Settings available in the API

This document describes the settings that the Policy API supports.

If the supported settings are missing from the Cloud Identity Policy API response, see Default field values. If the missing setting is not mentioned in Default field values, contact Cloud Customer Care.

API Controls

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
API controls	Settings > Custom user message	`api_controls.custom_user_message`	No	Customize the message to show users when they can’t access an app due to access settings.	error_text	string
	Settings > Unconfigured third-party apps	`api_controls.unconfigured_third_party_apps`	No	Unconfigured third-party apps are apps that haven’t been configured with an access setting (like trusted, limited, or blocked). Select what happens when users try to access unconfigured third-party apps with their account.	access_level	enum: `ACCESS_LEVEL_UNSPECIFIED` `BLOCK_ALL` `ALLOW_SIGN_IN_ONLY`
	Settings > Unconfigured third-party apps	`api_controls.unconfigured_third_party_apps`	No	Unconfigured third-party apps are apps that haven’t been configured with an access setting (like trusted, limited, or blocked). Select what happens when users under 18 try to access unconfigured third-party apps with their account.	access_level_under18	enum: `ACCESS_LEVEL_UNSPECIFIED` `ALLOW_SIGN_IN_ONLY`
	Settings > Internal apps	`api_controls.internal_apps`	No	Internal apps owned by your organization are automatically configured with trusted access. These apps can ask for API access to all Google data for users.	trust_internal_apps	boolean
	App access control > Manage Google Services > Google services	`api_controls.google_services`	No	Select access settings for Google service APIs to control what kind of third-party apps can request access to these services.	services	Service[]

API Controls Sub-Settings

This table provides API Controls sub-settings that are referenced by other API Controls settings.

Policy API sub-setting name	Admin console caption	Policy API field name	Data type
Service	Access	scopes_group	enum: `UNSPECIFIED` `DRIVE_ALL` `DRIVE_HIGH_RISK` `GMAIL_ALL` `GMAIL_HIGH_RISK` `CALENDAR_ALL` `CONTACTS_ALL` `GSUITE_ADMIN_ALL` `VAULT_ALL` `CLOUD_PLATFORM` `CLOUD_BILLING` `CLOUD_ML` `APPS_SCRIPT_RUNTIME` `APPS_SCRIPT_API` `CLASSROOM_ALL` `CLASSROOM_HIGH_RISK` `COMMUNICATIONS` `TASKS` `GROUPS` `KEEP` `CLOUD_SEARCH` `CHAT` `SIGN_IN` `CHAT_HIGH_RISK` `MEET`
Service	Restricted/Unrestricted	is_enabled	boolean

Calendar Settings

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Calendar	Advanced settings > Appointment schedules with payments	`calendar.appointment_schedules`	No	Allow appointment schedule users to require payment for booked appointments through their own payment provider accounts.	enable_payments	boolean
	Sharing settings > External Invitations	`calendar.external_invitations`	No	Warn users when inviting guests outside of the domain `ORGANIZATION_UNIT_NAME`	warn_on_invite	boolean
	Calendar Interop Management > Exchange availability in Calendar	`calendar.interoperability`	No	Allow Google Calendar to display Exchange users availability	enable_interoperability	boolean
		`calendar.interoperability`	No	Show event details	enable_full_event_details	boolean
	Calendar Interop Management > Exchange resource booking	`calendar.interoperability`	No	Enable Google Calendar to book Microsoft Exchange rooms	enable_exchange_room_booking	boolean
	Sharing settings > External sharing options for primary calendars	`calendar.primary_calendar_max_allowed_external_sharing`	No	Outside `ORGANIZATION_UNIT_NAME` - set user ability for primary calendars	max_allowed_external_sharing	enum: `EXTERNAL_FREE_BUSY_ONLY` `EXTERNAL_ALL_INFO_READ_ONLY` `EXTERNAL_ALL_INFO_READ_WRITE` `EXTERNAL_ALL_INFO_READ_WRITE_MANAGE`
	Sharing settings > External sharing options for secondary calendars	`calendar.secondary_calendar_max_allowed_external_sharing`	No	Outside <Org name> - set user ability for secondary calendars	max_allowed_external_sharing	enum: `EXTERNAL_FREE_BUSY_ONLY` `EXTERNAL_ALL_INFO_READ_ONLY` `EXTERNAL_ALL_INFO_READ_WRITE` `EXTERNAL_ALL_INFO_READ_WRITE_MANAGE`

Chat Settings

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Google Chat	History for chats	`chat.chat_history`	No	History is ON/OFF	history_on_by_default	boolean
				Allow users to change their history setting	allow_user_modification	boolean
	Chat File Sharing	`chat.chat_file_sharing`	No	External filesharing	external_file_sharing	enum: `ALL_FILES` `IMAGES_ONLY` `NO_FILES` `FILE_SHARING_OPTION_UNSPECIFIED`
					internal_file_sharing	same
	History for spaces	`chat.space_history`	No	Conversation history settings for spaces	history_state	enum: `DEFAULT_HISTORY_ON` `DEFAULT_HISTORY_OFF` `HISTORY_ALWAYS_ON` `HISTORY_ALWAYS_OFF` `HISTORY_STATE_UNSPECIFIED`
	External Chat Settings	`chat.external_chat_restriction`	No	Allow users to send messages outside organization in chats and spaces	allow_external_chat	boolean
					external_chat_restriction	enum: `NO_RESTRICTION` `TRUSTED_DOMAINS` `RESTRICTION_UNSPECIFIED`
	Chat apps	`chat.chat_apps_access`	No	Allow users to install Chat apps	enable_apps	boolean
				Allow users to add and use incoming webhooks	enable_webhooks	boolean
	Third party archiving	`chat.third_party_archiving`	No	Enable third-party archiving	enabled	boolean
				Specify an email address to which Chat contents should be delivered	destination_email_address	string
				Specify how frequently Chat archiving messages should be sent (between 1-24 hours)	archival_frequency	Duration
				Comma-separated list of any custom headers required by the destination address	custom_headers	string
	External Spaces	`chat.external_spaces`	No	Allow users to create and join spaces with people outside their organization	enabled	boolean
				Only allow users to add people from allowlisted domains	domain_allowlist_mode	enum: `DOMAIN_ALLOWLIST_MODE_UNSPECIFIED` `TRUSTED_DOMAINS` `ALL_DOMAINS`
	Sharing settings > Space access default	`chat.space_access_default`	No	Default space access when users create new spaces.	access_type	enum: `ACCESS_TYPE_UNSPECIFIED` `RESTRICTED` `PRIMARY_TARGET_AUDIENCE`

