Settings available in the API

This document describes the settings that the Policy API supports.

Security Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Account Recovery	Super Admin Account Recovery	security.super_admin_account_recovery	Allow super admins to recover their account	enableAccountRecovery	Boolean
	User Account Recovery	security.user_account_recovery	Allow users and non-super admins to recover their account	enableAccountRecovery	Boolean
Password Management	Password Management	security.password	Expiration	expirationDuration	Seconds (0 seconds means Never Expire)
			Reuse	allowReuse	Boolean
			Strength and Length enforcement	enforceRequirementsAtLogin	Boolean
			Length (Maximum length)	maximumLength	Integer
			Length (Minimum length)	minimumLength	Integer
			Strength	allowedStrength	Enum: STRONG WEAK
Google Session Control	Session Control	security.session_controls	Web session duration	webSessionDuration	Seconds
Less secure apps	Less secure apps	security.less_secure_apps	Control user access to apps that use less secure sign-in technology and make accounts more vulnerable.	allowLessSecureApps	Boolean
Login challenges	Login Challenges	security.login_challenges	Use employee ID to keep my users more secure	enableEmployeeIdChallenge	Boolean
Advanced Protection Program	Enrollment	security.advanced_protection_program	Use employee ID to keep my users more secure	enableAdvancedProtectionSelfEnrollment	Boolean
			Security Codes	securityCodeOption	Enum: ALLOWED_WITH_REMOTE_ACCESS ALLOWED_WITHOUT_REMOTE_ACCESS CODES_NOT_ALLOWED

UserTakeout Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Data	Data import & export > Google Takeout > User access to Takeout for Google services	blogger.user_takeout books.user_takeout maps.user_takeout pay.user_takeout photos.user_takeout play.user_takeout play_console.user_takeout location_history.user_takeout youtube.user_takeout	Manage user access to Takeout for Google services	takeout_status	Enum: TAKEOUT_STATUS_UNSPECIFIED ENABLED DISABLED

Marketplace Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Apps list	Apps list	workspace_marketplace.apps_allowlist	Showing apps for users in all organizational units	apps	List of apps containing application_id and access status as ALLOWED or BLOCKED.
Settings	Manage access to apps > Manage Google Workspace Marketplace allowlist access	workspace_marketplace.apps_access_options	Select which Marketplace apps users can run and install.	access_level	Enum: ALLOW_ALL ALLOW_LISTED_APPS ALLOW_NONE

The Setting workspace_marketplace.apps_allowlist in the API response exposes the Marketplace application_id instead of application_name. The following Python script can be used to convert one or more application_id that are specified on the command line to application_name.

import re
import requests
import sys

output = {}
app_ids = sys.argv[1:]

for id in app_ids:
  url = f"https://workspace.google.com/marketplace/app/_/{id}"
  response = requests.get(url, allow_redirects=False)
  final_url = response.headers['Location']
  pattern = f"^https://workspace.google.com/marketplace/app/(.*)/{id}$"
  a = re.search(pattern, final_url)
  output[id] = a.group(1)

# Output application name captured from returned URL
print(output)

Service Status Settings

The service_status setting contains a Boolean value implying a service is enabled for a certain OrgUnit or Group.

The Policy API supports service status settings for both Workspace services and Additional services listed in the Admin Console under Apps.

