As a Google admin, you have quite a bit of power when it comes to setting permissions for your teams. Depending on your Google Workspace plan, you are able to control how your users share links. We’ll briefly go over the permissions you can set for your employees and how to do it in your Admin console.
In this article, we’ll explore:
- Letting users share files outside of your organization
- Restricting all file sharing outside of your organization
- Restricting the access levels users can give to files
- Controlling the default settings of how users share links to files
For a deeper dive into best practices for document security, get our full ebook.
How to let users share files outside of your organization
Supported editions include Business Standard and Plus; Enterprise; Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus; G Suite Business; Nonprofits; Essentials.
For sharing outside your organization, admins can decide if users can make files visible for anyone with the link under the “Sharing options” section in “Sharing settings.” This means that when sharing outside of your organization is allowed, your employees can make files public for anyone who has access to the link.
How to do it
- Within the admin panel, go to “Apps” > “Google Workspace” > “Drive and Docs” > “Sharing settings” > “Sharing options”
You can either apply the setting to everyone in the organization by leaving the top organizational unit selected, or you can choose a child organizational unit that allows you to apply different permissions to select people under an organizational unit or a configuration group.
- You will then see “Sharing outside of your organization” and click “On.”
This sharing option will allow users to make files and published web content visible to anyone with the link.
How to restrict all file sharing outside of your organization
Supported editions include Business Standard and Plus; Enterprise; Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus; G Suite Business; Essentials.
When you set this permission, you can keep users from sharing outside your organization for certain items including links to files stored in Drive.
You can even go further and make it so employees cannot receive files from accounts outside of your organization. This means your users cannot open or edit files from outside of your organization or in third-party storage systems.
Why it matters
This method can be useful for keeping company data safe by regulating the links employees can share and receive.
However, although it is possible to lock down external sharing via links and receiving of files coming inbound from outside of the organization, this leads to risks of its own.
For example, employees may try workarounds to share or open documents, such as copying the document to a personal account and then sharing, or using an unsanctioned application to create documents. It’s typically better to educate your employees about best practices instead of locking everything down.
How to do it
- In the Admin panel, go to “Apps” > “Google Workspace” > “Drive and Docs” > “Sharing settings” > “Sharing options”
You can apply the setting to everyone in the organization by leaving the top organizational unit selected. Or, you can choose a child organizational unit or a configuration group.
- When you see “Sharing outside of your organization,” click “Off.”
3. After you restrict file-sharing, you have the additional option to stop employees from receiving files from users outside of your organization. They cannot open or edit files from outside of your organization or in third-party storage systems.
Just uncheck the “Allow users in your organization to receive files from users outside of your organization” box.
4. Click “Save.”
How to restrict the access levels users can give to files
Supported editions for this feature: Business Standard and Plus; Enterprise; Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus; G Suite Business; Essentials.
What is it?
Admins can control the level of access users can give other users when they are prompted to share files. Employees are asked if they want to share files with additional people when they attempt to share a file but not everyone has access.
For example, an employee tries to send a document link that they hadn’t previously shared with their coworker in a Gmail message or a Google chat.
Or they want to attach a document link to a calendar invite for their team, but not everyone on the team has access to the file. They will then receive a prompt asking if they want to share the file.
How much power employees have will depend on if they own the file. If they aren’t the owner, it will depend on the actual file owner’s organizational unit and its sharing permissions. If they share multiple files and different organizational unit settings apply, the options come from the least permissive organizational unit.
Why it matters
It can be difficult to work collaboratively when you need to share a document and the recipients haven’t been granted access.
However, there might have been a good reason they weren’t given that access in the first place. The document may contain sensitive data like PII or strategic information like marketing and sales plans that shouldn’t be shared with just anyone with the link.
Being able to mediate the levels of access users can grant helps combat further issues down the road. However, this can also lead to employees trying workarounds, which is why, as always, employee education, plus access control measures taken by admins, are key.