Classroom Settings

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Classroom	General Settings > Teacher permissions	`classroom.teacher_permissions`	No	Who can create classes	whoCanCreateClasses	enum: `ANYONE_IN_DOMAIN` `ALL_PENDING_AND_VERIFIED_TEACHERS` `VERIFIED_TEACHERS_ONLY`
	General Settings > Teacher permissions	`classroom.teacher_permissions`	No	Who can create classes	whoCanCreateClasses
	General Settings > Guardian access	`classroom.guardian_access`	No	Allow parents and guardians to access Classroom information	allowAccess	boolean
	General Settings > Guardian access	`classroom.guardian_access`	No	Who can manage parents and guardians	whoCanManageGuardianAccess	enum: `VERIFIED_TEACHERS_AND_DOMAIN_ADMINS` `DOMAIN_ADMINS_ONLY`
	Class settings > About class membership	`classroom.class_membership`	No	Who can join classes in your domain	whoCanJoinClasses	enum: `ANYONE_IN_DOMAIN` `ANYONE_IN_ALLOWLISTED_DOMAINS` `ANY_GOOGLE_WORKSPACE_USER` `ANYONE`
	Class settings > About class membership	`classroom.class_membership`	No	Which classes can users in your domain join	whichClassesCanUsersJoin	enum: `CLASSES_IN_DOMAIN` `CLASSES_IN_ALLOWLISTED_DOMAINS` `ANY_GOOGLE_WORKSPACE_CLASS`
	Data access > Classroom API	`classroom.api_data_access`	No	Users can authorize apps to access their Google Classroom data	enableApiAccess	boolean
	Originality Reports > School Matches	`classroom.originality_reports`	No	Enable originality reports school matches	enableOriginalityReportsSchoolMatches	boolean
	Student unenrollment > Unenrollment permissions	`classroom.student_unenrollment`	No	Who can unenroll students from classes	whoCanUnenrollStudents	enum `STUDENTS_AND_TEACHERS` `TEACHERS_ONLY`
	Roster import > Settings	`classroom.roster_import`	No	Roster import	rosterImportOption	enum: `OFF` `ON_CLEVER`

Data Compliance Settings

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Access management	Access management > Access management policy	`access_management.user_scoping`	No	Choose an Access Management policy for covered data	allowed_audience	enum: `PREFERENCE_UNSPECIFIED` `CJIS_IRS_1075_GOOGLE_STAFF` `US_GOOGLE_STAFF` `EU_GOOGLE_STAFF`
Data Regions	Region > Data at rest	`data_regions.data_at_rest_region`	No	Region for storing data at rest	region	enum: `REGION_UNSPECIFIED` `ANY_REGION` `US` `EUROPE`
Data Regions	Region > Data processing	`data_regions.data_processing_region`	No	Data region policy for data processing	limit_to_storage_region	boolean
Access Approvals	Access Approvals > Access Approvals policy	`access_approval.axa_user_scoping`	No	Require Google staff to request approval before viewing data necessary for support services	requires_customer_approval	boolean

Directory Settings

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Directory settings	Sharing settings > External Directory sharing	`directory.external_directory_sharing`	No	N/A	sharing_option	enum: `SHARING_OPTION_UNSPECIFIED` `REQUESTER_BASIC_PROFILE_ONLY` `ORGANIZATION_DIRECTORY_DATA`

Drive and Docs Settings

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Drive and Docs	Sharing settings > Sharing options	`drive_and_docs.external_sharing`	No	Select the highest level of sharing outside of `CUSTOMER_NAME` that you want to allow	external_sharing_mode	enum: `DISALLOWED` `ALLOWLISTED_DOMAINS` `ALLOWED`
				Allow users in `ORGANIZATION_UNIT_NAME` to receive files from users or shared drives outside of `CUSTOMER_NAME`	allow_receiving_external_files	boolean
				Warn when files owned by users or shared drives in `ORGANIZATION_UNIT_NAME` are shared with users in allowlisted domains	warn_for_sharing_outside_allowlisted_domains	boolean
				Allow users in `ORGANIZATION_UNIT_NAME` to receive files from users or shared drives outside of allowlisted domains	allow_receiving_files_outside_allowlisted_domains	boolean
				Allow users or shared drives in `ORGANIZATION_UNIT_NAME` to share items with non-Google users in trusted domains using visitor sharing	allow_non_google_invites_in_allowlisted_domains	boolean
				Warn when files owned by users or shared drives in `ORGANIZATION_UNIT_NAME` are shared outside of `CUSTOMER_NAME`	warn_for_external_sharing	boolean
				Allow users or shared drives in `ORGANIZATION_UNIT_NAME` to share items with people outside `CUSTOMER_NAME` who aren't using a Google Account	allow_non_google_invites	boolean
				When sharing outside of `CUSTOMER_NAME` is allowed, users in `ORGANIZATION_UNIT_NAME` can make files and published web content visible to anyone with the link	allow_publishing_files	boolean
				When a user shares a file via a Google product other than Docs or Drive (e.g. by pasting a link in Gmail), Google can check that the recipients have access. If not, when possible, Google will ask the user to pick if they want to share the file to	access_checker_suggestions	enum: `RECIPIENTS_OR_AUDIENCE_OR_PUBLIC` `RECIPIENTS_OR_AUDIENCE` `RECIPIENTS_ONLY`
				Select who should be allowed to distribute content in `ORGANIZATION_UNIT_NAME` outside of `CUSTOMER_NAME`. This restricts who can upload or move content to shared drives owned by another organization	allowed_parties_for_distributing_content	enum: `ALL_ELIGIBLE_USERS` `ELIGIBLE_INTERNAL_USERS` `NONE`
	Sharing settings > General access default	`drive_and_docs.general_access_default`	No	When users in `ORGANIZATION_UNIT_NAME` create items, the default access will be	default_file_access	enum: `PRIVATE_TO_OWNER` `PRIMARY_AUDIENCE_WITH_LINK` `PRIMARY_AUDIENCE_WITH_LINK_OR_SEARCH`
	Sharing settings > Shared drive creation	`drive_and_docs.shared_drive_creation`	No	Prevent users in `ORGANIZATION_UNIT_NAME` from creating new shared drives	allow_shared_drive_creation	boolean (The API response returns the opposite of the UI value)
				When users in `ORGANIZATION_UNIT_NAME` create a shared drive, it will be assigned to the following organizational unit	org_unit_for_new_shared_drives	enum: `CREATOR_ORG_UNIT` `CUSTOM_ORG_UNIT`
				Selected organizational unit	custom_org_unit	string
				Allow members with manager access to override the settings below	allow_managers_to_override_settings	boolean
				Allow users outside `CUSTOMER_NAME` to access files in shared drives	allow_external_user_access	boolean
				Allow people who aren't shared drive members to be added to files	allow_non_member_access	boolean
				Download, print, copy is enabled for	allowed_parties_for_download_print_copy	enum: `ALL` `EDITORS_ONLY` (Managers, contributors and content managers) `MANAGERS_ONLY`
				Allow content managers to share folders	allow_content_managers_to_share_folders	boolean
	Sharing settings > Security update for files	`drive_and_docs.file_security_update`	No	Applying this update will make file links more secure. This may cause users to receive file access requests	security_update	enum: `APPLY_TO_IMPACTED_FILES` `REMOVE_FROM_IMPACTED_FILES`
	Sharing settings > Security update for files	`drive_and_docs.file_security_update`	No	Allow users to remove/apply the security update for files they own or manage	allow_users_to_manage_update	boolean
	Features and Applications > Drive SDK	`drive_and_docs.drive_sdk`	No	Allow users to access Google Drive with the Drive SDK API	enable_drive_sdk_api_access	boolean
	Google Drive for desktop > Enable Drive for desktop	`drive_and_docs.drive_for_desktop`	No	Allow Google Drive for desktop in your organization	allow_drive_for_desktop	boolean
				Only allow Google Drive for desktop on authorized devices	restrict_to_authorized_devices	boolean
				Show Google Drive for desktop download link	show_download_link	boolean
				Allow users to enable real-time presence in Microsoft Office from Google Drive for desktop	allow_real_time_presence	boolean
	Sharing settings > Highlight external files	`drive_and_docs.external_file_warning`	No	Mark files shared or owned externally as "external" to indicate that content may be viewable outside your organization. Applies to Drive, Docs, Sheets, Slides, Drawings, and Vids.	highlighting_enabled	boolean