Service Name in Admin Console	Policy API service name
Calendar	calendar
Cloud Search	cloud_search
Drive and Docs	drive_and_editors
Currents	currents
Groups for Business	groups_for_business
Jamboard	jamboard
Keep	keep
Google Chat	chat
Google Meet	meet
Google Voice	voice
Google Sites	sites
Tasks	tasks
Vault	vault
Work Insights	work_insights
AppSheet	appsheet
Applied Digital Skills	applied_digital_skills
Assignments	assignments
Blogger	blogger
Brand Accounts	brand_accounts
Campaign Manager 360	campaign_manager
Chrome Canvas	chrome_canvas
Chrome Remote Desktop	chrome_remote_desktop
Chrome Web Store	chrome_web_store
Classroom	classroom
CS First	cs_first
Experimental Apps	experimental_apps
FeedBurner	feedburner
Google Ad Manager	ad_manager
Google Ads	ads
Google AdSense	adsense
Google Alerts	alerts
Google Analytics	analytics
Google Arts & Culture	arts_and_culture
Google Bookmarks	bookmarks
Google Books	books
Google Chrome Sync	chrome_sync
Google Cloud	cloud
Google Cloud Print	cloud_print
Google Colab	colab
Google Developer	developers
Google Domains	domains
Google Earth	earth
Google Fi	fi
Google Groups	groups
Google Maps	maps
Google Messages	messages
Google My Business	my_business
Google My Maps	my_maps
Google News	news
Google Pay	pay
Google Photos	photos
Google Play	play
Google Play Console	play_console
Google Public Data Explorer	public_data
Google Read Along	read_along
Google Search Console	search_console
Google Takeout	takeout
Google Translate	translate
Google Trips	trips
Location History	location_history
Looker Studio	data_studio
Managed Google Play	managed_play
Material Gallery	material_gallery
Merchant Center	merchant_center
Partner Dash	partner_dash
Pinpoint	pinpoint
Play Books Partner Center	play_books_partner_center
Programmable Search Engine	programmable_search_engine
QuestionHub	question_hub
Scholar Profiles	scholar_profiles
Search Ads 360	search_ads_360
Search and Assistant	search_and_assistant
Socratic	socratic
Studio	studio
Third-party App Backups	third_party_app_backups
Tour Creator	tour_creator
YouTube	youtube
Additional services without individual control	enterprise_service_restrictions

Gmail Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Gmail	User Settings > Confidential Model	gmail.confidential_mode	Enable confidential mode	enable_confidential_mode	boolean
	User Settings > S/MIME	gmail.enhanced_smime_encryption	Allow users to upload their own certificates	allow_user_to_upload_certificates	boolean
			Accept these additional root certificates for specific domains:	custom_root_certificates	A list of CustomRootCertificates which contains a list of root certificates, a list of intermediate CA certificates, a list of restricted domain names, a boolean to allow address mismatch and an enum with different validation levels.
	Spam, phishing, and malware > Enhanced pre-delivery message scanning	gmail.enhanced_pre_delivery_message_scanning	Enables improved detection of suspicious content prior to delivery	enable_improved_suspicious_content_detection	boolean
	Spam, phishing, and malware > Email allowlist	gmail.email_spam_filter_ip_allowlist	Enter the IP addresses for your email allowlist	allowed_ip_addresses	A list of strings
	Safety > Spoofing and authentication	gmail.spoofing_and_authentication	Protect against domain spoofing based on similar domain names	detect_domain_name_spoofing	boolean
			Choose an action	domain_name_spoofing_consequence	Enum: WARNING SPAM_FOLDER QUARANTINE NO_ACTION
			Protect against spoofing of employee names	detect_employee_name_spoofing	boolean
			Choose an action	employee_name_spoofing_consequences	Enum: WARNING SPAM_FOLDER QUARANTINE NO_ACTION
			Protect against inbound emails spoofing your domain	detect_domain_spoofing_from_unauthenticated_senders	boolean
			Choose an action	domain_spoofing_consequences	Enum: WARNING SPAM_FOLDER QUARANTINE NO_ACTION
			Protect against any unauthenticated emails	detect_unauthenticated_emails	boolean
			Choose an action	unauthenticated_email_consequences	Enum: WARNING SPAM_FOLDER QUARANTINE NO_ACTION
			Protect your Groups from inbound emails spoofing your domain	detect_groups_spoofing	boolean
			Apply this setting to	groups_spoofing_group_type	Enum: PRIVATE_GROUPS_ONLY ALL_GROUPS
			Choose an action	groups_spoofing_consequences	Enum: WARNING SPAM_FOLDER QUARANTINE NO_ACTION
			Apply future recommended settings automatically	apply_future_settings_automatically	boolean
	Safety > Links and external images	gmail.links_and_external_images	Identify links behind shortened URLs	enable_shortener_scanning	boolean
			Scan linked images	enable_external_image_scanning	boolean
			Show warning prompt for any click on links to untrusted domains	enable_aggressive_warnings_on_untrusted_links	boolean
			Apply future recommended settings automatically	apply_future_settings_automatically	boolean
	Safety > Attachments	gmail.email_attachment_safety	Protect against encrypted attachments from untrusted senders	enable_encrypted_attachment_protection	boolean
			Choose an action	encrypted_attachment_protection_consequence	Enum: WARNING SPAM_FOLDER QUARANTINE
			Protect against attachments with scripts from untrusted senders	enable_attachment_with_scripts_protection	boolean
			Choose an action	attachment_with_scripts_protection_consequence	Enum: WARNING SPAM_FOLDER QUARANTINE
			Protect against anomalous attachment types in emails	enable_anomalous_attachment_protection	boolean
			Choose an action	anomalous_attachment_protection_consequence	Enum: WARNING SPAM_FOLDER QUARANTINE
			Apply future recommended settings automatically	apply_future_recommended_settings_automatically	boolean

