Policy API concepts
This documentation describes Cloud Identity Policy API concepts and strategies.
Reduction
To list and get policies, see Setting up the Policy API and Listing and getting policies.
Terminology
Setting value: setting values provided in the policy
Reduced Setting value: final setting values applied to a target, such as a user, an organization unit, or a group
Reduction: the process of reducing setting values on policies to a single setting value for a target, such as a user, an organization unit, or a group
Reducer: the type of rules that determine how setting values on policies are simplified down to a single setting for a user
Admin policies: policies created by administrators in the Admin console
System policies: policies provided by Google Workspace
Reduction Process
To reduce a given setting for a given user:
Filter out all policies that don't apply to the user.
Filter out policies that don't contain the setting.
Filter out policies that apply to the OU that the target user isn't in.
Filter out policies that apply to the Group that the target user isn't in.
Filter out policies that apply to the License that the target user doesn't have. To learn more information about licenses, see the Licenses section.
Apply the Reducer of the given Setting.
Max: For each field on the reduced setting, the Max reducer chooses the value from the policy with the greatest sortOrder.
Merge: For each field on the reduced setting, the Merge reducer chooses the value from the policy with the greatest sortOrder that has a value for that field. If the field is an array, the Merge reducer instead concatenates the values from all the policies.
MaxMap: The MaxMap reducer is used for settings where the array entries have a field that functions as a primary key. The MaxMap reducer doesn't concatenate the array entries with the same primary key. Instead, it updates the entry using the Max reducer on the other fields in the array entries that share the same primary key.
MergeMap: The MergeMap reducer is used for settings where the array entries have a field that functions as a primary key. The MergeMap reducer doesn't concatenate the array entries with the same primary key. Instead, it updates the entry using the Merge reducer on the other fields in the array entries that share the same primary key.
List: These settings are not reduced to a single setting. Instead, the entire sequence of settings is preserved and applied as a list.
Reducers for settings
| Setting Name | Reducer |
api_controls.custom_user_message
|
Max |
api_controls.google_services
|
MaxMap |
api_controls.internal_apps
|
Max |
api_controls.unconfigured_third_party_apps
|
Merge |
calendar.appointment_schedules
|
Max |
calendar.external_invitations
|
Max |
calendar.interoperability
|
Merge |
calendar.primary_calendar_max_allowed_external_sharing
|
Merge |
calendar.secondary_calendar_max_allowed_external_sharing
|
Merge |
chat.chat_apps_access
|
Max |
chat.chat_file_sharing
|
Max |
chat.chat_history
|
Merge |
chat.external_chat_restriction
|
Merge |
chat.space_history
|
Max |
classroom.api_data_access
|
Max |
classroom.class_membership
|
Max |
classroom.guardian_access
|
Max |
classroom.originality_reports
|
Max |
classroom.roster_import
|
Max |
classroom.student_unenrollment
|
Max |
classroom.teacher_permissions
|
Max |
cloud_sharing_options.cloud_data_sharing
|
Max |
detector.regular_expression
|
List |
detector.word_list
|
List |
drive_and_docs.drive_for_desktop
|
Max |
drive_and_docs.drive_sdk
|
Merge |
drive_and_docs.external_sharing
|
Max |
drive_and_docs.file_security_update
|
Max |
drive_and_docs.general_access_default
|
Max |
drive_and_docs.shared_drive_creation
|
Max |
gmail.attachment_compliance
|
MaxMap |
gmail.auto_forwarding
|
Max |
gmail.blocked_sender_lists
|
MaxMap |
gmail.comprehensive_mail_storage
|
Max |
gmail.confidential_mode
|
Max |
gmail.content_compliance
|
MaxMap |
gmail.email_address_lists
|
MaxMap |
gmail.email_attachment_safety
|
Max |
gmail.email_image_proxy_bypass
|
Merge |
gmail.email_spam_filter_ip_allowlist
|
Max |
gmail.enhanced_pre_delivery_message_scanning
|
Max |
gmail.enhanced_smime_encryption
|
Max |
gmail.imap_access
|
Merge |
gmail.links_and_external_images
|
Max |
gmail.mail_delegation
|
Merge |
gmail.name_format
|
Merge |
gmail.objectionable_content
|
MaxMap |
gmail.per_user_outbound_gateway
|
Max |
gmail.pop_access
|
Max |
gmail.rule_states
|
MaxMap |
gmail.spam_override_lists
|
MaxMap |
gmail.spoofing_and_authentication
|
Max |
gmail.user_email_uploads
|
Max |
gmail.workspace_sync_for_outlook
|
Max |
groups_for_business.groups_sharing
|
Merge |
meet.safety_access
|
Max |
meet.safety_domain
|
Max |
meet.safety_external_participants
|
Max |
meet.safety_host_management
|
Max |
meet.video_recording
|
Max |
rule.dlp
|
List |
rule.system_defined_alerts
|
List |
security.advanced_protection_program
|
Max |
security.less_secure_apps
|
Merge |
security.login_challenges
|
Max |
security.password
|
Max |
security.session_controls
|
Max |
security.super_admin_account_recovery
|
Merge |
security.two_step_verification_device_trust
|
Max |
security.two_step_verification_enforcement
|
Max |
security.two_step_verification_enforcement_factor
|
Max |
security.two_step_verification_enrollment
|
Max |
security.two_step_verification_grace_period
|
Max |
security.two_step_verification_sign_in_code
|
Max |
security.user_account_recovery
|
Merge |
SERVICE_STATUS_APP_NAME.service_status
|
Max |
sites.sites_creation_and_modification
|
Max |
user_takeout
|
Max |
workspace_marketplace.apps_access_options
|
Merge |
workspace_marketplace.apps_allowlist
|
MergeMap (primary key is: application_id) |
Licenses
Policies apply to users based on users' Workspace licenses. The license condition is provided in PolicyQuery.
