Setting up permissions for many different people can get out of hand in Google Drive. Here’s how to solve it. Over the years, we lose track of who we share documents with. We allowed edit access to this person and view access to that person. People ask for access — but never seem to ask to be un-shared. Looking back, we can’t remember what documents are even being shared in any way, much less, who specifically has access to what documents. A Refresher: Why People Use Google Drive to Share Documents Let’s say that I’m the manager of a larger group, such as a parent teacher association, a political campaign, or a regional pet rock enthusiast group. I would likely want to set up a Google Drive scheme that lets us share documents and other files with one another. However, this can get complicated if you need to give different people varying levels of access to groups and files. Imagine: The PTA of a 5th grade class runs fundraisers throughout the year. 5th grade parents need access to a spreadsheet to register for volunteer slots, or make financial pledges on a shared chart. Other people may also need access—for instance, one student’s uncle wants to join the fundraising campaign. At the same time, the 4th grade PTA does not need access to these logistic and financial details — at least not now. What about the end of the year when the 4th graders become 5th graders? The new 5th grade PTA should take over managing the PTA documents. The graduated parents should no longer have access to documents or receive mailing list emails that don’t pertain to their children. Lots of “ifs” and “buts” — it gets complicated. This may seem like a trivial example, but think about a political campaign. Allowing people who have left (or been fired) to continue accessing files and sending group emails could have security consequences. It pays to put in the leg work upfront to setup sane, easy-to-manage permissions. How to think about access controls: MAC, DAC, and RBAC There are three main access control schemes. Mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC). MAC is based on an idea of levels (e.g. administrator user, regular user, public user). Users can access everything at or below their level. For example, a regular user could access all entities that are authorized to regular or public users. While an administrator user could access all entities. Another good example of MAC is the information classification scheme used by the U.S. government: Top Secret, Secret, Confidential, Public Trust, Unclassified. If you have Secret clearance, you can access Secret data, Confidential data, etc., but you cannot access Top Secret information, unless access is granted on a discretionary per-entity basis. DAC grants permissions on a per-entity basis. This is the standard Google Drive permissions scheme. For example, in Google Drive we can give one person read access to a specific file and write access to another file. These files could even be in the same folder. Google Drive is great at DAC, but, over time, convoluted DAC permissions can get complicated. We can grant access and then forget that we did, even as the sensitivity of the file changes over time. RBAC can help us solve this problem. With RBAC, all users are placed in one or more “roles”. Then on a per-entity basis we grant permissions to specific roles. This sounds like a great solution to our problem. Let’s say we were running a political campaign, we may want to have different roles to classify information: e.g. 1) restricted to inner circle, 2) restricted to communications team, 3) publicly available information, etc. . So, if we’re willing to put in some leg work and follow a process, we can achieve similar access controls with a distributed team. This is fairly easy to set up in a G Suite environment, but G Suite’s $5/user/month can be prohibitively expensive with large groups The key steps to this process are as follows: Setting up a group administrator user Setting up multiple Google Groups Configuring a Google Drive folder structure Locking down a few items Setting up a group administrator user The first step is creating a group administrator gmail account. You can use your already established email account, but I prefer to have segmentation in my life. It keeps things simpler, and you can always make yourself a “manager” of the group. Setting up a Google Group With your admin gmail account created, . you should create a new Google Group for each of your different roles Just go to and click “Create Group”. Fill out the information. I suggest using a common naming convention for each group, and setting group type to “Email list”. https://groups.google.com/ Configure the initial “Basic Permissions”. It’ll be one less thing to clean up later. Ensure that “All members of the group” can “View Topics”. Remove the ability for group members to post, or for non-group members to request access to the group. Creating group and setting basic permissions With your group created, you can add new users by inviting or “direct adding” them. The added user will receive an email with an invitation, or a notification that they’ve been added to the group. Invitation email Once they’re added, you will see them in the group’s dashboard under All users You can also remove users from the group here. Configuring a Google Drive folder structure Once the groups are created for the different “roles” of your organization, you’ll want to configure a Google Drive folder structure. It may be helpful to tie your folder names to your Google Group naming conventions. After creating folders, right click and share the respective folders with the appropriate Google Group email addresses. Use advanced options to ensure that the “Notify people” and “Prevent editors from changing access and adding new people” boxes are both checked. Notice the group icon next to the Google Group email The Google Group will create a new topic when it receives an invitation to collaborate. Users load folder through group “topics” the first time When current or new users click the link it will appear in their Google Drives’ “Shared with me” section. A document shared with a user in a group Locking down a few items With our groups setup, our users added, and the folder structure created, there are a few last items to configure and things to think about. Configure permissions First, let’s set up permissions. Go to each groups’ permissions section, beginning with “Basic Permissions” Lock down all permissions in Basic Permissions excluding “View topics”. ”. Otherwise, they will not be able to open previously shared links and add them to their shared drive items. If you reviewed these settings when you created the group, you don’t need to worry about this. Prevent anyone from posting and only allow invited users to join the group. You can even disable inviting users, if you only plan on performing direct enrollment of all members. All group members need the ability to “View topics Basic permissions Also, make Posting Permissions, Moderation Permissions, and Access Permissions, the most restrictive. Be careful under Access Permissions to allow all members of the group to view topics. In Google Drive you should ensure that your team members follow the classification of data by only sharing files in the appropriate folders, and do not set one off, per-file, DAC permissions. Some other items to consider: When you delete a user from the group, they will lose access to folders and files, unless they’re in a different group that still has access After creating a new folder and sharing this entity with the Google Group email, users will have to load it for the first time by clicking the share link in the groups “Topics” section To stop sharing an entity with an entire group, simply remove that group from the shared options. If your team has team leaders, you may consider making those leaders “managers” of groups and giving them the appropriate capabilities for group management (adding users, deleting users, etc.) Some may be concerned that non-gmail users will not be able to access groups, and thus, will not be able to access Google Drive/Docs/etc. Luckily anyone can have a Google account. Simply go to or Click “I prefer to use my own email address” when doing . This is a great function, especially for teams made up member with a variety of email domains. https://accounts.google.com/SignUpWithoutGmail regular signup Final Thoughts If you can afford the G Suite accounts, they are the ideal way to go. They provide you with advanced security and auditing functions. They also make handling RBAC easier. But G Suite is expensive and free is free! With free comes a bit of extra work. But if you’re willing to put in the extra work, it will help keep you sane and your documents protected. This is a post from Isaiah Sarju of Revis Solutions . If you like this post be sure to clap, check out his other posts on the Revis Solutions Blog , and follow on Twitter @isaiahsarju , @revissolution