Gmail Settings

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Gmail	User Settings > Confidential mode	`gmail.confidential_mode`	No	Enable confidential mode	enable_confidential_mode	boolean
	User Settings > S/MIME	`gmail.smime_encryption`	No	Enable S/MIME encryption for sending and receiving emails	enable_smime_encryption	enum: `STATUS_UNSPECIFIED` `STATUS_DISABLED` `STATUS_ENABLED`
		`gmail.smime_encryption`	No	Allow SHA-1 globally (not recommended)	allow_sha1_globally_in_smime_signature	boolean
		`gmail.enhanced_smime_encryption`	No	Allow users to upload their own certificates	allow_user_to_upload_certificates	boolean
		`gmail.enhanced_smime_encryption`	No	Accept these additional root certificates for specific domains:	custom_root_certificates	A list of CustomRootCertificates that contains a list of root certificates, a list of intermediate CA certificates, a list of restricted domain names, a boolean to allow address mismatch and an enum with different validation levels.
	Spam, phishing, and malware > Enhanced pre-delivery message scanning	`gmail.enhanced_pre_delivery_message_scanning`	No	Enables improved detection of suspicious content prior to delivery	enable_improved_suspicious_content_detection	boolean
	Spam, phishing, and malware > Email allowlist	`gmail.email_spam_filter_ip_allowlist`	No	Enter the IP addresses for your email allowlist	allowed_ip_addresses	A list of strings
	Safety > Spoofing and authentication	`gmail.spoofing_and_authentication`	No	Protect against domain spoofing based on similar domain names	detect_domain_name_spoofing	boolean
				Choose an action	domain_name_spoofing_consequence	enum: `WARNING` `SPAM_FOLDER` `QUARANTINE` `NO_ACTION`
				Choose a quarantine	domain_name_spoofing_quarantine_id	integer
				Protect against spoofing of employee names	detect_employee_name_spoofing	boolean
				Choose an action	employee_name_spoofing_consequence	enum: `WARNING` `SPAM_FOLDER` `QUARANTINE` `NO_ACTION`
				Choose a quarantine	employee_name_spoofing_quarantine_id	integer
				Protect against inbound emails spoofing your domain	detect_domain_spoofing_from_unauthenticated_senders	boolean
				Choose an action	domain_spoofing_consequence	enum: `WARNING` `SPAM_FOLDER` `QUARANTINE` `NO_ACTION`
				Choose a quarantine	domain_spoofing_quarantine_id	integer
				Protect against any unauthenticated emails	detect_unauthenticated_emails	boolean
				Choose an action	unauthenticated_email_consequence	enum: `WARNING` `SPAM_FOLDER` `QUARANTINE` `NO_ACTION`
				Choose a quarantine	unauthenticated_email_quarantine_id	integer
				Protect your Groups from inbound emails spoofing your domain	detect_groups_spoofing	boolean
				Apply this setting to	groups_spoofing_visibility_type	enum: `PRIVATE_GROUPS_ONLY` `ALL_GROUPS`
				Choose an action	groups_spoofing_consequence	enum: `WARNING` `SPAM_FOLDER` `QUARANTINE` `NO_ACTION`
				Choose a quarantine	groups_spoofing_quarantine_id	integer
				Apply future recommended settings automatically	apply_future_settings_automatically	boolean
	Safety > Links and external images	`gmail.links_and_external_images`	No	Identify links behind shortened URLs	enable_shortener_scanning	boolean
				Scan linked images	enable_external_image_scanning	boolean
				Show warning prompt for any click on links to untrusted domains	enable_aggressive_warnings_on_untrusted_links	boolean
				Apply future recommended settings automatically	apply_future_settings_automatically	boolean
	Safety > Attachments	`gmail.email_attachment_safety`	No	Protect against encrypted attachments from untrusted senders	enable_encrypted_attachment_protection	boolean
				Choose an action	encrypted_attachment_protection_consequence	enum: `WARNING` `SPAM_FOLDER` `QUARANTINE`
				Choose a quarantine	encrypted_attachment_protection_quarantine_id	integer
				Protect against attachments with scripts from untrusted senders	enable_attachment_with_scripts_protection	boolean
				Choose an action	attachment_with_scripts_protection_consequence	enum: `WARNING` `SPAM_FOLDER` `QUARANTINE`
				Choose a quarantine	attachment_with_scripts_protection_quarantine_id	integer
				Protect against anomalous attachment types in emails	enable_anomalous_attachment_protection	boolean
				Choose an action	anomalous_attachment_protection_consequence	enum: `WARNING` `SPAM_FOLDER` `QUARANTINE`
				Choose a quarantine	anomalous_attachment_protection_quarantine_id	integer
				Allowlist the following uncommon file types	allowed_anomalous_attachment_filetypes	string[]
				Apply future recommended settings automatically	apply_future_recommended_settings_automatically	boolean
	Routing > Manage address lists	`gmail.email_address_lists`	No	Manage address lists	email_address_list	EmailAddressList[]
	Spam, phishing and malware > Blocked senders	`gmail.blocked_sender_lists`	No	Block or approve specific senders based on email address or domain	blocked_senders	BlockedSender[]
	Spam, phishing and malware > Spam	`gmail.spam_override_lists`	No	Create approved senders lists that bypass the spam folder.	spam_override	SpamOverride[]
	Compliance > Content compliance	`gmail.content_compliance`	No	Configure advanced content filters based on words, phrases or patterns	content_compliance_rules	ContentComplianceRule[]

