Console
    Contact Us Start free

    Policy API concepts

    This documentation describes Cloud Identity Policy API concepts and strategies.

    Reduction

    To list and get policies, see Setting up the Policy API and Listing and getting policies .

    Terminology

    • Setting value: setting values provided in the policy

    • Reduced Setting value: final setting values applied to a target, such as a user, an organization unit, or a group

    • Reduction: the process of reducing setting values on policies to a single setting value for a target, such as a user, an organization unit, or a group

    • Reducer: the type of rules that determine how setting values on policies are simplified down to a single setting for a user

    • Admin policies: policies created by administrators in the Admin console

    • System policies: policies provided by Google Workspace

    Reduction Process

    To reduce a given setting for a given user:

    1. Filter out all policies that don't apply to the user.

      1. Filter out policies that don't contain the setting.

      2. Filter out policies that apply to the OU that the target user isn't in.

      3. Filter out policies that apply to the Group that the target user isn't in.

      4. Filter out policies that apply to the License that the target user doesn't have. To learn more information about licenses, see Licenses section.

    2. Apply the Reducer of the given Setting

      • Max: For each field on the reduced setting, the Max reducer chooses the value from the policy with the greatest sortOrder .

      • Merge: For each field on the reduced setting, the Merge reducer chooses the value from the policy with the greatest sortOrder that has a value for that field. If the field is an array, the Merge reducer instead concatenates the values from all the policies.

      • MaxMap: The MaxMap reducer is used for settings where the array entries have a field that functions as a primary key. The MaxMap reducer doesn't concatenate the array entries with the same primary key. Instead, it updates the entry using the Max reducer on the other fields in the array entries that share the same primary key.

      • MergeMap: The MergeMap reducer is used for settings where the array entries have a field that functions as a primary key. The MergeMap reducer doesn't concatenate the array entries with the same primary key. Instead, it updates the entry using the Merge reducer on the other fields in the array entries that share the same primary key.

      • List: These settings are not reduced to a single setting. Instead, the entire sequence of settings is preserved and applied as a list.

    Reducers for settings

    Setting Name Reducer
    drive_and_docs.external_sharing Max
    drive_and_docs.general_access_default Max
    drive_and_docs.shared_drive_creation Max
    drive_and_docs.file_security_update Max
    drive_and_docs.drive_sdk Merge
    drive_and_docs.drive_for_desktop Max
    gmail.confidential_mode Max
    gmail.enhanced_smime_encryption Max
    gmail.enhanced_pre_delivery_message_scanning Max
    gmail.email_spam_filter_ip_allowlist Max
    gmail.spoofing_and_authentication Max
    gmail.links_and_external_images Max
    gmail.email_attachment_safety Max
    gmail.email_address_lists MaxMap
    gmail.blocked_sender_lists MaxMap
    gmail.spam_override_lists MaxMap
    gmail.content_compliance MaxMap
    gmail.objectionable_content MaxMap
    gmail.attachment_compliance MaxMap
    gmail.comprehensive_mail_storage Max
    gmail.rule_states MaxMap
    gmail.user_email_uploads Max
    gmail.pop_access Max
    gmail.imap_access Merge
    gmail.workspace_sync_for_outlook Max
    gmail.auto_forwarding Max
    gmail.name_format Merge
    gmail.per_user_outbound_gateway Max
    gmail.email_image_proxy_bypass Merge
    gmail.mail_delegation Merge
    chat.chat_history Merge
    chat.chat_file_sharing Max
    chat.space_history Max
    chat.external_chat_restriction Merge
    chat.chat_apps_access Max
    sites.sites_creation_and_modification Max
    groups_for_business.groups_sharing Merge
    cloud_sharing_options.cloud_data_sharing Max
    classroom.teacher_permissions Max
    classroom.guardian_access Max
    classroom.class_membership Max
    classroom.api_data_access Max
    classroom.originality_reports Max
    classroom.roster_import Max
    classroom.student_unenrollment Max
    calendar.appointment_schedules Max
    calendar.external_invitations Max
    calendar.interoperability Merge
    calendar.primary_calendar_max_allowed_external_sharing Merge
    calendar.secondary_calendar_max_allowed_external_sharing Merge
    meet.safety_domain Max
    meet.safety_access Max
    meet.safety_host_management Max
    meet.video_recording Max
    meet.safety_external_participants Max
    security.super_admin_account_recovery Merge
    security.user_account_recovery Merge
    security.password Max
    security.session_controls Max
    security.less_secure_apps Merge
    security.login_challenges Max
    security.advanced_protection_program Max
    security.two_step_verification_enrollment Max
    security.two_step_verification_enforcement Max
    security.two_step_verification_grace_period Max
    security.two_step_verification_device_trust Max
    security.two_step_verification_enforcement_factor Max
    security.two_step_verification_sign_in_code Max
    user_takeout Max
    workspace_marketplace.apps_access_options Merge
    workspace_marketplace.apps_allowlist MergeMap (primary key is: application_id)
    SERVICE_STATUS_APP_NAME .service_status Max
    rule.dlp List
    rule.system_defined_alerts List
    detector.regular_expression List
    detector.word_list List

    Licenses

    Policies apply to users based on users' Workspace licenses. The license condition is provided in PolicyQuery .

    For a full list of all Workspace Product and SKU IDs see Google Product and SKU IDs .

    The following examples demonstrate how policies can be applied to certain groups of users based on those users' licenses.

