Setting up permissions for many different people can get out of hand in Google Drive. Here’s how to solve it.
Over the years we lose track of whom we have shared documents with: edit access to this person, view access to that one. People ask for access but never seem to ask to be un-shared. Eventually we cannot remember which documents are shared at all, much less who specifically has access to which ones.
Let’s say that I’m the manager of a larger group, such as a parent teacher association, a political campaign, or a regional pet rock enthusiast group. I would likely want to set up a Google Drive scheme that lets us share documents and other files with one another. However, this can get complicated if you need to give different people varying levels of access to groups and files.
Imagine: The PTA of a 5th grade class runs fundraisers throughout the year. 5th grade parents need access to a spreadsheet to register for volunteer slots, or make financial pledges on a shared chart. Other people may also need access—for instance, one student’s uncle wants to join the fundraising campaign. At the same time, the 4th grade PTA does not need access to these logistic and financial details — at least not now. What about the end of the year when the 4th graders become 5th graders? The new 5th grade PTA should take over managing the PTA documents. The graduated parents should no longer have access to documents or receive mailing list emails that don’t pertain to their children. Lots of “ifs” and “buts” — it gets complicated.
This may seem like a trivial example, but think about a political campaign. Allowing people who have left (or been fired) to keep reading files and sending group emails can leak internal material and let outsiders speak as the organization. It pays to put in the leg work upfront to set up sane, easy-to-manage permissions.
There are three main access control schemes: mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC).
MAC assigns every user and every piece of data a label from a fixed ordering, and a central policy, not the data's owner, decides who may read what: a user can read anything labelled at or below their own level. As a rough illustration, a regular user can read everything marked for regular or public users, while an administrator can read everything. The classic example is the U.S. classification scheme: Top Secret, Secret and Confidential, with Unclassified below them. A Secret clearance lets you read Secret and Confidential material but never Top Secret; for compartmented material you also need a need-to-know, and that too is decided by the policy rather than by whoever happens to own the document.
DAC grants permissions per entity, at the discretion of the entity's owner. This is the standard Google Drive permissions scheme: we can give one person read access to one file and write access to another, even when both files sit in the same folder. Google Drive does DAC well, but per-file grants accumulate over time. We grant access, forget that we did, and the grant outlives its purpose even as the sensitivity of the file changes.
RBAC can help us solve this problem. With RBAC every user is placed in one or more "roles", and permissions on each entity are granted to roles rather than to individuals, so adding or removing a person from a role changes their access everywhere at once. If we were running a political campaign, we might define roles such as 1) the inner circle, 2) the communications team, 3) everyone, and sort information into folders accordingly. This is fairly easy to set up in a G Suite environment, but G Suite's $5/user/month can be prohibitively expensive for large groups. So, if we are willing to put in some leg work and follow a process, we can achieve similar access controls with free Gmail accounts and Google Groups.
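Added example, not code from the original post: toy versions of the three decision rules in Python, with made-up users, files and roles, to show concretely why offboarding someone is one operation under RBAC but a hunt through every object's access list under DAC.

```python
"""Toy authorization checks for MAC, DAC and RBAC.

Constructed example: the users, files, roles and clearances below are made up.
"""
from typing import Dict, Set

# ---- MAC: fixed, ordered labels enforced by policy, not by the data owner ----
# Bell-LaPadula "simple security" rule: a subject may read an object only when
# the subject's clearance dominates the object's label ("no read up").
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def mac_can_read(clearance: str, label: str) -> bool:
    return LEVELS[clearance] >= LEVELS[label]

# ---- DAC: a per-object access list that the object's owner edits ----
# acl[file][user] = set of rights, e.g. {"read"} or {"read", "write"}
DacAcl = Dict[str, Dict[str, Set[str]]]

def dac_can(acl: DacAcl, user: str, file: str, right: str) -> bool:
    return right in acl.get(file, {}).get(user, set())

def dac_revoke_user(acl: DacAcl, user: str) -> int:
    """Offboarding under DAC: every object's ACL must be visited and edited.
    Returns how many objects still had a grant for the user."""
    touched = 0
    for rights in acl.values():
        if rights.pop(user, None) is not None:
            touched += 1
    return touched

# ---- RBAC: users hold roles; objects grant rights to roles ----
Roles = Dict[str, Set[str]]              # user -> roles held
Grants = Dict[str, Dict[str, Set[str]]]  # file -> role -> rights

def rbac_can(roles: Roles, grants: Grants, user: str, file: str, right: str) -> bool:
    return any(right in grants.get(file, {}).get(role, set())
               for role in roles.get(user, set()))

def rbac_revoke_user(roles: Roles, user: str) -> int:
    """Offboarding under RBAC: drop the user's role memberships; no object is
    touched. Returns how many roles were removed."""
    return len(roles.pop(user, set()))

# Constructed campaign data (hypothetical names).
ROLES: Roles = {"alice": {"inner-circle", "comms"}, "bob": {"comms"}, "carol": {"public"}}
GRANTS: Grants = {
    "budget.xlsx": {"inner-circle": {"read", "write"}},
    "press-release.docx": {"comms": {"read", "write"}, "public": {"read"}},
}
# The same intent expressed as DAC: every person listed on every file.
ACL: DacAcl = {
    "budget.xlsx": {"alice": {"read", "write"}},
    "press-release.docx": {"alice": {"read", "write"},
                           "bob": {"read", "write"},
                           "carol": {"read"}},
}

if __name__ == "__main__":
    print("secret->confidential:", mac_can_read("Secret", "Confidential"))
    print("bob reads budget (RBAC):", rbac_can(ROLES, GRANTS, "bob", "budget.xlsx", "read"))
    print("objects edited to offboard alice under DAC:", dac_revoke_user(dict(ACL), "alice"))
    print("roles removed to offboard alice under RBAC:", rbac_revoke_user(dict(ROLES), "alice"))
```

Note that `dac_revoke_user` has to scan every object, and in a real Drive the list of objects you forgot about is exactly the problem; `rbac_revoke_user` only needs the user's name.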
The key steps to this process are as follows:
The first step is creating a group administrator Gmail account. You can use your already established email account, but I prefer to have segmentation in my life. It keeps things simpler, and you can always make yourself a "manager" of the group.
With your admin gmail account created, you should create a new Google Group for each of your different roles.
Just go to https://groups.google.com/ and click “Create Group”. Fill out the information. I suggest using a common naming convention for each group, and setting group type to “Email list”. Configure the initial “Basic Permissions”. It’ll be one less thing to clean up later. Ensure that “All members of the group” can “View Topics”. Remove the ability for group members to post, or for non-group members to request access to the group.
With your group created, you can add new users by inviting or “direct adding” them. The added user will receive an email with an invitation, or a notification that they’ve been added to the group.
Once they're added, you will see them in the group's dashboard under All users.
You can also remove users from the group here.
Once the groups are created for the different “roles” of your organization, you’ll want to configure a Google Drive folder structure. It may be helpful to tie your folder names to your Google Group naming conventions.
After creating folders, right click and share the respective folders with the appropriate Google Group email addresses. Use advanced options to ensure that the “Notify people” and “Prevent editors from changing access and adding new people” boxes are both checked.
The Google Group will create a new topic when it receives an invitation to collaborate.
When current or new users click the link it will appear in their Google Drives’ “Shared with me” section.
With our groups setup, our users added, and the folder structure created, there are a few last items to configure and things to think about.
First, let's set up permissions. Go to each group's permissions section, beginning with "Basic Permissions".
Lock down all permissions in Basic Permissions excluding "View topics". All group members need the ability to "View topics"; otherwise they will not be able to open previously shared links and have the folders appear under their "Shared with me" items. If you reviewed these settings when you created the group, you don't need to worry about this. Prevent anyone from posting and only allow invited users to join the group. You can even disable inviting users if you only plan on performing direct enrollment of all members.
Also make Posting Permissions, Moderation Permissions, and Access Permissions the most restrictive. Be careful under Access Permissions to still allow all members of the group to view topics.
In Google Drive, ensure that your team members follow the classification of data by only sharing files in the appropriate folders, and never set one-off, per-file, per-person shares: those are exactly the DAC grants that nobody remembers to revoke.
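Added example, not from the original post: an offline audit that checks Drive sharing records against the folder-to-group scheme described above and flags the drift the post warns about (per-person shares, "anyone with the link" shares, folders shared with the wrong group, and editors allowed to re-share). The records are constructed to mirror the shape of Drive API v3 `files.list` output requested with the `permissions` and `writersCanShare` fields; `writersCanShare: false` is the API's equivalent of the "Prevent editors from changing access and adding new people" checkbox. The admin address, group addresses and file names are assumptions. In real use you would fetch the same fields with the Drive API and pass them to `audit()`.

```python
"""Offline audit of Google Drive sharing against a folder -> Google Group scheme."""
from collections import Counter
from typing import Dict, List, Tuple

ADMIN = "pta-admin@gmail.com"  # dedicated group-administrator account (assumed name)

# Policy: the single Google Group each top-level folder may be shared with, and how.
FOLDER_POLICY: Dict[str, Dict[str, str]] = {
    "folder-5th": {"group": "pta-5th-grade@googlegroups.com", "role": "writer"},
    "folder-4th": {"group": "pta-4th-grade@googlegroups.com", "role": "reader"},
}

FOLDER = "application/vnd.google-apps.folder"
SHEET = "application/vnd.google-apps.spreadsheet"

def _owner() -> dict:
    return {"type": "user", "emailAddress": ADMIN, "role": "owner"}

def _group(addr: str, role: str) -> dict:
    return {"type": "group", "emailAddress": addr, "role": role}

# Constructed records in the shape of Drive API v3 files.list results.
FILES: List[dict] = [
    {"id": "folder-5th", "name": "PTA 5th grade", "mimeType": FOLDER, "parents": [],
     "writersCanShare": False,
     "permissions": [_owner(), _group("pta-5th-grade@googlegroups.com", "writer")]},
    {"id": "f1", "name": "Volunteer slots", "mimeType": SHEET, "parents": ["folder-5th"],
     "writersCanShare": False,
     "permissions": [_owner(), _group("pta-5th-grade@googlegroups.com", "writer"),
                     # the uncle who was added directly instead of via the group
                     {"type": "user", "emailAddress": "uncle@example.com", "role": "writer"}]},
    {"id": "f2", "name": "Pledges", "mimeType": SHEET, "parents": ["folder-5th"],
     "writersCanShare": True,  # editors may re-share: the checkbox was left unchecked
     "permissions": [_owner(), _group("pta-5th-grade@googlegroups.com", "writer"),
                     {"type": "anyone", "role": "reader"}]},
    {"id": "folder-4th", "name": "PTA 4th grade", "mimeType": FOLDER, "parents": [],
     "writersCanShare": False,
     "permissions": [_owner(), _group("pta-4th-grade@googlegroups.com", "reader")]},
    {"id": "f3", "name": "Fall fundraiser plan", "mimeType": SHEET, "parents": ["folder-4th"],
     "writersCanShare": False,
     # shared with the 5th-grade group although it lives in the 4th-grade folder
     "permissions": [_owner(), _group("pta-5th-grade@googlegroups.com", "writer")]},
]

Finding = Tuple[str, str, str]  # (file name, severity, message)

def top_folder(file_id: str, by_id: Dict[str, dict]) -> str:
    """Walk the parents chain up to the highest folder present in the listing."""
    current = file_id
    while True:
        parents = by_id[current].get("parents") or []
        if not parents or parents[0] not in by_id:
            return current
        current = parents[0]

def audit(files: List[dict], policy: Dict[str, Dict[str, str]], admin: str) -> List[Finding]:
    """Compare every permission entry with the policy for the file's top-level folder."""
    by_id = {f["id"]: f for f in files}
    findings: List[Finding] = []
    for f in files:
        name = f["name"]
        expected = policy.get(top_folder(f["id"], by_id))
        if f.get("writersCanShare", True):
            findings.append((name, "medium", "editors may re-share (writersCanShare is true)"))
        for p in f.get("permissions", []):
            kind, role, who = p["type"], p["role"], p.get("emailAddress", "")
            if kind == "user" and role == "owner" and who == admin:
                continue  # the admin account owning the file is the expected state
            if kind == "anyone":
                findings.append((name, "high", f"link sharing enabled for anyone ({role})"))
            elif kind == "user" and role == "owner":
                findings.append((name, "high", f"owned by {who}, not the admin account"))
            elif kind == "user":
                findings.append((name, "high", f"one-off per-user share: {who} as {role}"))
            elif kind == "group":
                if expected is None:
                    findings.append((name, "medium", f"shared with {who} but folder has no policy"))
                elif who != expected["group"]:
                    findings.append((name, "high", f"shared with {who}; policy allows only {expected['group']}"))
                elif role != expected["role"]:
                    findings.append((name, "medium", f"{who} has {role}; policy says {expected['role']}"))
            else:  # "domain"
                findings.append((name, "medium", f"shared with a whole domain as {role}"))
    return findings

def severity_counts(findings: List[Finding]) -> Counter:
    return Counter(sev for _, sev, _ in findings)

if __name__ == "__main__":
    for name, sev, msg in audit(FILES, FOLDER_POLICY, ADMIN):
        print(f"[{sev:6}] {name}: {msg}")
```

Run it periodically (or before the yearly hand-over) and treat every "high" finding as a share to remove; the only permissions that should survive are the admin owner and the one group the folder's policy names.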
Some other items to consider:
If you can afford the G Suite accounts, they are the ideal way to go. They provide you with advanced security and auditing functions. They also make handling RBAC easier. But G Suite is expensive and free is free! With free comes a bit of extra work. But if you’re willing to put in the extra work, it will help keep you sane and your documents protected.