The Complete Guide To Shared Drive Access Levels In Google Workspace
Shared drives in Google Workspace can be confusing. What are the security risks? Who has access to your company’s shared drive? What permissions do they have, and how can you change these permissions to keep your company’s data safe?
We’ll go over the security risks of using shared drives and give you a complete guide on different types of access levels, their permissions, and how to change them.
In this article, we’ll explore:
- What security risks come from using shared drives
- Shared drives access levels and what permissions each role has
- How to manage these shared drive access levels
For more information on shared drive security, download our full ebook.
What Security Risks Come from Using Shared Drives?
The biggest risk related to shared drives is permissions. That’s because permissions on shared drives are inherited by all documents and folders within them. If an account that shouldn’t have access gets added at the shared drive level, they’ll have access to all documents and folders in that shared drive. If this happens with confidential information, like a folder full of salary information or a secret project, it can have more consequences than if someone were added to a single document.
Another challenge with shared drives is when members are never fully removed once a project is finished. After you complete a project in a shared drive, it’s usually a good idea to remove members’ access or downgrade them from a Manager, Content manager, or Contributor so that they have fewer permissions. (More on these permission types below)
It’s also vital to make sure that users are not uploading anything to a company shared drive that shouldn’t be there. For example, one admin shared that an employee once uploaded their tax forms to a shared drive, causing a multitude of headaches for the admin as they tried to find and remove access to these sensitive personal files.
Departments often have their own shared drives, and they need to be extra careful with who has access.
If you have a department that regularly deals with sensitive customer or employee information such as HR and Finance, they will want to make sure their shared drives are not easily accessed by any external third parties, or anyone in the organization that shouldn’t be added as a collaborator, and that they do not have Company links.
Setting Permissions on Shared Drives
In shared drives, users have different access levels or roles: Managers, Content managers, Contributors, Commenters, and Viewers.
Within a shared drive, permissions can vary at the folder or document level, where there can be additional Managers, Editors, Commenters, and Viewers. Permissions are inherited from the folder level as well. So just because a top-level shared drive is secure, it doesn’t automatically mean that the folders within the drive and the documents in those folders are secure.
We’ll go over what each of these roles can do and how to change permissions in your organization.
Shared Drive Access Levels
A Manager has the highest level of permissions in the shared drive.
They can perform any task including viewing and commenting on files; making and rejecting edits in documents; creating, removing, or restoring files in the shared drive; as well as adding people and groups to specific files or folders.
When an account creates a new shared drive, they are automatically a Manager. However, when new members are added to the drive, they are not Managers by default but automatically become Content managers unless the default permissions are changed. There can be multiple Managers for a single shared drive.
Content managers have almost as many permissions as Managers, but they are unable to add people and groups to the drive or folders within it. They also can’t move files and folders from a shared drive to another shared drive or to their My Drive. And they can’t permanently delete files and folders in the trash.
On an overarching level, they cannot add or remove people to or from shared drives/folders or delete a shared drive. Only Managers have this permission. There can be multiple Content managers for a single shared drive.
Contributors are also known as Editors at the individual file level. They have a good amount of privileges. For example, they can add people to specific files in the drive, but they are restricted from doing other tasks, like adding people to specific folders.
In the files themselves, contributors can make or approve edits. They are also able to create and upload files and create folders in the shared drive. However, they won’t be able to move shared drive files or folders anywhere: not to My Drive, not to another shared drive, and not within the shared drive itself.
They are also unable to move any files or folders to the Trash or permanently delete them once they’re in there. However, they do have the privilege of being able to restore files and folders from trash for up to 30 days.
Commenters only have two actions they can take in shared drives: they can view the shared drives, files, and folders, and they can add their comments to the files.
Viewers are only allowed to view the shared drive, folders, and files. They can offer no further input to the drive or its individual documents.
For all of these permission types, access to the shared drive or the folders within the shared drive grants the same level of access to all folders and documents within it.
How to manage shared drives users’ access levels
You can manage the members of the shared drive by removing members or changing their access levels. You can also add new members to shared drives and then set their access levels.
How to do it
- “Apps” > “Google Workspace” > “Drive and Docs.”
- Go to “Service status” and double-check that Drive is turned on. The status should read “ON for everyone.”
- Click “Manage shared drives.”
- Choose a shared drive and click “Manage members.”
Here’s where you have several options:
- You can remove a member from the shared drive or change their access levels, by clicking the down arrow and choosing an option.
- You can also add new members to the shared drive and set access levels:
- Click “Add people and groups” and enter the names or email addresses of the people or groups you want to add. If you want to add more members than your limits will allow, it’s a good idea to add Groups rather than every individual email account.
- Set access levels by clicking the “Down arrow” and choosing an access setting. Remember by default, shared drive members can upload, edit, and delete files and invite other members.
- In the Message field, you can enter a custom message for the email notification. Or you can uncheck the “Notify people” box to forgo the welcome message with a link to the shared drive. Then, click “Send.”
- Click “Add people and groups” and enter the names or email addresses of the people or groups you want to add. If you want to add more members than your limits will allow, it’s a good idea to add Groups rather than every individual email account.
If you have “Manager” access, you are also able to manage members directly in the shared drive, simply by going to your shared drive section in Google Drive, clicking on the shared drive you want to manage, and then selecting “Manage Members” at the top right.
When you select “Manage Members,” you can then change the access levels of members on the shared drive or even remove their access.
Although shared drives may be tricky to manage, they can also be a key element in your company’s security response. Often, keeping documents in a shared drive can give admins better visibility into who has access to sensitive information. However, it’s important to be aware of the different access levels and permissions that your users have and be able to easily change them when needed.
For more information on shared drive access or how to keep your confidential information safe in Google Workspace, see a demo here.