Policy API concepts

This documentation describes Cloud Identity Policy API concepts and strategies.

Reduction

To list and get policies, see Setting up the Policy API and Listing and getting policies.

Terminology

Setting value: setting values provided in the policy
Reduced Setting value: final setting values applied to a target, such as a user, an organization unit, or a group
Reduction: the process of reducing setting values on policies to a single setting value for a target, such as a user, an organization unit, or a group
Reducer: the type of rules that determine how setting values on policies are simplified down to a single setting for a user
Admin policies: policies created by administrators in the Admin console
System policies: policies provided by Google Workspace

Reduction Process

To reduce a given setting for a given user:

Filter out all policies that don't apply to the user.
1. Filter out policies that don't contain the setting.
2. Filter out policies that apply to the OU that the target user isn't in.
3. Filter out policies that apply to the Group that the target user isn't in.
4. Filter out policies that apply to the License that the target user doesn't have. To learn more information about licenses, see Licenses section.
Apply the Reducer of the given Setting
- Max: For each field on the reduced setting, the Max reducer chooses the value from the policy with the greatest sortOrder.
- Merge: For each field on the reduced setting, the Merge reducer chooses the value from the policy with the greatest sortOrder that has a value for that field. If the field is an array, the Merge reducer instead concatenates the values from all the policies.
- MaxMap: The MaxMap reducer is used for settings where the array entries have a field that functions as a primary key. The MaxMap reducer doesn't concatenate the array entries with the same primary key. Instead, it updates the entry using the Max reducer on the other fields in the array entries that share the same primary key.
- MergeMap: The MergeMap reducer is used for settings where the array entries have a field that functions as a primary key. The MergeMap reducer doesn't concatenate the array entries with the same primary key. Instead, it updates the entry using the Merge reducer on the other fields in the array entries that share the same primary key.
- List: These settings are not reduced to a single setting. Instead, the entire sequence of settings is preserved and applied as a list.

Reducers for settings

Setting Name	Reducer
`drive_and_docs.external_sharing`	Max
`drive_and_docs.general_access_default`	Max
`drive_and_docs.shared_drive_creation`	Max
`drive_and_docs.file_security_update`	Max
`drive_and_docs.drive_sdk`	Merge
`drive_and_docs.drive_for_desktop`	Max
`gmail.confidential_mode`	Max
`gmail.enhanced_smime_encryption`	Max
`gmail.enhanced_pre_delivery_message_scanning`	Max
`gmail.email_spam_filter_ip_allowlist`	Max
`gmail.spoofing_and_authentication`	Max
`gmail.links_and_external_images`	Max
`gmail.email_attachment_safety`	Max
`gmail.email_address_lists`	MaxMap
`gmail.blocked_sender_lists`	MaxMap
`gmail.spam_override_lists`	MaxMap
`gmail.content_compliance`	MaxMap
`gmail.objectionable_content`	MaxMap
`gmail.attachment_compliance`	MaxMap
`gmail.comprehensive_mail_storage`	Max
`gmail.rule_states`	MaxMap
`gmail.user_email_uploads`	Max
`gmail.pop_access`	Max
`gmail.imap_access`	Merge
`gmail.workspace_sync_for_outlook`	Max
`gmail.auto_forwarding`	Max
`gmail.name_format`	Merge
`gmail.per_user_outbound_gateway`	Max
`gmail.email_image_proxy_bypass`	Merge
`gmail.mail_delegation`	Merge
`chat.chat_history`	Merge
`chat.chat_file_sharing`	Max
`chat.space_history`	Max
`chat.external_chat_restriction`	Merge
`chat.chat_apps_access`	Max
`sites.sites_creation_and_modification`	Max
`groups_for_business.groups_sharing`	Merge
`cloud_sharing_options.cloud_data_sharing`	Max
`classroom.teacher_permissions`	Max
`classroom.guardian_access`	Max
`classroom.class_membership`	Max
`classroom.api_data_access`	Max
`classroom.originality_reports`	Max
`classroom.roster_import`	Max
`classroom.student_unenrollment`	Max
`calendar.appointment_schedules`	Max
`calendar.external_invitations`	Max
`calendar.interoperability`	Merge
`calendar.primary_calendar_max_allowed_external_sharing`	Merge
`calendar.secondary_calendar_max_allowed_external_sharing`	Merge
`meet.safety_domain`	Max
`meet.safety_access`	Max
`meet.safety_host_management`	Max
`meet.video_recording`	Max
`meet.safety_external_participants`	Max
`security.super_admin_account_recovery`	Merge
`security.user_account_recovery`	Merge
`security.password`	Max
`security.session_controls`	Max
`security.less_secure_apps`	Merge
`security.login_challenges`	Max
`security.advanced_protection_program`	Max
`security.two_step_verification_enrollment`	Max
`security.two_step_verification_enforcement`	Max
`security.two_step_verification_grace_period`	Max
`security.two_step_verification_device_trust`	Max
`security.two_step_verification_enforcement_factor`	Max
`security.two_step_verification_sign_in_code`	Max
`user_takeout`	Max
`workspace_marketplace.apps_access_options`	Merge
`workspace_marketplace.apps_allowlist`	MergeMap (primary key is: application_id)
`SERVICE_STATUS_APP_NAME.service_status`	Max
`rule.dlp`	List
`rule.system_defined_alerts`	List
`detector.regular_expression`	List
`detector.word_list`	List

Licenses

Policies apply to users based on users' Workspace licenses. The license condition is provided in PolicyQuery.

