Google Shared Drives are one of the most powerful tools in Google Workspace — and one of the most commonly misconfigured. The problem isn't that they're complicated. It's that permissions accumulate silently over time. Someone joins, gets access to everything. A freelancer is added for a project, never removed. An external sharing link gets created for convenience and forgotten. And nobody ever goes back to review who can see what.
This article covers how Google Shared Drive permissions actually work, the most common mistakes, and how to audit and tighten your access in a systematic way.
How Shared Drive permissions work
Shared Drives differ from My Drive in one important way: files belong to the drive, not to an individual. This means when someone leaves and their account is deleted, their files aren't lost — they stay in the Shared Drive. This is a significant advantage for business continuity.
Access to a Shared Drive is controlled by membership roles. There are five:
- Viewer: Can see files but not edit or download.
- Commenter: Can view and add comments but not edit.
- Contributor: Can view, edit, add files, and organise content. Cannot manage drive settings or membership.
- Content Manager: Can do everything a Contributor can, plus move content and manage sub-folders.
- Manager: Full control — can change settings, manage members, and delete the drive.
For most employees, Contributor is the right level. Content Manager is appropriate for team leads who need to restructure content. Manager should be limited to one or two admins only.
"Most businesses have every employee as a Manager on every Shared Drive. That means anyone can add external members, change the drive's settings, or delete folders permanently."
The three most common mistakes
Everyone is a Manager
When a Shared Drive is created, the creator is a Manager by default. Most businesses then add other team members as Managers too — it's the easiest option and avoids any complaints about not being able to do something. The result is that every employee can add external users to the drive, change sharing settings, and delete content permanently.
External sharing is on by default
Under each Shared Drive's settings, there's an option to allow external people to be added as members. In many configurations, this is on. It means any team member with Contributor access or above can add a person outside your organisation to the drive — with no admin approval or audit trail beyond the activity log.
Right-click on a Shared Drive → Manage members → Shared Drive settings. Review the sharing permissions. For most businesses: external members should require admin approval. "Anyone with a link can access content in this drive" should be off unless you have a specific reason for it.
Former team members and contractors still have access
This is the most common data governance failure. A contractor finishes a project. Their Workspace account might be deleted — but if they were added as an external member to a Shared Drive, that access persists independently of their Workspace account. Their personal Gmail can still access the files.
Go to each Shared Drive → Manage members. Look for anyone listed with an external email address (not your domain). For each one, ask: do they still need this access? If in doubt, remove. They can always be re-added if needed — but you can't un-read something they've already seen.
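The membership review described in the three mistakes above, as an added example script that is not part of the article or of GetBulwark's tooling. It runs over constructed records in the shape of Google Drive API v3 `permissions.list()` results for a shared drive (type, role, emailAddress, domain); the drive names, addresses and the internal domain `example.com` are assumptions, and nothing here calls the API.

```python
# Membership audit for the three mistakes above. SAMPLE_DRIVES is constructed
# data in the shape of Google Drive API v3 permissions.list() results for a
# shared drive (fields: type, role, emailAddress, domain); nothing calls the API.
# Drive API role names map to the article's UI roles as in UI_ROLE below.
UI_ROLE = {"organizer": "Manager", "fileOrganizer": "Content Manager",
           "writer": "Contributor", "commenter": "Commenter", "reader": "Viewer"}

def audit_drive(name, permissions, internal_domain, max_managers=2):
    """Return finding strings for one shared drive (empty list = clean)."""
    findings = []
    managers = sorted(p["emailAddress"] for p in permissions
                      if p.get("role") == "organizer")
    if len(managers) > max_managers:  # mistake 1: everyone is a Manager
        findings.append(f"{name}: {len(managers)} Managers (limit "
                        f"{max_managers}): {', '.join(managers)}")
    for p in permissions:
        role = UI_ROLE.get(p.get("role"), p.get("role"))
        if p.get("type") == "anyone":  # mistake 2: link sharing left on
            findings.append(f"{name}: 'anyone with the link' has {role} access")
        elif p.get("type") == "domain" and p.get("domain") != internal_domain:
            findings.append(f"{name}: whole domain {p['domain']} has {role} access")
        elif p.get("type") in ("user", "group"):  # mistake 3: external members
            email = p.get("emailAddress", "").lower()
            if email.rsplit("@", 1)[-1] != internal_domain:
                findings.append(f"{name}: external member {email} is {role}")
    return findings

def audit_all(drives, internal_domain, max_managers=2):
    """Map every drive name to its findings; clean drives map to []."""
    return {n: audit_drive(n, perms, internal_domain, max_managers)
            for n, perms in drives.items()}

# Constructed sample: one clean drive and one showing all three mistakes.
SAMPLE_DRIVES = {
    "HR": [{"type": "user", "role": "organizer", "emailAddress": "ceo@example.com"},
           {"type": "user", "role": "reader", "emailAddress": "hr@example.com"}],
    "Client Work": [
        {"type": "user", "role": "organizer", "emailAddress": "ceo@example.com"},
        {"type": "user", "role": "organizer", "emailAddress": "alice@example.com"},
        {"type": "user", "role": "organizer", "emailAddress": "bob@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "Freelancer@gmail.com"},
        {"type": "anyone", "role": "reader"},
    ],
}

if __name__ == "__main__":
    for drive, findings in audit_all(SAMPLE_DRIVES, "example.com").items():
        print(drive, "->", findings or "no findings")
```

To run it against real drives, feed each drive's `permissions.list(fileId=<driveId>, supportsAllDrives=True)` page into `audit_drive` and keep the quarterly report so membership drift is visible over time.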
The right structure for most small businesses
A sensible Shared Drive structure for a 5–30 person business typically has three to five drives, each with clearly defined membership:
- All Staff: Policies, handbooks, shared templates. All employees as Contributors. No external access.
- Operations/Finance: Invoices, contracts, financial records. Limited membership — only those who need it. No external access.
- Client Work: One sub-folder per client. Team members who work on those clients only. External access disabled at drive level — use individual file sharing for client deliverables.
- HR/People: Contracts, reviews, sensitive employee records. Restricted to founders/senior management. Never shared externally.
The principle throughout: people get access to what they need for their role, and nothing more. Review membership quarterly, and make leavers a mandatory trigger for an access review.
One Admin Console setting that controls everything
In the Admin Console under Apps → Google Workspace → Drive and Docs → Sharing settings, you can control whether users can share files outside your organisation, and whether "anyone with the link" sharing is permitted. These settings apply organisation-wide and set the ceiling for what individual Shared Drive settings can allow.
For most small businesses handling client data, the right configuration is: external sharing restricted to specific approved domains, with link sharing limited to people within your organisation. Individual exceptions can be made for specific drives where external collaboration is genuinely needed.
If you're not sure what your current org-wide settings are, this is one of the things checked in a full security audit. It's consistently one of the top findings — and one of the easiest to fix.