As a Workspace Manager, you have the possibility to audit the permissions and sharing of your workspace and of all of its subfolders.

To do so:

  • Start by selecting the folder you want to audit the permissions of,
  • Click on the Powertools action button,
  • And select the "Audit" option.



The permission auditing window opens with the file tree expanded up to the selected folder. This window is split into three sections:

  • The file tree
  • The permissions
  • The users and groups



File Tree


The file tree shows the folder structure of the Workspace. Folders can be expanded to display their subfolders.


An icon is displayed whenever one of those folders is shared with the whole company or publicly:

  •      Folder shared with the whole company through a link

  •    Folder shared with the whole company and findable through search

  •      Folder shared publicly through a link

  •     Folder shared publicly and findable through search



For each of those folders, you can hover it with your mouse and click on the  icon to select one of the options below:

  • Share company-wide or externally
    This option allows you to either enable sharing of the folder within the company or externally, through a link or through search, or to disable those sharing options.
    Note that enabling the sharing of a folder within the company or externally will automatically be inherited by the files contained in the folder and by all subfolders and their subfolders.
  • Push to the users Drive
    Pushes the root of the Workspace into the My Drive of all the users and groups currently having access. This option is available only at the root of the Workspace.



Permissions


The middle section of the window shows the matrix of users/groups and permissions they have on each folder in the expanded File Tree. 

By default, the list of users and groups displayed is the list of all users having access to at least one of the folders displayed in the File Tree section. The list can however be customised from the users and groups section.


For each combination of a user/group and a folder, you can hover it with your mouse and click on the  icon to select one of the options below:

  • Set as Reader
    Sets the user as Reader on the selected folder.
    Note that this permission will also be inherited by the files contained in the folder and by all subfolders and their subfolders. 

  • Set as Commenter
    Sets the user as Commenter on the selected folder.
    Note that this permission will also be inherited by the files contained in the folder and by all subfolders and their subfolders.

  • Set as Editor
    Sets the user as Editor on the selected folder.
    Note that this permission will also be inherited by the files contained in the folder and by all subfolders and their subfolders.

  • Revoke permissions
    Removes any permission of the user on the selected folder.
    Note that this change will also be inherited by the files contained in the folder and by all subfolders and their subfolders.

  • Push to the user's Drive
    Pushes the root of the Workspace into the My Drive of the selected user. This option is available only at the root of the Workspace.



Users & groups


This section displays by default the list of all users and groups having access to at least one of the folders displayed in the File Tree panel. Whenever folders are expanded in the file tree, this list is automatically populated with the users and groups having access to the newly displayed subfolders.


With this panel, you can control which users and groups to display in the "Permission" section by checking/unchecking them.


You can also add new users and groups by using the search bar at the top of the section, and remove them by clicking on the "X" next to their names. 




Understanding permissions inheritance in Drive


In order to properly use this permissions auditing feature, it is important to understand how permissions inheritance works in Google Drive. Indeed, the intent of this feature is not to change the behaviour of permissions within Google Drive but to provide a faster and easier option to manage them. When using this panel, permissions will thus inherit in Drive as they usually would if managed directly from Google Drive.


Standard permission inheritance

Whenever a permission is set on a folder, this permissions will by default automatically be inherited by:

  • all the files contained in this folder,
  • all the subfolders contained in this folders,
  • and thus all the files and folders contained in those subfolders,
  • and so on until the bottom of the chain is reached.


The same thing is true when a permission is revoked or changed, or when a folder is shared company-wide or publicly.



Break permission inheritance

It is possible in Drive to "break" the permission inheritance. To do so, all you have to do is change the permission set on a subfolder. 


For instance, if User 1 has access to Folder A and Subfolder B as Reader, changing their permission as "Editor" on the subfolder B will break the permission inheritance for this specific folder. If I revoke the permission of User 1 from Folder A, their permissions will NOT be revoked from subfolder B (but will be revoked from any other subfolder where the inheritance has been left untouched).

Once the permission inheritance is broken for a user, it cannot be restored. Setting back the permission of User 1 to "Reader" on the subfolder B would NOT restore the link.


This means that changing or revoking permissions of users and groups on any subfolder irremediably implies breaking the inheritance link for those specific users and on this specific subfolder.



Permission inheritance delays

Permissions usually inherit in Google Drive in a matter of seconds. However, in some cases - for instance when the folder structure contains several levels and a high number of documents - it can take several minutes or even hours to completely spread all the way into the folder structure

Our recommandation when auditing and changing permissions on large workspaces is thus to do it step by step: start by changing permissions on the highest level, then wait a few hours until you are confident the change has been inherited everywhere before proceeding to further changes.