In our last post, we told you everything we know about Shared Drives – their sharing structure, their security settings, their pros, their cons. In other words, we threw a lot of stuff at you. If, after all that, you're wondering where to begin, let us walk you through a focused use case – how to set up a Google Shared Drive to manage files and documents for an existing organization.
Enable Shared Drives
We're starting with the easy stuff! If your Google Workspace edition supports Shared Drives, this is as simple as going to Apps > Google Workspace > Drive and Docs in the Admin Console, finding Shared Drive Creation under Sharing Settings, and unchecking the Prevent users in your organization from creating new shared drives checkbox.
Establish a folder structure
At a high level, the smartest way to organize files in a Google Workspace is in a way that mirrors the structure of your IRL workspace – bucketed into top-level folders for each team or department within your organization.
From there, specific needs may vary by department: maybe your product team’s files will be organized by quarter or project while your HR team’s files will be organized by document type. There’s some room for variation among teams so long as the resulting file structure remains intelligible and intuitive for anyone with access to a given departmental subfolder.
Establish a permission structure
Access – there’s a key concept to keep in mind. If you’re not familiar with the way Shared Drives work, you might assume that permissions are as simple as restricting members of a department to their own team folder and allowing them to request access to other files as needed. Unfortunately, it’s a little more complicated than that. Let’s take another look at the five levels of Shared Drive access:
- Viewer – Can view but can’t change or share files.
- Commenter – Can make comments and suggestions but can’t change or share files.
- Contributor – Can view, edit, create, share, and restore files from Trash.
- Content Manager – Can view, edit, create, share, restore, and move files to Trash.
- Manager – Can view, edit, create, share, restore, and move files to Trash; can edit shared drive. Can edit membership, can permanently delete files, can delete the shared drive.
A user’s permission levels can vary by folder, but they can only build on the base level of permissions they have as a member of the Shared Drive. That means that a user with Content Manager permissions can’t be restricted to Viewer level in a specific drive – perhaps more importantly, it means that members of a Shared Drive have, at a minimum, read access to everything in that Shared Drive.
Think about what that means for your folder structure: it may be okay for a member of the Finance team to have read-only access to documents and files in the Development team’s folder, but you might not want everyone on the Development team to be able to read everything in the Finance folder. For many organizations, this will mean devoting separate Shared Drives to teams that handle sensitive information, like Finance and HR.
With that major consideration out of the way, you can start thinking about two other key file security questions:
- What is your base level of access? By default, members of a shared drive are assigned the Content Manager permission set. This is reasonable if you’re using a Shared Drive for a personal project or a very small organization, but if more than a handful of people have access to the Drive, you probably don’t want them all to be able to share every file they can touch, let alone move them to the Trash. Luckily, Google allows you to fine-tune Shared Drive access levels, allowing you to do everything from restricting non-admin access to the read-only Viewer level to granting everyone in your org the omnipotent can-do-everything-including-deleting-the-Drive Manager level (you definitely don’t want to do this…but you could).
- How many levels of access do you need? There's no one-size-fits-all answer to this question – it depends on the size of your organization, the sensitivity of yo
ur files, and how granular you want to get when it comes to security. Do you want to have a different level of access for everyone from a first-day intern all the way up to the CEO? Do you just want to do one level of security for base-level employees and one for managers? Do you want to give every member of the Shared Drive Manager permissions? (Again, you shouldn't do this. But you could.) It's up to you.
Set up Google Groups
Let's say that Sydney, the head of Marvelpoint's Product team, has Content Manager permissions for the Product folder, but is restricted to Commenter permissions for the Development and Design folders, and is limited to Viewer status everywhere else – how do you keep track of an entire organization full of individualized permission sets like this? Do you have to run through every subfolder in your Shared Drive adding specific sharing permissions every time a new person joins your organization? Nah – that's where Google Groups come in handy.
Google Drive allows you to add individual users as members of a Shared Drive, but it also allows you to add entire Google Groups as members of a Shared Drive, creating a powerful tool for managing Shared Drive permissions. Let’s take a look at the above scenario – how can we recreate Sydney's various levels of individual file access with Groups?
- First, we'll need to create three different Google Groups within the Marvelpoint Workspace – one general Team Group for everyone in the organization, one Product Group for everyone on the Product team, and one Product Leads Group for, well, Product leads. We'll add Sydney to all three Groups.
- Next, we'll assign the Team Group the lowest-level Viewer access for the entire Shared Drive. This allows everyone in the organization read-only access to everything in the Drive.
- After that, we'll give the Product Group Commenter permissions for the folders of teams they collaborate closely with, like Development and Design, and Contributor permissions for their own Product folder.
- Finally, we'll give the Product Leads Group higher-level Content Manager permissions for the Product folder.
This is a little bit of work up front, but it's worth it to build out a scalable role-based system like this. When members of your team change departments or move up in your organization, simply add them to the appropriate Groups and their Shared Drive permissions will be handled for you. In larger organizations, this can be managed automatically with dynamic groups that update their membership based on a set query of your Workspace's users.
Share & Collaborate with External Users
So you've got things set for your organization – but what happens when you want to collaborate with someone outside the Shared Drive? Remember, members of a Shared Drive have read access to everything in that Drive, so you probably don't want to extend full membership to a contractor or a client.
Luckily, it's possible to grant access to a single file or folder within a Shared Drive. If you'd like to share a Shared Drive file with an external user or anyone with the link, you'll need Contributor access or above to the file in question. You'll be able to assign Viewer, Commenter, or Editor permissions to the file, which can be changed or retracted at any time.
If you'd like to share a Shared Drive folder with an individual or group, you'll need Manager access, and you'll have the option to assign Viewer, Commenter, Contributor, or Content Manager permissions to the folder. This can be a useful option for collaborating with contractors or clients who need to work closely with you on a single project.
If all of this is making you a little nervous, don't worry – Google Workspace admins have a lot of power to lock down the content of a Shared Drive. In the Admin Console, you have the ability to prevent Shared Drive users from sharing files or adding external members as users, to prevent lowly Viewers and Commenters from downloading, copying, or printing files in Shared Drives, and to prevent users from sharing files outside of your organization altogether.
When the latter restriction is turned on for your Workspace, if a member of your team attempts to share a file with an external user, they will receive an error message informing them that this information can only be shared within your organization's Google Workspace apps.
Okay – so we threw a lot of stuff at you again. Whether you implement everything in this setup guide in one go, or pick and choose from the lessons shared here, we hope we've made the process of implementing Google Shared Drives for your organization a little simpler.
Of course, we're a Salesforce company, so it's time to talk…Salesforce. Drive Connect is the easiest way to integrate any kind of Google Drive file structure with a Salesforce workflow, and in our next post in this series, we'll show you how to set up a Shared Drive for maximum Salesforce compatibility. We'll see you next week for more on that – until then, why not get started with Drive Connect for free?