	Compliance > Restrict delivery	`gmail.restrict_delivery`	No	Restrict the domains that your users are allowed to exchange email with.	restrict_delivery_rules	RestrictDeliveryRule[]
	Compliance > Objectionable content	`gmail.objectionable_content`	No	Configure content filters based on word lists	objectionable_content_rules	ObjectionableContentRule[]
	Compliance > Attachment compliance	`gmail.attachment_compliance`	No	Configure attachment filters based on file type, file name and message size	attachment_compliance_rules	AttachmentComplianceRule[]
	Compliance > Comprehensive mail storage	`gmail.comprehensive_mail_storage`	No	Ensure that a copy of all sent and received mail is stored in associated users' mailboxes	rule_id	string
	N/A (For all rules)	`gmail.rule_states`	No	N/A	rule_states	RuleState[]
	Setup > User email uploads	`gmail.user_email_uploads`	No	Show users the option to import mail and contacts from Yahoo!, Hotmail, AOL, or other webmail or POP3 accounts from the Gmail settings page	enable_mail_and_contacts_import	boolean
	End User Access > POP and IMAP access	`gmail.pop_access`	No	Enable POP access for all users	enable_pop_access	boolean
		`gmail.imap_access`	No	Enable IMAP access for all users	enable_imap_access	boolean
				Allow any mail client	imap_access_restriction.allow_all_mail_clients	boolean
				Restrict which mail clients users can use (OAuth mail clients only)	imap_access_restriction.allowed_oauth_mail_client_list	OAuthMailClientList
	End User Access > Google Workspace Sync	`gmail.workspace_sync_for_outlook`	No	Enable Google Workspace Sync for Microsoft Outlook for my users	enable_google_workspace_sync_for_microsoft_outlook	boolean
	End User Access > Automatic forwarding	`gmail.auto_forwarding`	No	Allow users to automatically forward incoming email to another address	enable_auto_forwarding	boolean
	User Settings > Name format	`gmail.name_format`	No	Allow users to customize this setting	allow_custom_display_names	boolean
	User Settings > Name format	`gmail.name_format`	No	First Last or Last, First	default_display_name_format	enum: `FIRSTNAME_LASTNAME` `LASTNAME_COMMA_FIRSTNAME`
	End User Access > Allow per-user outbound gateways	`gmail.per_user_outbound_gateway`	No	Allow users to send mail through an external SMTP server when configuring a "from" address hosted outside your email domain	allow_users_to_use_external_smtp_servers	boolean
	End User Access > Image URL proxy allowlist	`gmail.email_image_proxy_bypass`	No	Enter image URL patterns. Matching URLs bypass the image proxy.	image_proxy_bypass_pattern	string[]
	End User Access > Image URL proxy allowlist	`gmail.email_image_proxy_bypass`	No	N/A	enable_image_proxy	boolean
	User Settings > Mail Delegation	`gmail.mail_delegation`	No	Let users delegate access to their mailbox to other users in the domain	enable_mail_delegation	boolean
				Allow users to customize this setting	allow_custom_delegate_attribution	boolean
				Show the account owner and the delegate who sent the email	enable_delegate_attribution	boolean
Show the account owner only					enable_delegate_attribution	boolean
Allow users to grant their mailbox access to a Google group				enable_mailbox_group_delegation	boolean

Gmail Sub-Settings

This table provides Gmail sub-settings that are referenced by other Gmail settings.

