Fixing Google Drive Permissions Pt. 1

In my last post I talked about a recent string of security breaches, and my frustration in dealing with Google Drive permissions in an effort to protect my district. Here I'd like to discuss some of the solutions I have discovered.

First, what does a perfect solution look like?
Based on our threat model, this is what I want to accomplish:

  1. No one has the option to share with the entire Org. This prevents accidentally sharing with students and forces them to use the groups I spent all summer crafting.
  2. Staff can share files/folders with any staff or students they like.
  3. Staff can share files/folders with external staff on trusted domains.
  4. Staff can create Shared Drives, but they are locked into the same rules as above.
  5. Staff cannot share with external untrusted users (so-and-so@gmail.com). We create domain accounts for anyone heavily involved in the district anyway, even if they are not employees. If they need to, they can save a file and send it in an email.
  6. Staff CAN accept shared files from external untrusted users (so-and-so@gmail.com). This is often needed for parents.
  7. A set of official drives, conspicuously named and only accessible to a certain group (e.g. All Teachers Drive), is available.
  8. A set of official drives is available, for specific purposes, that are internal only but DO allow "Anyone with the link" sharing (for linking view-only forms on our website, etc.) but do not allow sharing with external untrusted users (so-and-so@gmail.com).

source:domain

You can use this trick to find out which files are inappropriately shared, but there are some catches.

  1. It's possible the files are shared by accounts that have been suspended. You may have to log in as them, and fix the permissions, delete the files, or transfer them.
  2. It's possible the files are not in shared drives you have access to. You may have to take control of those drives first.
  3. The file may be shared by a user who is still active. You may have to email them and ask them to change the permissions.

You CAN disable sharing to "Anyone with the link"; however, public links are needed for a few reasons:

  1. Google Sites/Forms. (Self-Explanatory)
  2. Public documents linked from your website etc. Anything a parent would need to see.
  3. Documents posted to assignments in your CMS. Canvas will not share Google Docs unless it can make them "Anyone with the link". Annoying, I know.

You either have to re-enable the account, then log in as that user and change the permissions manually, or transfer all their files to another user (via the Workspace admin console) and fix the permissions from there. Ugh.

This means everyone's Email and Drive must be transferred before we can delete their account.

Solutions:

Fix your groups.


I may do another full writeup on this, but make sure your group names are obvious and the right people are in the right groups. Add the groups to the drive as Content Managers, and make your Google Drive Admin account the Manager.


Take control of existing Drives.


  1. Create a new user who will act as the Google Drive SuperAdmin. Maybe name it Google.Drive?
  2. Go to Apps > Google Workspace > Settings for Drive and Docs > Manage Shared Drives.
  3. Make the new Google Drive account a Manager of every single existing drive.

Create new Official Drives


Use your brain on this one; you'll likely want to name them the same as the groups that have access (e.g. All Teachers Drive).

Create Drive OUs.

Create a series of OUs for your drives, then apply different rules for each OU:

  • Public drives: Sharing outside of the Org is allowed, as is "Anyone with the link"
  • Sites: Same permissions as Public Drives. Each site gets its own drive.
  • Untrusted Drives: Sharing outside of the org is allowed, but "Anyone with the link" is not.
  • Trusted Drives: Sharing with our trusted list of domains is allowed, but no other external users.
  • Internal Drives: Internal Only
  • Official Drives: Same permissions as Internal.

Categorize your existing Staff-Created Drives


Log in as your Google Drive Admin, and look for the sharing icon. Check the permissions.

  • If a drive has any files that are set to "Anyone with the link" move that drive into the Public Drives OU.
  • Otherwise, check if any files are shared with so-and-so@gmail.com. If there are, move that drive to the 1 - Untrusted Drives OU.
  • If not, check for files shared with your trusted domains. This is a good time to create that list as well. (Maybe neighboring school districts, your ESD, or government institutions?) Move the drive to 2 - Trusted Drives.
  • Every other drive can be moved to 4 - Internal Drives.

Doing things this way should prevent breaking anything, as you are enforcing the strongest policy you can without actually changing permissions. From here we can start to dig into individual drives and identify problem children, either manually or using tools like GAMADV-XTD3.
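The categorization steps above as a script, added here as an illustration and not taken from the original post or from GAM. It assumes each drive's file permissions have been exported as records carrying the Drive API permission fields `type`, `emailAddress` and `domain`; the domain names and sample drives are hypothetical.

```python
# Hypothetical domains; substitute your own and your trusted list.
INTERNAL_DOMAINS = {"district.example"}
TRUSTED_DOMAINS = {"esd.example", "neighbor.example"}

# Exposure levels, least to most exposed; each index maps to an OU from the post.
INTERNAL, TRUSTED, UNTRUSTED, PUBLIC = range(4)
OU_NAMES = ["Internal Drives", "Trusted Drives", "Untrusted Drives", "Public Drives"]


def permission_exposure(perm):
    """Rank one permission record by how far outside the org it reaches."""
    if perm.get("type") == "anyone":  # "Anyone with the link"
        return PUBLIC
    # Domain-wide grants carry "domain"; user/group grants carry "emailAddress".
    domain = perm.get("domain") or perm.get("emailAddress", "").rpartition("@")[2]
    domain = domain.strip().lower()
    if domain in INTERNAL_DOMAINS:
        return INTERNAL
    if domain in TRUSTED_DOMAINS:
        return TRUSTED
    return UNTRUSTED  # unknown or missing domain counts as external


def classify_drive(files):
    """files: {file name: [permission, ...]} for one Shared Drive.
    Returns (OU name, files whose sharing forced that OU)."""
    worst, evidence = INTERNAL, []
    for name, perms in files.items():
        level = max(map(permission_exposure, perms), default=INTERNAL)
        if level > worst:
            worst, evidence = level, [name]
        elif level == worst and level != INTERNAL:
            evidence.append(name)
    return OU_NAMES[worst], evidence


# Constructed sample data, not real drives or accounts.
SAMPLE_DRIVES = {
    "Website Forms": {"signup.pdf": [{"type": "anyone"}],
                      "draft.doc": [{"type": "user", "emailAddress": "pat@gmail.com"}]},
    "PTA Planning": {"budget.xlsx": [{"type": "user", "emailAddress": "Parent@Gmail.com"}],
                     "flyer.doc": [{"type": "domain", "domain": "esd.example"}]},
    "Regional Curriculum": {"scope.doc": [{"type": "group", "emailAddress": "team@ESD.example"}]},
    "Staff Handbook": {"handbook.doc": [{"type": "domain", "domain": "district.example"}]},
}

if __name__ == "__main__":
    for drive, files in SAMPLE_DRIVES.items():
        print(drive, "->", classify_drive(files))
```

The returned file list is the starting point for the per-drive cleanup: those are the files keeping the drive out of a stricter OU.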

Watch for part 2 soon.