Removing a user's permissions


Temple Rodgers

Apr 5, 2023, 4:26:07 AM
to GAM for Google Workspace
Hi,
Please let me know if this is a good way of tackling this issue:
Interesting use case for GAM ... sometimes people move around in an organisation, from department to department, so we need to remove permissions from files/folders/shared drives etc and add new permissions for access to the new department's data. I worked out it could be done with two GAMADV-XTD3 commands (not sure if this works in standard GAM):

in the following GAM command, username is the email address of the person you're querying.
    gam user user...@asdb.dd.gov print filelist fullquery "sharedWithMe=True" showownedby others fields title,id,owners todrive oneitemperrow todrive 
    optional decorations to append to the command above, either add a new tab to the sheet you've already created (if you re-run the query) or update one of the tabs in the sheet (you need the quotes) ...
    • tdaddsheet tdsheet "tab name" tdtitle "Google Sheet Name"
    • tdfileid <id> tdupdatesheet tdsheet "tab name" tdtitle "Google Sheet Name"

  • this gives a list of files owned by users other than the name.surname (hence "showownedby others") 
  • ignore the column "Owner", I don't think that's the actual owner
  • adding oneitemperrow makes GAM enumerate each permission on a new row, rather than across the sheet
  • You end up with a list that you can filter and delete all the permissions that are out of scope
  • Then remove the permissions you need to.
  • Delete all the rows that aren't in scope, you'll need to filter on the column owners.0.emailAddress then delete all the rows with users who are not in scope.
in the subsequent GAM command, gamperson is the email address of the user who has access to the spreadsheet and is running the GAM command
  1. the spreadsheet id from its url is in red: https://docs.google.com/spreadsheets/d/1pQyFYD5_1_ATuslcVxuArIQi3i2yRr8SS0o4RwCJiLI/edit#gid=2043811683
  2. replace sheet id with the spreadsheet ID in the line below then run the GAM command, you must omit the < and >
  3. replace "tab name" with the name of the tab, enclosed by double quotes, you do need the double quotes and if you omit "tab name" then GAM will use the first tab in the sheet
  4. gamperson is the person who is able to run the GAM command

gam csv gsheet gamp...@asdb.dd.gov 1pQyFYD5_1_ATuslcVxuArIQi3i2yRr8SS0o4RwCJiLI "tab name" gam user ~owners.0.emailAddress delete drivefileacl ~id ~Owner

the first part of the command "gam csv gsheet gamp...@asdb.dd.gov <sheet id> "tab name" " tells GAM to find the spreadsheet and a tab with that specific name and use it for input to the second half of the GAM command
the second half of the command tells GAM to find the file/folder owner's email address from the column headed owners.0.emailAddress and impersonate that user to apply the acl to the file ID in the id column of the sheet and remove the user's permission (~Owner) of the file's id column of the sheet

I tested this on the files of someone who left last Friday, all seems to work fine, I removed around 400 permissions.

I'm interested to know if there's a better way or if I've made any mistakes.
Thank you 
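
A pre-flight check for the bulk delete described in the post above, as an added example that is not part of the original post or of GAM: it reads a CSV download of the review tab and emits one `gam user ... delete drivefileacl ...` line per in-scope file so the list can be inspected before anything is removed. It assumes the column names shown in the thread and that the `Owner` column carries the address the thread's command passes as `~Owner`; the function name, the ID pattern and the sample rows are made up for illustration.

```python
import csv
import io
import re

# Conservative shape check so nothing unexpected is pasted into a command line.
FILE_ID = re.compile(r"^[A-Za-z0-9_-]{10,}$")

def plan_removals(csv_text, target_user, in_scope_owners):
    """Return (commands, skipped) for rows exported from the review sheet."""
    target = target_user.strip().lower()
    scope = {o.strip().lower() for o in in_scope_owners}
    commands, skipped, seen = [], [], set()
    rows = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        file_id = (row.get("id") or "").strip()
        owner = (row.get("owners.0.emailAddress") or "").strip().lower()
        grantee = (row.get("Owner") or "").strip().lower()
        if grantee != target:
            reason = "Owner column is not the user being removed"
        elif owner not in scope:
            reason = "file owner is out of scope"
        elif not FILE_ID.match(file_id):
            reason = "id does not look like a Drive file ID"
        elif (owner, file_id) in seen:
            reason = "duplicate row for the same file"
        else:
            seen.add((owner, file_id))
            commands.append(f"gam user {owner} delete drivefileacl {file_id} {target}")
            continue
        skipped.append((line_no, reason))
    return commands, skipped

# Constructed sample data (not from the thread); addresses and IDs are made up.
SAMPLE = """Owner,title,id,owners.0.emailAddress
mover@example.org,"Budget, Q1",1AbCdEfGhIjKlMnOpQrStUv,alice@example.org
mover@example.org,"Budget, Q1",1AbCdEfGhIjKlMnOpQrStUv,alice@example.org
mover@example.org,Team plan,1ZyXwVuTsRqPoNmLkJiHgFe,bob@example.org
other@example.org,Notes,1QwErTyUiOpAsDfGhJkLzXc,alice@example.org
mover@example.org,Bad,abc; rm,alice@example.org
mover@example.org,Roadmap,1MnBvCxZaSdFgHjKlPoIuYt,Alice@Example.org
"""

if __name__ == "__main__":
    cmds, skipped = plan_removals(SAMPLE, "mover@example.org", ["alice@example.org"])
    print("\n".join(cmds))
    for line_no, reason in skipped:
        print(f"skipped line {line_no}: {reason}")
```

Rows that are skipped are reported with their sheet line number, so the reviewer can see why a permission was left in place.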

Rance Hall

Apr 5, 2023, 10:09:13 AM
to google-ap...@googlegroups.com

Temple:

 

I know it doesn’t help you with your current situation, but this looks like a reason to move to shared drives.  It’s much easier to just move a user from one drive to another.

 

R

 

-- 

Rance Hall

ESU10 Network Services

rance...@esu10.org

308-698-1919

 

 

 
