How to Audit Google Drive Access Permissions
If you've used Google Drive for more than a year, your sharing graph is almost certainly out of date. Files were shared with contractors who left. "Anyone with the link" was toggled on for a quick demo and never turned off. Folders inherited permissions you've long forgotten.
This guide walks through how to audit Google Drive access permissions — across My Drive, Shared Drives, and files shared with you — and produce a single spreadsheet you can filter, sort, and act on.
It uses DriveAuditr, a free Google Sheets template that does the heavy lifting. No payment, no subscription, no data leaves your Google account.
Why audit Google Drive permissions?
Most Drive accounts accumulate three categories of risk:
- External shares — files shared with people outside your domain who no longer need access (former contractors, ex-employees, vendors).
- Public links — files set to "Anyone with the link can view/edit," often forgotten after one-time sharing.
- Over-permissive folder inheritance — a sensitive document dropped into a broadly shared folder silently inherits that folder's access list.
Google Drive's native UI shows permissions one file at a time. To audit hundreds or thousands of files, you need a bulk export of every file's permissions into a spreadsheet — which is exactly what this guide produces.
What you'll need
- A Google account (personal Gmail or Workspace).
- The free DriveAuditr Google Sheets template — the link is emailed to you instantly.
- About 5 minutes of setup time. The audit itself runs in the background and may take longer for large Drives (10,000+ files).
Step 1: Get the audit template
Open the DriveAuditr template page and enter your email. You'll receive a link to a Google Sheet.
Click "Make a copy" to copy the template into your own Google Drive. Everything runs from your copy — your data never leaves your account.
Step 2: Run the audit
Open your copy of the template. A new menu called "Drive Audit" appears in the menu bar (next to Help). Click:
Drive Audit → Run Audit Now
The first time you run it, Google will ask for read-only Drive permission so the script can list your files. The script is open source — you can review the code on GitHub before authorizing.
Step 3: Wait for it to finish
The audit walks every file you have access to and writes one row per permission into the spreadsheet. Each row contains:
| Column | What it tells you |
|---|---|
| File name | The file's title |
| File ID | Stable identifier (useful for scripting) |
| Owner | Who owns the file |
| File type / MIME | Doc, Sheet, Slide, Folder, etc. |
| Created / Modified | When the file was created and last touched |
| File size | In bytes |
| Direct URL | Open the file in one click |
| Permission type | user, group, domain, or anyone |
| Role | owner, writer, commenter, reader |
| Email / Domain | Who has access |
| Display name | Friendly name where available |
Small accounts (under 500 files) finish in a few minutes. Larger accounts (10,000+ files) run in batches and can take several hours — that's normal, due to Google Apps Script's 6-minute execution cap. The "Audit Status" tab tells you where it's at.
Step 4: Filter for the things that matter
Once the audit is done, turn the result into a triage list. Apply a Google Sheets filter and look for:
- Permission type = anyone → Files shared via public link. These are the highest-risk rows.
- Email domain ≠ your company domain → External shares. Sort by email to spot ex-contractors and old vendors.
- Role = writer → Editors. Anyone who can change the file.
- Modified date > 1 year ago with external access → Stale shares on dormant files. Often safe to revoke.
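The Step 4 filters expressed as code, as an added example that is not part of DriveAuditr or the original guide. The row field names, `COMPANY_DOMAIN`, the flag names and the sample rows are assumptions made for illustration; map them to the columns in your own sheet.

```javascript
// Added example: the Step 4 triage rules applied to audit rows.
// Field names and COMPANY_DOMAIN are assumptions, not DriveAuditr's schema.
const COMPANY_DOMAIN = "example.com"; // assumption: replace with your own domain
const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;

// Domain part of an email, or the value itself for domain-type rows.
function domainOf(emailOrDomain) {
  const value = String(emailOrDomain || "").trim().toLowerCase();
  const at = value.lastIndexOf("@");
  return at === -1 ? value : value.slice(at + 1);
}

// Returns the Step 4 flags that apply to one permission row.
function triageRow(row, now) {
  const flags = [];
  const isPublic = String(row.permissionType).toLowerCase() === "anyone";
  // "anyone" rows carry no email, so only other row types are domain-checked.
  const isExternal = !isPublic && domainOf(row.emailOrDomain) !== COMPANY_DOMAIN;
  if (isPublic) flags.push("PUBLIC_LINK");
  if (isExternal) flags.push("EXTERNAL");
  if (String(row.role).toLowerCase() === "writer") flags.push("EDITOR");
  // Public links are counted as external access here (an interpretation).
  const ageMs = now.getTime() - new Date(row.modified).getTime();
  if ((isPublic || isExternal) && ageMs > ONE_YEAR_MS) flags.push("STALE_EXTERNAL");
  return flags;
}

// Ranks flagged rows: public links first, then external editors, then the rest.
function buildTriageList(rows, now) {
  const weight = (f) =>
    f.includes("PUBLIC_LINK") ? 0 : f.includes("EXTERNAL") && f.includes("EDITOR") ? 1 : 2;
  return rows
    .map((r) => ({ file: r.fileName, who: r.emailOrDomain || "anyone", flags: triageRow(r, now) }))
    .filter((r) => r.flags.length > 0)
    .sort((a, b) => weight(a.flags) - weight(b.flags));
}

// Constructed sample rows (not real audit output).
const SAMPLE_ROWS = [
  { fileName: "Roadmap", permissionType: "user", role: "reader", emailOrDomain: "ana@example.com", modified: "2025-01-10" },
  { fileName: "Pricing", permissionType: "user", role: "writer", emailOrDomain: "old.vendor@gmail.com", modified: "2022-03-01" },
  { fileName: "Demo deck", permissionType: "anyone", role: "reader", emailOrDomain: "", modified: "2024-11-20" },
];

console.log(buildTriageList(SAMPLE_ROWS, new Date("2025-02-01")));
```

Internal writers are flagged `EDITOR` on their own and sort last, so they stay visible without crowding out public and external rows.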
Step 5: Schedule a recurring audit
Permissions drift. Re-run the audit monthly (or weekly for sensitive accounts) using:
Drive Audit → Setup Weekly Schedule
This installs a time-based Apps Script trigger that re-runs the audit and refreshes the sheet automatically. You can layer a Google Sheets conditional format on top so anything new and risky stands out.
What "good" looks like after auditing
After your first audit, expect to:
- Revoke 10–30% of external shares (most are stale).
- Find at least one or two "Anyone with the link" files you forgot about.
- Discover a few documents shared with personal email addresses instead of company ones.
- Identify dormant Shared Drives that can be archived.
Limitations to know about
- Google Drive permissions are eventually consistent — a permission revoked in the UI may still appear in an audit run minutes later.
- The script only sees files you have access to. To audit a Workspace tenant in full, run it from a super-admin account that has been granted access to all Shared Drives.
- "Published to web" (File → Share → Publish to web) is a different mechanism than link-sharing and isn't surfaced through the Drive permissions API. Check it manually for highly sensitive content.
Next steps
- See who has access to every Google Drive file you own
- Find publicly shared Google Drive files
- Google Drive security audit checklist
Have questions or want a specific scenario covered? Email driveauditr@terrydjony.com.