Policy API sub-setting name	Admin console caption		Policy API field name	Data type
EmailAddressList	N/A		id	string
	Name		name	string
	ADD ADDRESS LIST		address_list	AddressList
	ADD BLOCKED LIST		blocked_address_list	AddressList
AddressList	Add address list		address	AddressListEntry[]
AddressListEntry	Address		address	string
AddressListEntry	Authentication required (received mail only)		require_address_verification	boolean
BlockedSender	Enter a short description that will appear within the setting's summary		description	string
	Add addresses or domains that you want to automatically reject messages from		sender_blocklist	StringValue[]
	Enter customized rejection notice		rejection_response	string
	Bypass this setting for messages received from addresses or domains within these approved senders lists.		bypass_approved_sender	boolean
	N/A		bypass_approved_sender_allowlist	StringValue[]
	N/A		rule_id	string
SpamOverride	Enter a short description that will appear within the setting's summary		description	string
	Be more aggressive when filtering spam.		enable_aggressive_filtering	boolean
	Put spam in administrative quarantine		add_to_quarantine	boolean
	N/A		quarantine_id	integer
	Bypass spam filters for internal senders.		bypass_internal_senders	boolean
	Bypass spam filters for messages from senders or domains in selected lists.		bypass_selected_senders	boolean
	N/A		bypass_sender_allowlist	StringValue[]
	Bypass spam filters and hide warnings for messages from senders or domains in selected lists.		hide_warning_banner_from_selected_senders	boolean
	N/A		hide_warning_banner_sender_allowlist	StringValue[]
	Bypass spam filters and hide warnings for all messages from internal and external senders (not recommended).		hide_warning_banner_for_all	boolean
	N/A		rule_id	string
ContentComplianceRule	Enter a short description that will appear within the setting's summary		description	string
	Email messages to affect		condition	RuleConditions
	Add expressions that describe the content you want to search for in each message		match_expressions	MatchExpression[]
	If ANY of the following match the message		match_any_expression	boolean
	If the above expressions match, do the following		consequence	RuleConsequences
	N/A		rule_id	string
RestrictDeliveryRule	Required: enter a short description that will appear within the setting's summary		description	string
	Add addresses or domains that you want to allow		allowed_addresses	StringValue[]
	All messages to or from other addresses and domains will be rejected. Edit the default rejection notice for these messages.		rejection_notice_message	string
	Bypass this setting for internal messages		internal_messages_rule_bypass_allowed	boolean
	N/A		rule_id	string
ObjectionableContentRule	Enter a short description that will appear within the setting's summary		description	string
	Email messages to affect		condition	RuleConditions
	Custom objectionable words		objectionable_content_defined	boolean
	Enter words		objectionable_words	string[]
	If the above expressions match, do the following		consequence	RuleConsequences
	N/A		rule_id	string
AttachmentComplianceRule	Enter a short description that will appear within the setting's summary		description	string
	Email messages to affect		condition	RuleConditions
	Add expressions that describe the content you want to search for in each message		match_expressions	MatchExpression[]
	If ANY of the following match the message		match_any_expression	boolean
	If the above expressions match, do the following		consequence	RuleConsequences
	N/A		rule_id	string
RuleState	N/A (For all rules)		enabled	boolean
RuleState	N/A (For all rules)		rule_id	string
RuleConditions	Email messages to affect	Inbound	affect_inbound_messages	boolean
		Outbound	affect_outbound_messages	boolean
		Internal - Sending	affect_internal_sending_messages	boolean
		Internal - Receiving	affect_internal_receiving_messages	boolean
	Address lists	Use address lists to bypass or control application of this setting	address_list_option	enum: `NO_EFFECT` `EXCLUDED` `REQUIRED`
		Bypass this setting for specific addresses / domains
		Only apply this setting for specific addresses / domains
		Use existing list / Create or edit list	address_lists	StringValue[]
	Account types to affect	Users	account_type_user	boolean
		Groups	account_type_group	boolean
		Unrecognized / Catch-all	account_type_unrecognized	boolean
	Envelope filter	Only affect specific envelope senders	envelope_sender_filter	AddressMatcher
	Envelope filter	Only affect specific envelope recipients	envelope_recipient_filter	AddressMatcher
AddressMatcher	Only affect specific envelope senders / Only affect specific envelope recipients		enabled	boolean
	Single email address	N/A	address_match_type	enum: `EXACT`
	Single email address	Email address	exact_address_match_value	string
	Pattern match	N/A	address_match_type	enum: `REGEXP`
	Pattern match	Regexp	regexp_match_value	string
	Group membership (only sent mail) / Group membership (only received mail)	N/A	address_match_type	enum: `GROUP_MEMBERSHIP`
		Select groups	group_ids	string[]
MatchExpression	Simple content match	N/A	match_expression_type	enum: `SIMPLE_CONTENT`
	Simple content match	Content	match_content	string
	Advanced content match	N/A	match_expression_type	enum: `ADVANCED_CONTENT`
		Content / Regex	match_content	string
		N/A	advanced_content_match	AdvancedContentMatch
	Metadata match		match_expression_type	enum: `METADATA`
	Metadata match		metadata_match	MetadataMatch
	Predefined content match		match_expression_type	enum: `PREDEFINED_CONTENT`
	Predefined content match		predefined_content_match	PredefinedContentMatch
	File type		match_expression_type	enum: `FILE_TYPE`
	File type		file_type_match	FileTypeMatch
	File name	N/A	match_expression_type	enum: `FILE_NAME`
	File name	The attachment file name contains	file_name	string
	Message size	N/A	match_expression_type	enum: `MESSAGE_SIZE`
	Message size	The overall message (body + attachment) is greater than the following (MB)	message_size_threshold_in_megabytes	integer
AdvancedContentMatch	Location	Headers + Body	advanced_content_match_location	enum: `HEADERS_AND_BODY`
		Full headers		enum: `FULL_HEADERS`
		Body		enum: `BODY`
		Subject		enum: `SUBJECT`
		Sender header		enum: `SENDER_HEADER`
		Recipients header		enum: `RECIPIENTS_HEADER`
		Envelope sender		enum: `ENVELOPE_SENDER`
		Any envelope recipient		enum: `ANY_ENVELOPE_RECIPIENT`
		Raw message		enum: `RAW_MESSAGE`
	Match type	Starts with	advanced_content_match_type	enum: `STARTS_WITH`
		Ends with		enum: `ENDS_WITH`
		Contains text		enum: `CONTAINS_TEXT`
		Not contains text		enum: `NOT_CONTAINS_TEXT`
		Equals		enum: EQUALS
		Is empty		enum: `IS_EMPTY`
		Matches regex		enum: `MATCHES_REGEXP`
		Not matches regex		enum: `NOT_MATCHES_REGEXP`
		Matches any word		enum: `MATCH_ANY_WORD`
		Matches all words		enum: `MATCH_ALL_WORDS`
	N/A		regexp_match	RegexpMatch
RegexpMatch	Regex Description		description	string
RegexpMatch	Minimum match count		min_match_count	integer
MetadataMatch	Attribute	Message authentication	metadata_match_attribute	enum: `MESSAGE_AUTHENTICATION`
		Source IP		enum: `SOURCE_IP`
		Secure transport (TLS)		enum: `TLS`
		Message size		enum: `MESSAGE_SIZE`
		S/MIME encrypted		enum: `SMIME_ENCRYPTED`
		S/MIME signed		enum: `SMIME_SIGNED`
		Gmail confidential mode		enum: `CONFIDENTIAL_MODE`
		Spam		enum: `SPAM`
	Match type	the following range	source_ip_range	string
		the following (MB)	message_size_in_megabytes	integer
		Message is authenticated	metadata_match_type	enum: `MESSAGE_AUTHENTICATED`
		Message is not authenticated		enum: `MESSAGE_NOT_AUTHENTICATED`
		Source IP is within		enum: `SOURCE_IP_IN_RANGE`
		Source IP is not within		enum: `SOURCE_IP_NOT_IN_RANGE`
		Connection is TLS encrypted		enum: `TLS_ENCRYPTED`
		Connection is not TLS encrypted		enum: `TLS_NOT_ENCRYPTED`
		Message size is greater than		enum: `MESSAGE_SIZE_GREATER_THAN`
		Message size is less than		enum: `MESSAGE_SIZE_LESS_THAN`
		Message is S/MIME encrypted		enum: `MESSAGE_IS_SMIME_ENCRYPTED`
		Message is not S/MIME encrypted		enum: `MESSAGE_IS_NOT_SMIME_ENCRYPTED`
		Message is S/MIME signed		enum: `MESSAGE_IS_SMIME_SIGNED`
		Message is not S/MIME signed		enum: `MESSAGE_IS_NOT_SMIME_SIGNED`
		Message is in Gmail confidential mode		enum: `MESSAGE_IS_IN_CONFIDENTIAL_MODE`
		Message is not in Gmail confidential mode		enum: `MESSAGE_IS_NOT_IN_CONFIDENTIAL_MODE`
		Malware detected from security sandbox		enum: `MALWARE_DETECTED_FROM_SECURITY_SANDBOX`
PredefinedContentMatch	N/A (Predefined content match selector)			predefined_content_match_name	string
	Minimum match count			min_match_count	integer
	Confidence threshold		confidence_threshold	enum: `MEDIUM` `HIGH`
FileTypeMatch	Office documents which are encrypted		encrypted_office_documents	boolean
	Office documents which are not encrypted		unencrypted_office_documents	boolean
	Video and multimedia		video	boolean
	Music and sound		music	boolean
	Images		image	boolean
	Compressed files and archives which are encrypted		compressed_encrypted_files	boolean
	Compressed files and archives which are not encrypted		compressed_unencrypted_files	boolean
	Custom file types - Match files based on file name extension		custom_file_extensions	string[]
	Also match files based on file format		match_file_format	boolean
RuleConsequences	Modify message	N/A	rule_consequence_type	enum: `MODIFY_MESSAGE`
		N/A	primary_delivery	Delivery
		Add more recipients	deliver_to_additional_recipients	boolean
		Recipients	bcc_deliveries	Delivery[]
Delivery	Add X-Gm-Original-To header		add_x_gm_original_to_header	boolean
	Add X-Gm-Spam and X-Gm-Phishy headers		add_x_gm_spam_header	boolean
	Add custom headers		add_custom_headers	boolean
	Custom headers		custom_headers	string[]
	Prepend custom subject		prepend_custom_subject	boolean
	Enter new subject prefix		custom_subject	string
	Change route		change_default_route	boolean
	Also reroute spam		reroute_spam	boolean
	Suppress bounces from this recipient		suppress_bounces_from_recipient	boolean
	N/A (Routing selector)		normal_routing	boolean
	Change envelope recipient N/A		change_envelope_recipient	boolean
	Replace recipient		replace_envelope_recipient_type	enum: `REPLACE_ADDRESS`
	Replace recipient		recipient_address	string
	Replace username		replace_envelope_recipient_type	enum: `REPLACE_USER`
	Replace username		recipient_user	string
	Replace domain		replace_envelope_recipient_type	enum: `REPLACE_DOMAIN`
	Replace domain		recipient_domain	string
	Bypass spam filter for this message		bypass_spam_filter	boolean
	Remove attachments from message		remove_attachments	boolean
	Append this text to notify recipients that attachments have been removed		attachment_removal_notice	string
	Require secure transport (TLS)		require_tls	boolean
	Encrypt message if not encrypted (S/MIME)		encrypt_outgoing_messages	boolean
	Bounce message if unable to sign and encrypt		bounce_unencrypted_messages	boolean
	Do not deliver spam to this recipient		do_not_deliver_spam_to_recipient	boolean
OAuthMailClientList	Restrict which mail clients users can use (OAuth mail clients only)		oauth_mail_client	OAuthMailClient[]
OAuthMailClient	N/A		oauth_mail_client_id	string

