Settings available in the API

This document describes the settings that the Policy API supports.

If the supported settings are missing from the Cloud Identity Policy API response, see Default field values. If the missing setting is not mentioned in Default field values, contact Cloud Customer Care.

Calendar Settings

| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Calendar | Advanced settings > Appointment schedules with payments | calendar.appointment_schedules | Allow appointment schedule users to require payment for booked appointments through their own payment provider accounts. | enable_payments | boolean |
|  | Sharing settings > External Invitations | calendar.external_invitations | Warn users when inviting guests outside of the domain ORGANIZATION_UNIT_NAME | warn_on_invite | boolean |
|  | Calendar Interop Management > Exchange availability in Calendar | calendar.interoperability | Allow Google Calendar to display Exchange users availability | enable_interoperability | boolean |
|  |  |  | Show event details | enable_full_event_details | boolean |
|  | Calendar Interop Management > Exchange resource booking | calendar.interoperability | Enable Google Calendar to book Microsoft Exchange rooms | enable_exchange_room_booking | boolean |
|  | Sharing Settings > External sharing options for primary calendars | calendar.primary_calendar_max_allowed_external_sharing | Outside ORGANIZATION_UNIT_NAME - set user ability for primary calendars | max_allowed_external_sharing | enum: EXTERNAL_FREE_BUSY_ONLY, EXTERNAL_ALL_INFO_READ_ONLY, EXTERNAL_ALL_INFO_READ_WRITE, EXTERNAL_ALL_INFO_READ_WRITE_MANAGE |
|  | Sharing Settings > External sharing options for secondary calendars | calendar.secondary_calendar_max_allowed_external_sharing | Outside <Org name> - set user ability for secondary calendars | max_allowed_external_sharing | enum: EXTERNAL_FREE_BUSY_ONLY, EXTERNAL_ALL_INFO_READ_ONLY, EXTERNAL_ALL_INFO_READ_WRITE, EXTERNAL_ALL_INFO_READ_WRITE_MANAGE |

Chat Settings

| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Google Chat | History for chats | chat.chat_history | History is ON/OFF | history_on_by_default | boolean |
|  |  |  | Allow users to change their history setting | allow_user_modification | boolean |
|  | Chat File Sharing | chat.chat_file_sharing | External filesharing | external_file_sharing | enum: ALL_FILES, IMAGES_ONLY, NO_FILES, FILE_SHARING_OPTION_UNSPECIFIED |
|  |  |  |  | internal_file_sharing | same |
|  | History for spaces | chat.space_history | Conversation history settings for spaces | history_state | enum: DEFAULT_HISTORY_ON, DEFAULT_HISTORY_OFF, HISTORY_ALWAYS_ON, HISTORY_ALWAYS_OFF, HISTORY_STATE_UNSPECIFIED |
|  | External Chat Settings | chat.external_chat_restriction | Allow users to send messages outside organization in chats and spaces | allow_external_chat | boolean |
|  |  |  |  | external_chat_restriction | enum: NO_RESTRICTION, TRUSTED_DOMAINS, RESTRICTION_UNSPECIFIED |
|  | Chat apps | chat.chat_apps_access | Allow users to install Chat apps | enable_apps | boolean |
|  |  |  | Allow users to add and use incoming webhooks | enable_webhooks | boolean |
|  | Third party archiving | chat.third_party_archiving | Enable third-party archiving | enabled | boolean |
|  |  |  | Specify an email address to which Chat contents should be delivered | destination_email_address | string |
|  |  |  | Specify how frequently Chat archiving messages should be sent (between 1-24 hours) | archival_frequency |  |
|  |  |  | Comma-separated list of any custom headers required by the destination address | custom_headers | string |
|  | External Spaces | chat.external_spaces | Allow users to create and join spaces with people outside their organization | enabled | boolean |
|  |  |  | Only allow users to add people from allowlisted domains | domain_allowlist_mode | enum: DOMAIN_ALLOWLIST_MODE_UNSPECIFIED, TRUSTED_DOMAINS, ALL_DOMAINS |
|  | Sharing settings > Space access default | chat.space_access_default | Default space access when users create new spaces. | access_type | enum: ACCESS_TYPE_UNSPECIFIED, RESTRICTED, PRIMARY_TARGET_AUDIENCE |

Classroom Settings

| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Classroom | General Settings > Teacher permissions | classroom.teacher_permissions | Who can create classes | whoCanCreateClasses | enum: ANYONE_IN_DOMAIN, ALL_PENDING_AND_VERIFIED_TEACHERS, VERIFIED_TEACHERS_ONLY |
|  | General Settings > Guardian access | classroom.guardian_access | Allow parents and guardians to access Classroom information | allowAccess | boolean |
|  |  |  | Who can manage parents and guardians | whoCanManageGuardianAccess | enum: VERIFIED_TEACHERS_AND_DOMAIN_ADMINS, DOMAIN_ADMINS_ONLY |
|  | Class settings > About class membership | classroom.class_membership | Who can join classes in your domain | whoCanJoinClasses | enum: ANYONE_IN_DOMAIN, ANYONE_IN_ALLOWLISTED_DOMAINS, ANY_GOOGLE_WORKSPACE_USER, ANYONE |
|  |  |  | Which classes can users in your domain join | whichClassesCanUsersJoin | enum: CLASSES_IN_DOMAIN, CLASSES_IN_ALLOWLISTED_DOMAINS, ANY_GOOGLE_WORKSPACE_CLASS |
|  | Data access > Classroom API | classroom.api_data_access | Users can authorize apps to access their Google Classroom data | enableApiAccess | boolean |
|  | Originality Reports > School Matches | classroom.originality_reports | Enable originality reports school matches | enableOriginalityReportsSchoolMatches | boolean |
|  | Student unenrollment > Unenrollment permissions | classroom.student_unenrollment | Who can unenroll students from classes | whoCanUnenrollStudents | enum: STUDENTS_AND_TEACHERS, TEACHERS_ONLY |
|  | Roster import > Settings | classroom.roster_import | Roster import | rosterImportOption | enum: OFF, ON_CLEVER |

Data compliance settings

| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Access Management | Access management > Access management policy | access_management.user_scoping | Choose an Access Management policy for covered data | allowed_audience | enum: PREFERENCE_UNSPECIFIED, CJIS_IRS_1075_GOOGLE_STAFF, US_GOOGLE_STAFF, EU_GOOGLE_STAFF |
| Data Regions | Region > Data at rest | data_regions.data_at_rest_region | Region for storing data at rest | region | enum: REGION_UNSPECIFIED, ANY_REGION, US, EUROPE |
|  | Region > Data processing | data_regions.data_processing_region | Data region policy for data processing | limit_to_storage_region | boolean |

Drive and Docs Settings

| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Drive and Docs | Sharing settings > Sharing options | drive_and_docs.external_sharing | Select the highest level of sharing outside of CUSTOMER_NAME that you want to allow | external_sharing_mode | enum: DISALLOWED, ALLOWLISTED_DOMAINS, ALLOWED |
|  |  |  | Allow users in ORGANIZATION_UNIT_NAME to receive files from users or shared drives outside of CUSTOMER_NAME | allow_receiving_external_files | boolean |
|  |  |  | Warn when files owned by users or shared drives in ORGANIZATION_UNIT_NAME are shared with users in allowlisted domains | warn_for_sharing_outside_allowlisted_domains | boolean |
|  |  |  | Allow users in ORGANIZATION_UNIT_NAME to receive files from users or shared drives outside of allowlisted domains | allow_receiving_files_outside_allowlisted_domains | boolean |
|  |  |  | Allow users or shared drives in ORGANIZATION_UNIT_NAME to share items with non-Google users in trusted domains using visitor sharing | allow_non_google_invites_in_allowlisted_domains | boolean |
|  |  |  | Warn when files owned by users or shared drives in ORGANIZATION_UNIT_NAME are shared outside of CUSTOMER_NAME | warn_for_external_sharing | boolean |
|  |  |  | Allow users or shared drives in ORGANIZATION_UNIT_NAME to share items with people outside CUSTOMER_NAME who aren't using a Google Account | allow_non_google_invites | boolean |
|  |  |  | When sharing outside of CUSTOMER_NAME is allowed, users in ORGANIZATION_UNIT_NAME can make files and published web content visible to anyone with the link | allow_publishing_files | boolean |
|  |  |  | When a user shares a file via a Google product other than Docs or Drive (e.g. by pasting a link in Gmail), Google can check that the recipients have access. If not, when possible, Google will ask the user to pick if they want to share the file to | access_checker_suggestions | enum: RECIPIENTS_OR_AUDIENCE_OR_PUBLIC, RECIPIENTS_OR_AUDIENCE, RECIPIENTS_ONLY |
|  |  |  | Select who should be allowed to distribute content in ORGANIZATION_UNIT_NAME outside of CUSTOMER_NAME. This restricts who can upload or move content to shared drives owned by another organization | allowed_parties_for_distributing_content | enum: ALL_ELIGIBLE_USERS, ELIGIBLE_INTERNAL_USERS, NONE |
|  | Sharing settings > General access default | drive_and_docs.general_access_default | When users in ORGANIZATION_UNIT_NAME create items, the default access will be | default_file_access | enum: PRIVATE_TO_OWNER, PRIMARY_AUDIENCE_WITH_LINK, PRIMARY_AUDIENCE_WITH_LINK_OR_SEARCH |
|  | Sharing settings > Shared drive creation | drive_and_docs.shared_drive_creation | Prevent users in ORGANIZATION_UNIT_NAME from creating new shared drives | allow_shared_drive_creation | boolean (The API response returns the opposite of the UI value) |
|  |  |  | When users in ORGANIZATION_UNIT_NAME create a shared drive, it will be assigned to the following organizational unit | org_unit_for_new_shared_drives | enum: CREATOR_ORG_UNIT, CUSTOM_ORG_UNIT |
|  |  |  | Selected organizational unit | custom_org_unit | string |
|  |  |  | Allow members with manager access to override the settings below | allow_managers_to_override_settings | boolean |
|  |  |  | Allow users outside CUSTOMER_NAME to access files in shared drives | allow_external_user_access | boolean |
|  |  |  | Allow people who aren't shared drive members to be added to files | allow_non_member_access | boolean |
|  |  |  | Download, print, copy is enabled for | allowed_parties_for_download_print_copy | enum: ALL, EDITORS_ONLY (Managers, contributors and content managers), MANAGERS_ONLY |
|  |  |  | Allow content managers to share folders | allow_content_managers_to_share_folders | boolean |
|  | Sharing settings > Security update for files | drive_and_docs.file_security_update | Applying this update will make file links more secure. This may cause users to receive file access requests | security_update | enum: APPLY_TO_IMPACTED_FILES, REMOVE_FROM_IMPACTED_FILES |
|  |  |  | Allow users to remove/apply the security update for files they own or manage | allow_users_to_manage_update | boolean |
|  | Features and Applications > Drive SDK | drive_and_docs.drive_sdk | Allow users to access Google Drive with the Drive SDK API | enable_drive_sdk_api_access | boolean |
|  | Google Drive for desktop > Enable Drive for desktop | drive_and_docs.drive_for_desktop | Allow Google Drive for desktop in your organization | allow_drive_for_desktop | boolean |
|  |  |  | Only allow Google Drive for desktop on authorized devices | restrict_to_authorized_devices | boolean |
|  |  |  | Show Google Drive for desktop download link | show_download_link | boolean |
|  |  |  | Allow users to enable real-time presence in Microsoft Office from Google Drive for desktop | allow_real_time_presence | boolean |
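
An added example (not part of the original documentation) of reading the Drive and Docs fields above from a list of policies: it normalizes camelCase JSON keys to the snake_case field names used here, reports absent fields separately instead of treating them as false, and maps allow_shared_drive_creation back to the inverted Admin Console checkbox. The policy dictionary shape (`setting.type` with an optional `settings/` prefix, `setting.value`), the sample data, and the choice of which values to flag are assumptions of this example.

```python
import re

# Field names and enum values come from the Drive and Docs settings above.
# Which values count as a finding is this example's own choice.
RISKY = {
    "drive_and_docs.external_sharing": {
        "external_sharing_mode": {"ALLOWED"},
        "allow_publishing_files": {True},
        "allow_non_google_invites": {True},
        "warn_for_external_sharing": {False},
    },
    "drive_and_docs.shared_drive_creation": {
        "allow_external_user_access": {True},
        "allow_non_member_access": {True},
    },
}

# Constructed sample input (assumed response shape, not captured from a tenant).
SAMPLE_POLICIES = [
    {"setting": {"type": "settings/drive_and_docs.external_sharing",
                 "value": {"externalSharingMode": "ALLOWED",
                           "warnForExternalSharing": False,
                           "allowPublishingFiles": True}}},
    {"setting": {"type": "settings/drive_and_docs.shared_drive_creation",
                 "value": {"allowSharedDriveCreation": True,
                           "allowExternalUserAccess": False}}},
]


def to_snake(name):
    """Convert a camelCase JSON key to the snake_case name used on this page."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", name).lower()


def normalize(policy):
    """Return (setting_type, {snake_case_field: value}) for one policy dict."""
    setting = policy.get("setting", {})
    # Assumption: the type may carry a "settings/" prefix; drop it if present.
    setting_type = setting.get("type", "").split("/", 1)[-1]
    values = {to_snake(k): v for k, v in setting.get("value", {}).items()}
    return setting_type, values


def audit(policies):
    """Return (findings, unset) for the fields listed in RISKY."""
    findings, unset = [], []
    for policy in policies:
        setting_type, values = normalize(policy)
        for field, risky_values in RISKY.get(setting_type, {}).items():
            if field not in values:
                # Absent is not the same as false: check "Default field values".
                unset.append((setting_type, field))
            elif values[field] in risky_values:
                findings.append((setting_type, field, values[field]))
    return findings, unset


def ui_prevents_shared_drive_creation(values):
    """Map allow_shared_drive_creation to the "Prevent users ..." checkbox.

    The API value is the opposite of the UI value; None means the field is absent.
    """
    allowed = values.get("allow_shared_drive_creation")
    return None if allowed is None else not allowed


if __name__ == "__main__":
    found, missing = audit(SAMPLE_POLICIES)
    for item in found:
        print("FINDING", item)
    for item in missing:
        print("UNSET  ", item)
```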

Gmail Settings

| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Gmail | User Settings > Confidential Mode | gmail.confidential_mode | Enable confidential mode | enable_confidential_mode | boolean |
|  | User Settings > S/MIME | gmail.enhanced_smime_encryption | Allow users to upload their own certificates | allow_user_to_upload_certificates | boolean |
|  |  |  | Accept these additional root certificates for specific domains: | custom_root_certificates | A list of CustomRootCertificates which contains a list of root certificates, a list of intermediate CA certificates, a list of restricted domain names, a boolean to allow address mismatch and an enum with different validation levels. |
|  | Spam, phishing, and malware > Enhanced pre-delivery message scanning | gmail.enhanced_pre_delivery_message_scanning | Enables improved detection of suspicious content prior to delivery | enable_improved_suspicious_content_detection | boolean |
|  | Spam, phishing, and malware > Email allowlist | gmail.email_spam_filter_ip_allowlist | Enter the IP addresses for your email allowlist | allowed_ip_addresses | A list of strings |
|  | Safety > Spoofing and authentication | gmail.spoofing_and_authentication | Protect against domain spoofing based on similar domain names | detect_domain_name_spoofing | boolean |
|  |  |  | Choose an action | domain_name_spoofing_consequence | enum: WARNING, SPAM_FOLDER, QUARANTINE, NO_ACTION |
|  |  |  | Choose a quarantine | domain_name_spoofing_quarantine_id | integer |
|  |  |  | Protect against spoofing of employee names | detect_employee_name_spoofing | boolean |
|  |  |  | Choose an action | employee_name_spoofing_consequence | enum: WARNING, SPAM_FOLDER, QUARANTINE, NO_ACTION |
|  |  |  | Choose a quarantine | employee_name_spoofing_quarantine_id | integer |
|  |  |  | Protect against inbound emails spoofing your domain | detect_domain_spoofing_from_unauthenticated_senders | boolean |
|  |  |  | Choose an action | domain_spoofing_consequence | enum: WARNING, SPAM_FOLDER, QUARANTINE, NO_ACTION |
|  |  |  | Choose a quarantine | domain_spoofing_quarantine_id | integer |
|  |  |  | Protect against any unauthenticated emails | detect_unauthenticated_emails | boolean |
|  |  |  | Choose an action | unauthenticated_email_consequence | enum: WARNING, SPAM_FOLDER, QUARANTINE, NO_ACTION |
|  |  |  | Choose a quarantine | unauthenticated_email_quarantine_id | integer |
|  |  |  | Protect your Groups from inbound emails spoofing your domain | detect_groups_spoofing | boolean |
|  |  |  | Apply this setting to | groups_spoofing_visibility_type | enum: PRIVATE_GROUPS_ONLY, ALL_GROUPS |
|  |  |  | Choose an action | groups_spoofing_consequence | enum: WARNING, SPAM_FOLDER, QUARANTINE, NO_ACTION |
|  |  |  | Choose a quarantine | groups_spoofing_quarantine_id | integer |
|  |  |  | Apply future recommended settings automatically | apply_future_settings_automatically | boolean |
|  | Safety > Links and external images | gmail.links_and_external_images | Identify links behind shortened URLs | enable_shortener_scanning | boolean |
|  |  |  | Scan linked images | enable_external_image_scanning | boolean |
|  |  |  | Show warning prompt for any click on links to untrusted domains | enable_aggressive_warnings_on_untrusted_links | boolean |
|  |  |  | Apply future recommended settings automatically | apply_future_settings_automatically | boolean |
|  | Safety > Attachments | gmail.email_attachment_safety | Protect against encrypted attachments from untrusted senders | enable_encrypted_attachment_protection | boolean |
|  |  |  | Choose an action | encrypted_attachment_protection_consequence | enum: WARNING, SPAM_FOLDER, QUARANTINE |
|  |  |  | Choose a quarantine | encrypted_attachment_protection_quarantine_id | integer |
|  |  |  | Protect against attachments with scripts from untrusted senders | enable_attachment_with_scripts_protection | boolean |
|  |  |  | Choose an action | attachment_with_scripts_protection_consequence | enum: WARNING, SPAM_FOLDER, QUARANTINE |
|  |  |  | Choose a quarantine | attachment_with_scripts_protection_quarantine_id | integer |
|  |  |  | Protect against anomalous attachment types in emails | enable_anomalous_attachment_protection | boolean |
|  |  |  | Choose an action | anomalous_attachment_protection_consequence | enum: WARNING, SPAM_FOLDER, QUARANTINE |
|  |  |  | Choose a quarantine | anomalous_attachment_protection_quarantine_id | integer |
|  |  |  | Allowlist the following uncommon filetypes | allowed_anomalous_attachment_filetypes | string[] |
|  |  |  | Apply future recommended settings automatically | apply_future_recommended_settings_automatically | boolean |
|  | Routing > Manage address lists | gmail.email_address_lists | Manage address lists | email_address_list |  |
|  | Spam, phishing and malware > Blocked senders | gmail.blocked_sender_lists | Block or approve specific senders based on email address or domain | blocked_senders |  |
|  | Spam, phishing and malware > Spam | gmail.spam_override_lists | Create approved senders lists that bypass the spam folder. | spam_override |  |
|  | Compliance > Content compliance | gmail.content_compliance | Configure advanced content filters based on words, phrases or patterns | content_compliance_rules |  |
|  | Compliance > Objectionable content | gmail.objectionable_content | Configure content filters based on word lists | objectionable_content_rules |  |
|  | Compliance > Attachment compliance | gmail.attachment_compliance | Configure attachment filters based on file type, file name and message size | attachment_compliance_rules |  |
|  | Compliance > Comprehensive mail storage | gmail.comprehensive_mail_storage | Ensure that a copy of all sent and received mail is stored in associated users' mailboxes | rule_id | string |
|  | N/A (For all rules) | gmail.rule_states | N/A | rule_states |  |
|  | Setup > User email uploads | gmail.user_email_uploads | Show users the option to import mail and contacts from Yahoo!, Hotmail, AOL, or other webmail or POP3 accounts from the Gmail settings page | enable_mail_and_contacts_import | boolean |
|  | End User Access > POP and IMAP access | gmail.pop_access | Enable POP access for all users | enable_pop_access | boolean |
|  |  | gmail.imap_access | Enable IMAP access for all users | enable_imap_access | boolean |
|  |  |  | Allow any mail client | imap_access_restriction.allow_all_mail_clients | boolean |
|  |  |  | Restrict which mail clients users can use (OAuth mail clients only) | imap_access_restriction.allowed_oauth_mail_client_list |  |
|  | End User Access > Google Workspace Sync | gmail.workspace_sync_for_outlook | Enable Google Workspace Sync for Microsoft Outlook for my users | enable_google_workspace_sync_for_microsoft_outlook | boolean |
|  | End User Access > Automatic forwarding | gmail.auto_forwarding | Allow users to automatically forward incoming email to another address | enable_auto_forwarding | boolean |
|  | User Settings > Name format | gmail.name_format | Allow users to customize this setting | allow_custom_display_names | boolean |
|  |  |  | First Last or Last, First | default_display_name_format | enum: FIRSTNAME_LASTNAME, LASTNAME_COMMA_FIRSTNAME |
|  | End User Access > Allow per-user outbound gateways | gmail.per_user_outbound_gateway | Allow users to send mail through an external SMTP server when configuring a "from" address hosted outside your email domain | allow_users_to_use_external_smtp_servers | boolean |
|  | End User Access > Image URL proxy allowlist | gmail.email_image_proxy_bypass | Enter image URL patterns. Matching URLs bypass the image proxy. | image_proxy_bypass_pattern | string[] |
|  |  |  | N/A | enable_image_proxy | boolean |
|  | User Settings > Mail Delegation | gmail.mail_delegation | Let users delegate access to their mailbox to other users in the domain | enable_mail_delegation | boolean |
|  |  |  | Allow users to customize this setting | allow_custom_delegate_attribution | boolean |
|  |  |  | Show the account owner and the delegate who sent the email | enable_delegate_attribution | boolean |
|  |  |  | Show the account owner only |  |  |
|  |  |  | Allow users to grant their mailbox access to a Google group | enable_mailbox_group_delegation | boolean |

Gmail Sub-Settings

This table provides Gmail sub-settings that are referenced by other Gmail settings.

Policy API Sub-Setting Name
Admin Console Caption
Policy API Field Name
Data Type
EmailAddressList
N/A
id
string
Name
name
string
ADD ADDRESS LIST
address_list
ADD BLOCKED LIST
blocked_address_list
AddressList
Add address list
address
AddressListEntry
Address
address
string
Authentication required (received mail only)
require_address_verification
boolean
BlockedSender
Enter a short description that will appear within the setting's summary
description
string
Add addresses or domains that you want to automatically reject messages from
sender_blocklist
Enter customized rejection notice
rejection_response
string
Bypass this setting for messages received from addresses or domains within these approved senders lists.
bypass_approved_sender
boolean
N/A
bypass_approved_sender_allowlist
N/A
rule_id
string
SpamOverride
Enter a short description that will appear within the setting's summary
description
string
Be more aggressive when filtering spam.
enable_aggressive_filtering
boolean
Put spam in administrative quarantine
add_to_quarantine
boolean
N/A
quarantine_id
integer
Bypass spam filters for internal senders.
bypass_internal_senders
boolean
Bypass spam filters for messages from senders or domains in selected lists.
bypass_selected_senders
boolean
N/A
bypass_sender_allowlist
Bypass spam filters and hide warnings for messages from senders or domains in selected lists.
hide_warning_banner_from_selected_senders
boolean
N/A
hide_warning_banner_sender_allowlist
Bypass spam filters and hide warnings for all messages from internal and external senders (not recommended).
hide_warning_banner_for_all
boolean
N/A
rule_id
string
ContentComplianceRule
Enter a short description that will appear within the setting's summary
description
string
Email messages to affect
condition
Add expressions that describe the content you want to search for in each message
match_expressions
If ANY of the following match the message
match_any_expression
boolean
If the above expressions match, do the following
consequence
N/A
rule_id
string
ObjectionableContentRule
Enter a short description that will appear within the setting's summary
description
string
Email messages to affect
condition
Custom objectionable words
objectionable_content_defined
boolean
Enter words
objectionable_words
string[]
If the above expressions match, do the following
consequence
N/A
rule_id
string
AttachmentComplianceRule
Enter a short description that will appear within the setting's summary
description
string
Email messages to affect
condition
Add expressions that describe the content you want to search for in each message
match_expressions
If ANY of the following match the message
match_any_expression
boolean
If the above expressions match, do the following
consequence
N/A
rule_id
string
RuleState
N/A (For all rules)
enabled
boolean
rule_id
string
RuleConditions
Email messages to affect
Inbound
affect_inbound_messages
boolean
Outbound
affect_outbound_messages
boolean
Internal - Sending
affect_internal_sending_messages
boolean
Internal - Receiving
affect_internal_receiving_messages
boolean
Address lists
Use address lists to bypass or control application of this setting
address_list_option
enum:
  • NO_EFFECT
  • EXCLUDED
  • REQUIRED
Bypass this setting for specific addresses / domains
Only apply this setting for specific addresses / domains
Use existing list / Create or edit list
address_lists
Account types to affect
Users
account_type_user
boolean
Groups
account_type_group
boolean
Unrecognized / Catch-all
account_type_unrecognized
boolean
Envelope filter
Only affect specific envelope senders
envelope_sender_filter
Only affect specific envelope recipients
envelope_recipient_filter
AddressMatcher
Only affect specific envelope senders / Only affect specific envelope recipients
enabled
boolean
Single email address
N/A
address_match_type
enum: EXACT
Email address
exact_address_match_value
string
Pattern match
N/A
address_match_type
enum: REGEXP
Regexp
regexp_match_value
string
Group membership (only sent mail) / Group membership (only received mail)
N/A
address_match_type
enum: GROUP_MEMBERSHIP
Select groups
group_ids
string[]
MatchExpression
Simple content match
N/A
match_expression_type
enum: SIMPLE_CONTENT
Content
match_content
string
Advanced content match
N/A
match_expression_type
enum: ADVANCED_CONTENT
Content / Regex
match_content
string
N/A
advanced_content_match
Metadata match
match_expression_type
enum: METADATA
metadata_match
Predefined content match
match_expression_type
enum: PREDEFINED_CONTENT
predefined_content_match
File type
match_expression_type
enum: FILE_TYPE
file_type_match
File name
N/A
match_expression_type
enum: FILE_NAME
The attachment file name contains
file_name
string
Message size
N/A
match_expression_type
enum: MESSAGE_SIZE
The overall message (body + attachment) is greater than the following (MB)
message_size_threshold_in_megabytes
integer
AdvancedContentMatch
Location
Headers + Body
advanced_content_match_location
enum: HEADERS_AND_BODY
Full headers
enum: FULL_HEADERS
Body
enum: BODY
Subject
enum: SUBJECT
Sender header
enum: SENDER_HEADER
Recipients header
enum: RECIPIENTS_HEADER
Envelope sender
enum: ENVELOPE_SENDER
Any envelope recipient
enum: ANY_ENVELOPE_RECIPIENT
Raw message
enum: RAW_MESSAGE
Match type
Starts with
advanced_content_match_type
enum: STARTS_WITH
Ends with
enum: ENDS_WITH
Contains text
enum: CONTAINS_TEXT
Not contains text
enum: NOT_CONTAINS_TEXT
Equals
enum: EQUALS
Is empty
enum: IS_EMPTY
Matches regex
enum: MATCHES_REGEXP
Not matches regex
enum: NOT_MATCHES_REGEXP
Matches any word
enum: MATCH_ANY_WORD
Matches all words
enum: MATCH_ALL_WORDS
N/A
regexp_match
RegexpMatch
Regex Description
description
string
Minimum match count
min_match_count
integer
MetadataMatch
Attribute
Message authentication
metadata_match_attribute
enum: MESSAGE_AUTHENTICATION
Source IP
enum: SOURCE_IP
Secure transport (TLS)
enum: TLS
Message size
enum: MESSAGE_SIZE
S/MIME encrypted
enum: SMIME_ENCRYPTED
S/MIME signed
enum: SMIME_SIGNED
Gmail confidential mode
enum: CONFIDENTIAL_MODE
Spam
enum: SPAM
Match type
the following range
source_ip_range
string
the following (MB)
message_size_in_megabytes
integer
Message is authenticated
metadata_match_type
enum: MESSAGE_AUTHENTICATED
Message is not authenticated
enum: MESSAGE_NOT_AUTHENTICATED
Source IP is within
enum: SOURCE_IP_IN_RANGE
Source IP is not within
enum: SOURCE_IP_NOT_IN_RANGE
Connection is TLS encrypted
enum: TLS_ENCRYPTED
Connection is not TLS encrypted
enum: TLS_NOT_ENCRYPTED
Message size is greater than
enum: MESSAGE_SIZE_GREATER_THAN
Message size is less than
enum: MESSAGE_SIZE_LESS_THAN
Message is S/MIME encrypted
enum: MESSAGE_IS_SMIME_ENCRYPTED
Message is not S/MIME encrypted
enum: MESSAGE_IS_NOT_SMIME_ENCRYPTED
Message is S/MIME signed
enum: MESSAGE_IS_SMIME_SIGNED
Message is not S/MIME signed
enum: MESSAGE_IS_NOT_SMIME_SIGNED
Message is in Gmail confidential mode
enum: MESSAGE_IS_IN_CONFIDENTIAL_MODE
Message is not in Gmail confidential mode
enum: MESSAGE_IS_NOT_IN_CONFIDENTIAL_MODE
Malware detected from security sandbox
enum: MALWARE_DETECTED_FROM_SECURITY_SANDBOX
PredefinedContentMatch
N/A (Predefined content match selector)
predefined_content_match_name
string
Minimum match count
min_match_count
integer
Confidence threshold
confidence_threshold
enum:
  • MEDIUM
  • HIGH
FileTypeMatch
Office documents which are encrypted
encrypted_office_documents
boolean
Office documents which are not encrypted
unencrypted_office_documents
boolean
Video and multimedia
video
boolean
Music and sound
music
boolean
Images
image
boolean
Compressed files and archives which are encrypted
compressed_encrypted_files
boolean
Compressed files and archives which are not encrypted
compressed_unencrypted_files
boolean
Custom file types - Match files based on file name extension
custom_file_extensions
string[]
Also match files based on file format
match_file_format
boolean
RuleConsequences
Modify message
N/A
rule_consequence_type
enum: MODIFY_MESSAGE
N/A
primary_delivery
Add more recipients
deliver_to_additional_recipients
boolean
Recipients
bcc_deliveries
Delivery
Add X-Gm-Original-To header
add_x_gm_original_to_header
boolean
Add X-Gm-Spam and X-Gm-Phishy headers
add_x_gm_spam_header
boolean
Add custom headers
add_custom_headers
boolean
Custom headers
custom_headers
string[]
Prepend custom subject
prepend_custom_subject
boolean
Enter new subject prefix
custom_subject
string
Change route
change_default_route
boolean
Also reroute spam
reroute_spam
boolean
Suppress bounces from this recipient
suppress_bounces_from_recipient
boolean
N/A (Routing selector)
normal_routing
boolean
Change envelope recipient N/A
change_envelope_recipient
boolean
Replace recipient
replace_envelope_recipient_type
enum: REPLACE_ADDRESS
recipient_address
string
Replace username
replace_envelope_recipient_type
enum: REPLACE_USER
recipient_user
string
Replace domain
replace_envelope_recipient_type
enum: REPLACE_DOMAIN
recipient_domain
string
Bypass spam filter for this message
bypass_spam_filter
boolean
Remove attachments from message
remove_attachments
boolean
Append this text to notify recipients that attachments have been removed
attachment_removal_notice
string
Require secure transport (TLS)
require_tls
boolean
Encrypt message if not encrypted (S/MIME)
encrypt_outgoing_messages
boolean
Bounce message if unable to sign and encrypt
bounce_unencrypted_messages
boolean
Do not deliver spam to this recipient
do_not_deliver_spam_to_recipient
boolean
OAuthMailClientList
Restrict which mail clients users can use (OAuth mail clients only)
oauth_mail_client
OAuthMailClient
N/A
oauth_mail_client_id
string

Groups For Business Settings

| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Groups For Business | Sharing settings > Sharing options | groups_for_business.groups_sharing | Set policies for changing group sharing settings | collaborationCapability | enum: ANYONE_CAN_ACCESS, DOMAIN_USERS_ONLY |
|  |  |  | Creating groups | createGroupsAccessLevel | enum: ADMIN_ONLY, USERS_IN_DOMAIN, ANYONE_CAN_CREATE |
|  |  |  | Group owners can allow external members | ownersCanAllowExternalMembers | boolean |
|  |  |  | Group owners can allow incoming email from outside the organization | ownersCanAllowIncomingMailFromPublic | boolean |
|  |  |  | Default for permission to view conversations | viewTopicsDefaultAccessLevel | enum: OWNERS, MANAGERS, GROUP_MEMBERS, DOMAIN_USERS, ANYONE_CAN_VIEE_TOPICS |
|  |  |  | Group owners can hide groups from the directory | ownersCanHideGroups | boolean |
|  |  |  | Hide newly created groups from the directory | newGroupsAreHidden | boolean |

| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Account Settings | Sharing options | cloud_sharing_options.cloud_data_sharing | Google Cloud Platform Sharing Options | sharingOptions | enum: UNSUPPORTED, ENABLED, DISABLED |

Marketplace Settings

| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Apps list | Apps list | workspace_marketplace.apps_allowlist | Showing apps for users in all organizational units | apps |  |
| Settings | Manage access to apps > Manage Google Workspace Marketplace allowlist access | workspace_marketplace.apps_access_options | Select which Marketplace apps users can run and install. | access_level | enum: ALLOW_ALL, ALLOW_LISTED_APPS, ALLOW_NONE |

Marketplace Sub-Settings

| Policy API Sub-Setting Name | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- |
| AppsAllowlistSetting | N/A | application_id | string |
|  | N/A | access | enum: ALLOWED, BLOCKED |

The workspace_marketplace.apps_allowlist setting in the API response exposes the Marketplace application_id instead of the application_name. The following Python script converts one or more application_id values specified on the command line to their application_name.

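```python
import re
import sys

import requests

output = {}
app_ids = sys.argv[1:]
for app_id in app_ids:
    url = f"https://workspace.google.com/marketplace/app/_/{app_id}"
    # The Marketplace answers with a redirect whose URL contains the application name.
    response = requests.get(url, allow_redirects=False, timeout=10)
    final_url = response.headers.get("Location", "")
    # Escape the ID and the dots so they are matched literally.
    pattern = rf"^https://workspace\.google\.com/marketplace/app/(.*)/{re.escape(app_id)}$"
    match = re.search(pattern, final_url)
    # Record None when there is no redirect or the URL has an unexpected shape.
    output[app_id] = match.group(1) if match else None

# Output application name captured from returned URL
print(output)
```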

Meet Settings

| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Google Meet | Meet video settings > Recording | meet.video_recording | Let people record their meetings. | enable_recording | boolean |
|  | Meet safety settings > Domain | meet.safety_domain | Who can join meetings created by your organization. | users_allowed_to_join | enum: SAME_ORGANIZATION_ONLY, LOGGED_IN, ALL |
|  | Meet safety settings > Access | meet.safety_access | Which meetings or calls users in the organization can join. "Incoming call restrictions" can further limit the calls that users can receive | meetings_allowed_to_join | enum: SAME_ORGANIZATION_ONLY, ANY_WORKSPACE_ORGANIZATION, ALL |
|  | Meet safety settings > Host management | meet.safety_host_management | Default host management | enable_host_management | boolean |
|  | Meet safety settings > Warn for external participants | meet.safety_external_participants | Indicates participants who are outside "Organization" or whose identities are unconfirmed. | enable_external_label | boolean |
|  | Meet safety settings > Joining | meet.joining | Meeting access type (subject to restrictions set in domain) | allowed_audience | enum: ALLOWED_AUDIENCE_UNSPECIFIED, OPEN, TRUSTED, RESTRICTED |
|  | Meet safety settings > Chat | meet.messaging | Who can send in-call chat messages | enabled | boolean |
|  | Meet safety settings > Present | meet.presenting | Who can share their screens in calls. | enabled | boolean |
|  | Meet safety settings > Q&A | meet.questions | Who can participate in Q&A in calls | enabled | boolean |
|  | Meet safety settings > Polls | meet.polls | Who can participate in polls in calls | enabled | boolean |

Rules and Detectors Settings

Data Protection Rules Settings

For an overview of data protection rules and detectors, see Create DLP for Drive rules and custom content detectors.

| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Data Protection | Security > Access and data control > Data Protection > Manage Rules | rule.dlp | Name | display_name | string |
| | | | Description | description | string |
| | | | Apps | triggers | string[] - List of app specific trigger strings. The list of available app triggers is provided in the following Triggers section. |
| | | | Conditions | condition | string - Common Expression Language (CEL) expression of the data conditions the rule scans for. The CEL syntax and some common examples are provided in the following Conditions section. |
| | | | Actions | action | Struct - nested object representing app specific actions to take when the conditions are met. The available actions per app trigger are provided in the following Actions section. |
| | | | State | state | enum: ACTIVE, INACTIVE |
| | | | Created | create_time | Timestamp |
| | | | Last modified | update_time | Timestamp |
| | | | Rule type specific metadata | rule_type_metadata | Struct - nested object representing rule type specific metadata. For Data Protection rules, this contains the severity level of the triggered events. |

Triggers

The list of available applications and their triggers.

  • "google.workspace.chrome.file.v1.upload"
  • "google.workspace.chrome.file.v1.download"
  • "google.workspace.chrome.web_content.v1.upload"
  • "google.workspace.chrome.page.v1.print"
  • "google.workspace.chrome.url.v1.navigation"
  • "google.workspace.chromeos.file.v1.transfer"
  • "google.workspace.chat.message.v1.send"
  • "google.workspace.chat.attachment.v1.upload"
  • "google.workspace.drive.file.v1.share"
  • "google.workspace.gmail.email.v1.send"

Conditions

To represent data conditions, the API uses Common Expression Language (CEL) expressions. Each condition follows the pattern {content type}.{content to scan for}({additional scan parameters}). For example, all_content.contains('apple') represents a data condition that matches if any of the scanned content (for example, a Drive doc or a chat message) contains the substring apple.

Content type

The list of available content types, corresponding to the matching configurations of the same names in the Admin Console.

  • access_levels
  • all_content
  • all_headers
  • body
  • destination_type
  • destination_url
  • drive_enterprise_metadata
  • encryption_state
  • envelope_from
  • file_size_in_bytes
  • file_type
  • from_header
  • message_security_status
  • request_attributes
  • sender_header
  • source_chrome_context
  • source_url
  • source_url_category
  • subject
  • suggestion
  • target_user
  • title
  • to_header_recipients
  • url
  • url_category

Content to scan for

The list of available content to scan for, corresponding to the matching configurations of the same names in the Admin Console.

  • contains({string})
  • starts_with({string})
  • ends_with({string})
  • equals({string})
  • matches_dlp_detector({detector name}, {likelihood}, {minimum_match_count: {count}, minimum_unique_match_count: {count}})
    • Corresponds to the matches predefined data type option in the Admin Console.
    • {detector name} denotes the predefined data type to scan for, which can be one of the built-in infotypes supported by Cloud DLP: https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference. For example, CREDIT_CARD_NUMBER or US_SOCIAL_SECURITY_NUMBER.
    • {likelihood} denotes the likelihood threshold of the match. For example, google.privacy.dlp.v2.Likelihood.LIKELY corresponds to the High threshold in the Admin Console.
  • matches_regex_detector({detector name}, {minimum_match_count: {count}})
    • Corresponds to the matches regular expression option in the Admin Console.
    • {detector name} is the resource name of the policy that represents the regular expression detector. See the Data Protection Detectors Settings section on how to query detector policies in the API.
  • matches_word_list({detector name}, {minimum_match_count: {count}, minimum_unique_match_count: {count}})
    • Corresponds to the matches words from word list option in the Admin Console.
    • {detector name} is the resource name of the policy that represents the word list detector. See the Data Protection Detectors Settings section on how to query detector policies in the API.
  • matches_web_category({category})
    • Corresponds to the URL category matches option in the Admin Console for the Chrome URL visited trigger.
    • {category} denotes the URL category supported by the Admin Console configuration. For the list of available categories and their API representations, see URL categories.

Composite conditions

Multiple base conditions can be mixed with AND (&&), OR (||), or NOT (!) operators to form a composite condition. For example, "all_content.contains('apple') && all_content.contains('banana')" represents a condition that matches if any of the scanned content contains both 'apple' and 'banana' substrings.

Actions

Each application specifies the action to take when the data condition matches in a nested message. For example, { "driveAction" { "warnUser" { } } } represents a Drive action that warns users on external sharing. The available application-specific actions are as follows:

| Application | Action Key | Subaction | Admin Console Caption |
| --- | --- | --- | --- |
| Drive | driveAction | blockAccess | Block external sharing |
| | | warnUser | Warn on external sharing |
| | | auditOnly | no action |
| | | restrictCopyPrintDownload | Disable download, print, and copy |
| | | applyLabels | Apply Classification labels |
| Gmail | gmailAction | blockContent | Block message |
| | | warnUser | Warn users |
| | | auditOnly | Audit only |
| | | quarantineMessage | Quarantine message |
| Chat | chatAction | blockContent | Block message |
| | | warnUser | Warn users |
| | | auditOnly | Audit only |
| Chrome | chromeAction | blockContent | Block |
| | | warnUser | Allow with warning |

The rule_type_metadata attribute contains the metadata specific to the rule type. For Data Protection rules, it contains the alerting event severity used when the event is reported in the security dashboard and alert center. An example value of the metadata representing LOW alert severity:

 fields {
  key: "ruleTypeMetadata"
  value {
    struct_value {
      fields {
        key: "dlpRuleMetadata"
        value {
          struct_value {
            fields {
              key: "alertSeverity"
              value {
                string_value: "LOW"
              }
            }
          }
        }
      }
    }
  }
} 
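The following is an added example, not part of the original documentation: it takes rule.dlp values and reports, for each trigger in the Triggers section, whether any ACTIVE rule blocks the transfer or only warns or audits. The dictionary shape (one flat dict per rule using the field names from the table above) and the sample rules are constructed assumptions; treating quarantineMessage as blocking is also an assumption of this example.

```python
# Trigger strings from the Triggers section of this page.
TRIGGERS = [
    "google.workspace.chrome.file.v1.upload",
    "google.workspace.chrome.file.v1.download",
    "google.workspace.chrome.web_content.v1.upload",
    "google.workspace.chrome.page.v1.print",
    "google.workspace.chrome.url.v1.navigation",
    "google.workspace.chromeos.file.v1.transfer",
    "google.workspace.chat.message.v1.send",
    "google.workspace.chat.attachment.v1.upload",
    "google.workspace.drive.file.v1.share",
    "google.workspace.gmail.email.v1.send",
]
# Subactions from the Actions table treated here as stopping the transfer;
# every other subaction (warnUser, auditOnly, ...) counts as non-blocking.
BLOCKING = {"blockAccess", "blockContent", "quarantineMessage"}

def coverage(rules):
    """Map each trigger to 'block', 'non-blocking' or 'none' (ACTIVE rules only)."""
    result = {t: "none" for t in TRIGGERS}
    for rule in rules:
        if rule.get("state") != "ACTIVE":
            continue  # INACTIVE rules enforce nothing
        subactions = {s for app in rule.get("action", {}).values() for s in app}
        level = "block" if subactions & BLOCKING else "non-blocking"
        for trigger in rule.get("triggers", []):
            if trigger in result and result[trigger] != "block":
                result[trigger] = level
    return result

def unprotected(rules):
    """Triggers that no ACTIVE rule blocks, in the order listed on the page."""
    cov = coverage(rules)
    return [t for t in TRIGGERS if cov[t] != "block"]

# Constructed sample rule values (assumed shape: one dict per rule.dlp policy).
SAMPLE_RULES = [
    {"display_name": "Block fruit in Drive shares", "state": "ACTIVE",
     "triggers": ["google.workspace.drive.file.v1.share"],
     "condition": "all_content.contains('apple') && all_content.contains('banana')",
     "action": {"driveAction": {"blockAccess": {}}}},
    {"display_name": "Audit outbound mail", "state": "ACTIVE",
     "triggers": ["google.workspace.gmail.email.v1.send"],
     "condition": "all_content.contains('apple')",
     "action": {"gmailAction": {"auditOnly": {}}}},
    {"display_name": "Block chat messages", "state": "INACTIVE",
     "triggers": ["google.workspace.chat.message.v1.send"],
     "condition": "all_content.contains('apple')",
     "action": {"chatAction": {"blockContent": {}}}},
]
```

With the sample rules, only the Drive share trigger is reported as blocked: the Gmail rule is audit-only and the Chat rule is INACTIVE, so both appear in unprotected().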

Data Protection Detectors Settings

For an overview of data protection rules and detectors, see Create DLP for Drive rules and custom content detectors.

| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Data Protection | Security > Access and data control > Data Protection > Manage Detectors | detector.regular_expression, detector.word_list | Name | display_name | string |
| | | | Description | description | string |
| | | | Regular Expression | regular_expression | Struct - contains the regular expression string. Only set if the detector type is detector.regular_expression. |
| | | | Word List | word_list | string - contains the list of word strings. Only set if the detector type is detector.word_list. |
| | | | Created | create_time | Timestamp |
| | | | Last modified | update_time | Timestamp |

System Defined Alert Rules Settings

This section describes Google Workspace system-defined alert rules. The API returns only system-defined alerts that are modified from the default value by the administrator.

| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Data Protection | Rules (for "system defined" rule type) | rule.system_defined_alerts | Name | display_name | string |
| | | | Description | description | string |
| | | | Actions | action | Struct - nested object representing notification settings when the system defined alert is triggered. Details are provided in the following Actions section. |
| | | | State | state | enum: ACTIVE, INACTIVE |
| | | | Created | create_time | Timestamp |
| | | | Last modified | update_time | Timestamp |

Actions

System defined alert rules have a single action that denotes the notification settings for the alert.

| Action key | Subaction | Admin Console Caption |
| --- | --- | --- |
| alertCenterAction | alertCenterConfig | Send to alert center |
| | recipients | Send email notifications |

Security Settings

| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Account Recovery | Super Admin Account Recovery | security.super_admin_account_recovery | Allow super admins to recover their account | enableAccountRecovery | boolean |
| | User Account Recovery | security.user_account_recovery | Allow users and non-super admins to recover their account | enableAccountRecovery | boolean |
| Password Management | Password Management | security.password | Expiration | expirationDuration | Seconds (0 seconds means Never Expire) |
| | | | Reuse | allowReuse | boolean |
| | | | Strength and Length enforcement | enforceRequirementsAtLogin | boolean |
| | | | Length (Maximum length) | maximumLength | integer |
| | | | Length (Minimum length) | minimumLength | integer |
| | | | Strength | allowedStrength | enum: STRONG, WEAK |
| Google Session Control | Session Control | security.session_controls | Web session duration | webSessionDuration | Seconds |
| Less secure apps | Less secure apps | security.less_secure_apps | Control user access to apps that use less secure sign-in technology and make accounts more vulnerable. | allowLessSecureApps | boolean |
| Login challenges | Login Challenges | security.login_challenges | Use employee ID to keep my users more secure | enableEmployeeIdChallenge | boolean |
| Advanced Protection Program | Enrollment | security.advanced_protection_program | Use employee ID to keep my users more secure | enableAdvancedProtectionSelfEnrollment | boolean |
| | | | Security Codes | securityCodeOption | enum: ALLOWED_WITH_REMOTE_ACCESS, ALLOWED_WITHOUT_REMOTE_ACCESS, CODES_NOT_ALLOWED |
| 2-Step Verification | Authentication | security.two_step_verification_enrollment | Allow users to turn on 2-Step Verification | allowEnrollment | boolean |
| | | security.two_step_verification_enforcement | Enforcement | enforcedFrom | Timestamp |
| | | security.two_step_verification_grace_period | New user enrollment period | enrollmentGracePeriod | |
| | | security.two_step_verification_device_trust | Allow user to trust the device | allowTrustingDevice | boolean |
| | | security.two_step_verification_enforcement_factor | Methods | allowedSignInFactorSet | enum: ALL, PASSKEY_ONLY, PASSKEY_PLUS_SECURITY_CODE, PASSKEY_PLUS_IP_BOUND_SECURITY_CODE, NO_TELEPHONY |
| | | security.two_step_verification_sign_in_code | 2-Step Verification policy suspension grace period | backupCodeExceptionPeriod | |
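The following is an added example, not part of the original documentation: it checks the security.* settings from the table above against a baseline and separates values that fail from values the API did not return. The policy shape (a "setting" object with a "settings/"-prefixed type and a "value" map), the "3600s" duration form, the thresholds, and the sample policies are all assumptions of this example, and the input is assumed to be already filtered to one OrgUnit.

```python
def seconds(value):
    """Accept 3600, '3600' or '3600s' (assumed JSON form of a duration)."""
    return int(str(value).rstrip("s"))

# (setting type without the "security." prefix, field name, predicate).
# Thresholds are example baseline values chosen for illustration only.
BASELINE = [
    ("less_secure_apps", "allowLessSecureApps", lambda v: v is False),
    ("password", "minimumLength", lambda v: int(v) >= 12),
    ("password", "allowReuse", lambda v: v is False),
    ("password", "allowedStrength", lambda v: v == "STRONG"),
    ("session_controls", "webSessionDuration", lambda v: seconds(v) <= 43200),
    ("two_step_verification_enrollment", "allowEnrollment", lambda v: v is True),
    ("two_step_verification_enforcement_factor", "allowedSignInFactorSet", lambda v: v != "ALL"),
    ("super_admin_account_recovery", "enableAccountRecovery", lambda v: v is False),
]

def audit(policies):
    """Return [(setting_type, field, status)]; status is 'fail' or 'not returned'."""
    values = {}
    for policy in policies:
        setting = policy.get("setting", {})
        stype = setting.get("type", "").split("/")[-1]  # drop assumed "settings/" prefix
        values.setdefault(stype, {}).update(setting.get("value", {}))
    findings = []
    for short, field, ok in BASELINE:
        stype = f"security.{short}"
        if field not in values.get(stype, {}):
            # Missing from the response: look it up under Default field values.
            findings.append((stype, field, "not returned"))
        elif not ok(values[stype][field]):
            findings.append((stype, field, "fail"))
    return findings

# Constructed sample policies (not real API output).
SAMPLE = [
    {"setting": {"type": "settings/security.less_secure_apps",
                 "value": {"allowLessSecureApps": True}}},
    {"setting": {"type": "settings/security.password",
                 "value": {"minimumLength": 8, "allowReuse": False, "allowedStrength": "STRONG"}}},
    {"setting": {"type": "settings/security.session_controls",
                 "value": {"webSessionDuration": "1209600s"}}},
    {"setting": {"type": "settings/security.two_step_verification_enforcement_factor",
                 "value": {"allowedSignInFactorSet": "NO_TELEPHONY"}}},
]
```

A "not returned" finding is not a failure by itself: as the introduction of this page notes, settings missing from the response have to be resolved against Default field values.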

Service Status Settings

The service_status setting contains a boolean value indicating whether a service is enabled for a certain OrgUnit or Group.

The Policy API supports service status settings for the Google Workspace, Additional Google services, and Generative AI services that are listed in the Admin Console.

Google Workspace

Service Name in Admin Console Service name in Policy API
AppSheet appsheet
Calendar calendar
Cloud Search cloud_search
Drive and Docs drive_and_docs
Gmail gmail
Google Chat chat
Google Meet meet
Google Vault vault
Google Voice voice
Groups for Business groups_for_business
Keep keep
Sites sites
Tasks tasks

Additional Google services

Service Name in Admin Console Service name in Policy API
AI Studio ai_studio
Applied Digital Skills applied_digital_skills
Assignments assignments
Blogger blogger
Brand Accounts brand_accounts
Campaign Manager 360 campaign_manager
Chrome Canvas chrome_canvas
Chrome Cursive chrome_cursive
Chrome Remote Desktop chrome_remote_desktop
Chrome Web Store chrome_web_store
Classroom classroom
CS First cs_first
Currents currents
Early Access Apps early_access_apps
Experimental Apps experimental_apps
FeedBurner feedburner
Google Ad Manager ad_manager
Google Ads ads
Google AdSense adsense
Google Alerts alerts
Google Analytics analytics
Google Arts & Culture arts_and_culture
Google Bookmarks bookmarks
Google Books books
Google Chrome Sync chrome_sync
Google Cloud cloud
Google Cloud Print cloud_print
Google Colab colab
Google Developer developers
Google Domains domains
Google Earth earth
Google Fi fi
Google Groups groups
Google Maps maps
Google Messages messages
Google My Business my_business
Google My Maps my_maps
Google News news
Google Pay pay
Google Photos photos
Google Play play
Google Play Console play_console
Google Public Data Explorer public_data
Google Read Along read_along
Google Search Console search_console
Google Takeout takeout
Google Translate translate
Google Trips trips
Jamboard jamboard
Location History location_history
Looker Studio data_studio
Managed Google Play managed_play
Material Gallery material_gallery
Merchant Center merchant_center
Partner Dash partner_dash
Pinpoint pinpoint
Play Books Partner Center play_books_partner_center
Programmable Search Engine programmable_search_engine
QuestionHub question_hub
Scholar Profiles scholar_profiles
Search Ads 360 search_ads_360
Search and Assistant search_and_assistant
Socratic socratic
Studio studio
Third-party App Backups third_party_app_backups
Tour Creator tour_creator
Work Insights work_insights
YouTube youtube

Generative AI

Service Name in Admin Console Service name in Policy API
Gemini app gemini_app
NotebookLM notebooklm

Sites Settings

| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Sites | New Sites > Site creation and editing | sites.sites_creation_and_modification | Allow users to create new sites | allowSitesCreation | boolean |
| | | | Users can/cannot edit sites | allowSitesModification | boolean |

UserTakeout Settings

| Page in Admin Console | Specific Setting in Admin Console | Policy API setting type | Admin Console Caption | Policy API Field Name | Data Type |
| --- | --- | --- | --- | --- | --- |
| Data | Data import & export > Google Takeout > User access to Takeout for Google services | blogger.user_takeout, books.user_takeout, maps.user_takeout, pay.user_takeout, photos.user_takeout, play.user_takeout, play_console.user_takeout, location_history.user_takeout, youtube.user_takeout | Manage user access to Takeout for Google services | takeout_status | enum: TAKEOUT_STATUS_UNSPECIFIED, ENABLED, DISABLED |