Chat Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Google Chat	History for chats	chat.chat_history	History is ON/OFF	history_on_by_default	boolean
			Allow users to change their history setting	allow_user_modification	boolean
	Chat File Sharing	chat.chat_file_sharing	External filesharing	external_file_sharing	Enum: ALL_FILES IMAGES_ONLY NO_FILES FILE_SHARING_OPTION_UNSPECIFIED
				internal_file_sharing	same
	History for spaces	chat.space_history	Conversation history settings for spaces	history_state	Enum: DEFAULT_HISTORY_ON DEFAULT_HISTORY_OFF HISTORY_ALWAYS_ON HISTORY_ALWAYS_OFF HISTORY_STATE_UNSPECIFIED
	External Chat Settings	chat.external_chat_restriction	Allow users to send messages outside organization in chats and spaces	allow_external_chat	boolean
				external_chat_restriction	Enum: NO_RESTRICTION TRUSTED_DOMAINS RESTRICTION_UNSPECIFIED
	Chat apps	chat.chat_apps_access	Allow users to install Chat apps	enable_apps	boolean
			Allow users to add and use incoming webhooks	enable_webhooks	boolean

Drive and Docs Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Drive and Docs	Sharing settings > Sharing options	drive_and_docs.external_sharing	Select the highest level of sharing outside of $CUSTOMER_NAME that you want to allow	external_sharing_mode	Enum: DISALLOWED ALLOWLISTED_DOMAINS ALLOWED
			Allow users in $ORG_UNIT_NAME to receive files from users or shared drives outside of $CUSTOMER_NAME	allow_receiving_external_files	Boolean
			Warn when files owned by users or shared drives in $ORG_UNIT_NAME are shared with users in allowlisted domains	warn_for_sharing_outside_allowlisted_domains	Boolean
			Allow users in $ORG_UNIT_NAME to receive files from users or shared drives outside of allowlisted domains	allow_receiving_files_outside_allowlisted_domains	Boolean
			Allow users or shared drives in $ORG_UNIT_NAME to share items with non-Google users in trusted domains using visitor sharing	allow_non_google_invites_in_allowlisted_domains	Boolean
			Warn when files owned by users or shared drives in $ORG_UNIT_NAME are shared outside of $CUSTOMER_NAME	warn_for_external_sharing	Boolean
			Allow users or shared drives in $ORG_UNIT_NAME to share items with people outside $CUSTOMER_NAME who aren't using a Google Account	allow_non_google_invites	Boolean
			When sharing outside of $CUSTOMER_NAME is allowed, users in $ORG_UNIT_NAME can make files and published web content visible to anyone with the link	allow_publishing_files	Boolean
			When a user shares a file via a Google product other than Docs or Drive (e.g. by pasting a link in Gmail), Google can check that the recipients have access. If not, when possible, Google will ask the user to pick if they want to share the file to	access_checker_suggestions	Enum: RECIPIENTS_OR_AUDIENCE_OR_PUBLIC RECIPIENTS_OR_AUDIENCE RECIPIENTS_ONLY
			Select who should be allowed to distribute content in $ORG_UNIT_NAME outside of $CUSTOMER_NAME. This restricts who can upload or move content to shared drives owned by another organization	allowed_parties_for_distributing_content	Enum: ALL_ELIGIBLE_USERS ELIGIBLE_INTERNAL_USERS NONE
	Sharing settings > General access default	drive_and_docs.general_access_default	When users in $ORG_UNIT_NAME create items, the default access will be	default_file_access	Enum: PRIVATE_TO_OWNER PRIMARY_AUDIENCE_WITH_LINK PRIMARY_AUDIENCE_WITH_LINK_OR_SEARCH
	Sharing settings > Shared drive creation	drive_and_docs.shared_drive_creation	Prevent users in $ORG_UNIT_NAME from creating new shared drives	allow_shared_drive_creation	Boolean (The API response returns the opposite of the UI value)
			When users in $ORG_UNIT_NAME create a shared drive, it will be assigned to the following organizational unit	org_unit_for_new_shared_drives	Enum: CREATOR_ORG_UNIT CUSTOM_ORG_UNIT
			Selected organizational unit	custom_org_unit	String
			Allow members with manager access to override the settings below	allow_managers_to_override_settings	Boolean
			Allow users outside $CUSTOMER_NAME to access files in shared drives	allow_external_user_access	Boolean
			Allow people who aren't shared drive members to be added to files	allow_non_member_access	Boolean
			Allow viewers and commenters to download, print, and copy files	allowed_parties_for_download_print_copy	Enum: ALL (when the checkbox in the UI is checked) EDITORS_ONLY (when the checkbox in the UI is unchecked)
			Allow content managers to share folders	allow_content_managers_to_share_folders	Boolean
	Sharing settings > Security update for files	drive_and_docs.file_security_update	Applying this update will make file links more secure. This may cause users to receive file access requests	security_update	Enum: APPLY_TO_IMPACTED_FILES REMOVE_FROM_IMPACTED_FILES
			Allow users to remove/apply the security update for files they own or manage	allow_users_to_manage_update	Boolean
	Features and Applications > Drive SDK	drive_and_docs.drive_sdk	Allow users to access Google Drive with the Drive SDK API	enable_drive_sdk_api_access	Boolean
	Google Drive for desktop > Enable Drive for desktop	drive_and_docs.drive_for_desktop	Allow Google Drive for desktop in your organization	allow_drive_for_desktop	Boolean
			Only allow Google Drive for desktop on authorized devices	restrict_to_authorized_devices	Boolean
			Show Google Drive for desktop download link	show_download_link	Boolean
			Allow users to enable real-time presence in Microsoft Office from Google Drive for desktop	allow_real_time_presence	Boolean

