Granular/Graduated Permissions in Shared Drive Folders

Hi all,

Been puzzling over this for a bit. It looks like when the shared drive folder sharing function was in beta, the feature allowed you to give narrow access at the drive level and then expand that at folder/subfolder level (1). That blog post specifies that access at the drive level sets the /minimum/ access.

But, that is not how it works now/anymore. Now access at the drive level sets the /maximum/ access. Two different support agents confirmed this for me, though the current support pages are silent on the issue (2, 3).

In our specific case, what we're trying to do is give all program staff commenter access to an all-staff shared drive, and then make the staff teams managers for their own project folders within that drive. But it turns out this is impossible. 

That means it's impossible to set up a standard hierarchical file/folder structure - super frustrating! 

Anyone else in this boat? Any workarounds? Have considered making separate shared drives for the different staff teams, but this will be way more complicated for the end users. 

Also, I was originally trying to post this as a feature request, but getting unexpected behavior when I try there. So. Boxed in all around.

Thoughts?

Thanks!

Edited to add: we're on Google Workspace for Nonprofits, in case that matters! 🙂


@mjadmin, Google Drive only supports additive permissions. I would recommend you create a second shared drive for the editors and use the shortcut feature to add the folder with read-only access to the allstaff drive.

For example, here's an SOP I wrote for an admin at one org:

- In the Shared Drive with the resources you want to share, create a folder. We RECOMMEND HIGHLY that the folder is named clearly with "for all Staff" such as "HR Resources for All Staff" to ensure that it's understood anything in this folder is shared to prevent accidental leakages in the future.

- Share the directory, such as "HR Resources for All Staff", to the group allstaff@... with Viewer or Comment permissions.

NOTE: If allstaff is already a member of the shared drive, remove it from the shared drive first and then add it only to the "for All Staff" directory.

- Right-click on the folder you just created, and select "Add a Shortcut" and place the shortcut in the shared drive "All Staff Resources"

Users in the organization can now view the data on the shared drive "All Staff Resources" and use the shortcuts as a yellow pages to content.

-KAM

@KAM Thank you! I think using shortcuts will be a good-enough workaround for now, but yeesh. Am I just being too old-school in my thinking here? Seems like a lot of people would have this need. Appreciate your thoughtful response!

Edited to add: Hmmmm, this solution doesn't /quite/ do what we need it to do - appears that you can only add shortcuts for files/folders, not separate drives. In our case, we have different teams (e.g., communications, finance, other departments) and we want all departments to be able to comment on each other's work, but only manage their own. Chasing my tail a bit now...

Additive or waterfall permissions are definitely a big shift in mindset, but I personally kind of like them--by and large, they're way easier to maintain and troubleshoot. (And Google isn't the only company that's adopted this sort of permissions--Box, for example, has been using that model since day one. They do a nice job of explaining the logic at https://support.box.com/hc/en-us/articles/360043697254-Understanding-Folder-Permissions )

@icrew yes, I like them, too! That's why I'm upset/confused/bewildered that Google Drive *doesn't* have them (anymore)! I've managed and enjoyed Box before, but in this case we are tied to Workspace.

Shared Drives have additive permissions, MyDrive never has (more's the pity). And yes, that makes MyDrive painful. We (I work at UC Berkeley) are now actively pushing folks to use Shared Drives to store anything that needs to stick around longer-term for precisely those reasons!

@mjadmin I think you will find that in general, Google strives to be a 99.9% one-size-fits-most model and not provide 15,000 toggles for every scenario. In the long run, it is a model that works. -KAM

sigh. i knew i had to be making myself crazy with this. definitely had my head on sideways, though perhaps not completely backwards. the problem is specifically that you can't elevate to *manager* specifically (elevating to content manager does work). doesn't exactly solve the initial problem (want teams to be able to share and add people as needed), but the situation is nowhere near as dire as i had previously described.
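
The behaviour described in this thread (additive permissions, and folder-level grants that stop at content manager), sketched as an added example that is not part of any post here and does not call the Drive API. The `SharedDrive` class, its methods and the team group names are hypothetical; the folder-level cap is taken from the poster's report above, not from Google documentation.

```python
# Added example: a model of the behaviour described in this thread, not Drive API code.
ROLES = ["viewer", "commenter", "contributor", "content_manager", "manager"]
RANK = {role: i for i, role in enumerate(ROLES)}
FOLDER_MAX = "content_manager"  # per the thread: a folder grant cannot be "manager"


class SharedDrive:
    """Hypothetical in-memory stand-in for one shared drive and its folders."""

    def __init__(self):
        self.parent = {}          # folder path -> parent path ("" is the drive root)
        self.grants = {"": {}}    # path -> {group: role}

    def add_folder(self, path, parent=""):
        self.parent[path] = parent
        self.grants[path] = {}

    def grant(self, path, group, role):
        if path != "" and RANK[role] > RANK[FOLDER_MAX]:
            raise ValueError(f"{role!r} can only be granted on the drive itself")
        self.grants[path][group] = role

    def effective_role(self, path, groups):
        """Highest role any of the user's groups holds on path or an ancestor."""
        best, node = None, path
        while True:
            for group in groups:
                role = self.grants[node].get(group)
                if role and (best is None or RANK[role] > RANK[best]):
                    best = role
            if node == "":
                return best
            node = self.parent[node]


def build_all_staff_drive():
    """Constructed scenario: allstaff comments everywhere, teams run their own folder."""
    drive = SharedDrive()
    drive.grant("", "allstaff", "commenter")
    for team in ("communications", "finance"):
        drive.add_folder(team)
        drive.grant(team, team, "content_manager")
    # A lower folder grant does not restrict: permissions only add up.
    drive.grant("finance", "allstaff", "viewer")
    return drive
```

For an access review, the case to check is a group that holds a role on the drive itself: lowering or removing its grant on one folder leaves its effective access to that folder unchanged.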

If you create groups for different roles/teams and make the folks you need to be able to add managers of the *group* I think you'll have what you need (now that security groups are out of beta I think this is the intended way?) This way those folks don't have to be drive managers to add/remove/change.

@mjadmin I am 100% with you. I am so glad you posted the link (1) above. Any ideas how we can rejuvenate interest in that beta feature and pull it up on the totem pole?

@mjadmin would you consider giving this folder hierarchy idea from @samorost an upvote please?

@mjadmin @smichel @KAM @icrew Wouldn't we also want the ability to have nested visibility without the ability to "view" the contents? I know it is nuanced but there is a need to give some level of visibility into the structure without having to give "view" rights that basically allow the user to open the content. And the current security options available for Google Drives force us to organize information by user groups instead of by content/subject area, which is counterproductive. Also please consider giving this folder hierarchy idea from @samorost an upvote if you haven't done so already.

@dgokharu Personally, I use file structures with very detailed names that I would not want this type of visibility. -KAM

@KAM I can understand your requirement. It would be beneficial if Google let you decide whether you wanted to make the structure visible or not. 
