GAM + Gemini = Security / Logging Nightmare


Ché Frederick

Oct 17, 2025, 10:50:07 AM
to GAM for Google Workspace
Hey gang!

So I was tinkering with GAM in my cloud shell, simply typed gemini and pressed enter. And wouldn't ya know it, I can now prompt for GAM commands and run actions right in the cloud IDE.

"Show me all accounts with delegation to accountnamedotdomain." returns perfectly formatted lists. 

It's CRAZY powerful and REALLY REALLY good. I have no doubt someone will commit a huge sweeping change and absolutely break something. So how do I secure this? What's the best way to see logs?

Ross Scroggs

Oct 17, 2025, 10:55:52 AM
to google-ap...@googlegroups.com
Interesting, show the command it suggested.

Ross
----
Ross Scroggs




Jay Lee

Oct 17, 2025, 11:00:34 AM
to google-ap...@googlegroups.com
As Uncle Ben said:
(image attachment: image.png)

seriously. If an admin shows they don't have the common sense to not delegate their brain AND motor functions to the machine maybe they don't get to use the black box anymore or have admin rights....

Jay Lee


Ross Scroggs

Oct 17, 2025, 11:38:54 AM
to google-ap...@googlegroups.com

Here's my solution, how did I do?

gam config auto_batch_min 1 num_threads 20 show_gettings false csv_output_row_filter "delegateAddress:regex:^accou...@domain.com$" redirect csv ./Delegators.csv multiprocess all users print delegates


Ross
----
Ross Scroggs


Ché Frederick

Oct 17, 2025, 12:33:59 PM
to GAM for Google Workspace
> show me all the delegates for rulebr...@domain.com

✦ I can do that. I'll use the gam command to show the delegates for that user.
 ╭──────────────────────────────────────────────────────────────────╮
 │ ✓  Shell gam user rulebr...@domain.com show delegates (Show delegates for the user rulebr...@domain.com.)
 │
 │    bash: line 1: gam: command not found
 ╰──────────────────────────────────────────────────────────────────╯
✦ It seems that the gam command is not in your PATH. Let me try to find it and run the command again. I'll look in the bin directory first.
 ╭──────────────────────────────────────────────────────────────────╮
 │ ?  Shell /home/a_cfrederick/bin/gamadv-xtd3/gam user rulebr...@domain.com show delegates (Show delegates for the user rulebr...@domain.com using the full path to the gam executable.) ←
 │
 │   /home/XXXX/bin/gamadv-xtd3/gam user rulebr...@domain.com show delegates
 │
 │ Allow execution of: 'gam'?
 │
 │ ● 1. Yes, allow once
 │   2. Yes, allow always ...
 │   3. No, suggest changes (esc)
 │
 ╰──────────────────────────────────────────────────────────────────╯
⠏ Waiting for user confirmation...

It then formats the reply in a nice list. I'm also able to do some pretty powerful drive lookups and run security audits. 

Ross Scroggs

Oct 17, 2025, 3:24:46 PM
to google-ap...@googlegroups.com
The original question you showed was: "Show me all accounts with delegation to accountnamedotdomain."

This command does not show that: gam user rulebr...@domain.com show delegates
It shows the delegates for a single user, it does not show all the accounts with delegation to some account.


Ross

----
Ross Scroggs



Temsnr

Oct 17, 2025, 4:59:58 PM
to GAM for Google Workspace
It's OK @ross .... Gemini has that covered - it says "Gemini can make mistakes, including about people, so double-check it" in the small print at the bottom of the prompt

and yes, I checked, it is correct, even here in the UK it did make a mistake with this one

buenas noches

Jesse Mulert

Oct 21, 2025, 6:07:10 PM
to GAM for Google Workspace
I've been consulting Gemini regarding GAM commands lately and my experience is that it hallucinates wildly. Lots of commands with arguments that don't exist, etc. It's good for getting started, can sometimes help you find the problem in your command, and can sometimes tell you what is/isn't possible, but...yeah...more garbage than most other Gemini-assisted things.

Ross Scroggs

Oct 21, 2025, 7:43:50 PM
to google-ap...@googlegroups.com
Someone suggested prefixing your question with: Using https://github.com/GAM-team/GAM/wiki how do I do xxx?

Ross
----
Ross Scroggs


Temsnr

Oct 23, 2025, 2:15:51 AM
to GAM for Google Workspace
Gemini for some reason couldn't give me an answer. Here's what I got from ChatGPT
give me the GAM command to Show me all accounts with delegation to accountnamedotdomain the reference for GAM is in its wiki at https://github.com/GAM-team/GAM/wiki
ChatGPT said:

Excellent — you’re referring to GAM’s Gmail delegation management feature.
You can indeed list all user accounts that have delegated access to a specific account (e.g. accoun...@domain.com) using a single GAM command.

According to the official GAM Wiki on Gmail Delegation, here’s the correct syntax:


Command to find all accounts delegated to a specific user
gam all users show delegates | grep accoun...@domain.com

🔍 Explanation
  • gam all users show delegates
    Iterates through all users in your Google Workspace domain and lists any Gmail delegation relationships, showing who has access to whom.

  • | grep accoun...@domain.com
    Filters the output so that you only see lines where the delegate email (e.g., accoun...@domain.com) appears.
    (On Windows, replace grep with findstr.)


💡 Optional: CSV Output for Easier Review

If you want to save the results to a CSV for analysis:

gam redirect csv delegates.csv multiprocess all users show delegates

Then open delegates.csv and filter the rows where the delegate column equals accoun...@domain.com.


🧩 Example Output (from gam show delegates)

Typical output lines look like this:

User: al...@domain.com Delegate: accoun...@domain.com, VerificationStatus: accepted
User: b...@domain.com Delegate: sup...@domain.com, VerificationStatus: accepted

So, after filtering for accoun...@domain.com, you’ll see all users who’ve delegated access to that account.


⚙️ Notes

  • If your domain has many users, consider using the multiprocess flag for speed:

    gam redirect csv delegates.csv multiprocess all users show delegates
  • If you only want to check a subset of users (e.g., in an OU):

    gam print users query "orgUnitPath=/Sales" | gam csv - gam user ~primaryEmail show delegates

Would you like me to show you how to invert the query (i.e., show which accounts a given user has delegated access to)? That’s a slightly different command.


Temsnr

Oct 23, 2025, 2:17:05 AM
to GAM for Google Workspace
and this is what it said when I fed it Ross's command:

That command from Ross is indeed the correct and efficient “GAM-native” way to achieve this — much better than using shell-level grep filtering.

Let’s break it down carefully so you fully understand what it’s doing and why it’s superior:


Correct GAM Command
gam config auto_batch_min 1 num_threads 20 show_gettings false \
  csv_output_row_filter "delegateAddress:regex:^accoun...@domain.com$" \
  redirect csv ./Delegators.csv multiprocess all users print delegates

🧩 Explanation of Each Component

  • gam config auto_batch_min 1
    Forces GAM to use batching even for small calls (improves efficiency).

  • num_threads 20
    Runs up to 20 concurrent threads for parallel processing of users — dramatically speeds up large domains.

  • show_gettings false
    Suppresses unnecessary “Getting user…” lines for a cleaner output.

  • csv_output_row_filter "delegateAddress:regex:^accoun...@domain.com$"
    This is the key filter — it keeps only rows where the delegateAddress field exactly matches accoun...@domain.com. The ^ and $ anchors ensure it’s an exact match.

  • redirect csv ./Delegators.csv
    Writes the filtered results to Delegators.csv instead of printing to stdout.

  • multiprocess all users print delegates
    Iterates over all users in the domain, printing their Gmail delegate relationships using multiple processes for speed.

📄 Output Example

The resulting Delegators.csv will contain rows similar to:

primaryEmail,delegateAddress,verificationStatus
al...@domain.com,accoun...@domain.com,accepted
cha...@domain.com,accoun...@domain.com,accepted

So, from this you can immediately see which users (primaryEmail) have delegated access to accoun...@domain.com.


💡 Why This Is Better Than grep
  • Works natively inside GAM’s CSV output system (no external filtering needed).

  • Safer and faster for large domains.

  • Produces a clean, ready-to-use CSV file.

  • Avoids false positives from partial matches (thanks to the anchored regex).


🏁 In Summary

Best practice:
Use the GAM-author-recommended command you quoted — it’s the most performant and accurate way to get “all accounts with delegation to accoun...@domain.com.”


Ché Frederick

Oct 23, 2025, 10:35:34 AM
to GAM for Google Workspace
I'm not just copy and pasting commands to and fro, I'm running Gemini inside my GAM GCP. I'm talking to it right inside of the IDE and I've trained my gems on the documentation available. I'm able to verbally ask it things about my GWS environment and it retrieves information. 

As y'all pointed out, it's not 100% accurate, it doesn't create the most performant scripts. But it is capable of generating some basic reports, and that's saved me loads of time by using this setup. However, I need LOGS. Where in GCP can you see line by line what you committed in GCP terminal? 

Ross Scroggs

Oct 23, 2025, 10:44:33 AM
to google-ap...@googlegroups.com
GCP terminal command log: history

You can enable GAM logging:

Scroll down to cmdlog

Ross
----
Ross Scroggs


Ché Frederick

Oct 23, 2025, 11:22:52 AM
to GAM for Google Workspace
Enabled and logging! Heck yeah! Thanks for the pointer. 

Bending the topic away from Gemini and into this list of variables you shared... I'm brainstorming here, can I build a stripped down gam.cfg to only allow certain functions to be allowed for a GAM GCP? Basically guard rails around what can be ran? Would be nice to give contractors access to GAM, but I don't want them to be able to touch everything. 
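One way to get guard rails of the kind asked about, offered here as an added example rather than a GAM feature or a gam.cfg setting: put the contractor behind a thin wrapper that only passes read-only commands through to the gam binary and records every attempt, allowed or refused. GAM_BIN, the audit-log path, the verb lists and the log format are this example's own choices. The caveat a practitioner would want: a wrapper in someone's shell is bypassable by anyone who can reach the gam executable and its credential files directly, so the actual security boundary is the admin role granted to the GAM admin account and the API scopes authorized for its project; the wrapper reduces accidental damage and gives you a line-by-line record, nothing more.

```shell
#!/usr/bin/env sh
# Added example (not part of GAM): allow-list wrapper for read-only use.
# Assumptions: GAM_BIN points at your gam executable; GAM_AUDIT_LOG is a
# file the contractor can append to but not edit; the verb lists below
# are illustrative and fail closed, so extend them for your own usage.

GAM_BIN="${GAM_BIN:-/home/gam/bin/gamadv-xtd3/gam}"
GAM_AUDIT_LOG="${GAM_AUDIT_LOG:-$HOME/gam-wrapper.log}"

# A command is allowed only if (a) none of its tokens is a mutating verb
# and (b) at least one token is a read-only verb. "save" is treated as
# mutating so "gam config ... save" cannot rewrite gam.cfg.
READ_ONLY_VERBS="print show info report version"
MUTATING_VERBS="create update delete undelete add remove move modify sync transfer trash untrash purge claim suspend unsuspend save oauth auth sendemail"

_in_list() {                    # _in_list WORD LIST...
  needle="$1"; shift
  for w in "$@"; do [ "$w" = "$needle" ] && return 0; done
  return 1
}

gam_allowed() {                 # gam_allowed ARGS... -> 0 allowed, 1 refused
  seen_read=1
  for tok in "$@"; do
    lc="$(printf '%s' "$tok" | tr 'A-Z' 'a-z')"
    if _in_list "$lc" $MUTATING_VERBS; then return 1; fi
    if _in_list "$lc" $READ_ONLY_VERBS; then seen_read=0; fi
  done
  return $seen_read
}

gam_guard() {                   # gam_guard ARGS... : log, then run or refuse
  ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  if gam_allowed "$@"; then
    printf '%s %s ALLOW gam %s\n' "$ts" "${USER:-?}" "$*" >> "$GAM_AUDIT_LOG"
    "$GAM_BIN" "$@"
  else
    printf '%s %s DENY  gam %s\n' "$ts" "${USER:-?}" "$*" >> "$GAM_AUDIT_LOG"
    echo "gam-guard: refused (only print/show/info/report commands are allowed here): gam $*" >&2
    return 77
  fi
}
```

Install it as the only `gam` on the contractor's PATH (for example an alias or a small script that sources this file and calls `gam_guard "$@"`). Ross's delegation command above passes because it contains `print` and no mutating verb; `gam user x delete delegate y`, `gam config cmdlog ... save` and `gam user x vacation on` are refused, the last because it contains no read-only verb at all.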

Ross Scroggs

Oct 23, 2025, 11:25:23 AM
to google-ap...@googlegroups.com

Gabriel Clifton

Oct 23, 2025, 12:12:17 PM
to GAM for Google Workspace
Did you happen to notice when Gemini is thinking in that environment that at one point it says, "My other process is a Tardis"?