Command to Print Just Security Groups

258 views
Skip to first unread message

Matt Campbell

unread,
Dec 18, 2022, 11:51:26 AM12/18/22
to GAM for Google Workspace
We use SGs to manage drive access. We're creating an audit for those security groups.

I'm trying to figure out a command to print all security groups on the domain, but can't seem to find the correct settings to query. Anyone know how to do this?

I've tried the following shooting in the dark:
gam print groups query "label:security*"
gam print groups matchsetting security TRUE
gam print groups matchsetting securityGroup TRUE

Jay Lee

unread,
Dec 18, 2022, 12:02:31 PM12/18/22
to google-ap...@googlegroups.com
Try:

gam print cigroups

note that depending on which OS you are using you may need to set the GAM_CSV_ROW_FILTER variable another way:

Jay Lee


--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/f89f0dbc-05c8-4ecc-825c-edfa7ed99da0n%40googlegroups.com.

Jay Lee

unread,
Dec 18, 2022, 12:25:18 PM12/18/22
to google-ap...@googlegroups.com
Since it's not obvious:
  • There are currently two Google APIs for managing Google Groups. The older Directory API and the newer Cloud Identity API. Each has different unique functionality. For example, the Directory API requires admin rights to manage groups while the Cloud Identity API can be used by members and owners of the group based on their group rights. Meanwhile the Directory API supports setting mail delivery for users (all, digest, none) while the Cloud Identity API does not.
  • Because the Cloud Identity API hasn't completely replaced the Directory API GAM supports both APIs today. "gam print groups" will use Directory API while "gam print cigroups" will use the Cloud Identity API. Only the Cloud Identity API supports showing the security status of a group.
Jay

Matt Campbell

unread,
Dec 19, 2022, 8:51:56 AM12/19/22
to GAM for Google Workspace
 Thanks that is great info. I set the env variable and ran `gam print cigroups` but it still just outputs a full list of all groups with no additional info.

I can see the security info fine for a specific group when I run `gam info cigroup [group]` but hoping I can get that security flag somehow when I list all groups.

Am I missing another argument for gam print cigroups?

Ross Scroggs

unread,
Dec 19, 2022, 9:04:34 AM12/19/22
to google-ap...@googlegroups.com
Matt,

What is:gam version

Ross
----
Ross Scroggs



Ross Scroggs

unread,
Dec 19, 2022, 11:52:55 AM12/19/22
to google-ap...@googlegroups.com
Matt,

If you're using Advanced GAM try this:
gam config csv_output_row_filter "'labels.cloudidentity.googleapis.com/groups.security:boolean:true'" print cigroups fields id,name,description,labels

Send me a Meet/Zoom invitation.

Ross
----
Ross Scroggs



Brian Kim

unread,
Dec 19, 2022, 1:42:42 PM12/19/22
to GAM for Google Workspace
I have noticed this behaviour recently, and I think I have an answer (which I believe would be an easy fix for you, Ross)

gam create cigroup $groupemail name $groupname description $groupdescription allowexternalmembers false archiveonly true gal off whocanadd none_can_add whocanjoin invited_can_join whocanleavegroup none_can_leave whocanpostmessage none_can_post whocanviewgroup all_owners_can_view whocanviewmembership all_owners_can_view whocandiscovergroup all_members_can_discover whocancontactowner all_managers_can_contact whocanmoderatemembers none

This does not set the name of the group (it defaults the group email address). 

When looking at it using debug_level 1, I see that it makes 2 API calls.

First call includes the correct group name (Cloud Identity Groups API)
b'{"groupKey": {"id": "Group Email"}, "parent": "customers/customer_id", "labels": {"cloudidentity.googleapis.com/groups.discussion_forum": ""}, "displayName": "Group Name", "description": "Group Description"}'

Second API call includes group email in the name field (Groups Settings API)
b'{"allowExternalMembers": "false", "archiveOnly": "true", "includeInGlobalAddressList": "false", "whoCanAdd": "NONE_CAN_ADD", "whoCanJoin": "INVITED_CAN_JOIN", "whoCanLeaveGroup": "NONE_CAN_LEAVE", "whoCanPostMessage": "NONE_CAN_POST", "whoCanViewGroup": "ALL_OWNERS_CAN_VIEW", "whoCanViewMembership": "ALL_OWNERS_CAN_VIEW", "whoCanDiscoverGroup": "ALL_MEMBERS_CAN_DISCOVER", "whoCanContactOwner": "ALL_MANAGERS_CAN_CONTACT", "whoCanModerateMembers": "NONE", "name": "Group Email"}'

Ross Scroggs

unread,
Dec 19, 2022, 3:13:13 PM12/19/22
to google-ap...@googlegroups.com
Brian,

This is fixed in 6.30.01.

In Advanced GAM you can now say the following that has Google do the filtering, not GAM. Thanks to Jay for this; it is coming in Standard GAM

gam print cigroups query "'cloudidentity.googleapis.com/groups.security' in labels"

Ross
----
Ross Scroggs



Brian Kim

unread,
Dec 20, 2022, 11:52:10 AM12/20/22
to GAM for Google Workspace
Thanks Ross, as always!

Matt Campbell

unread,
Dec 21, 2022, 8:53:42 AM12/21/22
to GAM for Google Workspace
Yes using advanced GAM and the below command you gave me worked perfectly for displaying all security groups:


gam config csv_output_row_filter "'labels.cloudidentity.googleapis.com/groups.security:boolean:true'" print cigroups fields id,name,description,labels

Thanks Ross!

Ross Scroggs

unread,
Dec 21, 2022, 10:10:38 AM12/21/22
to google-ap...@googlegroups.com
With Advanced GAM 6.30.01 this command will be faster as Google is doing the filtering.

gam print cigroups query "'cloudidentity.googleapis.com/groups.security' in labels"fields id,name,description,labels

Ross
----
Ross Scroggs



Reply all
Reply to author
Forward
0 new messages