Meet Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Google Meet	Meet video settings > Recording	meet.video_recording	Let people record their meetings.	enable_recording	boolean
	Meet safety settings > Domain	meet.safety_domain	Who can join meetings created by your organization.	users_allowed_to_join	Enum: SAME_ORGANIZATION_ONLY LOGGED_IN ALL
	Meet safety settings > Access	meet.safety_access	Which meetings or calls users in the organization can join. "Incoming call restrictions" can further limit the calls that users can receive.	meetings_allowed_to_join	Enum: SAME_ORGANIZATION_ONLY ANY_WORKSPACE_ORGANIZATION ALL
	Meet safety settings > Host management	meet.safety_host_management	Default host management	enable_host_management	Boolean
	Meet safety settings > Warn for external participants	meet.safety_external_participants	Indicates participants who are outside "Organization" or whose identities are unconfirmed.	enable_external_label	Boolean

Sites Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Sites	New Sites > Site creation and editing	sites.sites_creation_and_modification	Allow users to create new sites	allowSitesCreation	Boolean
			Users can/cannot edit sites	allowSitesModification	Boolean

Groups For Business Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Groups For Business	Sharing settings > Sharing options	groups_for_business.groups_sharing	Set policies for changing group sharing settings	collaborationCapability	Enum: ANYONE_CAN_ACCESS DOMAIN_USERS_ONLY
			Creating groups	createGroupsAccessLevel	Enum: ADMIN_ONLY USERS_IN_DOMAIN ANYONE_CAN_CREATE
			Group owners can allow external members	ownersCanAllowExternalMembers	Boolean
			Group owners can allow incoming email from outside the organization	ownersCanAllowIncomingMailFromPublic	Boolean
			Default for permission to view conversations	viewTopicsDefaultAccessLevel	Enum: OWNERS MANAGERS GROUP_MEMBERS DOMAIN_USERS ANYONE_CAN_VIEE_TOPICS
			Group owners can hide groups from the directory	ownersCanHideGroups	Boolean
			Hide newly created groups from the directory	newGroupsAreHidden	Boolean

Classroom Settings

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Classroom	General Settings > Teacher permissions	classroom.teacher_permissions	Who can create classes	whoCanCreateClasses	Enum: ANYONE_IN_DOMAIN ALL_PENDING_AND_VERIFIED_TEACHERS VERIFIED_TEACHERS_ONLY
	General Settings > Guardian access	classroom.guardian_access	Allow parents and guardians to access Classroom information	allowAccess	Boolean
			Who can manage parents and guardians	whoCanManageGuardianAccess	Enum: VERIFIED_TEACHERS_AND_DOMAIN_ADMINS DOMAIN_ADMINS_ONLY
	Class settings > About class membership	classroom.class_membership	Who can join classes in your domain	whoCanJoinClasses	Enum: ANYONE_IN_DOMAIN ANYONE_IN_ALLOWLISTED_DOMAINS ANY_GOOGLE_WORKSPACE_USER ANYONE
			Which classes can users in your domain join	whichClassesCanUsersJoin	Enum: CLASSES_IN_DOMAIN CLASSES_IN_ALLOWLISTED_DOMAINS ANY_GOOGLE_WORKSPACE_CLASS
	Data access > Classroom API	classroom.api_data_access	Users can authorize apps to access their Google Classroom data	enableApiAccess	Boolean
	Originality Reports > School Matches	classroom.originality_reports	Enable originality reports school matches	enableOriginalityReportsSchoolMatches	Boolean
	Student unenrollment > Unenrollment permissions	classroom.student_unenrollment	Who can unenroll students from classes	whoCanUnenrollStudents	Enum STUDENTS_AND_TEACHERS TEACHERS_ONLY
	Roster import > Settings	classroom.roster_import	Roster import	rosterImportOption	Enum: OFF ON_CLEVER

Data Protection Rules Settings

For an overview of data protection rules and detectors, see Create DLP for Drive rules and custom content detectors.

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Data Protection	Security > Access and data control > Data Protection > Manage Rules	rule.dlp	Name	display_name	String
			Description	description	String
			Apps	triggers	String[] - List of app specific trigger strings. The list of available app triggers is provided in the following Triggers section.
			Conditions	condition	String - Common Expression Language (CEL) expression of the data conditions the rule scans for. The CEL syntax and some common examples are provided in the following Conditions section.
			Actions	action	Struct - nested object representing app specific actions to take when the conditions are met. The available actions per app trigger are provided in the following Actions section.
			State	state	Enum: ACTIVE INACTIVE
			Created	create_time	Timestamp
			Last modified	update_time	Timestamp
			Rule type specific metadata	rule_type_metadata	Struct - nested object representing rule type specific metadata. For Data Protection rules, this contains the severity level of the triggered events.

Triggers

The list of available applications and their triggers.

• "google.workspace.chrome.file.v1.upload"
• "google.workspace.chrome.file.v1.download"
• "google.workspace.chrome.web_content.v1.upload"
• "google.workspace.chrome.page.v1.print"
• "google.workspace.chrome.url.v1.navigation"
• "google.workspace.chromeos.file.v1.transfer"
• "google.workspace.chat.message.v1.send"
• "google.workspace.chat.attachment.v1.upload"
• "google.workspace.drive.file.v1.share"
• "google.workspace.gmail.email.v1.send"

Conditions

To represent data conditions, the API uses Common Expressions Language (CEL) expressions. Each condition follows the pattern of {content type}.{content to scan for}({additional scan parameters}). For example, all_content.contains('apple') represents a data condition that matches if any of the scanned content (e.g. Drive doc, chat message, etc) contains the substring apple.

Content type

The list of available content types, corresponding to the matching configurations of the same names in the Admin Console.

• access_levels
• all_content
• all_headers
• body
• destination_type
• destination_url
• drive_enterprise_metadata
• encryption_state
• envelope_from
• file_size_in_bytes
• file_type
• from_header
• message_security_status
• request_attributes
• sender_header
• source_chrome_context
• source_url
• source_url_category
• subject
• suggestion
• target_user
• title
• to_header_recipients
• url
• url_category

Content to scan for

The list of available content to scan for, corresponding to the matching configurations of the same names in the Admin Console.