Groups For Business Settings

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Groups for Business	Sharing settings > Sharing options	`groups_for_business.groups_sharing`	No	Set policies for changing group sharing settings	collaborationCapability	enum: `ANYONE_CAN_ACCESS` `DOMAIN_USERS_ONLY`
				Creating groups	createGroupsAccessLevel	enum: `ADMIN_ONLY` `USERS_IN_DOMAIN` `ANYONE_CAN_CREATE`
				Group owners can allow external members	ownersCanAllowExternalMembers	boolean
				Group owners can allow incoming email from outside the organization	ownersCanAllowIncomingMailFromPublic	boolean
				Default for permission to view conversations	viewTopicsDefaultAccessLevel	enum: `OWNERS` `MANAGERS` `GROUP_MEMBERS` `DOMAIN_USERS` `ANYONE_CAN_VIEW_TOPICS`
				Group owners can hide groups from the directory	ownersCanHideGroups	boolean
				Hide newly created groups from the directory	newGroupsAreHidden	boolean

Legal and Compliance

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Account settings	Sharing options	`cloud_sharing_options.cloud_data_sharing`	No	Google Cloud Platform Sharing Options	sharingOptions	enum: `UNSUPPORTED` `ENABLED` `DISABLED`

Marketplace Settings

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Apps list	Apps list	`workspace_marketplace.apps_allowlist`	No	Showing apps for users in all organizational units	apps	AppsAllowlistSetting[]
Settings	Manage access to apps > Manage Google Workspace Marketplace allowlist access	`workspace_marketplace.apps_access_options`	No	Select which Marketplace apps users can run and install.	access_level	enum: `ALLOW_ALL` `ALLOW_LISTED_APPS` `ALLOW_NONE`

Marketplace Sub-Settings

Policy API sub-setting name	Admin console caption	Policy API field name	Data type
AppsAllowlistSetting	N/A	application_id	string
AppsAllowlistSetting	N/A	access	enum: `ALLOWED` `BLOCKED`

The workspace_marketplace.apps_allowlist setting in the API response exposes the Marketplace application_id, instead of application_name. The following Python script can be used to convert one or more application_id that are specified on the command line to application_name.

import re
import requests
import sys

output = {}
app_ids = sys.argv[1:]

for id in app_ids:
  url = f"https://workspace.google.com/marketplace/app/_/{id}"
  response = requests.get(url, allow_redirects=False)
  final_url = response.headers['Location']
  pattern = f"^https://workspace.google.com/marketplace/app/(.*)/{id}$"
  a = re.search(pattern, final_url)
  output[id] = a.group(1)

# Output application name captured from returned URL
print(output)

Meet Settings

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Google Meet	Meet video settings > Recording	`meet.video_recording`	No	Let people record their meetings.	enable_recording	boolean
	Meet safety settings > Domain	`meet.safety_domain`	No	Who can join meetings created by your organization.	users_allowed_to_join	enum: `SAME_ORGANIZATION_ONLY` `LOGGED_IN` `ALL`
	Meet safety settings > Access	`meet.safety_access`	No	Which meetings or calls users in the organization can join. "Incoming call restrictions" can further limit the calls that users can receive	meetings_allowed_to_join	enum: `SAME_ORGANIZATION_ONLY` `ANY_WORKSPACE_ORGANIZATION` `ALL`
	Meet safety settings > Host management	`meet.safety_host_management`	No	Default host management	enable_host_management	boolean
	Meet safety settings > Warn for external participants	`meet.safety_external_participants`	No	Indicates participants who are outside "Organization" or whose identities are unconfirmed.	enable_external_label	boolean
	Meet safety settings > Joining	`meet.joining`	No	Meeting access type (subject to restrictions set in domain)	allowed_audience	enum: `ALLOWED_AUDIENCE_UNSPECIFIED` `OPEN` `TRUSTED` `RESTRICTED`
	Meet safety settings > Chat	`meet.messaging`	No	Who can send in-call chat messages	enabled	boolean
	Meet safety settings > Present	`meet.presenting`	No	Who can share their screens in calls.	enabled	boolean
	Meet safety settings > Q&A	`meet.questions`	No	Who can participate in Q&A in calls	enabled	boolean
	Meet safety settings > Polls	`meet.polls`	No	Who can participate in polls in calls	enabled	boolean
	Meet safety settings > Incoming call restrictions	`meet.meet_incoming_call_restrictions`	No	This setting affects only Meet calling, not legacy services or calling in Google Chat. Restrictions set in "Access" can further limit the calls that users can receive.	allowed_callers	enum: `ALLOWED_CALLERS_UNSPECIFIED` `ALL` `CONTACTS_AND_ORGANIZATION_ONLY` `NONE`

Provisioning Settings

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Account settings	Conflicting accounts management	`provisioning.conflicting_accounts_management`	No	Choose how to manage conflicting accounts	option	enum: `OPTION_UNSPECIFIED` `AUTOMATICALLY_SEND_INVITATIONS` `REPLACE_CONFLICTING_ACCOUNT` `PRESERVE_CONFLICTING_ACCOUNT`
				Send daily follow-up emails for (specified) days	automatic_invitations.invitation_count	integer
				If a user doesn't accept an invitation within the selected follow-up period	automatic_invitations.unaccepted_invitation_resolution_option	enum: `UNACCEPTED_INVITATION_RESOLUTION_OPTION_UNSPECIFIED` `REPLACE_CONFLICTING_ACCOUNT_ON_NEXT_CREATION` `PRESERVE_CONFLICTING_ACCOUNT_ON_NEXT_CREATION`

Rules and Detectors Settings

Data Protection Rules Settings

For an overview of how to create data protection rules and detectors for the supported applications, see Create data protection rules.

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Data protection	Security > Access and data control > Data Protection > Manage Rules	`rule.dlp`	Yes	Name	display_name	string
				Description	description	string
				Apps	triggers	string[] - List of app specific trigger strings. The list of available app triggers is provided in the following Triggers section.
				Conditions	condition	string - Common Expression Language (CEL) expression of the data conditions the rule scans for. The CEL syntax and some common examples are provided in the following Conditions section.
				Actions	action	Struct - nested object representing app specific actions to take when the conditions are met. The available actions per app trigger are provided in the following Actions section.
				State	state	enum: `ACTIVE` `INACTIVE`
				Created	create_time	Timestamp
				Last modified	update_time	Timestamp
				Rule type specific metadata	rule_type_metadata	Struct - nested object representing rule type specific metadata. For Data Protection rules, this contains the severity level of the triggered events.

