Understanding inherited permissions in Google Drive

Written by Niek Waarbroek
Updated over 9 months ago

Inherited permissions in Google Drive simplify file and folder management by automatically granting users the same access level they have to a parent folder. This means if a folder is shared with a user as a "Viewer," they'll automatically have "Viewer" access to all files and subfolders within that folder.

Key differences between My Drive and Shared Drives

My Drive:

  • Permissions are inherited from the top down. When you grant someone access to a folder in My Drive, they automatically receive the same permissions for all files and subfolders within that folder.

  • These inherited permissions can be overridden for individual files or subfolders, allowing you to restrict or expand access as needed.

Shared Drives:

  • Permissions are also inherited from the top down, but inherited permissions cannot be removed or customized for individual files or subfolders within the shared drive.

  • To change access, you must adjust permissions at the parent folder level. If someone has access to a folder, they automatically have access to all the files within it, and you cannot selectively remove their access to specific files or subfolders.

Examples

My Drive

  • You share a folder named "Project X" with John as an Editor.

  • Inside "Project X" are two subfolders, "Documents" and "Images."

  • John automatically inherits Editor access to both "Documents" and "Images" and all files within them.

  • You can now remove his access to the subfolder "Documents", and downgrade his permissions for the subfolder "Images" to Viewer.

  • If new files and subfolders get added to the "Project X" folder in the future, John will automatically get Editor access to them, unless you remove or change it.

Shared Drive

  • You share a folder named "Marketing Materials" with Sarah as a Viewer within a shared drive.

  • Inside "Marketing Materials" is a subfolder named "Campaign A."

  • Sarah automatically inherits Viewer access to "Campaign A" and all its contents.

  • You can upgrade Sarah to Editor for the subfolder "Campaign A". Downgrading permissions can only be done at the parent level.

  • If you want to remove Sarah's access to the "Campaign A" subfolder, you need to remove her permissions on the "Marketing Materials" folder.

Migration between shared drives and My Drive

  • When moving files between My Drive and a shared drive, inherited permissions may not transfer perfectly. It's essential to review and adjust permissions after moving files.

Best practices

  • Plan your folder structure: A well-organized folder structure is key to efficient permission management. Think about how you want to group files and who needs access to what.

  • Principle of Least Privilege: Grant only the necessary level of access (Viewer, Commenter, Editor) to each user. Avoid oversharing by default.

  • Shared Drives for collaboration: Use shared drives for collaborative projects where multiple users need consistent access to files.

  • Review permissions regularly: Periodically audit your shared files and folders to ensure the correct users have the appropriate access levels.

  • Stay informed: Keep up-to-date with Google Drive's updates and changes to permission settings to avoid unexpected behavior.

  • External sharing oversights: Think carefully when sharing files externally. Consider setting an expiration date or disabling downloads to keep your data safe and sound.

  • Ownership change complications: When someone leaves your organization or a project, make sure the ownership of important files and folders is passed on to the right person to avoid access headaches.

By understanding how inherited permissions work and following best practices, you can effectively manage access to your Google Drive content and maintain control over your data.

Audit and manage inherited permissions

In shared drives

Inherited permissions have a significant impact in shared drives. If an unauthorized user gains access at the shared drive level, they can view all documents and folders within it, including sensitive information.

Given that many businesses store their most confidential data in shared drives, incorporating regular audits into your security processes is essential.

However, auditing shared drive permissions in Google Drive presents a challenge: the Google Admin Console lacks an efficient way to perform this task.

Luckily, Florbs can help: it provides you with a complete overview of all shared drives in your organization, with their access permissions. It also allows you to manage or remove access on the shared drive level.

For individual files

How can I detect inherited permissions in Florbs? Florbs provides details about inherited permissions and their origins. To view this information, open the File Details within Audit files and look at the Users and groups with access section. You'll find a column named Inherited access. If the permission is inherited, this column will show the location from which it originates. See the screenshot below for an example. In this case, the origin is a shared drive; you can click on the shared drive to remove the permission from the Shared Drive details view.

The origin can also be a folder; in that case, you will be guided to the folder's details view.

For many files in bulk

When removing access permissions in bulk, inherited permissions require extra caution, especially when removing access based on "Last modified", "Created", and "Last Opened" dates.

For example, suppose you want to remove external access from files that were created more than a year ago. A potential issue arises if a folder itself was created more than a year ago, but its contents are newer. If you include that folder in your bulk action, users with access at the folder level will lose access to all files within it. To avoid this, consider removing folders from the bulk action or automated policy.

When executing a bulk file management task or implementing an automated policy in Florbs, we recommend using Impact Analyzer to identify any files that may not be affected by the changes due to inherited permissions.
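
The two effects described above can be reproduced with a small offline model. This is an added example, not Florbs code and not how Impact Analyzer is implemented; the tree, the user address, the cutoff date and the function names are all constructed, and the model assumes a bulk action strips only the grants set directly on each selected item.

```python
from datetime import date

EXT = "sarah@partner.example"  # constructed external user

# Constructed tree: each item has a parent, a creation date, and the
# external users granted access directly on it (not via inheritance).
ITEMS = {
    "Campaigns": {"parent": None, "folder": True,
                  "created": date(2022, 3, 1), "direct": {EXT}},
    "brief-2022": {"parent": "Campaigns", "folder": False,
                   "created": date(2022, 4, 1), "direct": set()},
    "brief-2025": {"parent": "Campaigns", "folder": False,
                   "created": date(2025, 2, 1), "direct": set()},
    "old-contract": {"parent": None, "folder": False,
                     "created": date(2021, 1, 1), "direct": {EXT}},
}

def effective(items, item_id, stripped=frozenset()):
    """Direct grants on the item plus grants inherited from every ancestor.
    Items in `stripped` have had their direct external grants removed."""
    users, node = set(), item_id
    while node is not None:
        if node not in stripped:
            users |= items[node]["direct"]
        node = items[node]["parent"]
    return users

def analyze(items, cutoff, include_folders):
    """Simulate 'remove external access from items created before cutoff'."""
    selected = {i for i, it in items.items()
                if it["created"] < cutoff and (include_folders or not it["folder"])}
    collateral, still_shared = {}, {}
    for i in items:
        before, after = effective(items, i), effective(items, i, selected)
        if i not in selected and before - after:
            collateral[i] = before - after  # newer item lost access via an old folder
        if i in selected and after:
            still_shared[i] = after         # selected, but access survives via a parent
    return collateral, still_shared

if __name__ == "__main__":
    for flag in (True, False):
        print("include_folders =", flag, analyze(ITEMS, date(2024, 6, 1), flag))
```

With folders included, the newer file "brief-2025" loses access as a side effect; with folders excluded, the older file "brief-2022" is selected but remains shared through its parent folder.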