    Example 1: Normal clause only

    entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010020027'])

    The policy applies to a user if they have a license for at least one of the SKUs in the list.

    Example 2: Normal clause and inverted clause

    entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010020027']) && !entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010060005'])

    The policy applies to a user if they have a license for at least one of the SKUs in the first clause. However, if a user has a license for any of the SKUs in the second clause, the policy does not apply to that user at all.

    Example 3: Inverted clause only

    !entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010060005'])

    The policy applies to a user if they don't have a license for any SKUs in the list.

    Default Field Values

    When a field is not present on the Reduced Setting, its default value is as follows:

    Setting Name
    Field
    Default Field Value
    chat.chat_history
    enable_chat_history
    false
    history_on_by_default
    false
    allow_user_modification
    true
    chat.external_chat_restriction
    allow_external_chat
    false
    external_chat_restriction
    NO_RESTRICTION
    chat.chat_apps_access
    enable_apps
    true in EDU SKUs, false in non-EDU SKUs. EDU SKUs:
    • /product/Google-Apps/sku/Google-Apps-For-Education
    • /product/Google-Apps/sku/1010310002
    • /product/Google-Apps/sku/1010310003
    • /product/Google-Apps/sku/1010310005
    • /product/Google-Apps/sku/1010310006
    • /product/Google-Apps/sku/1010310007
    • /product/Google-Apps/sku/1010310008
    • /product/Google-Apps/sku/1010310009
    • /product/Google-Apps/sku/1010310010
    • /product/Google-Apps/sku/1010460001
    • /product/Google-Apps/sku/1010460002
    enable_webhooks
    true in EDU SKUs, false in non-EDU SKUs. EDU SKUs:
    • /product/Google-Apps/sku/Google-Apps-For-Education
    • /product/Google-Apps/sku/1010310002
    • /product/Google-Apps/sku/1010310003
    • /product/Google-Apps/sku/1010310005
    • /product/Google-Apps/sku/1010310006
    • /product/Google-Apps/sku/1010310007
    • /product/Google-Apps/sku/1010310008
    • /product/Google-Apps/sku/1010310009
    • /product/Google-Apps/sku/1010310010
    • /product/Google-Apps/sku/1010460001
    • /product/Google-Apps/sku/1010460002
    gmail.user_email_uploads
    enable_mail_and_contacts_import
    false
    gmail.email_image_proxy_bypass
    image_proxy_bypass_pattern
    [] empty list
    enable_image_proxy
    true
    gmail.workspace_sync_for_outlook
    enable_google_workspace_sync_for_microsoft_outlook
    true
    gmail.email_spam_filter_ip_allowlist
    allowed_ip_addresses
    [] empty list
    gmail.links_and_external_images
    apply_future_settings_automatically
    true
    enable_aggressive_warnings_on_untrusted_links
    false
    gmail.spoofing_and_authentication
    apply_future_settings_automatically
    true
    gmail.auto_forwarding
    enable_auto_forwarding
    true
    drive_and_docs.external_sharing
    external_sharing_mode
    ALLOWED
    allow_receiving_external_files
    true
    warn_for_sharing_outside_allowlisted_domains
    true
    allow_non_google_invites_in_allowlisted_domains
    false
    allow_receiving_files_outside_allowlisted_domains
    true
    warn_for_external_sharing
    true
    allow_non_google_invites
    true
    allow_publishing_files
    true
    access_checker_suggestions
    RECIPIENTS_OR_AUDIENCE_OR_PUBLIC
    allowed_parties_for_distributing_content
    ALL_ELIGIBLE_USERS
    drive_and_docs.drive_sdk
    enable_drive_sdk_api_access
    true
    drive_and_docs.general_access_default
    default_file_access
    LINK_SHARING_PRIVATE
    security.user_account_recovery
    enable_account_recovery
    false
    security.super_admin_account_recovery
    enable_account_recovery
    false
    security.less_secure_apps
    allow_less_secure_apps
    false
    security.two_sv_enrollment
    allow_enrollment
    true
    security.two_sv_device_trust
    allow_trusting_device
    true
    security.two_sv_enforcement_factor
    allowed_sign_in_factor_set
    ALL
    workspace_marketplace.apps_access_options
    access_level
    For K12 customers: ALLOW_NONE Otherwise: ALLOW_ALL
    allow_all_internal_apps
    false
    workspace_marketplace.apps_allowlist
    apps
    [] empty list
    groups_for_business.groups_sharing
    collaboration_capability
    DOMAIN_USERS_ONLY
    create_groups_access_level
    USERS_IN_DOMAIN
    view_topics_default_access_level
    DOMAIN_USERS
    owners_can_allow_external_members
    false
    owners_can_allow_incoming_mail_from_public
    true
    owners_can_hide_groups
    false
    new_groups_are_hidden
    false
    calendar.external_invitations
    warn_on_invite
    true
    calendar.primary_calendar_max_allowed_external_sharing
    max_allowed_external_sharing
    EXTERNAL_FREE_BUSY_ONLY
    calendar.secondary_calendar_max_allowed_external_sharing
    max_allowed_external_sharing
    EXTERNAL_ALL_INFO_READ_ONLY

    System Groups

    Google system groups that are not surfaced in the Directory API that can be linked from system policies.

    GroupId Description
    WORKSPACE_ALL_ADMIN_GROUP Group for Google system policy that enforces 2-step verification for all admins.
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: