Set Drive users' sharing permissions

As an administrator, you can control how users in your organization share Google Drive files and folders. This includes Google Docs, Sheets, Slides, My Maps, folders, and any other items stored on Drive. When users share folders, all of the folder contents usually get shared as well. 

This article is for administrators. To learn how to share your own files, or set permissions for your own files, go to Share files from Google Drive

Before you begin (optional)

If you want to set permissions by department or domain

Supported editions for this feature: Business Standard and Plus; Enterprise; Education and Enterprise for Education; G Suite Business; Essentials.  Compare your edition

File owners can share their files based on the permissions you set for their organizational unit or group. Typically, you choose permissions for organizational units or your domain. Then you can customize permissions for groups of users within or across organizational units. 

  1. Add an organizational unit for each department or domain. For steps, see Add an organizational unit.
  2. Move users to your organizational units. For steps, see Move users to an organizational unit. 
  3. Set sharing permissions for each organizational unit using the instructions below.
  4. (Optional) Set sharing permission for groups

If file owners move to different organizational units or groups, or if file ownership transfers to someone in a different organizational unit or group, the file's sharing permissions change to those of the new organizational unit or group. Also, reordering the priority of groups can change a file owner's sharing permissions. Learn more about groups

Users can never share files they don’t own beyond what is allowed for the file owners. This is true even if users are in organizational units or groups with more permissive sharing settings.

Set sharing permissions

Let users in your organization share with anyone

You can let users invite people outside your organization to access shared files. You can also let them make files public on the web. 

Cloud Identity customers: If all of your users have Cloud Identity licenses, they can always share files with users outside your organization and publish files on the web for anyone to access.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Click Sharing settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.

    Supported editions for this feature: Business Standard and Plus; Enterprise; Education and Enterprise for Education; G Suite Business; Nonprofits; Essentials.  Compare your edition

  5. Under Sharing outside of your organization, turn file sharing on, and choose sharing options:

    Option Description
    On Lets users invite people outside your organization to view, comment on, or edit shared files.
    For files owned by users in your organization, warn when sharing outside of your organization
     

    (Optional) Alerts users to make sure files aren't confidential before they share them outside your organization. 

    Warnings are displayed only when users share files through Docs editor or Drive sharing dialogs. If users share files directly, such as by emailing links, warnings aren't displayed.​

    Allow users in your organization to send sharing invitations to people outside your organization who are not using a Google account

    (Optional) Lets users share files with people outside your organization who don't use Google accounts. If you uncheck this box, users can share files with outside recipients only if those recipients use Google accounts or are on a Google Groups mailing list.

    If you check this option, you’ll also need to choose one of the following options.

    • Require Google sign-in for external users to view file. Requires recipients to sign in to Google accounts before opening files. That is, unless files are shared publicly on the web or available to anyone with links, if you allow that.

      Note: Google accounts don’t have to use Gmail or G Suite addresses. If someone needs a Google account, send them this link: https://accounts.google.com/signupwithoutgmail.
       
    • Allow external users to preview file without Google sign-in. Lets recipients preview file contents in a read-only mode without signing in to Google accounts.

    To edit or comment on files, reviewers must sign in to a Google account (or a visitor account if you have visitor sharing enabled), and invitations must allow commenting or editing.

    Allow users in your organization to publish files on the web or make them visible to the world as public or unlisted files

    (Optional) Lets users:

    • Publish Docs, Sheets, and Slides via File and then  Publish to the Web. This makes files accessible and searchable to anyone on the web. 
    • Select sharing settings that make files visible to the world as either public or unlisted files. Learn more about who links can be shared with.

    If you uncheck this box, users can still send file-sharing invitations to anyone. They just can't make files public on the web. 

    This setting is not available in the legacy free edition of G Suite. All free edition users can publish files on the web or share the link with anyone.

  6. Click Save.

It can take up to 24 hours to see changes. During this time, both old and new settings might be intermittently enforced.

Restrict sharing outside whitelisted domains

Supported editions for this feature: Business Standard and Plus; Enterprise; Education and Enterprise for Education; G Suite Business; Essentials.  Compare your edition

You can restrict file sharing to trusted (whitelisted) domains only. To be whitelisted, domains must be G Suite domains unless you're using visitor sharing. With visitor sharing, you can add non-G Suite accounts to your trusted domains list. Learn more.

Cloud Identity customers: If your organization has a mix of Cloud Identity and G Suite licenses for its users, the whitelisted domains configuration for G Suite users also applies to users with Cloud Identity licenses.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Click Sharing settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.

    Supported editions for this feature: Business Standard and Plus; Enterprise; Education and Enterprise for Education; G Suite Business; Nonprofits; Essentials.  Compare your edition

    1. Under Sharing outside of your organization, choose sharing options:
      Option Description
      Whitelisted Domains

      Allows users in the specified organizational unit or group to share files with people in external whitelisted G Suite domains.

      For files owned by users in your organization, warn when sharing with users in whitelisted domains
       

      (Optional) Alerts users to make sure files aren't confidential before they share them with users in whitelisted domains. 

