Well, we finally moved from using shared folders to Shared Drives adding a whole new level of permissions confusion. We have a few goals:
- Only allow a small number of users to share externally (before any one could)
- Have a dedicated External shared drive where we could keep track of it all
- Reorganize our many random Shared Drives into something sensible with useful permissions.
This turned out to be quite a bit harder than you think. So here’s the missing conceptual manual of what is going on.
Shared Drives Need to Be Created Out of the Admin Console with Groups and Organization Unit
In the old days, you just create one quickly, but now you have to start with Admin > Directory > Groups so that you can create a group that is all that you can use.
Then orthogonal to Groups is the idea of Organization Units so you will have your complete org and create a separate sub organization called External Allowed or say Sales if you want all sales people external access for example.
Then you have to put users into each of these Organization Units, which you do in an unintuitive way by going to Admin > Directory > Users and then selecting as many users as you want and then More options > Change organizational unit
Now you set the permissions for shared drives in yet another place Admin > Apps > Google Workspace > Drive and Docs > Shared Settings and this leads you to a strange picker, on the left are the organizational units and on the right are the permissions that members of the unit have.
So the first thing in Sharing options turn Sharing outside of tne.ai and turn this off and you can read the rest. Then on the left click on External Allowed and enable this.
OK, the preliminaries are done, so now it is time to create the Shared Drives. YOu probably want to disable random shared drive creation in the above because otherwise you end up with lots of random one.
Create Shared Drives, Set Permissions and add members
Now you have to do this on the Web, the Google Drive local applications do not do this. YOu must to an administration to do this by right click on Shared Drives in the menu and choosing new.
Now you set the Shared Drive settings and make sure Allow people outside of tne.ai to access files is off for everything but the external drives.
Now choose Manage Members and you can pick what people can do. I would normally like to make only admins Managers and then everyone else a Content manager except for one “feature” or bug.
The Content Managers cannot move files outside of a Shared Drive. This makes some sense because the point is to limit what’s in a Shared Drive just to folks who can access it. But if you have this External drive, then you do need to move (since there is no Save As in Google land). So that means you basically need to make everyone a Manager and not a Content Manager.
Otherwise, the Move dialog shows grey for everything except the Shared Drive inwhich the file lives
Make sure in the External Shared Drive, you set folder permissions
The other tricky thing is that in the External Shared Drive, you will want to create folders for each external user, but when you do this, you have to set the permissions on *every* new folder to make sure they allow external sharing.
This is a security thing but confusing, it means that to really share, you have to be on an Shared Drive to those permissions and the folder in which the content lives also need to be set appropriately. Again, this can only be done in the Google Drive web application.
Note that you can use Groups as management members, so that’s why you should create the groups above. Note that you can’t do this with Organizational Units, so you need to have both groups and organizational units (even though they may duplicate, that is rich@tne.ai needs to be in both the Sales Groups and the Sales Organizational Unit. Confused yet?
How do you create a new folder, you have to do it in the web application and then right click on it,
Deleted Shared Drives Only in the Google Workspace Console
With Shared Drives, deleting them is hard, you have to go to the Workspace console and do it in Google Workspace > Drive and Docs > Managed Shared Drives and this again causes a big context switch
Making a Folder Available to Anyone with a Link
Create a folder in the Shared Drive with the Web application. Then right click and choose Share and then at the bottom click “Anyone with Link” and typically you want “Viewer Rights
Leave a Reply