Control access to files in shared drives

This feature is available with G Suite Enterprise, Enterprise for Education, Drive Enterprise, Business, Education, and Nonprofits edition. Compare editions

As an administrator, you can restrict access to files in a shared drive. You can also set the default access for new shared drives. You can apply these restrictions in a specific organizational unit or to your entire organization.

You can also prevent shared drive members with Manager access from modifying settings. In the shared drive, you can restrict:

  • Non-members from accessing files 
  • People outside your organization from accessing files
  • Commenters and viewers from downloading, copying, and printing files

Moving and sharing files

When a file is moved into a shared drive, it keeps its file-sharing permissions. So if an owner sets their file to prevent downloading, copying, and printing, it stays like that after it's moved to a shared drive. Moving files does not affect sharing permissions or user roles, such as Content manager or Viewer.

Users can't share files with anyone outside the shared drive’s restrictions. For example, if a shared drive restricts users outside the organization from accessing the shared drive's content, external users are removed from files in that shared drive in the future.

If you change a shared drive’s restriction settings, this does not automatically remove existing users or change a file’s sharing permissions. For example, assume a user outside the organization is added to a file. Then later on, a restriction is applied to the file's shared drive. In that case, the external user is not removed from the file. This means a user might regain access if restrictions are relaxed in the future.

Set the default access for all new shared drives

Admins can define the following options to restrict access to all new shared drives. See the G Suite Updates blog for more information.

Use the default sharing restrictions to restrict access to the content in all new shared drives. These settings must be actively enabled. 

 Define the default sharing restrictions

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenG Suiteand thenDrive and Docs.
  3. Select Sharing settings.
  4. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.

    You can select an organizational unit or group for this feature only if you have G Suite Enterprise, Business, Education, Nonprofits, or Drive Enterprise edition. (Compare G Suite editions.)

  5. Next to Shared drive creation, select the default restrictions for all new shared drives.
    • Prevent users in your organization from creating new shared drives
    • Prevent full-access members from modifying shared drive settings
    • Prevent people outside your organization from accessing files in the shared drive
    • Prevent non-members of the shared drive from accessing files in the shared drive
    • Prevent commenters and viewers from downloading, copying and printing files in the shared drive

Note: If Prevent full-access members from modifying the shared drive’s settings is not checked, full access members can override any of these default restrictions for individual shared drives.

Key things to remember

  • If a document is moved in to a shared drive with default sharing restrictions:
    • These default settings override any document-level sharing settings, which might result in some users losing access to documents. If members will lose access, a warning is displayed before the file is moved. 
    • The document’s protections still apply if the shared drive has less restrictive protections. 
  • If a document is moved out of the shared drive to My Drive within the same organization:
    • The document’s original sharing settings are used instead. This can result in users gaining or losing access.
    • Document-level restrictions always stay in place unless specifically changed or removed from the document. Shared drive restrictions only apply to documents when they are in the shared drive. 
  • Changes to these default restrictions do not affect existing shared drives:
    • If these default restrictions are changed, users are not removed from the shared drive or individual file permissions. 
    • If the shared drive restrictions are more restrictive than the file permissions, however, some users might lose access to the file. 
    • If the shared drive default restrictions are removed, some users might regain access.

Restrict access for an existing shared drive

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenG Suiteand thenDrive and Docs.
  3. Select Manage shared drives.
  4. Next to a shared drive, click Settings Settings
  5. Select Prevent full-access members from modifying shared drive settings to keep people from overriding the default settings for the shared drive.
  6. If full-access members can modify shared drive settings, click Edit to modify any of the following options: 
    • Sharing outside your organization—Allow or prevent external people from accessing files in the shared drive.
    • Sharing with non-members—Allow or prevent shared drive members from giving non-members access to files in the shared drive.
    • Download, copy, and print—Allow or prevent commenters and viewers from downloading, copying, and printing files in the shared drive.

Control sharing for your organization

Use the following settings to restrict sharing for your organization. These settings apply to all Drive files. For example, if your organization restricts sharing outside of the organization, shared drive content is also restricted.

Restrict users from moving content outside of your organization
 

This feature is available with G Suite Enterprise, Enterprise for Education, Drive Enterprise, Business, Education, and Nonprofits edition. Compare editions

You can control who can move files and folders outside of your organization in these situations:

  • Moving content from a shared drive in your organization to a shared drive owned by another organization
  • Moving content from a shared drive in your organization to someone’s My Drive in another organization
  • Moving content from someone’s My Drive in your organization to a shared drive owned by another organization
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenG Suiteand thenDrive and Docs.
  3. Click Sharing settings.
  4. Select the desired organizational unit or group

    Important: If you select a child organizational unit or group, this setting only controls moving content from someone’s My Drive to a shared drive in a different organization (for example, another business or school). Moving content from a shared drive to another organization is always controlled by the top-level organization setting. This is because shared drives are owned by the top-level organization.
     
  5. In Distributing content outside of your organization, select an option from the table below, then click Save.
     
    Option Description
    Anyone Anyone with Manager access to a shared drive can move files from that shared drive to a Drive location in a different organization. Learn about user access permissions.

    In addition, anyone in the selected organizational unit or group can copy content from their My Drive to a shared drive owned by a different organization (for example, another business, group, or school). Learn about migrating content to a shared drive.
     
    Only users in your organization Only people in your organization with Manager access to a shared drive can move files from that shared drive to a Drive location in a different organization.

    In addition, users in the selected organizational unit or group can copy content from their My Drive to a shared drive owned by a different organization.
     
    No one Files on a shared drive cannot be moved to a Drive location in a different organization.

    In addition, no one in the selected organizational unit or group can copy content from My Drive to a shared drive owned by a different organization.
     

It can take up to 24 hours to see changes. During this time, both old and new settings might be intermittently enforced.

Set file-sharing permissions

Set permissions for your organization

As an admin, you control if users can share files outside of your organization. See Set file-sharing permissions for your organization
Shared drives use the top-level organization settings. For example, if external sharing is disabled for a user's organizational unit but allowed at the top-level organization, the user can share documents in shared drives with people outside the company or school.
Admins can define additional restrictions for each organizational unit using the default settings for the creation of new shared drives. A shared drive’s restrictions can't be broader than the top-level organization’s restrictions. But you can use the default settings to further restrict access for shared drives created in specific organizational units.

Share all files and folders in a shared drive

Add members to a shared drive to grant access to files in the shared drive.

See Store and share files with shared drives for more information.

Share a specific file

Shared drive members can also share specific files with people who aren't members of the shared drive.

See Share files outside of shared drives for more information.

 

Was this helpful?
How can we improve it?