Restrict membership of a shared drive to folder level

Good day!

 

Is there any way to add people to certain folders within a shared drive, and limit the sharing of shared drive files (people who aren’t shared drive members CANNOT be added to files)?

 

The reason is that we want to limit the sharing (or re-sharing) of a shared drive, and untick “People who aren’t shared drive members can be added to files”. But currently, we have to add all people to the shared drive as members, so they eventually get access to all folders. We want to limit it, so that even if they’ve been added to the shared drive, they can access certain folders only.

 

Many thanks,

 


Hi @chloewong, Google Shared Drive doesn't allow you to remove access to files or folders if you've been given access at the Shared Drive base level. To accomplish what you're wanting I think you'd need to remove the restricted access group from full Shared Drive access, and then add them back to specific folders within the Shared Drive, preferably using Google Groups so that you can manage access within the Groups, rather than having to track through your folder structure as it develops to add/remove individual access levels as needed.

Use a test Shared Drive with a small group of users as a trial before you start changing your live structure in case it has any undesirable outcomes!

Hi @GerhardZelenka ,

Thanks for sharing your practice. I tried that on multiple occasions: remove the restricted access group from full Shared Drive access and add them to folders within only.

In this case, with ‘People who aren’t shared drive members can be added to files’, in the real case all editors of files can re-share and the owner of a shared drive loses full visibility of people accessing files within the shared drive. So my goal is to lock the members who can access files in a shared drive (i.e., people who aren’t shared drive members cannot be added to files), and then grant differential folder access for groups.

 

Another thought: I agree we should be using groups for folder sharing, and individual access can be managed by groups. But how can we encourage users to share docs with Groups rather than individuals, given that when a user clicks the ‘share’ button, a list of individuals is shown immediately, and users have to memorize the groups each individual belongs to and then type the group name?

 

Cheers!

Hi @chloewong,

Sorry for the delay in getting back to you.

There is a feature in Google Drive that allows you to disable "Editors can change permissions and share" within Shared Drives you'd have to reduce people's access to Commenter to prevent them from sharing specific files.

Getting people to switch to using Groups is difficult, but you can now add a group and then hover over it to see the membership list (if the list isn't too large)

I also have a summary view of some of our lists so people can check who the members are, but that means having to maintain it which is a hassle.

Have you found any other ways of managing access within Google? They really need a publicly available tool to run access checks without needing Admin rights so groups can check their own data!
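Added example, not part of the thread or any poster's own code: one way to regain the visibility discussed above is to scan Drive API v3 permission records for principals whose access does not come from shared drive membership. The sample records are constructed, and it is assumed they were fetched with `permissions.list` using `supportsAllDrives=true` and a `fields` mask that includes `permissionDetails`.

```python
# Constructed sample: trimmed Drive API v3 permission resources for two items
# in one shared drive. All IDs and addresses are made up for illustration.
SAMPLE_ITEMS = [
    {"id": "fileA", "name": "budget.xlsx", "permissions": [
        {"emailAddress": "staff@example.com", "type": "group", "role": "reader",
         "permissionDetails": [{"permissionType": "member", "role": "reader",
                                "inherited": True, "inheritedFrom": "drive1"}]},
        {"emailAddress": "alice@example.com", "type": "user", "role": "writer",
         "permissionDetails": [
             {"permissionType": "member", "role": "reader",
              "inherited": True, "inheritedFrom": "drive1"},
             {"permissionType": "file", "role": "writer", "inherited": False}]},
        {"emailAddress": "vendor@example.net", "type": "user", "role": "commenter",
         "permissionDetails": [{"permissionType": "file", "role": "commenter",
                                "inherited": False}]},
    ]},
    {"id": "fileB", "name": "notes.doc", "permissions": [
        {"emailAddress": "bob@example.com", "type": "user", "role": "writer",
         "permissionDetails": [{"permissionType": "file", "role": "writer",
                                "inherited": True, "inheritedFrom": "folder7"}]},
    ]},
]

def non_member_grants(items):
    """Return (item name, principal, role, source) for every principal whose
    access to an item does not come from shared drive membership."""
    findings = []
    for item in items:
        for perm in item.get("permissions", []):
            details = perm.get("permissionDetails", [])
            if any(d.get("permissionType") == "member" for d in details):
                continue  # drive member: an extra file grant only raises the role
            principal = perm.get("emailAddress") or perm.get("domain") or perm["type"]
            for d in details:
                source = ("inherited from " + d.get("inheritedFrom", "?")
                          if d.get("inherited") else "direct")
                findings.append((item["name"], principal, d.get("role"), source))
    return findings

def members_only(drive):
    """True when a drives resource has restrictions.driveMembersOnly set."""
    return bool(drive.get("restrictions", {}).get("driveMembersOnly"))

if __name__ == "__main__":
    for row in non_member_grants(SAMPLE_ITEMS):
        print(*row, sep=" | ")
```

Grants reported as inherited point at a folder that was shared with a non-member, so one folder-level fix clears every file beneath it.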

@GerhardZelenka @chloewong, Google focuses on an additive permission model so it's best to use multiple shared drives. And if you are on Enterprise or considering it, you might find that dynamic groups help a ton! https://support.google.com/a/answer/10286834?product_name=UnuFlow&hl=en

-KAM

Hi @chloewong, did you have a chance to find a solution for your problem? I have exactly the same needs! If yes, would you mind sharing?

Thank you.

I am not sure if it is helpful or not, but I was able to control access to folders using shortcuts. I created a new drive with the setting "Allow people who aren't shared drive members to access files" checked. Then created a folder that I wanted to share, made it "Restricted" and only added the users that I wanted to grant access to. I then created another drive, this was just to make mapping easier, where I added Shortcuts to the shared folders.

Hopefully this can give others a work-around. 

Hi @blahboober, thanks for your answer, but I can restrict folders to specific users, even if they are not Shared Drive members (I am using groups/folder to help management). I can also avoid undesired folder sharing because this action needs to be approved by a Shared Drive member. My problem is: how to avoid file sharing! This is the same situation @chloewong wrote before: "... So my goal is to lock the members who can access files in a shared drive (i.e., people who aren’t shared drive members cannot be added to files), and then grant differential folder access for groups ..."

Looking for a solution too. It is a pity that your user (on an organizational level) receives access to an uploaded file of a folder whose settings are set to restricted. The files uploaded to the restricted folder should inherit the folder's permissions and the ones of the entire drive. I don't see the point in this!

Hi @dbachega, my mistake. I apologize. I just started learning Google Drive, but if I come across a solution to that issue, I will be sure to visit back here and post it.

Hi all, the problem I experience with Shared Drives is that I wish to set it up like a directory tree of a server (old school possibly). I can do this in "My Drive" with folders, but not in Shared Drive. In My Drive, I can give "all_staff@school.com" access to the top level folder, then create a folder below like "Secondary School" and "Elementary School" then only give access to the "Sec_school_teachers" group (and same for Elem). That way the various teachers only get access to the main folder and then their folders. Super, BUT with "My Drive" it's tied to my account, or my generic account (like ict_director). So when either of those accounts are deleted all the files and folders are gone.....

Enter "Shared Drives" for the safety and longevity and continuity of folders and files being there even when the account (individual or generic) is deleted. Superb way to protect files and folders..... HOWEVER, using a "Shared Drive" I create a Shared Drive called "School Server" then add respective folders beneath that for the Schools, Finance, Board etc. Then at the highest level ("School Server") I add all_staff@school.com (which is a product of multiple groups) then I want to go and restrict access to the folders beneath that (within the "School Server" drive) and I cannot. Everyone who is allowed "View access" to the "School Server" drive can click through each and every folder and open every file in the Shared Drive. i.e. a top down permission levels setting within a Shared Drive does not work, but within "My Drive" it does.... Very frustrating.... Is my logic/thinking missing something? The very permissions structure that makes sense to me is possible within "My Drive" but not within "Shared Drives".

So then within "Shared Drives" and the "School Server" drive I did try the opposite.... I gave no one permission to the Shared Drive called "School Server" but did give them permission to the folders within. This works HOWEVER, next problem, is that because they are not on the Shared drive, they cannot visibly see the "School Server". Now the shared folder (let's say "Secondary School") needs to be searched for (it doesn't even show under "Shared with me").... then, once found, needs to be added as a shortcut to their My Drive....

It's driving me a bit nuts....

I did think that maybe I ought to see the "Shared Drive" (highest level) as the "School Server" Shared drive, but only those who are Sec teachers see that there is a Secondary Folder etc. I really, really want everyone in the school to see all of the folder structure (in the "Shared Drives") but only have access to the ones relevant to them.....

If anyone knows how to do this, or has a work around with shortcuts and permission settings please advise. Much appreciated.

All correct so far, and it works well with non-organizational users (e.g. group members), but be careful: When you or someone else adds new files to the secondary school folder, everyone in your organization will be able to see/search these files. So in my opinion you could directly create two separate shared drives and set up two organizational units.

However, for your case, a split in two organizations and then two shared drives makes more sense to me. 

@waynevoogt 
HOWEVER, using a "Shared Drive" I create a Shared Drive called "School Server" then add respective folders beneath that for the Schools, Finance, Board etc. Then at the highest level ("School Server") I add all_staff@school.com (which is a product of multiple groups) then I want to go and restrict access to the folders beneath that (within the "School Server" drive) and I cannot.

As articulated by @Epotronic, the flaw in your design is making the "School Server" drive; don't make that as a Shared Drive, but make Shared Drives for the folders you would put in there, e.g. make Shared Drives for "Secondary School" and "Elementary School" (or maybe even folders within them).

So then within "Shared Drives" and the "School Server" drive I did try the opposite.... I gave no one permission to the Shared Drive called "School Server" but did give them permission to the folders within. This works HOWEVER, next problem, is that because they are not on the Shared drive, they cannot visibly see the "School Server". Now the shared folder (let's say "Secondary School") needs to be searched for (it doesn't even show under "Shared with me").... then, once found, needs to be added as a shortcut to their My Drive....

Another approach is to make a Shared Drive full of Shortcuts:

Screenshot 2023-09-20 09.33.25.png

As you can see in the example above "Steegle Clients" is a Shared Drive with nothing in it other than Shortcuts to folders from various different Shared Drives. You can see that the user signed in does not have access to the "Clients - Steegle News" or "Clients - Steegle People" folders and needs to request access. The user signed in can access "Steegle Assets" which is a folder on another Shared Drive that the user can access fully.

Screenshot 2023-09-20 09.35.54.png

The user signed in also can access "Clients - Steegle.One" which is just a folder on a Shared Drive shared with the user, the user does not have access to the Shared Drive, so it appears in Shared with me when accessing.

Screenshot 2023-09-20 09.34.50.png

The key thing that you're changing when using Shared Drives is instead of clicking your way through a deep and complex folder hierarchy you are scrolling up and down a list of Shared Drives instead: you're replacing clicking with scrolling, but if you don't have access to the Shared Drive then you don't see it at all and therefore there's no clicking or scrolling in that instance as there's nothing to scroll past or click to access.

Hopefully this can give you some inspiration for a different approach.
