Investigate new policies write apis
https://cloud.google.com/identity/docs/reference/rest/v1beta1/policies/create
Create, patch and delete methods now exist for policy APIs. Let's investigate their usage.
There's no docs on which policies can be written yet nor are there examples I can find but it's safe to assume a policy to write should look like an existing set policy JSON format.
Will do.
Ross
Ross Scroggs @.***
On Nov 4, 2025, at 3:26 AM, Jay Lee @.***> wrote:
jay0lee created an issue (GAM-team/GAM#1849) https://github.com/GAM-team/GAM/issues/1849 https://cloud.google.com/identity/docs/reference/rest/v1beta1/policies/create
May be a little early:
$ gams config debug_level 1 delete policies policies/ahv4hg7qc2t45e4jatezjp4byyksi
connect: (cloudidentity.googleapis.com, 443)
send: GET /$discovery/rest?version=v1beta1 HTTP/1.1
Host: cloudidentity.googleapis.com
content-length: 0
user-agent: GAM 7.28.01 - https://github.com/GAM-team/GAM / GAM Team @.***> / Python 3.14.0 final / macOS-26.1-arm64-arm-64bit-Mach-O arm64 /
x-goog-api-client: cred-type/u
authorization: Bearer *****
accept-encoding: gzip, deflate
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: application/json; charset=UTF-8
header: Vary: Origin
header: Vary: X-Origin
header: Vary: Referer
header: Content-Encoding: gzip
header: Date: Tue, 04 Nov 2025 22:08:44 GMT
header: Server: ESF
header: X-XSS-Protection: 0
header: X-Frame-Options: SAMEORIGIN
header: X-Content-Type-Options: nosniff
header: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
header: Transfer-Encoding: chunked
send: DELETE /v1beta1/policies/ahv4hg7qc2t45e4jatezjp4byyksi?prettyPrint=true&alt=json HTTP/1.1
Host: cloudidentity.googleapis.com
accept: application/json
accept-encoding: gzip, deflate
user-agent: GAM 7.28.01 - https://github.com/GAM-team/GAM / GAM Team @.***> / Python 3.14.0 final / macOS-26.1-arm64-arm-64bit-Mach-O arm64 / (gzip)
x-goog-api-client: gdcl/2.185.0 gl-python/3.14.0 cred-type/u
content-length: 0
authorization: Bearer *****
reply: 'HTTP/1.1 501 Not Implemented\r\n'
header: Vary: Origin
header: Vary: X-Origin
header: Vary: Referer
header: Content-Type: application/json; charset=UTF-8
header: Content-Encoding: gzip
header: Date: Tue, 04 Nov 2025 22:08:44 GMT
header: Server: ESF
header: X-XSS-Protection: 0
header: X-Frame-Options: SAMEORIGIN
header: X-Content-Type-Options: nosniff
header: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
header: Transfer-Encoding: chunked
ERROR: JSON: {'error': {'code': 501, 'message': 'Operation is not implemented, or supported, or enabled.', 'status': 'UNIMPLEMENTED'}}
ERROR: 501: 501 - Operation is not implemented, or supported, or enabled.
Ross Scroggs @.***
On Nov 4, 2025, at 7:19 AM, Ross Scroggs @.***> wrote:
Will do.
Not too early, API is very limited. See: https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings
Search for v1beta1
Here's where the API applies:
https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings#data_protection_rules_settings
https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings#data_protection_detectors
Ross Scroggs @.***
I can delete a DLP policy but can't update one; the error message isn't much help.
send: PATCH /v1beta1/policies/akajj264apbozmhfc4?prettyPrint=true&alt=json HTTP/1.1
Host: cloudidentity.googleapis.com
accept: application/json
accept-encoding: gzip, deflate
user-agent: GAM 7.28.01 - https://github.com/GAM-team/GAM / GAM Team @.***> / Python 3.14.0 final / macOS-26.1-arm64-arm-64bit-Mach-O arm64 / (gzip)
x-goog-api-client: gdcl/2.185.0 gl-python/3.14.0 cred-type/u
content-type: application/json
content-length: 2177
authorization: Bearer *****
send: {"policyQuery": {"orgUnit": "orgUnits/03ph8a2z3ugl630"}, "setting": {"type": "settings/rule.dlp", "value": {"action": {"alertCenterAction": {}, "chatAction": {"auditOnly": {"actionParams": {"applyExternalDirectMessages": true, "applyExternalGroupChats": true, "applyExternalRooms": true, "applyInternalDirectMessages": true, "applyInternalGroupChats": true, "applyInternalRooms": true}}}, "driveAction": {"warnUser": {}}, "gmailAction": {"auditOnly": {"actionParams": {"applyExternalMessages": true, "applyInternalMessages": true}}}}, "condition": {"contentCondition": "all_content.matches_dlp_detector('US_SOCIAL_SECURITY_NUMBER', google.privacy.dlp.v2.Likelihood.LIKELY, {minimum_match_count: 1, minimum_unique_match_count: 1}) || all_content.matches_dlp_detector('US_DRIVERS_LICENSE_NUMBER', google.privacy.dlp.v2.Likelihood.LIKELY, {minimum_match_count: 1, minimum_unique_match_count: 1}) || all_content.matches_dlp_detector('US_PASSPORT', google.privacy.dlp.v2.Likelihood.LIKELY, {minimum_match_count: 1, minimum_unique_match_count: 1}) || all_content.matches_dlp_detector('US_ADOPTION_TAXPAYER_IDENTIFICATION_NUMBER', google.privacy.dlp.v2.Likelihood.LIKELY, {minimum_match_count: 1, minimum_unique_match_count: 1}) || all_content.matches_dlp_detector('US_EMPLOYER_IDENTIFICATION_NUMBER', google.privacy.dlp.v2.Likelihood.LIKELY, {minimum_match_count: 1, minimum_unique_match_count: 1}) || all_content.matches_dlp_detector('US_INDIVIDUAL_TAXPAYER_IDENTIFICATION_NUMBER', google.privacy.dlp.v2.Likelihood.LIKELY, {minimum_match_count: 1, minimum_unique_match_count: 1}) || all_content.matches_dlp_detector('US_VEHICLE_IDENTIFICATION_NUMBER', google.privacy.dlp.v2.Likelihood.LIKELY, {minimum_match_count: 1, minimum_unique_match_count: 1})"}, "description": "Protect your organization from leaking PII data (US)", "displayName": "Prevent PII information sharing (US)", "ruleTypeMetadata": {"dlpRuleMetadata": {"alertSeverity": "LOW"}}, "state": "ACTIVE", "triggers": ["google.workspace.chat.message.v1.send", "google.workspace.chat.attachment.v1.upload", "google.workspace.drive.file.v1.share", "google.workspace.gmail.email.v1.send"]}}, "customer": "customers/C03pmm8ne"}
reply: 'HTTP/1.1 400 Bad Request\r\n'
header: Vary: Origin
header: Vary: X-Origin
header: Vary: Referer
header: Content-Type: application/json; charset=UTF-8
header: Content-Encoding: gzip
header: Date: Wed, 05 Nov 2025 19:32:14 GMT
header: Server: ESF
header: X-XSS-Protection: 0
header: X-Frame-Options: SAMEORIGIN
header: X-Content-Type-Options: nosniff
header: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
header: Transfer-Encoding: chunked
ERROR: JSON: {'error': {'code': 400, 'message': 'Error(7016): Request contains invalid argument(s).', 'status': 'INVALID_ARGUMENT', 'details': @.***': 'type.googleapis.com/google.rpc.BadRequest'}]}}
Policy: policies/akajj264apbozmhfc4, Update Failed: Error(7016): Request contains invalid argument(s).
Ross Scroggs @.***
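Added example (not part of the thread and not GAM code): a small parser for debug traces like the ones posted above, which pairs each request with its HTTP code and API error status and checks that the bearer token is masked before a trace is shared publicly. It assumes one trace item per line; the sample is constructed and shortened from the thread's traces, and its final GET request with an unmasked token is invented.

```python
import ast
import re

# Constructed sample: shortened from the traces in this thread, one item per
# line (assumed layout). The last request is invented to show an unmasked token.
SAMPLE_TRACE = r"""send: DELETE /v1beta1/policies/ahv4hg7qc2t45e4jatezjp4byyksi?prettyPrint=true&alt=json HTTP/1.1
authorization: Bearer *****
reply: 'HTTP/1.1 501 Not Implemented\r\n'
ERROR: JSON: {'error': {'code': 501, 'message': 'Operation is not implemented, or supported, or enabled.', 'status': 'UNIMPLEMENTED'}}
send: PATCH /v1beta1/policies/akajj264apbozmhfc4?prettyPrint=true&alt=json HTTP/1.1
authorization: Bearer *****
reply: 'HTTP/1.1 400 Bad Request\r\n'
ERROR: JSON: {'error': {'code': 400, 'status': 'INVALID_ARGUMENT', 'details': @.***': 'type.googleapis.com/google.rpc.BadRequest'}]}}
send: GET /v1beta1/policies/EXAMPLE HTTP/1.1
authorization: Bearer EXAMPLE-UNMASKED-TOKEN
reply: 'HTTP/1.1 200 OK\r\n'
"""

REQUEST = re.compile(r"^send: (GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/1\.[01]$")
REPLY = re.compile(r"^reply: 'HTTP/1\.[01] (\d{3}) ")
AUTH = re.compile(r"^authorization: Bearer (\S+)", re.IGNORECASE)
ERROR = re.compile(r"^ERROR: JSON: (.+)$")
STATUS = re.compile(r"'status': '([A-Z_]+)'")

def error_status(text):
    """Return error.status from the printed dict; regex fallback if it is mangled."""
    try:
        return ast.literal_eval(text)["error"]["status"]
    except (ValueError, SyntaxError, KeyError, TypeError):
        found = STATUS.search(text)  # e.g. the mail-scrubbed 400 body above
        return found.group(1) if found else None

def summarize(trace):
    """Pair each request with its reply and note whether its token was masked."""
    calls = []
    for line in (raw.strip() for raw in trace.splitlines()):
        if m := REQUEST.match(line):
            calls.append({"method": m[1], "path": m[2].split("?")[0],
                          "http": None, "status": None, "token_masked": None})
        elif not calls:
            continue  # nothing to attach to before the first parsed request
        elif m := AUTH.match(line):
            calls[-1]["token_masked"] = set(m[1]) == {"*"}
        elif m := REPLY.match(line):
            calls[-1]["http"] = int(m[1])
        elif m := ERROR.match(line):
            calls[-1]["status"] = error_status(m[1])
    return calls
```

Any entry returned by `summarize()` with `token_masked` set to `False` means the trace still carries a live credential and should not be pasted into an issue.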
On Nov 5, 2025, at 9:21 AM, Ross Scroggs @.***> wrote:
Not too early, API is very limited. See: https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings