GAT+ allows audit of the Domain Google Drive.
Conducting this audit an Admin can take action on Google Drive on any of its users and remove permissions to Folders and its sub-folders in bulk.
All that is needed is to find the Folder you want to remove its permissions and take the action.
Find Folders #
Navigate to GAT+ → Drive audit → Apply custom filter → Search for the Folder
When the result is found take Action.
Apply permission change – Remove #
Click on the drop-down menu on the Title of the Folder.
From the options available select – “Apply permission change to this folder [recursive]”.
A pop window called File Management will be displayed.
Click on the “Remove” tab, a few options will be available.
- Remove following users as Contributors – enter the specific emails needed
- Remove following users as Viewers – enter the specific emails needed
- Remove following users as Commenters – enter the specific emails needed
- Remove all external contributors
- Remove all external viewers
- Remove all external commenters
Note: The other options require the Unlock product
- General – allows changing the owner of Files and Folders
- Add – To add additional users to the Files and Folders
- Replace – existing permissions on the Files and Folders
When you fill in any of the Remove options click on the “Next” button.
In the “Summary” tab check if the options you selected are correct and click on the “Send request” button.
Result of the removal #
The External Shares will be removed, as selected action above.
Click on the “Refresh data” button on the right side. You should see the External users as being removed from the Folder.
Note: If they’re a lot of shares to be removed, it might take some time. Filter the Folder when the job has completed, the Shares will be removed and not visible in GAT+
If you have shared Google Drive files and documents with someone who has already left UCSC, will be retiring or graduating, or simply changing positions and leaving your department, make sure to change your sharing settings if you no longer want that person to have access to your documents in Google Drive.
As long as that person's UCSC account remains open, they will continue to have access to your documents unless you change your sharing settings.
Global Search
Find out who has access to the files you own by doing a global search in Google Drive.
- Open up Google Drive and type in the search field,
to: owner:me [replace the with the person's email address]
Remove Access from a Single File
- Select a file or folder.
- At the top, click the share icon .
- At the bottom right, click Advanced.
- Click the X next to each person you want to remove.
- Click Save changes.
- Perform a global search [instructions above]
- Select all the files by highlighting the first file, hold down your keyboard's Shift key, then move the arrow key down until all documents are highlighted.
- At the top, click the share icon .
- Click the X next to each person you want to remove.
- Click Save changes.
- This action will remove the person from the multiple files you highlighted.
For more details about Google Apps Offboarding process, visit: //its.ucsc.edu/google/offboarding.html
Page 2
Google Workspace Admin Help
Supported editions for this feature: Business Standard and Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; Nonprofits; G Suite Business; Essentials. Compare your edition
As an administrator, you can apply restrictions to your entire organization. Or, set different rules for groups or departments.
You can also prevent shared drive members with Manager access from modifying settings. In the shared drive, you can restrict:
- Non-members from accessing files
- People outside your organization from accessing files
- Commenters and viewers from downloading, copying, and printing files
Control file sharing and access
Expand all | Collapse all
Moving and sharing files
If you want to allow users without a Google Account to collaborate on files as visitors, go to the steps for sharing with non-Google Accounts instead.
When a file is moved into a shared drive, it keeps its file-sharing permissions. So if an owner sets their file to prevent downloading, copying, and printing, it stays like that after it's moved to a shared drive. Moving files does not affect sharing permissions or user roles, such as Content manager or Viewer.
Users can't share files with anyone outside the shared drive’s restrictions. For example, if a shared drive restricts users outside the organization from accessing the shared drive's content, external users are removed from files in that shared drive in the future.
If you change a shared drive’s restriction settings, this does not automatically remove existing users or change a file’s sharing permissions. For example, assume a user outside the organization is added to a file. Then later on, a restriction is applied to the file's shared drive. In that case, the external user is not removed from the file. This means a user might regain access if restrictions are relaxed in the future.
Set the default access for all new shared drives
Admins can define the following options to restrict access to all new shared drives. Visit the Google Workspace Updates blog for more information.
Use the default sharing restrictions to restrict access to the content in all new shared drives. These settings must be actively enabled.
Define the default sharing restrictions
-
From the Admin console Home page, go to AppsGoogle WorkspaceDrive and Docs.
- Select Sharing settings.
- Next to Shared drive creation, select the default restrictions for all new shared drives.
- Prevent users in your organization from creating new shared drives
- Allow members with manager access to override the settings below
- Allow users outside your organization to access files in the shared drive
- Allow people who aren't shared drive members to be added to files
- Allow viewers and commenters to download, print, and copy files in the shared drive
Note: If Allow members with manager access to override the settings below is checked, managers can override any of these default restrictions for individual shared drives.
Key things to remember
- If a document is moved in to a shared drive with default sharing restrictions:
- These default settings override any document-level sharing settings, which might result in some users losing access to documents. If members will lose access, a warning is displayed before the file is moved.
- The document’s protections still apply if the shared drive has less restrictive protections.
- If a document is moved out of the shared drive to My Drive within the same organization:
- The document’s original sharing settings are used instead. This can result in users gaining or losing access.
- Document-level restrictions always stay in place unless specifically changed or removed from the document. Shared drive restrictions only apply to documents when they are in the shared drive.
- Changes to these default restrictions do not affect existing shared drives:
- If these default restrictions are changed, users are not removed from the shared drive or individual file permissions.
- If the shared drive restrictions are more restrictive than the file permissions, however, some users might lose access to the file.
- If the shared drive default restrictions are removed, some users might regain access.
-
From the Admin console Home page, go to AppsGoogle WorkspaceDrive and Docs.
