Why and how to check permissions before moving a folder to a Shared Drive

Permission model in My Drive and Shared Drives are different

In My Drive, permissions can be restrictive. This is not the case with Shared Drives, where permissions are strictly expansive.

In My Drive you can completely revoke someone’s access to a specific folder and all of its descendants, like depicted in the picture opposite:

In Shared Drive, if someone is a member of the Shared Drive, he will have access to its entire content. Same if someone has access only to a folder, he will necessarily have access to all of its content below. 

The same applies to access levels.

The picture opposite is an example in My Drive. The user has access to the root folder as a Commenter. His access level has been increased to Editor on two subfolders, unchanged on one, and decreased to Viewer on another one. This last configuration cannot be reproduced in a Shared Drive.

To sum up: 

In Shared Drive you can only increase the level of permission on a specific file or folder.

Managers can also allow people that are not Shared Drive members (Guests) to access specific files or folders.

Attention point: by doing so, Guests will be able to grant permissions to the files shared with them if you grant them Content Manager or Contributor access and if the Shared Drive settings allow it. 

Folgo is perfect to scan any folder and report all permissions changes between a given folder and its content.

Use Folgo’s “Inspection” feature to check how permissions are inherited in your folder

When you run an inspection on a folder, you can select the option“List files permissions”. 

With this option activated, Folgo will allow you to identify files and folders that have different permissions from their parent.

You will get a full report in Google Sheet (sent by email at the end of the inspection), with the list of all files and folders inventoried and a specific column named “Permission changes from parent” where you will see when a specific file has different permissions from its direct parent folder 

This column has 4 possible values : 

• HAS_INCREASED_PERMISSIONS: when a higher access has been given compared to its parent folder : someone has been added or someone's access has been increased (e.g. : from viewer to editor)
• HAS_REDUCED_PERMISSIONS: when someone’s access has been revoked or decreased (e.g.: from editor to commenter) compared to its parent folder
• HAS_DIFFERENT_PERMISSIONS: when you have the two previous cases at the same time : some permissions have been increased while others have been decreased. (e.g.: user A’s rights changed from editor to commenter while user B’s rights changed from viewer to editor)
• NO_CHANGE: when the item has the exact same permissions as its parent folder.

Example

Below is an example of the different situations you might find yourself in: 

I am the owner of a folder named “Accounting documents”, located in My Drive. I want to transfer it to a new Shared Drive dedicated to accounting. I choose to run an Inspection before, so I can analyze all the permissions given to the items it contains.

The root folder “Accounting documents” is shared with all the employees and has 4 subfolders: 

• “Knowledge base” which contains many information for the employees about compensation and benefits
• “Payslips” which contains all the payslips of all the employees from the beginning of the financial year
• “Balance sheets - CONFIDENTIAL” which contains sensitive information about the economic health of the company
• “Templates for expenses claims” which contains several documents and presentations to guide employees and external partners in their reimbursement procedures

Below is the report sent by Folgo after the inspection:

• The folder “Templates for expenses claims” is shared with all the employees but also with some external partners. It is flagged as “HAS_INCREASED_PERMISSIONS” since it has been shared with additional people compared to its parent folder. The move to the Shared Drive won’t change anything since the permissions have only increased. 

All of its content below is flagged as “NO_CHANGE” because no permissions modification has been made on them. 

• Due to its sensitive nature, the folder “Balance sheets” is not shared with any employee but it has been shared with the accountant, who works for another company. Since some rights have been increased and others have been decreased, the folder is flagged as “HAS_DIFFERENT_PERMISSIONS”. This is going to be a problem during the move and I should definitely reconsider my “Accounting documents” folder’s organization before moving the folder if I don’t want sensitive data to be accessible by the wrong people.
• The folder “Payslips” has the same permissions as its parent folder too, which is why it is marked as “NO_CHANGE”. However, each document in this subfolder is only shared with the person concerned. Therefore, they are labeled as “HAS_REDUCED_PERMISSIONS” and just like the previous case, this access restriction won’t be replicated in the Shared Drive. If I resume the move without making any change, all the employees will have access to every single document in the folder.

As you can see on the picture below, Folgo warns you directly in the report mail when you have reduced permissions in your folder.

• Finally, the folder “Knowledge base” is shared with the same accounts as the root folder “Accounting documents”, that is, all the employees. It is flagged as “NO_CHANGE” because there are no modifications in the permissions inherited by the root folder.

Now you know how to use Folgo at its full potential by combining the “Move to Shared Drive” feature to the “Inspection” !