Control access to files and folders in shared drives

Supported editions for this feature: Business Standard and Plus; Enterprise; Education and Enterprise for Education; Nonprofits; G Suite Business; Essentials.  Compare your edition

As an administrator, you can restrict access to files in a shared drive. You can also set the default access for new shared drives. You can apply these restrictions in a specific organizational unit or to your entire organization.

You can also prevent shared drive members with Manager access from modifying settings. In the shared drive, you can restrict:

  • Non-members from accessing files 
  • People outside your organization from accessing files
  • Commenters and viewers from downloading, copying, and printing files

Control file sharing and access

Moving and sharing files

When a file is moved into a shared drive, it keeps its file-sharing permissions. So if an owner sets their file to prevent downloading, copying, and printing, it stays like that after it's moved to a shared drive. Moving files does not affect sharing permissions or user roles, such as Content manager or Viewer.

Users can't share files with anyone outside the shared drive’s restrictions. For example, if a shared drive restricts users outside the organization from accessing the shared drive's content, external users are removed from files in that shared drive in the future.

If you change a shared drive’s restriction settings, this does not automatically remove existing users or change a file’s sharing permissions. For example, assume a user outside the organization is added to a file. Then later on, a restriction is applied to the file's shared drive. In that case, the external user is not removed from the file. This means a user might regain access if restrictions are relaxed in the future.
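Because existing external users stay on files after a restriction is applied, an audit of file permissions shows who would regain access if the restriction were relaxed. The following is an added example, not part of the original page: it flags external grants in records shaped like Drive API v3 permission resources. The domain `example.com`, the function names, and all sample data are assumptions constructed for illustration.

```python
# Added example: audit external grants left on shared-drive files.
# Records mimic Drive API v3 permission resources; all values are constructed.
INTERNAL_DOMAINS = {"example.com"}  # assumption: your organization's domains


def is_external(perm, internal_domains):
    """Return True if a permission grants access beyond the organization."""
    ptype = perm.get("type")
    if ptype == "anyone":
        return True  # link sharing that is open to the public
    if ptype == "domain":
        return perm.get("domain", "").lower() not in internal_domains
    # user or group: decide from the e-mail domain; a missing address is
    # treated as external so that it gets reviewed
    email = perm.get("emailAddress", "")
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    return domain not in internal_domains


def lingering_external_grants(files, internal_domains=INTERNAL_DOMAINS):
    """List external grants; these are not removed by a later restriction."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            if not is_external(perm, internal_domains):
                continue
            details = perm.get("permissionDetails", [])
            # direct if any detail entry is not inherited (or none is given)
            direct = not details or any(not d.get("inherited") for d in details)
            findings.append({
                "file": f["name"],
                "principal": perm.get("emailAddress") or perm.get("domain") or "anyone",
                "role": perm["role"],
                "direct": direct,
            })
    return findings


SAMPLE_FILES = [  # constructed sample data
    {"id": "f1", "name": "Q3 plan", "permissions": [
        {"type": "user", "emailAddress": "ana@example.com", "role": "fileOrganizer",
         "permissionDetails": [{"permissionType": "member", "inherited": True}]},
        {"type": "user", "emailAddress": "pat@agency.test", "role": "writer",
         "permissionDetails": [{"permissionType": "file", "inherited": False}]},
    ]},
    {"id": "f2", "name": "Price list", "permissions": [
        {"type": "domain", "domain": "example.com", "role": "reader",
         "permissionDetails": [{"permissionType": "file", "inherited": False}]},
    ]},
]
```

Running `lingering_external_grants(SAMPLE_FILES)` reports the single direct grant to the external address on "Q3 plan".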

Note about sharing with non-Google users: If you want to allow users without a Google account to collaborate on files as visitors, you can share files and folders in shared drives by following these instructions. This visitor sharing feature only works with sharing individual files and folders. You can’t make non-Google users members of a shared drive.

Set the default access for all new shared drives
Admins can define the following options to restrict access to all new shared drives. See the G Suite Updates blog for more information.

Use the default sharing restrictions to restrict access to the content in all new shared drives. These settings must be actively enabled. 

 Define the default sharing restrictions

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Drive and Docs.
  3. Select Sharing settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.

    Supported editions for this feature: Business Standard and Plus; Enterprise; Education and Enterprise for Education; G Suite Business; Nonprofits; Essentials.  Compare your edition

  5. Next to Shared drive creation, select the default restrictions for all new shared drives.
    • Prevent users in your organization from creating new shared drives
    • Prevent full-access members from modifying shared drive settings
    • Prevent people outside your organization from accessing files in the shared drive
    • Prevent non-members of the shared drive from accessing files in the shared drive
    • Prevent commenters and viewers from downloading, copying and printing files in the shared drive

Note: If Prevent full-access members from modifying the shared drive’s settings is not checked, full access members can override any of these default restrictions for individual shared drives.

Key things to remember

  • If a document is moved into a shared drive with default sharing restrictions:
    • These default settings override any document-level sharing settings, which might result in some users losing access to documents. If members will lose access, a warning is displayed before the file is moved. 
    • The document’s protections still apply if the shared drive has less restrictive protections. 
  • If a document is moved out of the shared drive to My Drive within the same organization:
    • The document’s original sharing settings are used instead. This can result in users gaining or losing access.
    • Document-level restrictions always stay in place unless specifically changed or removed from the document. Shared drive restrictions only apply to documents when they are in the shared drive. 
  • Changes to these default restrictions do not affect existing shared drives:
    • If these default restrictions are changed, users are not removed from the shared drive or individual file permissions. 
    • If the shared drive restrictions are more restrictive than the file permissions, however, some users might lose access to the file. 
    • If the shared drive default restrictions are removed, some users might regain access.
Restrict access for an existing shared drive
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Drive and Docs.
  3. Select Manage shared drives.
  4. Hover over a shared drive, and click the Settings button. 
  5. Select Prevent full-access members from modifying shared drive settings to keep people from overriding the default settings for the shared drive.
  6. If full-access members can modify shared drive settings, click Edit to modify any of the following options: 
    • Sharing outside your organization—Allow or prevent external people from accessing files in the shared drive.
    • Sharing with non-members—Allow or prevent shared drive members from giving non-members access to files in the shared drive.
    • Download, copy, and print—Allow or prevent commenters and viewers from downloading, copying, and printing files in the shared drive.

Control folder sharing and access

You can share a specific folder with other users, or upgrade member access to provide users with additional permissions on specific folders within shared drives.

How to use folder sharing

There are a number of scenarios when sharing just a folder (and not an entire shared drive) is important, including:

  • For a marketing department, you can have a shared drive accessible by all internal employees, with a specific folder for advertising materials that’s also accessible to an external agency.
  • For a sales department organized by region, you can have a shared drive that enables team managers and directors to see all activity, with regional teams only able to see the information relevant to their specific area of focus in a shared folder.
  • For a shared drive used to prepare for a specific event, you can give all members view access to all files, while providing each specific team with edit access to the documents relevant to their part of the event.
How does the sharing experience work?

Access levels assigned at the shared drive level represent the minimum level of access users will have to all files and folders within that shared drive. This ensures transparency, predictability, and scalability. As a result, the access level of a user for a folder within a shared drive can only ever be greater than the access level of that user for the shared drive itself; it can’t be more restrictive.

For example, a Commenter on a shared drive cannot be just a Viewer of a folder within that shared drive. However, a Viewer on a shared drive can have their access level expanded to Commenter or Contributor for specific files and subfolders within that shared drive. Therefore, if permission on a file or folder is downgraded, the action will take place on one or more parent folders where the permission was inherited from.

[Image: the "Change permission on parent folder" dialog, an example of the dialog shown if the access level is reduced for a sub-folder in a shared drive]

Who can share folders?

Folders in a shared drive can be shared by managers of that shared drive. Other shared drive access levels (e.g. content manager and commenter) are not eligible to share folders, because they are not allowed to control broad access to content. Folders in shared drives have the same access levels as the shared drives themselves, with the exception of the manager. These access levels include: Content manager (default), Contributor, Commenter, and Viewer. Note that a Contributor on a folder is an Editor on a file in that folder. Learn more about Shared drives access levels.

What happens with file and folder moves

When shared files or folders are moved in, within, or between shared drives, inherited access to content will be updated accordingly, and direct access will be preserved. The same is true when shared files or folders are moved from a shared drive to a user’s My Drive.

For example, imagine a document was originally in the Sales team shared drive. All members of the Sales team have Viewer access to the shared drive and so have Viewer access to the document. Additionally, five individual Sales team members have Editor access to the specific document. If that file was moved out of the Sales team drive, the Sales team would lose their inherited Viewer access, but the five individual users would still have Editor permissions.
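The Sales team example above can be checked before a move with a small model of inherited and direct access. This is an added example, not part of the original page and not Google's implementation: it assumes effective access is the higher of the inherited and the direct role, and the user names, function names, and role ranking are constructed for illustration.

```python
# Added example: simplified model of inherited vs. direct access on a move.
# Not Google's implementation; role names follow the levels named on this page
# (a Contributor on a folder is an Editor on a file in that folder).
RANK = {"Viewer": 1, "Commenter": 2, "Editor": 3, "Content manager": 4, "Manager": 5}


def effective_access(location_members, direct_grants):
    """Effective role per user: the higher of inherited and direct access."""
    result = dict(location_members)  # access inherited from the shared drive
    for user, role in direct_grants.items():
        # direct access can only raise a user above the inherited level
        if RANK[role] > RANK.get(result.get(user), 0):
            result[user] = role
    return result


def access_change_on_move(src_members, dst_members, direct_grants):
    """Return {user: (before, after)} for users whose access changes."""
    before = effective_access(src_members, direct_grants)
    after = effective_access(dst_members, direct_grants)
    return {u: (before.get(u), after.get(u))
            for u in sorted(set(before) | set(after))
            if before.get(u) != after.get(u)}


# Constructed data: seven Sales members are Viewers on the shared drive,
# five of them also have Editor access directly on the document.
SALES_DRIVE = {f"sales{i}@example.com": "Viewer" for i in range(1, 8)}
DIRECT_EDITORS = {f"sales{i}@example.com": "Editor" for i in range(1, 6)}
MY_DRIVE = {}  # destination has no inherited members

CHANGES = access_change_on_move(SALES_DRIVE, MY_DRIVE, DIRECT_EDITORS)
```

In this sample, `CHANGES` lists only the two members who had inherited Viewer access and nothing else; the five direct Editors are unaffected by the move.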

As these (shared) folder moves can make broad changes to content access, folders moved into or between shared drives are only allowed for users who are managers on both the original as well as the target location.

Note: If you grant a parent folder in a shared drive "Anyone in this group with this link can view", you will lose the ability to share to "Anyone with the link (public)" on child items in this parent folder. To work around this limitation, do the following:

  • Share the child folder first, then share the parent.
  • Use the API to share the child folder after the parent (API supports this, the UI does not).
Where do shared folders show up?

Folders shared from shared drives can be accessed in the Shared with me section in Drive. They do not appear in the shared drives hierarchy of the recipient, unless they are a member of the shared drive. Recipients of shared folders get notifications, similar to how they will get an email if a Google Doc is shared with them. Users can also organize shared folders using shortcuts.

Note that shared folders do not automatically appear in Drive File Stream or a shared drive you have access to. To make them appear, you need to create a shortcut to the shared folder in My Drive or the shared drive you have access to. This shortcut will be accessible within Drive File Stream, where you can access the folder or sync the content.

Control sharing for your organization

Use the following settings to restrict sharing for your organization. These settings apply to all Drive files. For example, if your organization restricts sharing outside of the organization, shared drive content is also restricted.

Restrict users from moving content outside of your organization
 

Supported editions for this feature: Business Standard and Plus; Enterprise; Education and Enterprise for Education; G Suite Business; Essentials.  Compare your edition

You can control who can move files and folders outside of your organization in these situations:

  • Moving content from a shared drive in your organization to a shared drive owned by another organization
  • Moving content from a shared drive in your organization to someone’s My Drive in another organization
  • Moving content from someone’s My Drive in your organization to a shared drive owned by another organization
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Drive and Docs.
  3. Click Sharing settings.
  4. Select the desired organizational unit or group.

    Important: If you select a child organizational unit or group, this setting only controls moving content from someone’s My Drive to a shared drive in a different organization (for example, another business or school). Moving content from a shared drive to another organization is always controlled by the top-level organization setting. This is because shared drives are owned by the top-level organization.
     
  5. In Distributing content outside of your organization, select an option from the table below, then click Save.
     
    Option: Anyone
    Description: Anyone with Manager access to a shared drive can move files from that shared drive to a Drive location in a different organization. Learn about user access permissions. In addition, anyone in the selected organizational unit or group can copy content from their My Drive to a shared drive owned by a different organization (for example, another business, group, or school). Learn about migrating content to a shared drive.

    Option: Only users in your organization
    Description: Only people in your organization with Manager access to a shared drive can move files from that shared drive to a Drive location in a different organization. In addition, users in the selected organizational unit or group can copy content from their My Drive to a shared drive owned by a different organization.

    Option: No one
    Description: Files on a shared drive cannot be moved to a Drive location in a different organization. In addition, no one in the selected organizational unit or group can copy content from My Drive to a shared drive owned by a different organization.
     

It can take up to 24 hours to see changes. During this time, both old and new settings might be intermittently enforced.

Set file-sharing permissions

Set permissions for your organization

As an admin, you control whether users can share files outside of your organization. See Set Drive users' sharing permissions.
Shared drives use the top-level organization settings. For example, if external sharing is disabled for a user's organizational unit but allowed at the top-level organization, the user can share documents in shared drives with people outside the company or school.
Admins can define additional restrictions for each organizational unit using the default settings for the creation of new shared drives. A shared drive’s restrictions can't be broader than the top-level organization’s restrictions. But you can use the default settings to further restrict access for shared drives created in specific organizational units.

Share all files and folders in a shared drive

Add members to a shared drive to grant access to files in the shared drive.

See Store and share files with shared drives for more information.

Share a specific file

Shared drive members can also share specific files with people who aren't members of the shared drive.

See Share files outside of shared drives for more information.