      Warnings are displayed only when users share files through Docs editor or Drive sharing dialogs. If users share files directly, such as by emailing links, warnings aren't displayed.​ 

      Allow users in your organization to receive files from users outside of whitelisted domains

      (Optional) Enables users to:

      • Open files that are shared with them by people in domains that aren't on the whitelist.
      • Use Docs editors to edit Google Docs, Sheets, and Slides stored on 3rd-party storage systems, such as Box. 

      If you uncheck this box, users can edit files only if those files are shared by people in domains on the whitelist. Also, users can't use Docs editors to edit files on 3rd-party storage systems. Learn more about using 3rd-party storage systems.

      Allow users in your organization to send sharing invitations to people outside your organization who are not using a Google Account

      (Optional) Allows PIN-verified sharing to non-Google users in whitelisted domains. These users are identified in the sharing dialog by their email addresses, just like Google users. Learn more.

  5. Click Save
  6. Add trusted G Suite domains to the whitelist. The whitelist is automatically available to all organizational units and groups in your organization.

It can take up to 24 hours to see changes. During this time, both old and new settings might be intermittently enforced.

Restrict sharing outside your organization

Supported editions for this feature: Business Standard and Plus; Enterprise; Education and Enterprise for Education; G Suite Business; Essentials.  Compare your edition

You can restrict users from sharing or receiving the following items outside your organization:

  • Invitations to Docs, Sheets, and Slides, which can be used for 14 days after they are created 
  • Links to files stored in Drive
  • Email attachments that can be sent or received by users, uploaded directly from devices, and stored in Drive
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Click Sharing settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.

    Supported editions for this feature: Business Standard and Plus; Enterprise; Education and Enterprise for Education; G Suite Business; Nonprofits; Essentials.  Compare your edition

  5. Under Sharing outside of your organization, turn sharing off, and select options: 
    Option Description
    Off

    Prevents users from sharing Google Drive files with people outside your organization through invitations, links, and email attachments. Users outside of your organization will not be able to view new published sites. Also, prevents users from submitting Google Forms that require them to share documents outside your organization.

    Allow users in your organization to receive files from users outside of your organization

    (Optional) When unchecked, prevents users from:

    • Opening files that are shared with them by people in domains that aren't on the whitelist.
    • Using Docs editors to edit Google Docs, Sheets, and Slides stored on 3rd-party storage systems, such as Box. 

    If you check this box, users can open files shared from outside your organization, but they can share within your organization only. Also, you can let users edit Google files stored on 3rd-party storage systems if you check this box. Learn more about using 3rd-party storage systems.

    Note: If you set a policy that restricts external users from accessing your organization’s content, files can still be shared with Google Groups that contain external users, but those users will not be able to access the files.
  6. Click Save.

It can take up to 24 hours to see changes. During this time, both old and new settings might be intermittently enforced.

Control files stored on shared drives

Supported editions for this feature: Business Standard and Plus; Enterprise; Education and Enterprise for Education; G Suite Business; Essentials.  Compare your edition

You can control who can move files and folders outside of your organization in these situations:

  • Moving content from a shared drive in your organization to a shared drive owned by another organization
  • Moving content from a shared drive in your organization to someone’s My Drive in another organization
  • Moving content from someone’s My Drive in your organization to a shared drive owned by another organization
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Click Sharing settings.
  4. Select the desired organizational unit or group

    Important: If you select a child organizational unit or group, this setting only controls moving content from someone’s My Drive to a shared drive in a different organization (for example, another business or school). Moving content from a shared drive to another organization is always controlled by the top-level organization setting. This is because shared drives are owned by the top-level organization.
     
  5. In Distributing content outside of your organization, select an option from the table below, then click Save.
     
    Option Description
    Anyone Anyone with Manager access to a shared drive can move files from that shared drive to a Drive location in a different organization. Learn about user access permissions.

    In addition, anyone in the selected organizational unit or group can copy content from their My Drive to a shared drive owned by a different organization (for example, another business, group, or school). Learn about migrating content to a shared drive.
     
    Only users in your organization Only people in your organization with Manager access to a shared drive can move files from that shared drive to a Drive location in a different organization.

    In addition, users in the selected organizational unit or group can copy content from their My Drive to a shared drive owned by a different organization.
     
    No one Files on a shared drive cannot be moved to a Drive location in a different organization.

    In addition, no one in the selected organizational unit or group can copy content from My Drive to a shared drive owned by a different organization.
     

It can take up to 24 hours to see changes. During this time, both old and new settings might be intermittently enforced.

 

Control shared drive creation

You can control whether users can create shared drives in your organization. For instructions, see Manage your shared drives users and activity.

Allow users to publish files publicly

Quick steps to make a file public to anyone
  1. Sign in to the Admin console and go to Appsand thenG Suiteand thenDrive and Docsand thenSharing settings.
  2. Under Sharing options, select:
    • ON - Files owned by users in your organization can be shared outside of your organization. This applies to files in all shared drives as well.
    • For files owned by users in your organization warn when sharing outside of your organization
    • Allow users in your organization to send sharing invitations to people outside your organization who are not using a Google account
      • Allow external users to preview file without Google sign-in
    • Allow users in your organization to publish files on the web or make them visible to the world as public or unlisted files
  3. Click Save.

