Permission Matches
- Python Regular Expressions Match function
- Definitions
- File Selection
- Permission Selection
- Define a Match
- File Selection Examples
- Permission Selection Examples
<DomainName> ::= <String>(.<String>)+
<DomainNameList> ::= "<DomainName>(,<DomainName>)*"
<DriveFileACLRole> ::=
commenter|
contentmanager|fileorganizer|
contributor|editor|writer|
manager|organizer|owner|
reader|viewer
<DriveFileACLRoleList> ::= "<DriveFileACLRole>(,<DriveFileACLRole>)*"
<DriveFileACLType> ::= anyone|domain|group|user
<DriveFileACLTypeList> ::= "<DriveFileACLType>(,<DriveFileACLType>)*"
<EmailAddress> ::= <String>@<DomainName>
<EmailAddressList> ::= "<EmailAddress>(,<EmailAddress>)*"
<Time> ::=
<Year>-<Month>-<Day>(<Space>|T)<Hour>:<Minute>:<Second>[.<MilliSeconds>](Z|(+|-(<Hour>:<Minute>))) |
(+|-)<Number>(m|h|d|w|y) |
never|
now|today
<PermissionMatch> ::=
pm|permissionmatch [not]
[type|nottype <DriveFileACLType>] [role|notrole <DriveFileACLRole>]
[typelist|nottypelist <DriveFileACLTypeList>] [rolelist|notrolelist <DriveFileACLRoleList>]
[allowfilediscovery|withlink <Boolean>]
[emailaddress <RegularExpression>] [emailaddresslist <EmailAddressList>]
[permissionidlist <PermissionIDList>]
[name|displayname <String>]
[domain|notdomain <RegularExpression>] [domainlist|notdomainlist <DomainNameList>]
[expirationstart <Time>] [expirationend <Time>]
[deleted <Boolean>] [inherited <Boolean>] [permtype member|file]
em|endmatch
<PermissionMatchMode> ::=
pmm|permissionmatchmode or|and
<PermissionMatchAction> ::=
pma|permissionmatchaction process|skip
In the print/show filecounts/filelists/filetree commands you can limit the files counted/displayed by specifying permissions that the file must/must not have. Permission matching is expensive on Shared Drives as retrieving the permissions requires a separate API call per file.
You can define multiple <PermissionMatches>; each match specifies a set of required fields/values. A permission matches if all of its fields/values match the required fields/values; you can negate the match with not.
When you specify multiple <PermissionMatches>, <PermissionMatchMode> controls whether there is a permissions match when any or all of the <PermissionMatches> match.
- pmm or - If any <PermissionMatch> matches, then there is a permissions match. This is the default.
- pmm and - If all <PermissionMatches> match, then there is a permissions match.
<PermissionMatchAction> controls processing when there is a permissions match.
- pma process - If there is a permissions match, count/display the file. This is the default.
- pma skip - If there is a permissions match, do not count/display the file.
In the print/show drivefileacls and create/delete permissions commands you can limit the permissions displayed/processed.
- pma process - If a permission matches, display/process the permission. This is the default.
- pma skip - If a permission matches, do not display/process the permission.
- pm|permissionmatch - Start of permission match definition.
- not - Negate the match.
- type <DriveFileACLType> - The type of the grantee must match.
- nottype <DriveFileACLType> - The type of the grantee must not match.
- typelist <DriveFileACLTypeList> - The type of the grantee must match any value in the list.
- nottypelist <DriveFileACLTypeList> - The type of the grantee must not match any value in the list.
- role <DriveFileACLRole> - The role granted by this permission must match.
- notrole <DriveFileACLRole> - The role granted by this permission must not match.
- rolelist <DriveFileACLRoleList> - The role granted by this permission must match any value in the list.
- notrolelist <DriveFileACLRoleList> - The role granted by this permission must not match any value in the list.
- allowfilediscovery|withlink <Boolean> - Whether a link is required or whether the file can be discovered through search.
- emailaddress <RegularExpression> - For types user and group, the required email address.
- emailaddresslist <EmailAddressList> - For types user and group, a list of required email addresses; any one of which must match.
- permissionidlist <PermissionIDList> - A list of required permission IDs; any one of which must match.
- name|displayname <RegularExpression> - For types domain, user and group, the displayable name.
- domain <RegularExpression> - For type domain, the required domain name. For types user and group, the required domain name in the email address.
- notdomain <RegularExpression> - For type domain, any domain name that doesn't match. For types user and group, any domain name that doesn't match in the email address.
- domainlist <DomainNameList> - For type domain, the required domain name. For types user and group, the required domain name in the email address.
- notdomainlist <DomainNameList> - For type domain, any domain name that doesn't match. For types user and group, any domain name that doesn't match in the email address.
- expirationstart <Time> - For types user and group, will the permission expire on or after <Time>.
- expirationend <Time> - For types user and group, will the permission expire before or on <Time>.
- deleted <Boolean> - For types user and group, has the user or group been deleted.
- inherited <Boolean> - For Shared Drive files/folders, is the permission inherited.
- permtype member|file - For Shared Drive files/folders, is the permission derived from membership or explicitly granted.
- em|endmatch - End of permission match definition.
These are the permission match definitions that would be appended to a command like:
gam user [email protected] print filelist ...
Process all files with permissions type anyone:
pm type anyone em
Process all files except those with permissions type anyone:
pm type anyone em
pma skip
Process all files owned by someone outside of your domain:
pm type user role owner notdomain mydomain.com em
Process all files shared to users outside of your domains:
pm type user notrole owner notdomainlist mydomain1.com,mydomain2.com em
Process all files with write access for [email protected] or [email protected]:
pm role writer type group emailaddress [email protected] em
pm role writer type user emailaddress [email protected] em
Process all files with write access for [email protected] and [email protected]:
pm role writer type group emailaddress [email protected] em
pm role writer type user emailaddress [email protected] em
pmm and
Process all files where neither [email protected] nor [email protected] have access:
pm type user emailaddress [email protected] em
pm type user emailaddress [email protected] em
pma skip
Or you can use a regular expression:
pm type user emailaddress "user[12]@domain.com" em
pma skip
Process all files shared with group [email protected] and not shared with user [email protected]:
pm type group emailaddress [email protected] em
pm not type user emailaddress [email protected] em
pmm and
Process all files shared with domain.com either directly or via a user or group:
pm domain domain.com em
pm emailaddress ".*@domain.com" em
Display all non-inherited permissions on a Shared Drive:
pm inherited false em
These are the permission match definitions that would be appended to a command like:
gam user [email protected] print drivefileacls ...
Display all permissions shared with domain.com either directly or via a user or group:
pm domain domain.com em
pm emailaddress ".*@domain.com" em
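A check for the <RegularExpression> arguments above (emailaddress, domain, notdomain), as an added example that is not GAM's own code. It assumes the patterns are applied with Python's re.match, which anchors only at the start of the value; every address, domain and function name in it is constructed for illustration.

```python
import re

# Constructed sample values; none come from the page or from a real tenant.
ADDRESSES = [
    "user1@domain.com",              # intended
    "user2@domain.com",              # intended
    "user|@domain.com",              # '|' is a literal inside [...]
    "user1@domain.com.example.net",  # longer domain sharing the prefix
    "user1@domainxcom.example",      # unescaped '.' matches any character
    "user3@domain.com",
]
INTENDED = {"user1@domain.com", "user2@domain.com"}
DOMAINS = ["mydomain.com", "mydomain.com.example.net",
           "mydomainxcom.example", "partner.example"]

LOOSE_ADDR = r"user[1|2]@domain.com"
STRICT_ADDR = r"user[12]@domain\.com$"
LOOSE_DOM = r"mydomain.com"
STRICT_DOM = r"mydomain\.com$"


def accepted(pattern, values):
    """Values the pattern accepts under re.match (anchored at the start only)."""
    rx = re.compile(pattern)
    return [v for v in values if rx.match(v)]


def over_matches(pattern, values, intended):
    """Accepted values that were not meant to be selected."""
    return [v for v in accepted(pattern, values) if v not in intended]


def selected_by_notdomain(pattern, domains):
    """Assumed model of notdomain: keep the domains the pattern does not accept."""
    hit = set(accepted(pattern, domains))
    return [d for d in domains if d not in hit]


if __name__ == "__main__":
    for pat in (LOOSE_ADDR, STRICT_ADDR):
        print(pat, "over-matches:", over_matches(pat, ADDRESSES, INTENDED))
    for pat in (LOOSE_DOM, STRICT_DOM):
        print("notdomain", pat, "selects:", selected_by_notdomain(pat, DOMAINS))
```

With the loose domain pattern, a notdomain selection keeps only partner.example: the two other constructed external domains are treated as internal and drop out of an external-sharing report. Escaping the dot and ending the pattern with $ restores them.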