How to do it
- Within the Admin panel, go to “Apps” > “Google Workspace” > “Drive and Docs” > “Sharing settings” > “Sharing options”
To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
- Click “Sharing options.”
- You can then use “Access Checker” and choose an option:
Recipients only, your organization, or public
Employees can grant access to anyone who has the link. This is the least restrictive setting; it’s available only if sharing is turned on for your organization, and you allow employees to publish files online.
Note: if you have target audiences set up, you can choose the suggested target audience. You will find more information on setting a target audience in the following section.
Recipients only or your organization
Employees can grant access to required recipients and anyone in your organization who has the link.
Note: if you have target audiences set up, you can choose the suggested target audience.
This is the most restrictive setting. Users can only give access to required recipients. However, if the file has been shared with other people, they will still have access.
How to control the default settings of how users share links to files
Please note that only these Google Workspace plans come with this permission: Business Standard and Plus; Enterprise; Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus; G Suite Business; and Essentials.
Admins on the plans listed above can control how users share links to files in My Drive. This does not apply to files and folders within shared drives, which you can find in our free ebook.
As an admin, you can apply these permissions to everyone in the company, or you can apply policies to specific users through an organizational unit or to a group of users through a configuration group.
In your Admin console, you will have the ability to set default link sharing settings in several ways. For example, you may turn it “OFF” automatically, so that only the owner, and then those they choose to share with, have access to the document. You can also set it to “ON-Anyone at your organization with the link” which allows anyone at your company to access the document if they have the link or “ON-Anyone with the link,” which allows anyone in your organization to search for and view the file.
Set a Primary target audience
You can go a step further when setting up your organization’s permissions and create “target audiences.” These are basically groups of people, such as the Marketing department or a Sales team, that you can recommend your users share with.
You will create a “primary target audience” and then can add multiple secondary target audiences, up to five in all.
By setting up a target audience, you have an added level of protection when configuring sharing privileges.
How to do it
- You will first create a target audience: “Directory” > “Target audiences.”
- Click “Create target audience.”
- Under “Name,” write a name for the target audience, such as Sales or Engineering.
- Under “Description,” you can write a quick blurb explaining the target audience.
- Click “Create.”
Then, you can add members to the target audience. This step may be completed later if you’re not sure yet which users you need to add. However, make sure you have added some members before applying the target audience to a Google service.
- Click “Add members.”
If you have the Service Settings Admin privilege, you may apply your target audience to a Google service. You can create and apply up to five target audiences for a specific service.
- Click “Apply to Google services,” and select a service. In this case, you will set it for “Drive and Docs.”
Remember: To make the primary target audience appear as the default link-sharing option to users, make sure link sharing is turned on.
You have the option to “Create another” target audience, for a total of five target audiences.
- Click “Done.”
Link sharing defaults
Now, when a user creates a document, admins can decide what the default settings for link sharing will be.
They can either turn them “OFF” which will only allow the owner of the document to have automatic access, or they can turn it “ON” for a “Primary target audience” or “ON” for a “Primary target audience with the link.”
- In the Admin console, you will go to “Apps” > “Google Workspace” > “Drive and Docs,” and then select “Sharing settings” and then “Link sharing default.”
- Here are the three link sharing default settings you can select from:
OFF: Only the file owner and people the owner has shared the file with can access the file.
ON Primary target audience with the link: Only those in your primary target audience who have the link can access it.
ON Primary target audience: Anyone in your primary target audience can find and access the file.
- You will then save your permissions, but be aware that it can take up to 24 hours for the changes to take effect.
It’s important to note that employees are used to collaborating freely and if their habits get hampered, they can use workarounds to be able to share documents, which can lead to other Access-Risk issues.
Instead of immediately locking down employees’ permissions, the method that we’ve found to work best is to educate employees and give them visibility of security risks related to link sharing. And to control access to Google Workspace documents by using a Cloud Document Security system.