Triggers

The following table provides the list of available platforms, applications, and triggers:

Platform	Application	Trigger	API value
Google Workspace	Gmail	Message sent	`google.workspace.gmail.email.v1.send`
	Google Drive	Drive files	`google.workspace.drive.file.v1.share`
	Google Chat	Message sent	`google.workspace.chat.message.v1.send`
	Google Chat	File uploaded	`google.workspace.chat.attachment.v1.upload`
Chrome	Chrome	File uploaded	`google.workspace.chrome.file.v1.upload`
		File downloaded	`google.workspace.chrome.file.v1.download`
		Content pasted	`google.workspace.chrome.web_content.v1.upload`
		Content printed	`google.workspace.chrome.page.v1.print`
		URL visited	`google.workspace.chrome.url.v1.navigation`
ChromeOS	ChromeOS	File transfer restrictions	`google.workspace.chromeos.file.v1.transfer`

Conditions

To represent data conditions, the API uses Common Expressions Language (CEL) expressions. Each condition follows the pattern of {content type}.{content to scan for}({additional scan parameters}). For example, all_content.contains('apple') represents a data condition that matches if any of the scanned content (e.g. Drive doc, chat message, etc) contains the substring apple.

Content type

The list of available content types, corresponding to the matching configurations of the same names in the Admin Console.

access_levels
all_content
all_headers
body
destination_type
destination_url
drive_enterprise_metadata
encryption_state
envelope_from
file_size_in_bytes
file_type
from_header
message_security_status
request_attributes
sender_header
source_chrome_context
source_url
source_url_category
subject
suggestion
target_user
title
to_header_recipients
url
url_category

Content to scan for

The list of available content to scan for, corresponding to the matching configurations of the same names in the Admin Console.

contains({string})
starts_with({string})
ends_with({string})
equals({string})
matches_dlp_detector({detector name}, {likelihood}, {minimum_match_count: {count}, minimum_unique_match_count: {count}})
- Corresponds to the matches predefined data type option in the Admin Console.
- {detector name} denotes the predefined data type to scan for, which can be one of the built-in infotypes supported by Cloud DLP: https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference. For example, CREDIT_CARD_NUMBER or US_SOCIAL_SECURITY_NUMBER
- {likelihood} denotes the likelihood threshold of the match. For example, google.privacy.dlp.v2.Likelihood.LIKELY corresponds to the High threshold in the Admin Console.
matches_regex_detector({detector name}, {minimum_match_count: {count}})
- Corresponds to the matches regular expression option in the Admin Console.
- {detector name} is the resource name of the policy that represents the regular expression detector. See Data Protection Detector section on how to query detector policies in the API.
matches_word_list({detector name}, {minimum_match_count: {count}, minimum_unique_match_count: {count}})
- Corresponds to the matches words from word list option in the Admin Console.
- {detector name} is the resource name of the policy that represents the word list detector. See Data Protection Detector section on how to query detector policies in the API.
matches_web_category({category})
- Corresponds to the URL category matches option in the Admin Console for Chrome URL visited trigger.
- {category} denotes the URL category supported by the Admin Console configuration. For the list of available categories and their API representations, see URL categories.

Composite conditions

Multiple base conditions can be mixed with AND (&&), OR (||), or NOT (!) operators to form a composite condition. For example, "all_content.contains('apple') && all_content.contains('banana')" represents a condition that matches if any of the scanned content contains both 'apple' and 'banana' substrings.

Actions

Each application specifies the action to take when the data condition matches in a nested message. For example, { "driveAction" { "warnUser" { } } } represents a Drive action that warns users on external sharing. The application specific actions available are the following:

Application	Action key	Subaction	Admin console caption
Drive	driveAction	blockAccess	Block external sharing
		warnUser	Warn on external sharing
		auditOnly	no action
		restrictCopyPrintDownload	Disable download, print, and copy
		applyLabels	Apply Classification labels
Gmail	gmailAction	blockContent	Block message
		warnUser	Warn users
		auditOnly	Audit only
		quarantineMessage	Quarantine message
Chat	chatAction	blockContent	Block message
		warnUser	Warn users
		auditOnly	Audit only
Chrome	chromeAction	blockContent	Block
Chrome	chromeAction	warnUser	Allow with warning

Rule type specific metadata

This attribute contains the metadata specific to the rule type. For Data Protection rules, it contains the alerting event severity when the event is reported under the security dashboard and alert center. An example value of the metadata representing LOW alert severity:

fields {
  key: "ruleTypeMetadata"
  value {
    struct_value {
      fields {
        key: "dlpRuleMetadata"
        value {
          struct_value {
            fields {
              key: "alertSeverity"
              value {
                string_value: "LOW"
              }
            }
          }
        }
      }
    }
  }
}

Data Protection Detectors Settings

For an overview of data protection rules and detectors, see Create DLP for Drive rules and custom content detectors.

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Data protection	Security > Access and data control > Data Protection > Manage Detectors	detector.regular_expression detector.word_list	Yes	Name	display_name	string
				Description	description	string
				Regular Expression	regular_expression	Struct - contains the regular expression string. Only set if the detector type is detector.regular_expression.
				Word List	word_list	string - contains the list of word strings. Only set if the detector type is `detector.word_list`.
				Created	create_time	Timestamp
				Last modified	update_time	Timestamp

System Defined Alert Rules Settings

This section describes Google Workspace system-defined alert rules. The API returns only system-defined alerts that are modified from the default value by the administrator.

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Data protection	Rules (for "system defined' rule type)	`rule.system_defined_alerts`	No	Name	display_name	string
				Description	description	string
				Actions	action	Struct - nested object representing notification settings when the system defined alert is triggered. Details are provided in the following Actions section.
				State	state	enum: `ACTIVE` `INACTIVE`
				Created	create_time	Timestamp
				Last modified	update_time	Timestamp

Actions

System defined alert rules have a single action that denotes the notification settings for the alert.

Action key	Subaction	Admin console caption
alertCenterAction	alertCenterConfig	Send to alert center
alertCenterAction	recipients	Send email notifications