For a full list of all Workspace Product and SKU IDs see Google Product and SKU IDs.

The following examples demonstrate how policies can be applied to certain groups of users based on those users' licenses.

Example 1: Normal clause only

entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010020027'])

The policy applies to a user if they have a license for at least one of the SKUs in the list.

Example 2: Normal clause and inverted clause

entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010020027']) && !entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010060005'])

The policy applies to a user if they have a license for at least one of the SKUs in the first clause. However, if a user has a license for any of the SKUs in the second clause, the policy does not apply to that user at all.

Example 3: Inverted clause only

!entity.licenses.exists(license, license in ['/product/Google-Apps/sku/1010060005'])

The policy applies to a user if they don't have a license for any SKUs in the list.

Default Field Values

When a field is not present on the Reduced Setting, its default value is as follows:

Setting Name	Field	Default Field Value
`chat.chat_history`	enable_chat_history	`false`
	history_on_by_default	`false`
	allow_user_modification	`true`
`chat.external_chat_restriction`	allow_external_chat	`false`
`chat.external_chat_restriction`	external_chat_restriction	`NO_RESTRICTION`
`chat.chat_apps_access`	enable_apps	`true` in EDU SKUs, `false` in non-EDU SKUs. EDU SKUs: `/product/Google-Apps/sku/Google-Apps-For-Education` `/product/Google-Apps/sku/1010310002` `/product/Google-Apps/sku/1010310003` `/product/Google-Apps/sku/1010310005` `/product/Google-Apps/sku/1010310006` `/product/Google-Apps/sku/1010310007` `/product/Google-Apps/sku/1010310008` `/product/Google-Apps/sku/1010310009` `/product/Google-Apps/sku/1010310010` `/product/Google-Apps/sku/1010460001` `/product/Google-Apps/sku/1010460002`
`chat.chat_apps_access`	enable_webhooks	`true` in EDU SKUs, `false` in non-EDU SKUs. EDU SKUs: `/product/Google-Apps/sku/Google-Apps-For-Education` `/product/Google-Apps/sku/1010310002` `/product/Google-Apps/sku/1010310003` `/product/Google-Apps/sku/1010310005` `/product/Google-Apps/sku/1010310006` `/product/Google-Apps/sku/1010310007` `/product/Google-Apps/sku/1010310008` `/product/Google-Apps/sku/1010310009` `/product/Google-Apps/sku/1010310010` `/product/Google-Apps/sku/1010460001` `/product/Google-Apps/sku/1010460002`
`gmail.user_email_uploads`	enable_mail_and_contacts_import	`false`
`gmail.email_image_proxy_bypass`	image_proxy_bypass_pattern	[] empty list
`gmail.email_image_proxy_bypass`	enable_image_proxy	`true`
`gmail.workspace_sync_for_outlook`	enable_google_workspace_sync_for_microsoft_outlook	`true`
`gmail.email_spam_filter_ip_allowlist`	allowed_ip_addresses	[] empty list
`drive_and_docs.external_sharing`	external_sharing_mode	`ALLOWED`
	allow_receiving_external_files	`true`
	warn_for_sharing_outside_allowlisted_domains	`true`
	allow_non_google_invites_in_allowlisted_domains	`false`
	allow_receiving_files_outside_allowlisted_domains	`true`
	warn_for_external_sharing	`true`
	allow_non_google_invites	`true`
	allow_publishing_files	`true`
	access_checker_suggestions	`RECIPIENTS_OR_AUDIENCE_OR_PUBLIC`
	allowed_parties_for_distributing_content	`ALL_ELIGIBLE_USERS`
`drive_and_docs.drive_sdk`	enable_drive_sdk_api_access	`true`
`drive_and_docs.general_access_default`	default_file_access	`LINK_SHARING_PRIVATE`
`security.user_account_recovery`	enable_account_recovery	`false`
`security.super_admin_account_recovery`	enable_account_recovery	`false`
`security.less_secure_apps`	allow_less_secure_apps	`false`
`workspace_marketplace.apps_access_options`	access_level	For K12 customers: `ALLOW_NONE` Otherwise: `ALLOW_ALL`
	access_level	For K12 customers: `ALLOW_NONE` Otherwise: `ALLOW_ALL`
	allow_all_internal_apps	`false`
`workspace_marketplace.apps_allowlist`	apps	[] empty list
`workspace_marketplace.apps_allowlist`	apps	[] empty list
`groups_for_business.groups_sharing`	collaboration_capability	`DOMAIN_USERS_ONLY`
	create_groups_access_level	`USERS_IN_DOMAIN`
	view_topics_default_access_level	`DOMAIN_USERS`
	owners_can_allow_external_members	`false`
	owners_can_allow_incoming_mail_from_public	`true`
	owners_can_hide_groups	`false`
	new_groups_are_hidden	`false`