Understanding Permissions
Learn how to analyze and interpret Drive permissions.
Permission Types
DriveAuditr shows four types of permissions:
User Permissions
Individual people with access to a file.
- Shows their email address and display name
- Most common type of permission
- Example: `john@example.com` has editor access
Group Permissions
Google Groups with access.
- Shows the group email (e.g., `sales@example.com`)
- All current group members inherit the permission; the audit lists the group, not its members, so review group membership separately
- Useful for team-wide access
Domain Permissions
Your entire organization has access.
- Shows the domain name (e.g., `example.com`)
- Anyone signed in with an account at this domain can access
- Common in enterprise environments
Anyone Permissions
Public access: anyone who has the link can open the file.
- No sign-in or Google account required
- Highest security risk; with a `writer` role, anyone with the link can also edit
- Should be reviewed carefully
Permission Roles
Each permission has a role defining what they can do:
Owner
- Full control of the file
- Can delete the file
- Can change sharing settings
- Can transfer ownership
Writer/Editor
- Can edit file contents
- Can comment and suggest
- Can share with others (if enabled)
- Cannot delete or transfer ownership
Commenter
- Can add comments
- Can view contents
- Cannot edit
- Cannot share
Reader/Viewer
- Can only view the file
- Cannot edit or comment
- Can still download, print, and copy unless the owner disables this for viewers and commenters
Security Analysis
Finding Public Files
Public files are the biggest security risk. Find them by filtering:
- Filter Permission Type = `anyone`
- Review each file:
  - Does it contain sensitive data?
  - Should it be public?
  - Can you restrict access?
Finding External Shares
Files shared with people outside your organization:
- Filter Permission Email for addresses whose domain is not one of your organization's domains
- Check Permission Domain for non-company domains (domain permissions have no email address)
- Review whether the external access is necessary
Finding Over-Privileged Access
Users with more access than needed:
- Filter Permission Role = `owner` or `writer` (Writer is shown as Editor in the Drive UI)
- Ask: Do they need edit access?
- Consider downgrading to `reader` (Viewer) if appropriate
Common Scenarios
Scenario 1: Finding Files Shared Outside Company
You work at acme.com and want to find files shared externally:
- Filter the Permission Email column
- Look for emails NOT ending in `@acme.com` (compare case-insensitively)
- Also check the Permission Domain column, since `domain` and `anyone` permissions have no email
- Review each external share
Scenario 2: Audit Files You Own
Find files you own and their sharing:
- Filter Owner = your email
- See all permissions on your files
- Remove unnecessary access
Scenario 3: Finding Public Documents
Find publicly accessible files:
- Filter Permission Type = `anyone`
- Check Permission Role (often `reader`; a `writer` role means anyone with the link can edit)
- Review if public access is intentional
Scenario 4: Group Access Review
See what files a group can access:
- Filter Permission Email = group email
- See all files the group has access to
- Review roles assigned to the group
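The three checks from the Security Analysis section and the four scenarios above can be run over a spreadsheet export in one pass instead of filtering column by column. The script below is an added example, not DriveAuditr's own code. It assumes the export is a flat CSV with one row per (file, permission) and the column names `File Name`, `File ID`, `Owner`, `Permission Type`, `Permission Email`, `Permission Domain` and `Permission Role`; the real export's column names may differ. The sample rows are constructed, not real data.

```python
"""Triage a DriveAuditr-style spreadsheet export for public, external and
over-privileged permissions.

Added example, not part of DriveAuditr. Column names are assumed; adjust
them to match your export.
"""
import csv
import io

INTERNAL_DOMAIN = "acme.com"  # the organisation used in the scenarios above

# Drive API role names, lowest privilege first. The Drive UI labels
# "writer" as Editor and "reader" as Viewer.
ROLE_RANK = {"reader": 1, "commenter": 2, "writer": 3, "owner": 4}
ROLE_ALIASES = {"viewer": "reader", "editor": "writer"}

# Constructed sample export (not real data); column names are assumed.
SAMPLE_CSV = """\
File Name,File ID,Owner,Permission Type,Permission Email,Permission Domain,Permission Role
Q3 Forecast,f1,alice@acme.com,user,alice@acme.com,acme.com,owner
Q3 Forecast,f1,alice@acme.com,user,Bob@Partner.io,partner.io,writer
Q3 Forecast,f1,alice@acme.com,anyone,,,reader
Onboarding Guide,f2,hr@acme.com,domain,,acme.com,reader
Onboarding Guide,f2,hr@acme.com,group,sales@acme.com,acme.com,commenter
Salary Bands,f3,carol@acme.com,user,carol@acme.com,acme.com,owner
Salary Bands,f3,carol@acme.com,user,dave@acme.com,acme.com,writer
Salary Bands,f3,carol@acme.com,anyone,,,writer
"""


def normalize_role(role):
    """Map UI labels (Editor/Viewer) onto the API role names used for ranking."""
    r = role.strip().lower()
    return ROLE_ALIASES.get(r, r)


def is_external(email, domain, internal_domain=INTERNAL_DOMAIN):
    """True when a grantee is outside the organisation.

    The email's domain takes precedence over the Permission Domain column;
    domain-type permissions have no email, so the column is used for them.
    Comparison is case-insensitive. Sub-domains (e.g. mail.acme.com) count
    as internal, on the assumption that the org controls its sub-domains.
    """
    if email and "@" in email:
        d = email.rsplit("@", 1)[1]
    else:
        d = domain or ""
    d = d.strip().lower()
    if not d:
        return False  # nothing to compare (e.g. an 'anyone' row)
    return not (d == internal_domain or d.endswith("." + internal_domain))


def triage(csv_text, internal_domain=INTERNAL_DOMAIN):
    """Run the three Security Analysis checks over an export.

    Returns a dict with three lists:
      public          -> (file id, role), highest-privilege public grants first
      external        -> (file id, type, grantee, role) for non-org grantees
      over_privileged -> (file id, type, grantee, role) for writer-or-above
                         grants to anyone other than the file's owner
    """
    public, external, over_priv = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        fid = row["File ID"]
        ptype = row["Permission Type"].strip().lower()
        role = normalize_role(row["Permission Role"])
        email = row["Permission Email"].strip()
        domain = row["Permission Domain"].strip()
        grantee = email or domain

        if ptype == "anyone":
            # No authentication required; worst case when the role is writer.
            public.append((fid, role))
            continue

        if is_external(email, domain, internal_domain):
            external.append((fid, ptype, grantee, role))

        # Writer or owner granted to someone other than the file's owner.
        # Domain and group grants have no email, so they never match the owner.
        is_owner_row = email.lower() == row["Owner"].strip().lower()
        if ROLE_RANK.get(role, 0) >= ROLE_RANK["writer"] and not is_owner_row:
            over_priv.append((fid, ptype, grantee, role))

    # Review public edit access before public read access.
    public.sort(key=lambda p: ROLE_RANK.get(p[1], 0), reverse=True)
    return {"public": public, "external": external, "over_privileged": over_priv}


if __name__ == "__main__":
    for category, rows in triage(SAMPLE_CSV).items():
        print(category)
        for r in rows:
            print("  ", r)
```

On the sample data this flags the `anyone`/`writer` grant on "Salary Bands" ahead of the public read grant on "Q3 Forecast", reports `Bob@Partner.io` as the one external share, and lists both non-owner writers for downgrade review. The group grant to `sales@acme.com` is not flagged, which is exactly the gap noted under Group Permissions: the export shows the group, not who is in it.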
Best Practices
Regular Audits
- Run audits at least monthly or quarterly
- Where possible, schedule audits to run weekly
- Review the results on a fixed cadence rather than ad hoc
Principle of Least Privilege
- Give minimum necessary access
- Prefer the lowest role that works: Viewer before Commenter, Commenter before Editor, Editor before Owner
- Remove access when no longer needed
Review External Sharing
- Limit external shares to named accounts that need them
- Prefer group permissions for team files; reserve domain permissions for content the whole organization should see
- Avoid public/anyone permissions for sensitive data
Document Ownership
- Ensure files have clear owners
- Transfer ownership when people leave
- Avoid orphaned files
Taking Action
After identifying issues:
- Remove Public Access: Remove the `anyone` permission and share with specific users or groups instead
- Revoke External Shares: Remove outside access if not needed
- Downgrade Permissions: Change editors to viewers if possible
- Transfer Ownership: For departing employees' files
Make changes directly in Google Drive, then run a new audit to verify.
Limitations
DriveAuditr is read-only. It:
- ✅ Shows you all permissions
- ✅ Helps identify issues
- ✅ Exports to spreadsheet
- ❌ Cannot automatically remove permissions
- ❌ Cannot change sharing settings
- ❌ Cannot enforce policies
You must make changes manually in Google Drive after reviewing the audit.