It can take up to 24 hours to see changes. During this time, both old and new settings might be intermittently enforced.

Steps in Admin console to publish docs

Recommend link-sharing options for users

Set target audiences (beta)

Supported editions for this feature: Business Standard and Plus; Enterprise; Education and Enterprise for Education; G Suite Business.  Compare your edition

If you turn on link sharing, the pre-defined default target audience is your organization, which includes all users in your organization. If your organization has created additional target audiences, you can apply them to Drive and set a different default audience for all or just specific users. You can also remove any target audiences. Learn more about target audiences.

For more information about applying or removing target audiences, go to Set target audiences for a Google service.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Click Sharing settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.

    Supported editions for this feature: Business Standard and Plus; Enterprise; Education and Enterprise for Education; G Suite Business; Nonprofits; Essentials.  Compare your edition

  5. Click Target audiences. The Audiences list shows any target audiences that are already applied to the service, in the order they appear in users' sharing settings.

  6. (Optional) To add one or more audiences:
    1. Click Add target audiences.
    2. Check the box for up to 3 target audiences you want to apply to the service.

      Or, if there are many audiences, you can search for an audience by entering the first few letters of its name. 

  7. (Optional) To remove a target audience, click Remove item""for the audience.
  8. (Optional) To change the default target audience or move an audience to a different position in the list, click and drag the audience to a new position (the first position is the default audience).

    Or, enter the order in which you want it to appear in the box to the left of the audience's name.

  9. Click Save.

Note: If you want the default target audience to also be the default link-sharing option, make sure link sharing is turned on.

It can take up to 24 hours to see changes. During this time, both old and new settings might be intermittently enforced.

Set Access Checker options & the link-sharing default

Choose Access Checker options

When users share files through G Suite tools, Access Checker verifies that recipients have access to files. The service also prompts users to give access if necessary. This happens when users:

  • Send Gmail or Google Chat messages with links to files that haven't been shared with recipients.
  • “+” someone into a comment on a doc who doesn't have access to the doc.
  • Attach files to calendar events where guests don't have access to the files.

If users share files they don't own, Access Checker options come from the file owner's organizational unit. If users share multiple files, and different organizational unit settings apply, Access Checker options come from the least permissive organizational unit.

As an administrator, you can specify the level of access users can give.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Click Sharing settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.

    Supported editions for this feature: Business Standard and Plus; Enterprise; Education and Enterprise for Education; G Suite Business; Nonprofits; Essentials.  Compare your edition

  5. Click Sharing options
  6. Under Access Checker, specify how you want users to resolve file-access issues: 
    Option Description
    Recipients only Gives users one option: give access to required recipients only.* This is the most restrictive setting. 
    Recipients only or your organization

    Gives users 2 options:

    • Give access to required recipients.*
    • Give access to everyone in your organization who has the link.
    Recipients only, your organization, or public (no Google account required)

    Gives users 3 options:

    • Give access to required recipients.*
    • Give access to everyone in your organization who has the link.
    • Make the file public (available to anyone who has the link).

    This setting, which is the least restrictive, is available only if sharing is turned on for your organization, and you allow users to publish files on the web.


    * Giving access to required recipients simply adds recipients to the sharing list. If the file has been shared with other people, they still have access.
     
  7. Click Save

It can take up to 24 hours to see changes. During this time, both old and new settings might be intermittently enforced.

Set the default for link sharing

You can set the default link-sharing option that's displayed to users when they share files from within Docs editors. This default applies when sharing content in My Drive, but not in shared drives. Users can use this default or choose a different option for sharing their files. To prevent users from choosing a different sharing option, you can restrict file sharing.

Cloud Identity customers: If your organization has a mix of Cloud Identity and G Suite licenses for its users, the link-sharing setting for the G Suite users also applies to the users with Cloud Identity licenses.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Click Sharing settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.

    Supported editions for this feature: Business Standard and Plus; Enterprise; Education and Enterprise for Education; G Suite Business; Nonprofits; Essentials.  Compare your edition

  5. Click Link Sharing, and then select the default sharing option to be displayed in the link-sharing dialog when users share files:
    Option Description
    Off Only the file owner, and people the owner has shared the file with, can access the file.
     
    On - Anyone at your organization with the link

    Anyone in your organization who has the link can access the file. Files with this visibility don’t normally appear in search results unless there are links to them from other files that are searchable.

    Important: If you set a different default target audience than the pre-defined audience for anyone at your organization (named your organization), this option shows that audience instead in users' sharing link-sharing options.

    On - Anyone at your organization

    Anyone in your organization can search for and view the file. However, a file with this visibility appears in a user’s Drive only after they access the file or the file is shared with them.

    Important: If you set a different default target audience than the pre-defined audience for anyone at your organization (named your organization), this option shows that audience instead in users' sharing link-sharing options.

  6. Click Save.

It can take up to 24 hours to see changes. During this time, both old and new settings might be intermittently enforced.

Verify changes

It's best to wait 24 hours before you test any changes to sharing settings. During this time, both old and new settings might be intermittently enforced.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue