Control access to files and folders in shared drives

Supported editions for this feature: Business Standard and Plus; Enterprise; Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus; Nonprofits; G Suite Business; Essentials.  Compare your edition

As an administrator, you can apply these restrictions to your entire organization. Or, set different rules for groups or departments.

You can also prevent shared drive members with Manager access from modifying settings. In the shared drive, you can restrict:

  • Non-members from accessing files 
  • People outside your organization from accessing files
  • Commenters and viewers from downloading, copying, and printing files

Control file sharing and access

Moving and sharing files

If you want to allow users without a Google Account to collaborate on files as visitors, go to the steps for sharing with non-Google Accounts instead.

When a file is moved into a shared drive, it keeps its file-sharing permissions. So if an owner sets their file to prevent downloading, copying, and printing, it stays like that after it's moved to a shared drive. Moving files does not affect sharing permissions or user roles, such as Content manager or Viewer.

Users can't share files with anyone outside the shared drive’s restrictions. For example, if a shared drive restricts users outside the organization from accessing the shared drive's content, external users are removed from files in that shared drive in the future.

If you change a shared drive’s restriction settings, this does not automatically remove existing users or change a file’s sharing permissions. For example, assume a user outside the organization is added to a file. Then later on, a restriction is applied to the file's shared drive. In that case, the external user is not removed from the file. This means a user might regain access if restrictions are relaxed in the future.

Set the default access for all new shared drives
Admins can define the following options to restrict access to all new shared drives. Visit the Google Workspace Updates blog for more information.

Use the default sharing restrictions to restrict access to the content in all new shared drives. These settings must be actively enabled. 

 Define the default sharing restrictions

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Select Sharing settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.

    Supported editions for this feature: Business Standard and Plus; Enterprise; Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus; G Suite Business; Nonprofits; Essentials.  Compare your edition

  5. Next to Shared drive creation, select the default restrictions for all new shared drives.
    • Prevent users in your organization from creating new shared drives
    • Prevent full-access members from modifying the shared drive’s settings
    • Prevent people outside your organization from accessing files in the shared drive
    • Prevent non-members of the shared drive from accessing files in the shared drive
    • Prevent commenters and viewers from downloading, copying and printing files in the shared drive

Note: If Prevent full-access members from modifying the shared drive’s settings is not checked, full access members can override any of these default restrictions for individual shared drives.

Key things to remember

  • If a document is moved in to a shared drive with default sharing restrictions:
    • These default settings override any document-level sharing settings, which might result in some users losing access to documents. If members will lose access, a warning is displayed before the file is moved. 
    • The document’s protections still apply if the shared drive has less restrictive protections. 
  • If a document is moved out of the shared drive to My Drive within the same organization:
    • The document’s original sharing settings are used instead. This can result in users gaining or losing access.
    • Document-level restrictions always stay in place unless specifically changed or removed from the document. Shared drive restrictions only apply to documents when they are in the shared drive. 
  • Changes to these default restrictions do not affect existing shared drives:
    • If these default restrictions are changed, users are not removed from the shared drive or individual file permissions. 
    • If the shared drive restrictions are more restrictive than the file permissions, however, some users might lose access to the file. 
    • If the shared drive default restrictions are removed, some users might regain access.
Restrict access for an existing shared drive
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Select Manage shared drives.
  4. Hover over a shared drive, and click the Settings button. 
  5. Select Prevent full-access members from modifying shared drive settings to keep people from overriding the default settings for the shared drive.
  6. If full-access members can modify shared drive settings, click Edit to modify any of the following options: 
    • Sharing outside your organization—Allow or prevent external people from accessing files in the shared drive.
    • Sharing with non-members—Allow or prevent shared drive members from giving non-members access to files in the shared drive.
    • Download, copy, and print—Allow or prevent commenters and viewers from downloading, copying, and printing files in the shared drive.

Control folder sharing and access

Open all   |   Close all

You can share a specific folder with other users. You can also upgrade member access to provide users with additional permissions on specific folders within shared drives.

How to use folder sharing

There are a number of scenarios when sharing just a folder (and not an entire shared drive) is important, including:

  • For a marketing department, you can have a shared drive accessible by all internal employees, with a specific folder for advertising materials that’s also accessible to an external agency.
  • For a shared drive used to prepare for a specific event, you can give all members view access to all files, while providing each specific team with edit access to the documents relevant to their part of the event.
How does folder sharing work?

If you assign access to a shared drive, the access level is the minimum level of access that users will have to all files and folders in the shared drive. Any folders in the shared drive can only be shared with the same or higher access level. You (and your users) can’t make the access to folders more restrictive.

For example, a user with Commenter access to a shared drive cannot have Viewer access to a folder in that shared drive. If access to a file or folder is downgraded, access to parent folders is downgraded as well.

Change permission on parent folder

 

Who can share folders?

Managers of a shared drive can share folders in the shared drive. Folders in shared drives have the same access levels as the shared drives, with the exception of the Manager access level. Learn more about Shared drives access levels.

What happens when someone moves a file or folder?

When someone moves a file or folder in, within, or between shared drives or to My Drive, inherited access to content is updated, and direct access stays the same. 

For example, say you have a document in the Sales team shared drive. All members of the Sales team have Viewer access to the shared drive, and therefore, to the document as well. Five Sales team members have Editor access to the document. If the document gets moved out of the Sales team shared drive, the Sales team loses their inherited Viewer access, but the five users still have Editor access.

Moving folders in a shared drive can create broad changes to content access. Therefore, only users who have Manager access to the original and target locations can move folders into or between shared drives.

Note: If you grant a parent folder in a shared drive "Anyone in this group with this link can view", you lose the ability to share to "Anyone with the link" on child items in the parent folder. To work around this limitation, do the following:

  • Share the child folder first, then share the parent.
  • Use the API to share the child folder after the parent (API supports this, the UI does not).
Where do I find shared folders?

You can find folders from shared drives in the Shared with me section in Google Drive. If a user has Member access to the shared drive, they will also see the shared folder under the shared drive in Drive. When you share a folder, the recipient gets a notification. Anyone can organize shared folders using shortcuts.

Folders do not automatically appear in Google Drive for desktop or a shared drive unless you have Manager access. You can, instead, create a shortcut to the shared folder to access in Drive for desktop and sync the content.

Control sharing for your organization

Use the following settings to restrict sharing for your organization. These settings apply to all Drive files. For example, if your organization restricts sharing outside of the organization, shared drive content is also restricted.

Restrict users from moving content outside of your organization
 

Supported editions for this feature: Business Standard and Plus; Enterprise; Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus; G Suite Business; Essentials.  Compare your edition

You can control who can move files and folders outside of your organization when moving content from:

  • A shared drive in your organization to: 
    • A shared drive owned by another organization
    • Someone’s My Drive in another organization
  • Someone’s My Drive in your organization to a shared drive owned by another organization 
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenGoogle Workspaceand thenDrive and Docs.
  3. Click Sharing settingsand thenSharing options.
  4. Select the desired organizational unit or group
  5. In Distributing content outside of your organization, select an option:
    • Anyone
      • People with Manager access to a shared drive can move files from that shared drive to a Drive location in a different organization. Learn more
      • People in the selected organizational unit or group can move content from their My Drive to a shared drive owned by a different organization (for example, another business, group, or school). Learn more
    • Only users in your organization
      • People with Manager access to a shared drive can move files from that shared drive to a Drive location in a different organization.
      • Users in the selected organizational unit or group can move content from their My Drive to a shared drive owned by a different organization.
    • No one
      • Files on a shared drive cannot be moved to a Drive location in a different organization.
      • No one in the selected organizational unit or group can move content from My Drive to a shared drive owned by a different organization.
      • No one in the selected organizational unit or group can create files on a shared drive owned by another organization.
  6. Click Save.

Important: If you select a child organizational unit or group, this setting only controls moving content from someone’s My Drive to a shared drive in a different organization (for example, another business or school). Settings at the top-level organizational unit, which owns shared drives, always controls content moving from a shared drive to another organization.

It can take up to 24 hours to see changes. During this time, old and new settings might be intermittently enforced.

Set file-sharing permissions

Set permissions for your organization

As an admin, you control if users can share files outside of your organization. Go to Set Drive users' sharing permissions
Shared drives use the top-level organization settings. For example, if external sharing is disabled for a user's organizational unit but allowed at the top-level organization, the user can share documents in shared drives with people outside the company or school.
Admins can define additional restrictions for each organizational unit using the default settings for the creation of new shared drives. A shared drive’s restrictions can't be broader than the top-level organization’s restrictions. But you can use the default settings to further restrict access for shared drives created in specific organizational units.

Share all files and folders in a shared drive

Add members to a shared drive to grant access to files in the shared drive.

Go to Store and share files with shared drives for more information.

Share a specific file

Shared drive members can also share specific files with people who aren't members of the shared drive.

Go to Share files outside of shared drives for more information.

 

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
73010
false