For a full list of all Workspace Product and SKU IDs, see Google Product and SKU IDs.
The following examples demonstrate how policies can be applied to certain groups of users based on those users' licenses.
Example 1: Normal clause only
entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010020027'])
The policy applies to a user if they have a license for at least one of the SKUs in the list.
Example 2: Normal clause and inverted clause
entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010020027']) && !entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010060005'])
The policy applies to a user if they have a license for at least one of the SKUs in the first clause. However, if a user has a license for any of the SKUs in the second clause, the policy does not apply to that user at all.
Example 3: Inverted clause only
!entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010060005'])
The policy applies to a user if they don't have a license for any SKUs in the list.
Default Field Values
When a field is not present on the Reduced Setting, its default value is as follows:
| Setting Name | Field | Default Field Value |
api_controls.google_services
|
services | [] (empty list)
|
calendar.external_invitations
|
warn_on_invite | true
|
calendar.primary_calendar_max_allowed_external_sharing
|
max_allowed_external_sharing | EXTERNAL_FREE_BUSY_ONLY
|
calendar.secondary_calendar_max_allowed_external_sharing
|
max_allowed_external_sharing | EXTERNAL_ALL_INFO_READ_ONLY
|
chat.chat_apps_access
|
enable_apps | true in EDU SKUs, false in non-EDU SKUs. EDU SKUs:
|
| enable_webhooks | true in EDU SKUs, false in non-EDU SKUs. EDU SKUs:
|
|
chat.chat_history
|
enable_chat_history | false
|
| history_on_by_default | false
|
|
| allow_user_modification | true
|
|
chat.external_chat_restriction
|
allow_external_chat | false
|
| external_chat_restriction | NO_RESTRICTION
|
|
drive_and_docs.drive_sdk
|
enable_drive_sdk_api_access | true
|
drive_and_docs.external_sharing
|
external_sharing_mode | ALLOWED
|
| allow_receiving_external_files | true
|
|
| warn_for_sharing_outside_allowlisted_domains | true
|
|
| allow_non_google_invites_in_allowlisted_domains | false
|
|
| allow_receiving_files_outside_allowlisted_domains | true
|
|
| warn_for_external_sharing | true
|
|
| allow_non_google_invites | true
|
|
| allow_publishing_files | true
|
|
| access_checker_suggestions | RECIPIENTS_OR_AUDIENCE_OR_PUBLIC
|
|
| allowed_parties_for_distributing_content | ALL_ELIGIBLE_USERS
|
|
drive_and_docs.general_access_default
|
default_file_access | LINK_SHARING_PRIVATE
|
gmail.auto_forwarding
|
enable_auto_forwarding | true
|
gmail.email_image_proxy_bypass
|
image_proxy_bypass_pattern | [] (empty list)
|
| enable_image_proxy | true
|
|
gmail.email_spam_filter_ip_allowlist
|
allowed_ip_addresses | [] (empty list)
|
gmail.links_and_external_images
|
apply_future_settings_automatically | true
|
| enable_aggressive_warnings_on_untrusted_links | false
|
|
gmail.spoofing_and_authentication
|
apply_future_settings_automatically | true
|
gmail.user_email_uploads
|
enable_mail_and_contacts_import | false
|
gmail.workspace_sync_for_outlook
|
enable_google_workspace_sync_for_microsoft_outlook | true
|
groups_for_business.groups_sharing
|
collaboration_capability | DOMAIN_USERS_ONLY
|
| create_groups_access_level | USERS_IN_DOMAIN
|
|
| view_topics_default_access_level | DOMAIN_USERS
|
|
| owners_can_allow_external_members | false
|
|
| owners_can_allow_incoming_mail_from_public | true
|
|
| owners_can_hide_groups | false
|
|
| new_groups_are_hidden | false
|
|
security.less_secure_apps
|
allow_less_secure_apps | false
|
security.super_admin_account_recovery
|
enable_account_recovery | false
|
security.two_sv_device_trust
|
allow_trusting_device | true
|
security.two_sv_enforcement_factor
|
allowed_sign_in_factor_set | ALL
|
security.two_sv_enrollment
|
allow_enrollment | true
|
security.user_account_recovery
|
enable_account_recovery | false
|
workspace_marketplace.apps_access_options
|
access_level | For K12 customers: ALLOW_NONE
Otherwise: ALLOW_ALL
|
| allow_all_internal_apps | false
|
|
workspace_marketplace.apps_allowlist
|
apps | [] (empty list)
|
System Groups
Google system groups are groups that aren't surfaced in the Groups API and are linked to system policies. Their group IDs aren't prefixed with groups/, unlike other group IDs.
| GroupId | Description |
WORKSPACE_ALL_ADMIN_GROUP
|
Group for Google system policy that enforces 2-step verification for all admins. |