Security Settings

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Account recovery	Super Admin Account Recovery	`security.super_admin_account_recovery`	No	Allow super admins to recover their account	enableAccountRecovery	boolean
Account recovery	User Account Recovery	`security.user_account_recovery`	No	Allow users and non-super admins to recover their account	enableAccountRecovery	boolean
Password management	Password Management	`security.password`	No	Expiration	expirationDuration	Seconds (0 seconds means Never Expire)
				Reuse	allowReuse	boolean
				Strength and Length enforcement	enforceRequirementsAtLogin	boolean
				Length (Maximum length)	maximumLength	integer
				Length (Minimum length)	minimumLength	integer
				Strength	allowedStrength	enum: `STRONG` `WEAK`
Google session control	Session Control	`security.session_controls`	No	Web session duration	webSessionDuration	Seconds
Less secure apps	Less secure apps	`security.less_secure_apps`	No	Control user access to apps that use less secure sign-in technology and make accounts more vulnerable.	allowLessSecureApps	boolean
Login challenges	Login Challenges	`security.login_challenges`	No	Use employee ID to keep my users more secure	enableEmployeeIdChallenge	boolean
Passwordless	Passkeys restriction	`security.passkeys_restriction`	No	Choose the passkey types that users can sign in with	allowed_passkeys_type	enum: `ALLOWED_PASSKEYS_TYPE_UNSPECIFIED` `HARDWARE_SECURITY_KEYS_ONLY` `ANY_DEVICE_OR_PLATFORM`
Advanced Protection program	Enrollment	`security.advanced_protection_program`	No	Use employee ID to keep my users more secure	enableAdvancedProtectionSelfEnrollment	boolean
Advanced Protection program	Enrollment	`security.advanced_protection_program`	No	Security Codes	securityCodeOption	enum: `ALLOWED_WITH_REMOTE_ACCESS` `ALLOWED_WITHOUT_REMOTE_ACCESS` `CODES_NOT_ALLOWED`
2-Step verification	Authentication	`security.two_step_verification_enrollment`	No	Allow users to turn on 2-Step Verification	allowEnrollment	boolean
		`security.two_step_verification_enforcement`		Enforcement	enforcedFrom	Timestamp
		`security.two_step_verification_grace_period`		New user enrollment period	enrollmentGracePeriod	Duration
		`security.two_step_verification_device_trust`		Allow user to trust the device	allowTrustingDevice	boolean
		`security.two_step_verification_enforcement_factor`		Methods	allowedSignInFactorSet	enum: `ALL` `PASSKEY_ONLY` `PASSKEY_PLUS_SECURITY_CODE` `PASSKEY_PLUS_IP_BOUND_SECURITY_CODE` `NO_TELEPHONY`
		`security.two_step_verification_sign_in_code`		2-Step Verification policy suspension grace period	backupCodeExceptionPeriod	Duration
Multi-party approval settings	Multi-party approval settings	`multi_party_approval.require_approvals`	No	Choose whether an admin with multi-party approval privileges needs to approve sensitive actions taken in the Admin console and Admin API	multi_party_approval_state	enum: `MULTI_PARTY_APPROVAL_STATE_UNSPECIFIED` `ENABLED` `DISABLED`
	Multi-party approval for security settings	`multi_party_approval.security_actions`	No	2-step verification	two_step_verification_multi_party_approval_state
				Account recovery	account_recovery_multi_party_approval_state
				Google session control	session_controls_multi_party_approval_state
				Advanced protection program	advanced_protection_program_multi_party_approval_state
				Login challenges	login_challenges_multi_party_approval_state
				Passwordless	passwordless_multi_party_approval_state
				Domain-wide delegation	domain_wide_delegation_multi_party_approval_state
				SSO with third-party IDPs	sso_with_third_party_idps_multi_party_approval_state
				Context-Aware Access	context_aware_access_multi_party_approval_state
	Multi-party approval for API access to security settings	`multi_party_approval.security_actions_api_access`	No	SSO with third-party IDPs	sso_with_third_party_idps_multi_party_approval_state
	Multi-party approval for calendar settings	`multi_party_approval.calendar_actions`	No	Calendar Sharing	calendar_sharing_multi_party_approval_state
				General calendar settings	general_calendar_settings_multi_party_approval_state
				Calendar third party archiving settings	third_party_archiving_settings_multi_party_approval_state
	Multi-party approval for groups settings	`multi_party_approval.groups_actions`	No	Groups sharing	groups_sharing_multi_party_approval_state
	Multi-party approval for domains admin settings	`multi_party_approval.domains_actions`	No	Domains API	domains_api_multi_party_approval_state

Service Status Settings

The service_status setting contains a boolean value implying if a service is enabled for a certain OrgUnit or Group.

The Policy API supports service status settings for Google Workspace, Additional Google services, and Generative AI services that are listed in the Admin Console.

Google Workspace

Service name in Admin console	Service name in Policy API
AppSheet	appsheet
Calendar	calendar
Cloud Search	cloud_search
Drive and Docs	drive_and_docs
Gmail	gmail
Google Chat	chat
Google Meet	meet
Google Vault	vault
Google Voice	voice
Groups for Business	groups_for_business
Keep	keep
Sites	sites
Tasks	tasks

Additional Google services

Service name in Admin console	Service name in Policy API
AI Studio	ai_studio
Applied Digital Skills	applied_digital_skills
Assignments	assignments
Blogger	blogger
Brand Accounts	brand_accounts
Campaign Manager 360	campaign_manager
Chrome Canvas	chrome_canvas
Chrome Cursive	chrome_cursive
Chrome Remote Desktop	chrome_remote_desktop
Chrome Web Store	chrome_web_store
Classroom	classroom
CS First	cs_first
Currents	currents
Early Access Apps	early_access_apps
Experimental Apps	experimental_apps
FeedBurner	feedburner
Google Ad Manager	ad_manager
Google Ads	ads
Google AdSense	adsense
Google Alerts	alerts
Google Analytics	analytics
Google Arts & Culture	arts_and_culture
Google Bookmarks	bookmarks
Google Books	books
Google Chrome Sync	chrome_sync
Google Cloud	cloud
Google Cloud Print	cloud_print
Google Colab	colab
Google Developer	developers
Google Domains	domains
Google Earth	earth
Google Fi	fi
Google Groups	groups
Google Maps	maps
Google Messages	messages
Google My Business	my_business
Google My Maps	my_maps
Google News	news
Google Pay	pay
Google Photos	photos
Google Play	play
Google Play Console	play_console
Google Public Data Explorer	public_data
Google Read Along	read_along
Google Search Console	search_console
Google Takeout	takeout
Google Translate	translate
Google Trips	trips
Jamboard	jamboard
Location History	location_history
Data Studio	data_studio
Managed Google Play	managed_play
Material Gallery	material_gallery
Merchant Center	merchant_center
Partner Dash	partner_dash
Pinpoint	pinpoint
Play Books Partner Center	play_books_partner_center
Programmable Search Engine	programmable_search_engine
QuestionHub	question_hub
Scholar Profiles	scholar_profiles
Search Ads 360	search_ads_360
Search and Assistant	search_and_assistant
Socratic	socratic
Studio	studio
Third-party App Backups	third_party_app_backups
Tour Creator	tour_creator
Work Insights	work_insights
YouTube	youtube

Generative AI

Service name in Admin console	Service name in Policy API
Gemini app	gemini_app
NotebookLM	notebooklm

Sites Settings

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Sites	New Sites > Site creation and editing	`sites.sites_creation_and_modification`	No	Allow users to create new sites	allowSitesCreation	boolean
				Users can/cannot edit sites	allowSitesModification	boolean

UserTakeout Settings

Page in Admin console	Specific setting in Admin console	Policy API setting type	Mutate supported in v1beta1	Admin console caption	Policy API field name	Data type
Data	Data import & export > Google Takeout > User access to Takeout for Google services	`blogger.user_takeout` `books.user_takeout` `maps.user_takeout` `pay.user_takeout` `photos.user_takeout` `play.user_takeout` `play_console.user_takeout` `location_history.user_takeout` `youtube.user_takeout`	No	Manage user access to Takeout for Google services	takeout_status	enum: `TAKEOUT_STATUS_UNSPECIFIED` `ENABLED` `DISABLED`