- Select Manage shared drives.
- Hover over a shared drive, and click the Settings button.
- Uncheck Allow managers to modify shared drive settings to keep people from overriding the default settings for the shared drive.
- Check or uncheck boxes to modify any of the following options:
- Sharing outside your organization—Allow or prevent external people from accessing files in the shared drive.
- Sharing with non-members—Allow or prevent shared drive members from giving non-members access to files in the shared drive.
- Download, copy, and print—Allow or prevent commenters and viewers from downloading, copying, and printing files in the shared drive.
Control folder sharing and access
Expand all | Collapse all
You can share a specific folder with other users. You can also upgrade member access to provide users with additional permissions on specific folders within shared drives.
How to use folder sharing
There are a number of scenarios when sharing just a folder [and not an entire shared drive] is important, including:
- For a marketing department, you can have a shared drive accessible by all internal employees, with a specific folder for advertising materials that’s also accessible to an external agency.
- For a shared drive used to prepare for a specific event, you can give all members view access to all files, while providing each specific team with edit access to the documents relevant to their part of the event.
If you assign access to a shared drive, the access level is the minimum level of access that users will have to all files and folders in the shared drive. Any folders in the shared drive can only be shared with the same or higher access level. You [and your users] can’t make the access to folders more restrictive.
For example, a user with Commenter access to a shared drive cannot have Viewer access to a folder in that shared drive. If access to a file or folder is downgraded, access to parent folders is downgraded as well.
Who can share folders?
Managers of a shared drive can share folders in the shared drive. Folders in shared drives have the same access levels as the shared drives, with the exception of the Manager access level. Learn more about Shared drives access levels.
What happens when someone moves a file or folder?
When someone moves a file or folder in, within, or between shared drives or to My Drive, inherited access to content is updated, and direct access stays the same.
For example, say you have a document in the Sales team shared drive. All members of the Sales team have Viewer access to the shared drive, and therefore, to the document as well. Five Sales team members have Editor access to the document. If the document gets moved out of the Sales team shared drive, the Sales team loses their inherited Viewer access, but the 5 users still have Editor access.
Moving folders in a shared drive can create broad changes to content access. Therefore, only users who have Manager access to the original and target locations can move folders into or between shared drives.
Note: If you share a folder in a shared drive with the option Anyone in this group with this link can view, you can't share any file or folder inside with the option Anyone with the link. To work around this limitation, do either of the following things:
- First, share the item with the option Anyone with the link, then share the parent folder with the option Anyone in this group with this link can view.
- Use the API to share the child folder after the parent [API supports this process, but the UI does not].
You can find folders from shared drives in the Shared with me section in Google Drive. If a user has Member access to the shared drive, they will also see the shared folder under the shared drive in Drive. When you share a folder, the recipient gets a notification. Anyone can organize shared folders using shortcuts.
Folders do not automatically appear in Google Drive for desktop or a shared drive unless you have Manager access. You can, instead, create a shortcut to the shared folder to access in Drive for desktop and sync the content.
Control sharing for your organization
Use the following settings to restrict sharing for your organization. These settings apply to all Drive files. For example, if your organization restricts sharing outside of the organization, shared drive content is also restricted.
Expand all | Collapse all
Restrict users from moving content outside of your organization
Supported editions for this feature: Business Standard and Business Plus; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; G Suite Business; Essentials. Compare your edition
You can control who can move files and folders outside of your organization when moving content from:
- A shared drive in your organization to:
- A shared drive owned by another organization
- Someone’s My Drive in another organization
- Someone’s My Drive in your organization to a shared drive owned by another organization
-
From the Admin console Home page, go to AppsGoogle WorkspaceDrive and Docs.
- Click Sharing settingsSharing options.
- Select the desired organizational unit or group.
- In Distributing content outside of your organization, select an option:
- Anyone
- People with Manager access to a shared drive can move files from that shared drive to a Drive location in a different organization. Learn more
- People in the selected organizational unit or group can move content from their My Drive to a shared drive owned by a different organization [for example, another business, group, or school]. Learn more
- Only users in your organization
- People with Manager access to a shared drive can move files from that shared drive to a Drive location in a different organization.
- Users in the selected organizational unit or group can move content from their My Drive to a shared drive owned by a different organization.
- No one
- Files on a shared drive cannot be moved to a Drive location in a different organization.
- No one in the selected organizational unit or group can move content from My Drive to a shared drive owned by a different organization.
- No one in the selected organizational unit or group can create files on a shared drive owned by another organization.
- Anyone
- Click Save.
Important: If you select a child organizational unit or group, this setting only controls moving content from someone’s My Drive to a shared drive in a different organization [for example, another business or school]. If the top-level organizational unit permits the user to share files outside their organization, but the child organizational unit does not, the user can’t share files outside their organization.
It can take up to 24 hours to see changes. During this time, old and new settings might be intermittently enforced.
Set file-sharing permissions
Shared drives use the top-level organization settings. For example, if external sharing is disabled for a user's organizational unit but allowed at the top-level organization, the user can share documents in shared drives with people outside the company or school.
Admins can define additional restrictions for each organizational unit using the default settings for the creation of new shared drives. A shared drive’s restrictions can't be broader than the top-level organization’s restrictions. But you can use the default settings to further restrict access for shared drives created in specific organizational units.
Add members to a shared drive to grant access to files in the shared drive.
Go to Store and share files with shared drives for more information.
Share a specific file
Shared drive members can also share specific files with people who aren't members of the shared drive.
Go to Share files outside of shared drives for more information.