How To Secure Shared Drive Folders In Google Workspace
Creating and managing access to folders in Google shared drives can be confusing for admins and employees alike. There are a lot of nuances to how they work—get it wrong, and suddenly confidential information sitting inside a folder within a shared drive could be shared with people who shouldn’t have access. That’s why it’s incredibly important to understand exactly how shared drive folders work and how to use them.
In this article, we’ll examine:
- What to know about folders in shared drives and their security risks
- How to deal with external users and folders in shared drives
- How admins can move Drive folders to a shared drive
We’ll go into each of these items and more in this post. However, if you want to go even deeper, download our full ebook on protecting documents in Google Workspace.
What to know about folders in shared drives
Here are some important points to remember when it comes to folders in shared drives:
- Documents within a folder inherit that folder’s permissions. So if you add a Company link to a shared drive folder, all items within that folder will now be accessible by anyone in the company.
- Although shared drives can’t have public or company links, folders within shared drives can. This means the Finance team shared drive folder and all its contents can be accessible by anyone on the internet if someone makes the link Public.
- Your employees can’t move folders from My Drive into a shared drive even if they have Manager-level permissions.
- However, employees can create new folders in a shared drive if they have the required permissions to do so.
- Admins can only move folders that they or users in their organization own.
- When a folder is moved from one shared drive to another shared drive, the users with access to the destination shared drive can access the files within it (even if they previously didn’t have access).
- To move folders from one shared drive to another shared drive, users must have Manager access in both shared drives.
- If a previously shared folder is moved to a shared drive, users who had access to that shared folder don’t automatically retain access. To gain access, they must be added as members to the shared drive.
- When an admin moves a folder to a shared drive, all of its files will be visible to all members of the shared drive, including hidden files.
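The inheritance and link points above can be checked mechanically. This is an added example, not code from the original article: it walks a constructed folder tree and reports every item reachable through a Public (`anyone`) or Company (`domain`) link set on the item or any ancestor folder. The permission dictionaries follow the Drive API v3 `type`/`role` fields; the single `parent` key, the item names and `example.com` are simplifying assumptions.

```python
FOLDER = "application/vnd.google-apps.folder"
DOC = "application/vnd.google-apps.document"
RANK = {"domain": 1, "anyone": 2}                  # higher rank = wider exposure
LABEL = {"domain": "Company", "anyone": "Public"}  # link names used in the article

# Constructed sample data: items in one shared drive with the permissions set
# directly on each item (inherited permissions are computed below, not stored).
ITEMS = [
    {"id": "f1", "name": "Finance", "mimeType": FOLDER, "parent": None,
     "permissions": [{"type": "anyone", "role": "reader"}]},
    {"id": "f2", "name": "Payroll", "mimeType": FOLDER, "parent": "f1", "permissions": []},
    {"id": "d1", "name": "salaries", "mimeType": DOC, "parent": "f2", "permissions": []},
    {"id": "f3", "name": "Templates", "mimeType": FOLDER, "parent": None,
     "permissions": [{"type": "domain", "role": "reader", "domain": "example.com"}]},
    {"id": "f4", "name": "Press kit", "mimeType": FOLDER, "parent": "f3",
     "permissions": [{"type": "anyone", "role": "reader"}]},
    {"id": "d2", "name": "logo", "mimeType": DOC, "parent": "f4", "permissions": []},
    {"id": "d3", "name": "roadmap", "mimeType": DOC, "parent": None, "permissions": []},
]

def link_exposed_items(items):
    """Map item name -> (widest link type, folder or item where that link is set)."""
    by_id = {i["id"]: i for i in items}
    findings = {}
    for item in items:
        worst, node = None, item
        while node is not None:                    # climb from the item to the drive root
            for perm in node["permissions"]:
                rank = RANK.get(perm["type"], 0)   # user/group permissions are not links
                if rank and (worst is None or rank > worst[0]):
                    worst = (rank, perm["type"], node["name"])
            node = by_id.get(node["parent"])
        if worst:
            findings[item["name"]] = (LABEL[worst[1]], worst[2])
    return findings

if __name__ == "__main__":
    for name, (link, source) in link_exposed_items(ITEMS).items():
        print(f"{name}: {link} link inherited from '{source}'")
```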
What are some security risks?
Several security factors should be considered when dealing with folders in shared drives. You should be aware that when a folder is moved from one shared drive to another shared drive, new users may immediately receive access to that folder and any files within it. This could create access-risk issues as users who should not have access to sensitive files within the folders could now have access.
Let’s look at an example. Marissa has Manager-level permissions and created a folder in a shared drive; the folder holds files containing client sales projections. Only the Sales team has access to the shared drive.
However, she decides to move the folder to another shared drive that comprises Marketing and Sales team members. Unbeknownst to Marissa, an external contractor also has access to the combined Marketing and Sales shared drive. When she moves the folder to the new shared drive, this external contractor also gains access to the files with sensitive client information.
It’s important to be aware of where folders are located and who has access to the shared drives where they are stored.
How to deal with external users and folders in shared drives
Important points to remember:
- External users (including users with personal Google Accounts) can’t move folders to shared drives in your organization even if they have Manager access.
- Admins can’t move folders owned by external users even if the external user is a member of the destination shared drive.
- Admins can’t move internally owned subfolders that are part of an externally owned folder.
- When an admin moves a folder to a shared drive, everyone with access to that shared drive now has access to the files within that folder, including external accounts with access.
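A pre-move check for the scenario in the Marissa example and the last point above, written as an added example (not code from the original article). It compares who can open a folder today with the membership of the destination shared drive and lists who would gain access, flagging external accounts. The lists use the Drive API v3 permission fields `type`, `role` and `emailAddress`; all addresses and the `example.com` organization domain are constructed assumptions.

```python
ORG_DOMAIN = "example.com"  # assumption: the organization's own domain

# Constructed sample data shaped like Drive API v3 permission resources.
CURRENT_ACCESS = [          # who can open the folder today (Sales shared drive)
    {"type": "user", "role": "organizer", "emailAddress": "marissa@example.com"},
    {"type": "user", "role": "writer", "emailAddress": "sam@example.com"},
    {"type": "user", "role": "reader", "emailAddress": "dana@example.com"},
]
DESTINATION_MEMBERS = [     # members of the Marketing and Sales shared drive
    {"type": "user", "role": "organizer", "emailAddress": "marissa@example.com"},
    {"type": "user", "role": "writer", "emailAddress": "sam@example.com"},
    {"type": "user", "role": "writer", "emailAddress": "mia@example.com"},
    {"type": "user", "role": "reader", "emailAddress": "contractor@partner.example"},
]

def by_email(perms):
    """Index user and group permissions by lower-cased address."""
    return {p["emailAddress"].lower(): p["role"]
            for p in perms if p["type"] in ("user", "group")}

def is_external(email, org_domain=ORG_DOMAIN):
    # Limitation: a group on the org domain may still contain external members.
    return email.rsplit("@", 1)[-1] != org_domain

def preview_move(current_access, destination_members, org_domain=ORG_DOMAIN):
    current, dest = by_email(current_access), by_email(destination_members)
    gained = [{"email": e, "role": dest[e], "external": is_external(e, org_domain)}
              for e in sorted(dest) if e not in current]
    return {
        "gained": gained,                                   # new readers after the move
        "external_gained": [g["email"] for g in gained if g["external"]],
        # Per the article, prior access to a shared folder does not carry over;
        # these users would have to be added as members of the destination drive.
        "not_members": sorted(e for e in current if e not in dest),
    }

if __name__ == "__main__":
    report = preview_move(CURRENT_ACCESS, DESTINATION_MEMBERS)
    for g in report["gained"]:
        tag = "EXTERNAL" if g["external"] else "internal"
        print(f"gains access: {g['email']} ({g['role']}, {tag})")
    print("not members of destination:", report["not_members"])
```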
How to move Drive folders to a shared drive as an admin
Please remember that admins can only move folders that users in their organizations own.
- To move existing folders, ask employees to grant your admin account Viewer access or higher to the folder(s) you want to move.
- Note: If you’re using a real-time access control system, you can make this change there instead. For information about access control systems, download our ebook.
- Next, ask the employees to add you as a Manager of the destination shared drive.
- Open drive.google.com and sign in with your admin account.
- Open “Shared with me” to view the folders you want to move and expand the “Shared drives” folders to which you’re moving them.
- Drag the “Shared with me” folders to the “Shared drives” folders.
- Accept the confirmation request to begin the moving process.
Although folders within shared drives can be confusing, it’s important to keep them secure to prevent accidental oversharing with accounts that do not need access. Remember, admins cannot move folders owned by external accounts, or even the internally owned subfolders within them. Meanwhile, external users cannot move folders to shared drives within your organization.
However, when admins move folders to shared drives, everyone with access to that shared drive now has access to files in that folder. For more information on shared drives and folder security, read our full ebook.