• contains({string})
• starts_with({string})
• ends_with({string})
• equals({string})
• matches_dlp_detector({detector name}, {likelihood}, {minimum_match_count: {count}, minimum_unique_match_count: {count}})
  • Corresponds to the matches predefined data type option in the Admin Console.
  • {detector name} denotes the predefined data type to scan for, which can be one of the built-in infotypes supported by Cloud DLP: https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference. For example, CREDIT_CARD_NUMBER or US_SOCIAL_SECURITY_NUMBER
  • {likelihood} denotes the likelihood threshold of the match. For example, google.privacy.dlp.v2.Likelihood.LIKELY corresponds to the High threshold in the Admin Console.
• matches_regex_detector({detector name}, {minimum_match_count: {count}})
  • Corresponds to the matches regular expression option in the Admin Console.
  • {detector name} is the resource name of the policy that represents the regular expression detector. See Data Protection Detector section on how to query detector policies in the API.
• matches_word_list({detector name}, {minimum_match_count: {count}, minimum_unique_match_count: {count}})
  • Corresponds to the matches words from word list option in the Admin Console.
  • {detector name} is the resource name of the policy that represents the word list detector. See Data Protection Detector section on how to query detector policies in the API.
• matches_web_category({category})
  • Corresponds to the URL category matches option in the Admin Console for Chrome URL visited trigger.
  • {category} denotes the URL category supported by the Admin Console configuration. For example ADULT or ONLINE_COMMUNITIES__SOCIAL_NETWORKS.

Composite conditions

Multiple base conditions can be mixed with AND (&&), OR (||), or NOT (!) operators to form a composite condition. For example, "all_content.contains('apple') && all_content.contains('banana')" represents a condition that matches if any of the scanned content contains both 'apple' and 'banana' substrings.

Actions

Each application specifies the action to take when the data condition matches in a nested message. For example, { "driveAction" { "warnUser" { } } } represents a Drive action that warns users on external sharing. The application specific actions available are following:

Application	Action Key	Subaction	Admin Console Caption
Drive	driveAction	blockAccess	Block external sharing
		warnUser	Warn on external sharing
		auditOnly	no action
		restrictCopyPrintDownload	Disable download, print, and copy
		applyLabels	Apply Classification labels
Gmail	gmailAction	blockContent	Block message
		warnUser	Warn users
		auditOnly	Audit only
		quarantineMessage	Quarantine message
Chat	chatAction	blockContent	Block message
		warnUser	Warn users
		auditOnly	Audit only
Chrome	chromeAction	blockContent	Block
		warnUser	Allow with warning

Rule type specific metadata

This attribute contains the metadata specific to the rule type. For Data Protection rules, it contains the alerting event severity when the event is reported under the security dashboard and alert center. An example value of the metadata representing LOW alert severity:

fields {
  key: "ruleTypeMetadata"
  value {
    struct_value {
      fields {
        key: "dlpRuleMetadata"
        value {
          struct_value {
            fields {
              key: "alertSeverity"
              value {
                string_value: "LOW"
              }
            }
          }
        }
      }
    }
  }
}

Data Protection Detectors Settings

For an overview of data protection rules and detectors, see Create DLP for Drive rules and custom content detectors.

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Data Protection	Security > Access and data control > Data Protection > Manage Detectors	detector.regular_expression detector.word_list	Name	display_name	String
			Description	description	String
			Regular Expression	regular_expression	Struct - contains the regular expression string. Only set if the detector type is detector.regular_expression.
			Word List	word_list	String - contains the list of word strings. Only set if the detector type is detector.word_list.
			Created	create_time	Timestamp
			Last modified	update_time	Timestamp

System Defined Alert Rules Settings

This section describes Google Workspace system-defined alert rules. The API returns only system-defined alerts that are modified from the default value by the administrator.

Page in Admin Console	Specific Setting in Admin Console	Policy API setting type	Admin Console Caption	Policy API Field Name	Data Type
Data Protection	Rules (for "system defined' rule type)	rule.system_defined_alerts	Name	display_name	String
			Description	description	String
			Actions	action	Struct - nested object representing notification settings when the system defined alert is triggered. Details are provided in the following Actions section.
			State	state	Enum: ACTIVE INACTIVE
			Created	create_time	Timestamp
			Last modified	update_time	Timestamp

Actions

System defined alert rules have a single action that denotes the notification settings for the alert.

Action key	Subaction	Admin Console Caption
alertCenterAction	alertCenterConfig	Send to alert center
	recipients	Send email notifications