
target_user
title
to_header_recipients
url
url_category

Content to scan for

The list of available content to scan for, corresponding to the matching configurations of the same names in the Admin Console.

contains({string})
starts_with({string})
ends_with({string})
equals({string})
matches_dlp_detector({detector name}, {likelihood}, {minimum_match_count: {count}, minimum_unique_match_count: {count}})
- Corresponds to the matches predefined data type option in the Admin Console.
- {detector name} denotes the predefined data type to scan for, which can be one of the built-in infotypes supported by Cloud DLP: https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference. For example, CREDIT_CARD_NUMBER or US_SOCIAL_SECURITY_NUMBER
- {likelihood} denotes the likelihood threshold of the match. For example, google.privacy.dlp.v2.Likelihood.LIKELY corresponds to the High threshold in the Admin Console.
matches_regex_detector({detector name}, {minimum_match_count: {count}})
- Corresponds to the matches regular expression option in the Admin Console.
- {detector name} is the resource name of the policy that represents the regular expression detector. See Data Protection Detector section on how to query detector policies in the API.
matches_word_list({detector name}, {minimum_match_count: {count}, minimum_unique_match_count: {count}})
- Corresponds to the matches words from word list option in the Admin Console.
- {detector name} is the resource name of the policy that represents the word list detector. See Data Protection Detector section on how to query detector policies in the API.
matches_web_category({category})
- Corresponds to the URL category matches option in the Admin Console for Chrome URL visited trigger.
- {category} denotes the URL category supported by the Admin Console configuration. For example ADULT or ONLINE_COMMUNITIES__SOCIAL_NETWORKS.

Composite conditions

Multiple base conditions can be mixed with AND (&&), OR (||), or NOT (!) operators to form a composite condition. For example, "all_content.contains('apple') && all_content.contains('banana')" represents a condition that matches if any of the scanned content contains both 'apple' and 'banana' substrings.

Actions

Each application specifies the action to take when the data condition matches in a nested message. For example, { "driveAction" { "warnUser" { } } } represents a Drive action that warns users on external sharing. The application specific actions available are following:

Application	Action Key	Subaction	Admin Console Caption
Drive	driveAction	blockAccess	Block external sharing
		warnUser	Warn on external sharing
		auditOnly	no action
		restrictCopyPrintDownload	Disable download, print, and copy
		applyLabels	Apply Classification labels
Gmail	gmailAction	blockContent	Block message
		warnUser	Warn users
		auditOnly	Audit only
		quarantineMessage	Quarantine message
Chat	chatAction	blockContent	Block message
		warnUser	Warn users
		auditOnly	Audit only
Chrome	chromeAction	blockContent	Block
Chrome	chromeAction	warnUser	Allow with warning

Rule type specific metadata

This attribute contains the metadata specific to the rule type. For Data Protection rules, it contains the alerting event severity when the event is reported under the security dashboard and alert center. An example value of the metadata representing LOW alert severity:

fields {
  key: "ruleTypeMetadata"
  value {
    struct_value {
      fields {
        key: "dlpRuleMetadata"
        value {
          struct_value {
            fields {
              key: "alertSeverity"
              value {
                string_value: "LOW"
              }
            }
          }
        }
      }
    }
  }
}

Data Protection Detectors Settings

For an overview of data protection rules and detectors, see Create DLP for Drive rules and custom content detectors.

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Data Protection	Security > Access and data control > Data Protection > Manage Detectors	detector.regular_expression detector.word_list	Name	display_name	String
			Description	description	String
			Regular Expression	regular_expression	Struct - contains the regular expression string. Only set if the detector type is detector.regular_expression.
			Word List	word_list	String - contains the list of word strings. Only set if the detector type is `detector.word_list`.
			Created	create_time	Timestamp
			Last modified	update_time	Timestamp

System Defined Alert Rules Settings

This section describes Google Workspace system-defined alert rules. The API returns only system-defined alerts that are modified from the default value by the administrator.

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Data Protection	Rules (for "system defined' rule type)	`rule.system_defined_alerts`	Name	display_name	String
			Description	description	String
			Actions	action	Struct - nested object representing notification settings when the system defined alert is triggered. Details are provided in the following Actions section.
			State	state	Enum: `ACTIVE` `INACTIVE`
			Created	create_time	Timestamp
			Last modified	update_time	Timestamp

Actions

System defined alert rules have a single action that denotes the notification settings for the alert.

Action key	Subaction	Admin Console Caption
alertCenterAction	alertCenterConfig	Send to alert center
alertCenterAction	recipients	Send email notifications