Best Practice for getting all Externally Shared Files in our Domain


Harry Phillips

Apr 4, 2024, 8:57:41 AM
to GAM for Google Workspace
Hi All,

I'm sorry, but this has probably been asked several times before. I'm fairly naive when it comes to combining Python Scripts and GAM, but I have been tasked to audit (and delete) all files shared with part of the business we have divested.

I've started looking at the GetSharedExternallyDriveACLs.py script and GAM Commands within this and have a good grasp - I'm able to pull the data I need for one user and manipulate/delete this accordingly. 

However, the issue comes when shifting to multiprocessing and trying to pull data for all users. Running this command on my local machine is not feasible (for both memory consumption and the time required). I've launched GAM on a VM with a huge amount of RAM, but then time becomes a factor.

I'm curious how other people perform these types of exports. What's the best practice? If anyone has a bit of time to chat through this topic, I'd appreciate it.

Number of Users in Domain: ~ 15000
GAM Command I'm using: gam config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess all users print filelist fields id,name,permissions,owners.emailaddress,mimetype <pm clauses> pmfilter

Thanks in advance,
Harry


Ross Scroggs

Apr 4, 2024, 11:57:02 AM
to google-ap...@googlegroups.com
Harry,

If doing all 15000 users at once is too much, you could do 15 commands of 1000 users each.

Send me a Meet/Zoom invitation to discuss.

Ross
----
Ross Scroggs



--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/05a991e6-a436-49bf-a050-ab8672e07df4n%40googlegroups.com.

Harry Phillips

Apr 9, 2024, 9:21:12 AM
to GAM for Google Workspace
Hi Ross,

I sent a meeting invite, but I'm free anytime this afternoon. Drop me a message and I'll join:
Externally Shared Files in our Domain - Discussion
Video call link: https://meet.google.com/zyr-koyh-aus

Thanks

Christian Busch

Apr 14, 2025, 4:28:47 PM
to GAM for Google Workspace
Hi Ross, 

Trying to get externalsharecounts. When executing I get -bash: pm: No such file or directory.
GAM-Scripts3-master$ gam config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess all users print filelist fields id,name,permissions,owners.emailaddress,mimetype <pm clauses> pmfilter
-bash: pm: No such file or directory

What do I need to do? 

Ross Scroggs

Apr 14, 2025, 4:35:08 PM
to google-ap...@googlegroups.com
You didn't replace <pm clauses> with an actual permission as documented in the script.

Ross
----
Ross Scroggs


Christian Busch

Apr 14, 2025, 4:59:50 PM
to google-ap...@googlegroups.com
lol, sorry, reading helps.. 


Robin Yoon

Sep 30, 2025, 2:15:55 PM
to GAM for Google Workspace
Hi Ross,

I was able to find all the external shares in our domain using the GetSharedExternallyDriveACLs.py script and
gam config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess all users print filelist fields id,name,permissions pm type anyone em pmfilter

Is there a way to see the date a file was externally shared? I would like to automatically remove the external access after a certain number of days.

Thank you

Ross Scroggs

Sep 30, 2025, 2:26:26 PM
to google-ap...@googlegroups.com
Here's what the API knows about permissions:

There is nothing about when the ACL was created.

You may be able to use this to find when the ACL was added:

Ross
----
Ross Scroggs


Daniel Kozak

Oct 1, 2025, 2:28:05 AM
to GAM for Google Workspace
Hello,

I had the exact same idea to clean external ACLs after some time. It was pretty challenging with GAM itself (long processing, Google API timeouts, large amount of files, etc.).

You can try setting up the Drive Inventory export to BigQuery, and from there you can analyze very fast which files are externally shared, but there is still no timestamp for ACL creation.
https://admin.google.com/ac/reporting/bigqueryexport 
https://support.google.com/a/answer/15141054?hl=en&src=supportwidget0&authuser=0


We used external software to query once a week and store externally shared files info with timestamps (we used Splunk to do it; a little overkill, but we use it anyway for other things),
then we create a CSV for GAM to delete those ACLs.

Also remember ACL inheritance. In the BQ schema you have properties like:
https://support.google.com/a/answer/15485686?sjid=10294617889435990357-EU#zippy=%2Cschema-and-definitions
access.permissions.permission_details.inherited_from: The ID of the item from which this permission is inherited. This is only populated for items in shared drives.
access.permissions.permission_details.inherited: A boolean indicating whether the permission is inherited.

which are very helpful.

Another way is to pay for tools like https://gatlabs.com/products/gat/
but they are still based on Inventory export to BigQuery and do not have data about historical ACLs.

According to Ross https://github.com/GAM-team/GAM/wiki/Users-Drive-Activity-Settings#display-drive-activity
there is also a problem because these logs are not stored forever and older activities will not be found with it (you can also export them to BQ for longer storage/audit purposes/faster searching).

Regardless of the chosen solution, you still have to do "initial cleaning" manually based on e.g. modification date of files (last_modified_time_micros), and clean all old external shares, then you can track changes and delete ACLs after a given time.

hope it will help a little.
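
The approach described in the post above (periodic snapshots that record when an external share was first seen, then a CSV of ACLs to remove once they are too old), sketched as an added example that is not part of the thread or of GAM. The snapshot layout, function names and sample IDs are constructed for illustration, and inherited permissions are kept out of the removal list.

```python
import csv
import io
from datetime import date

# Constructed weekly snapshots: (file_id, permission_id, inherited).
# The tuple layout is an assumption of this example, not a GAM or BigQuery schema.
SNAPSHOTS = {
    date(2025, 9, 1): [("f1", "p1", False), ("f2", "p2", True)],
    date(2025, 9, 8): [("f1", "p1", False), ("f2", "p2", True), ("f3", "p3", False)],
}


def update_first_seen(state, rows, snapshot_date):
    """Merge one snapshot into state: {(file_id, permission_id): record}."""
    current = {(f, p): inherited for f, p, inherited in rows}
    # Forget ACLs that disappeared, so a later re-share gets a fresh date.
    for key in list(state):
        if key not in current:
            del state[key]
    for key, inherited in current.items():
        state.setdefault(key, {"inherited": inherited, "first_seen": snapshot_date})
    return state


def expired_acls(state, today, max_age_days):
    """Return sorted (file_id, permission_id, first_seen) for direct ACLs past the limit."""
    out = []
    for (file_id, perm_id), rec in state.items():
        age_days = (today - rec["first_seen"]).days
        # Skip inherited permissions: they belong to the parent item, not this file.
        if age_days > max_age_days and not rec["inherited"]:
            out.append((file_id, perm_id, rec["first_seen"].isoformat()))
    return sorted(out)


def to_csv(rows):
    """Render the removal list as CSV text for the follow-up deletion step."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["file_id", "permission_id", "first_seen"])
    writer.writerows(rows)
    return buf.getvalue()


def run_example(today=date(2025, 10, 6), max_age_days=30):
    state = {}
    for snap_date in sorted(SNAPSHOTS):
        update_first_seen(state, SNAPSHOTS[snap_date], snap_date)
    return expired_acls(state, today, max_age_days)
```

The first-seen date is only as precise as the snapshot interval, so with weekly snapshots a share may be up to a week older than recorded.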

Robin Yoon

Oct 1, 2025, 4:47:52 PM
to GAM for Google Workspace
I will look into it. Thank you very much!

Christian Busch

Oct 1, 2025, 4:50:49 PM
to google-ap...@googlegroups.com
I figured out my script for the external shares. This was super helpful, thank you very much everybody, especially Ross, for the help!

