Set Drive users' sharing permissions

As a G Suite administrator, you can control how users in your organization share Google Drive files and folders. This includes Google Docs, Sheets, Slides, My Maps, folders, and any other items stored on Drive. When users share folders, all of the folder contents usually get shared as well. 

This article is for administrators. To learn how to share your own files, or set permissions for your own files, go to Share files from Google Drive.

Before you begin (optional)

If you want to set permissions by department or domain

This feature is available with G Suite Enterprise, Enterprise for Education, Drive Enterprise, Business, Education, and Nonprofits edition. Compare editions

File owners can share their files based on the permissions you set for their organizational unit or group. Typically, you choose permissions for organizational units or your domain. Then you can customize permissions for groups of users within or across organizational units. 

  1. Add an organizational unit for each department or domain. For steps, see Add an organizational unit.
  2. Move users to your organizational units. For steps, see Move users to an organizational unit. 
  3. Set sharing permissions for each organizational unit using the instructions below.
  4. (Optional) Set sharing permissions for groups.

If file owners move to different organizational units or groups, or if file ownership transfers to someone in a different organizational unit or group, the file's sharing permissions change to those of the new organizational unit or group. Also, reordering the priority of groups can change a file owner's sharing permissions. Learn more about groups

Users can never share files they don’t own beyond what is allowed for the file owners. This is true even if users are in organizational units or groups with more permissive sharing settings.

Set sharing permissions

Let users in your organization share with anyone
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Drive and Docs.
  3. Click Sharing settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.

    You can select an organizational unit or group for this feature only if you have G Suite Enterprise, Business, Education, Nonprofits, or Drive Enterprise edition. (Compare G Suite editions.)

  5. Under Sharing outside of your organization, turn file sharing on, and choose sharing options:

    Option Description
    On

    Lets users invite people outside your organization to view, comment on, or edit shared files.

    For files owned by users in your organization, warn when sharing outside of your organization
     

    (Optional) Alerts users to make sure files aren't confidential before they share them outside your organization. 

    Warnings are displayed only when users share files through Docs editor or Drive sharing dialogs. If users share files directly, such as by emailing links, warnings aren't displayed.

    Allow users in your organization to send sharing invitations to people outside your organization who are not using a Google account

    (Optional) Lets users share files with people outside your organization who don't use Google accounts. If you uncheck this box, users can share files with outside recipients only if those recipients use Google accounts or are on a Google Groups mailing list.

    Note: Google accounts don’t have to use Gmail or G Suite addresses. A Google account is simply a unified sign-in system that provides access to Google products, including Docs, Sheets, and Slides. If someone doesn’t have a Google account, send them this link: https://accounts.google.com/signupwithoutgmail.

    • Require Google sign-in for external users to view file. Requires recipients to sign in to Google accounts before opening files, unless the files are shared publicly on the web or are available to anyone with the link (if you allow that).
    • Allow external users to preview file without Google sign-in. Lets recipients preview file contents in a read-only mode without signing in to Google accounts.

    To edit or comment on files, reviewers must sign in to Google accounts, and invitations must allow commenting or editing.

    Allow users in your organization to publish files on the web or make them visible to the world as public or unlisted files

    (Optional) Lets users:

    • Publish Docs, Sheets, and Slides via File > Publish to the Web. This makes files accessible and searchable to anyone on the web.
    • Select sharing settings that make files visible to the world as either public or unlisted files. Learn more about who links can be shared with.

    If you uncheck this box, users can still send file-sharing invitations to anyone. They just can't make files public on the web. 

    This setting is not available in the legacy free edition of G Suite. All free edition users can publish files on the web or share the link with anyone.

  6. Click Save.

It can take up to 24 hours to see changes. During this time, both old and new settings might be intermittently enforced.

Restrict sharing outside whitelisted domains

This feature is available with G Suite Enterprise, Enterprise for Education, Drive Enterprise, Business, Education, and Nonprofits edition. Compare editions

You can restrict file sharing to trusted (whitelisted) domains only. To be whitelisted, domains must be G Suite domains.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Drive and Docs.
  3. Click Sharing settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.

    You can select an organizational unit or group for this feature only if you have G Suite Enterprise, Business, Education, Nonprofits, or Drive Enterprise edition. (Compare G Suite editions.)

    1. Under Sharing outside of your organization, choose sharing options:
      Option Description
      Whitelisted Domains

      Allows users in the specified organizational unit or group to share files with people in external whitelisted G Suite domains.

      For files owned by users in your organization, warn when sharing with users in whitelisted domains
       

      (Optional) Alerts users to make sure files aren't confidential before they share them with users in whitelisted domains. 

      Warnings are displayed only when users share files through Docs editor or Drive sharing dialogs. If users share files directly, such as by emailing links, warnings aren't displayed.

      Allow users in your organization to receive files from users outside of whitelisted domains

      (Optional) Enables users to:

      • Open files that are shared with them by people in domains that aren't on the whitelist.
      • Use Docs editors to edit Google Docs, Sheets, and Slides stored on 3rd-party storage systems, such as Box. 

      If you uncheck this box, users can edit files only if those files are shared by people in domains on the whitelist. Also, users can't use Docs editors to edit files on 3rd-party storage systems. Learn more about using 3rd-party storage systems.

  5. Click Save.
  6. Add trusted G Suite domains to the whitelist. The whitelist is automatically available to all organizational units and groups in your organization.

It can take up to 24 hours to see changes. During this time, both old and new settings might be intermittently enforced.

Restrict sharing outside your organization

You can restrict users from sharing or receiving the following items outside your organization:

  • Invitations to Docs, Sheets, and Slides, which can be used for 14 days after they are created 
  • Links to files stored in Drive
  • Email attachments that can be sent or received by users, uploaded directly from devices, and stored in Drive

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Drive and Docs.
  3. Click Sharing settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.

    You can select an organizational unit or group for this feature only if you have G Suite Enterprise, Business, Education, Nonprofits, or Drive Enterprise edition. (Compare G Suite editions.)

  5. Under Sharing outside of your organization, turn sharing off, and select options: 
    Option Description
    Off

    Prevents users from sharing Google Drive files with people outside your organization through invitations, links, and email attachments. Users outside of your organization will not be able to view new published sites. Also, prevents users from submitting Google Forms that require them to share documents outside your organization.

    Allow users in your organization to receive files from users outside of your organization

    (Optional) When unchecked, prevents users from:

    • Opening files that are shared with them by people in domains that aren't on the whitelist.
    • Using Docs editors to edit Google Docs, Sheets, and Slides stored on 3rd-party storage systems, such as Box. 

    If you check this box, users can open files shared from outside your organization, but they can share within your organization only. Also, you can let users edit Google files stored on 3rd-party storage systems if you check this box. Learn more about using 3rd-party storage systems.

  6. Click Save.

It can take up to 24 hours to see changes. During this time, both old and new settings might be intermittently enforced.

Control files stored on shared drives

This feature is available with G Suite Enterprise, Enterprise for Education, Drive Enterprise, Business, Education, and Nonprofits edition. Compare editions

You can control who can move files and folders outside of your organization in these situations:

  • Moving content from a shared drive in your organization to a shared drive owned by another organization
  • Moving content from a shared drive in your organization to someone’s My Drive in another organization
  • Moving content from someone’s My Drive in your organization to a shared drive owned by another organization

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Drive and Docs.
  3. Click Sharing settings.
  4. Select the desired organizational unit or group.

    Important: If you select a child organizational unit or group, this setting only controls moving content from someone’s My Drive to a shared drive in a different organization (for example, another business or school). Moving content from a shared drive to another organization is always controlled by the top-level organization setting. This is because shared drives are owned by the top-level organization.
     
  5. In Distributing content outside of your organization, select an option from the table below, then click Save.
     
    Option Description
    Anyone

    Anyone with Manager access to a shared drive can move files from that shared drive to a Drive location in a different organization. Learn about user access permissions.

    In addition, anyone in the selected organizational unit or group can copy content from their My Drive to a shared drive owned by a different organization (for example, another business, group, or school). Learn about migrating content to a shared drive.
     
    Only users in your organization

    Only people in your organization with Manager access to a shared drive can move files from that shared drive to a Drive location in a different organization.

    In addition, users in the selected organizational unit or group can copy content from their My Drive to a shared drive owned by a different organization.
     
    No one

    Files on a shared drive cannot be moved to a Drive location in a different organization.

    In addition, no one in the selected organizational unit or group can copy content from My Drive to a shared drive owned by a different organization.
     

It can take up to 24 hours to see changes. During this time, both old and new settings might be intermittently enforced.

 

Control shared drive creation

You can control whether users can create shared drives in your organization. For instructions, see Manage your shared drives users and activity.

Set Access Checker options & the link-sharing default

Choose Access Checker options

When users share files through G Suite tools, Access Checker verifies that recipients have access to files. The service also prompts users to give access if necessary. This happens when users:

  • Send Gmail messages with links to files that haven't been shared with recipients.
  • “+” someone into a comment on a doc who doesn't have access to the doc.
  • Attach files to calendar events where guests don't have access to the files.

If users share files they don't own, Access Checker options come from the file owner's organizational unit. If users share multiple files, and different organizational unit settings apply, Access Checker options come from the least permissive organizational unit.

As an administrator, you can specify the level of access users can give.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Drive and Docs.
  3. Click Sharing settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.

    You can select an organizational unit or group for this feature only if you have G Suite Enterprise, Business, Education, Nonprofits, or Drive Enterprise edition. (Compare G Suite editions.)

  5. Click Sharing settings
  6. Under Access Checker, specify how you want users to resolve file-access issues: 
    Option Description
    Recipients only

    Gives users one option: give access to required recipients only.* This is the most restrictive setting.

    Recipients only or your organization

    Gives users 2 options:

    • Give access to required recipients.*
    • Give access to everyone in your organization who has the link.

    Recipients only, your organization, or public (no Google account required)

    Gives users 3 options:

    • Give access to required recipients.*
    • Give access to everyone in your organization who has the link.
    • Make the file public (available to anyone who has the link).

    This setting, which is the least restrictive, is available only if sharing is turned on for your organization, and you allow users to publish files on the web.


    * Giving access to required recipients simply adds recipients to the sharing list. If the file has been shared with other people, they still have access.
     
  7. Click Save.

It can take up to 24 hours to see changes. During this time, both old and new settings might be intermittently enforced.

Set the default for link sharing

You can set the default link-sharing option that is displayed to users when they share files from within Docs editors. This default applies when sharing content in My Drive, but not in shared drives. Users can use this default or choose a different option for sharing their files. To prevent users from choosing a different sharing option, you can restrict file sharing.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Drive and Docs.
  3. Click Sharing settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.

    You can select an organizational unit or group for this feature only if you have G Suite Enterprise, Business, Education, Nonprofits, or Drive Enterprise edition. (Compare G Suite editions.)

  5. Under Link Sharing, select the default sharing option to be displayed in the link-sharing dialog when users share files:
    Option Description
    Off

    Only the file owner, and people the owner has shared the file with, can access the file.

    On - Anyone at your organization with the link

    Anyone in your organization who has the link can access the file. Files with this visibility don’t normally appear in search results unless there are links to them from other files that are searchable.

    On - Anyone at your organization

    Anyone in your organization can search for and view the file. However, a file with this visibility appears in a user’s Drive only after they access the file or the file is shared with them.

  6. Click Save.

It can take up to 24 hours to see changes. During this time, both old and new settings might be intermittently enforced.

 

Verify changes

It's best to wait 24 hours before you test any changes to sharing settings. During this time, both old and new settings might be intermittently enforced.
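
One way to check recorded shares against the rules above once the 24-hour window has passed, as an added example that is not part of the original article or a Google tool. The domains, organizational units, users and record fields are constructed, groups are not modeled, and each share is judged against the file owner's policy, not the sharer's.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SharingPolicy:
    mode: str                       # "on", "whitelisted" or "off"
    allow_non_google: bool = False  # invitations to people without Google accounts
    allow_public: bool = False      # publish to web / public or unlisted files

# Constructed sample configuration (hypothetical domains, OUs and users).
ORG_DOMAIN = "example.com"
WHITELIST = {"partner.example"}
POLICY_BY_OU = {
    "/Finance": SharingPolicy("off"),
    "/Sales": SharingPolicy("whitelisted"),
    "/Marketing": SharingPolicy("on", allow_public=True),
}
OU_OF_USER = {"fay@example.com": "/Finance", "sam@example.com": "/Sales",
              "mia@example.com": "/Marketing"}

def violation(share):
    """Return why a share exceeds the file OWNER's policy, or None if allowed."""
    policy = POLICY_BY_OU[OU_OF_USER[share["owner"]]]  # sharer's OU is irrelevant
    if share["target"] == "public":
        # Assumption: public/unlisted needs sharing On plus the publish checkbox.
        ok = policy.mode == "on" and policy.allow_public
        return None if ok else "public visibility not allowed for owner"
    domain = share["target"].rsplit("@", 1)[1].lower()
    if domain == ORG_DOMAIN:
        return None
    if policy.mode == "off":
        return "external sharing is off for owner"
    if policy.mode == "whitelisted":
        return None if domain in WHITELIST else "domain not whitelisted for owner"
    if not share["google_account"] and not policy.allow_non_google:
        return "recipient has no Google account"
    return None

# Constructed sharing records; field names are hypothetical, not an API schema.
SHARES = [
    {"doc": "forecast", "owner": "sam@example.com", "sharer": "sam@example.com",
     "target": "ann@partner.example", "google_account": True},
    {"doc": "pricing", "owner": "sam@example.com", "sharer": "mia@example.com",
     "target": "bob@outsider.example", "google_account": True},
    {"doc": "ledger", "owner": "fay@example.com", "sharer": "fay@example.com",
     "target": "public", "google_account": False},
    {"doc": "flyer", "owner": "mia@example.com", "sharer": "mia@example.com",
     "target": "cat@agency.example", "google_account": False},
]

def audit(shares):  # (doc, reason) for every share exceeding the owner's policy
    return [(s["doc"], r) for s in shares if (r := violation(s))]

if __name__ == "__main__":
    for doc, reason in audit(SHARES):
        print(f"{doc}: {reason}")
```

The "pricing" record is flagged even though the sharer sits in the most permissive organizational unit, because the file's owner is limited to whitelisted domains.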
