Using GAM to Monitor and Change File/Folder Ownership?


Dave Mackey

Jul 3, 2018, 10:04:46 AM
to GAM for G Suite
Hi All,

I'm looking to offer a traditional file server sort of hierarchy in Google Drive where there is a central structure in which files/folders are stored. I know, theoretically, Team Drives is the way to accomplish this - but I find the functionality lacking in some particulars. Namely (maybe I'm understanding this incorrectly?) that if someone is a member of a Team Drive they have access to all the files on that drive with at least view permissions. This seems problematic to me for several reasons:

1. Say in the case of a Finance Department, individuals who are members of Finance should have access to that Team Drive but perhaps not all members should have access to payroll related files.
2. If one wants to use a single Team Drive (for a smaller organization) this becomes even more problematic - does facilities need access to payroll files? Probably not.

I know I'm using the example of Finance files, but this could extend to any number of other departments - e.g. Human Resources, Executives, Information Technology (should details of system configurations be available to everyone? I'd say no).

If I'm thinking about this wrong, please correct me. If I'm understanding the limitations of Google Team Drives correctly, then here is my dilemma... I have created a separate Google user who acts as the owner of a shared folder which all other users are to place their files/folders in. This shared folder includes directories for each department. Theoretically, the idea is that individuals would put their files into a folder (or create sub-folders) and these files/folders would be public to the organization by default but could be restricted on an as-needed basis (I prefer this to secure-by-default within the organizational context, since most materials are not sensitive and if one does not know the materials exist elsewhere there is high likelihood of wasted effort recreating already existing resources).

The issue I'm running into at the moment is that when someone moves files (or creates files/folders) in the shared folder the ownership is given to them. Ideally I'd like the ownership to reside with the special user created for this purpose - this way there aren't any issues with deleting the files/folders, etc. if needed.

I know AODocs offers functionality like this and it appears gPanel and BetterCloud do as well, but the cost for these solutions is beyond what I have available, so I was hoping to accomplish the same using GAM. Ideally this would be a monitoring situation where as soon as the file/folder is added the permissions are updated.

Any thoughts on specifically implementing this functionality are appreciated, but I'm also open to having my understanding of best practices for this sort of thing expanded!

Thanks,
Dave

Peter Smulders

Jul 3, 2018, 5:22:39 PM
to GAM for G Suite
Hi Dave,

> I'm looking to offer a traditional file server sort of hierarchy in Google Drive where there is a central structure in which files/folders are stored. I know, theoretically, Team Drives is the way to accomplish this - but I find the functionality lacking in some particulars. Namely (maybe I'm understanding this incorrectly?) that if someone is a member of a Team Drive they have access to all the files on that drive with at least view permissions. This seems problematic to me for several reasons:

The reasons you state can partially be solved by using multiple Team Drives, rather than one. This may run into unmanageable numbers, but for some use cases the solution is exactly that.

The use case for Team Drives is a collaboration tool; as such it is somewhat logical that anyone who can contribute, can edit and can remove.

What you are looking for is more of a 'distribution' model: you 'publish' files with granular access configurations with the final say-so safely out of users' reach.

> The issue I'm running into at the moment is that when someone moves files (or creates files/folders) in the shared folder the ownership is given to them. Ideally I'd like the ownership to reside with the special user created for this purpose - this way there aren't any issues with deleting the files/folders, etc. if needed.

There is of course the manual way to do that. However, this just does not work with file trees (hierarchical sets of folders in folders, etc.). You can adjust ownership for a number of files in one go and with some clever searching you can actually get a lot done in a few fell swoops, but the process is tedious and laborious. It may be my configuration, bandwidth or other local issue, but it feels dead slow as well. So: not a viable option for mass use AND quite n00b user unfriendly.

I am dealing with similar requirements, where 40-odd users will need to hand over sometimes extensive collections of folder trees to a number of different other users (and I am largely dealing with technically challenged folk as well), so at the very least I am registering with you that we share goals.

I investigated a Team Drive as a transfer medium. Given the appropriate access rights, this sort of works, with the caveat that files are transferred, whereas folders (in tree structures) are replicated. Not a big issue, unless folders are published (and used, referenced, bookmarked, etc) as URLs, which is easy, useful and common to do.

My next thing to try will be to write a wrapper script that uses GAMADV-X and some bash functions to take source folders and transfer them to a specific target user as the new owner. This is built-in functionality for GAMADV-X but my experience so far has been that the multiple possible parameters make for a seriously unfriendly command line to repeatedly have to type. I am thinking of setting up preconfigured targets ('receiving' folders) that match their owners. I.e. each (new) owner would maintain domain-wide writeable top-level folders. People can dump their stuff into those and I would just let scripts periodically rip through all of them, changing ownership recursively and moving the transferred material into a 'transferred' folder. Further processing (including the 'publishing' I mentioned above) would happen within the receiving accounts.

Does this align with your requirements? I would be happy to share the scripts.

--peter


Peter Smulders

Jul 3, 2018, 5:33:47 PM
to GAM for G Suite
Oh, and if you haven't figured this one out for yourself: distribution groups are your friend! I try to never ever give rights to individual users; always to a group that describes their role, even if that one user is the only member in that group.

The ideal scenario (a bit of work to set up, but a godsend when diagnosing problems and even spotting malconfigurations) is to have each access profile as a named group:
  • hr.payroll.writers
  • hr.payroll.readers
  • finance.transactions.writers
  • finance.transactions.readers
etc.

You can add people to groups and in some cases groups can logically be stacked to form higher abstractions. Getting info on a user shows immediately which roles they have and possibly which content they are allowed to read or write. Getting the info on a file should show pretty damn obviously that there should be only a reader group with read access, a writer group with write access and an owner. If you want to quickly know who can read finance transactions, you only need to get the member list of that group.

Changing roles and responsibilities in the organisation only needs to be reflected in group membership; file and folder access will immediately adjust.

Again: this is a significant task to set up, but it pays off in the longer run and may greatly assist when you need to prove (lack of) access to particular material.

--peter
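Peter's "one owner, one reader group, one writer group" rule can be checked mechanically over a permission export, which is also the quickest way to spot the malconfigurations he mentions. The script below is an added example and is not Peter's code nor part of GAM: a POSIX shell/awk audit that flags grants to individual users, domains or "anyone", a .readers group holding write access, a second owner, and files with no owner at all. The CSV layout (fileId,type,emailAddress,role) and the sample rows are constructed for this example and do not reproduce the exact columns of GAM's own ACL export; adapt the field numbers to the header your export actually has.

```shell
#!/bin/sh
# Added example: audit a permission export against the role-group model
# (one owner, a .readers group with reader, a .writers group with writer,
# nothing granted to individual users, domains or "anyone").
# Input is a CSV with a header row: fileId,type,emailAddress,role
# (constructed layout for this example, not GAM's exact export format).

# Print one line per violation: "<fileId> <reason> <grantee>".
acl_violations() {
  awk -F',' '
    NR > 1 {
      id = $1; type = $2; who = $3; role = $4
      files[id] = 1
      if (role == "owner") {
        owners[id]++
        if (owners[id] > 1) print id " extra-owner " who
        next
      }
      # anything that is not a group bypasses the model entirely
      if (type != "group") { print id " non-group-grant(" type ") " who; next }
      # the group name must agree with the role it holds
      if (who ~ /\.readers@/ && role != "reader") print id " reader-group-with-" role " " who
      else if (who ~ /\.writers@/ && role != "writer") print id " writer-group-with-" role " " who
      else if (who !~ /\.(readers|writers)@/) print id " unrecognised-group " who
      # at most one group per role per file
      seen[id, role]++
      if (seen[id, role] > 1) print id " duplicate-" role "-group " who
    }
    END {
      for (id in files) if (!(id in owners)) print id " no-owner"
    }' "$1"
}

# Exit 0 when the export is clean, 1 (with the violations printed) otherwise.
audit_acl() {
  v=$(acl_violations "$1")
  if [ -n "$v" ]; then
    printf '%s\n' "$v"
    return 1
  fi
  echo "OK: every file has exactly one owner and only role groups"
}

# Write a constructed sample export to a temp file and print its path.
sample_acl_file() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
fileId,type,emailAddress,role
f-payroll-2018,user,shared-owner@example.com,owner
f-payroll-2018,group,hr.payroll.readers@example.com,reader
f-payroll-2018,group,hr.payroll.writers@example.com,writer
f-facilities-plan,user,shared-owner@example.com,owner
f-facilities-plan,user,bob@example.com,writer
f-facilities-plan,group,finance.transactions.readers@example.com,writer
f-orphan-notes,domain,example.com,reader
EOF
  echo "$f"
}

# Usage: audit_acl.sh [export.csv]; with no argument the constructed sample is audited.
if [ "$#" -gt 0 ]; then
  audit_acl "$1"                        # exit status 1 signals violations, handy in cron
else
  audit_acl "$(sample_acl_file)" || :   # demo on the constructed sample
fi
```

Run against the sample it reports four problems (an individual writer, a reader group with write access, a domain-wide grant, and a file with no owner), which is exactly the short list an admin would want to see after a hand-over run.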


+KimNilsson

Jul 6, 2018, 12:58:58 PM
to GAM for G Suite
Hi, Peter and Dave.

There is such a feature of GAM/GAMADV-X, called claim.


Running that will recursively change ownership of anything put into a shared folder to your utility account (your "shared content owner" account).
The previous owner will be changed to editor, or whatever access you want (applied to all users).

You can even skip the transfer for certain users, or files.
If you have subdomains, remember to add them to the list.

+KimNilsson

Jul 6, 2018, 1:00:20 PM
to GAM for G Suite
Also, you only type really great GAM commands once!
Then you put them into scripts with obvious names. :-)

Peter Smulders

Jul 8, 2018, 2:07:42 PM
to GAM for G Suite
> My next thing to try will be to write a wrapper script that uses GAMADV-X and some bash functions to take source folders and transfer them to a specific target user as the new owner. This is built-in functionality for GAMADV-X but my experience so far has been that the multiple possible parameters make for a seriously unfriendly command line to repeatedly have to type. I am thinking of setting up preconfigured targets ('receiving' folders) that match their owners. I.e. each (new) owner would maintain domain-wide writeable top-level folders. People can dump their stuff into those and I would just let scripts periodically rip through all of them, changing ownership recursively and moving the transferred material into a 'transferred' folder. Further processing (including the 'publishing' I mentioned above) would happen within the receiving accounts.

My first draft is below.

NB: I have regular GAM and GAMADV-X installed side by side; 'xgam' refers to the latter.

#!/bin/bash
# Function to grab the ID of a given folder for a given user, with the added
# functionality that if the folder does not exist, it will get created.
ensured_id () {
  # get fileinfo on $1 as name
  # if found, return id, else
  # create folder and call self
  OWNER="${1}"; shift
  FOLDER_NAME="${1}"; shift
  # search as the owner the folder belongs to; tail skips the CSV header lines
  E_ID="$(xgam user "${OWNER}" print filepath query "title='${FOLDER_NAME}'" 2>/dev/null | cut -d',' -f2 | tail -n +3)"
  if [[ -n "${E_ID}" ]]; then
    echo "${E_ID}"
  else
    # create folder
    xgam user "${OWNER}" create drivefile drivefilename "${FOLDER_NAME}" mimetype "application/vnd.google-apps.folder"
    ensured_id "${OWNER}" "${FOLDER_NAME}"
  fi
  return
}

## MAIN SCRIPT START
TARGET_OWNER="${1}"; shift # we take this as gospel, but checking for existence avoids havoc down the line.
# "_Overdragen naar account ..." = "Transfer to account ..." (the shared grab folder)
GRAB_ID="$(ensured_id "${TARGET_OWNER}" "_Overdragen naar account ${TARGET_OWNER}")"
# For avoiding quoting hell, we add the single quotes to the string itself.
Q_GRAB_ID="'${GRAB_ID}'"
# "_Overgedragen materiaal" = "Transferred material" (the private done folder)
DONE_ID="$(ensured_id "${TARGET_OWNER}" "_Overgedragen materiaal")"

# get files --> IDs
# cut grabs the id out of the csv line; tail skips the headers (could not
# figure out how to not get them, so just skip them).
xgam user "${TARGET_OWNER}" print filepath query "${Q_GRAB_ID} in parents" | \
  cut -d',' -f2 | \
  tail -n +3 | \
  while read -r TRANSFER_ID; do
    # Claim ownership of this item; folders recursively.
    xgam user "${TARGET_OWNER}" claim ownership id "${TRANSFER_ID}" retainrole none
    # Move the processed item to different (not shared) folder
    xgam user "${TARGET_OWNER}" update drivefile id "${TRANSFER_ID}" parentid "${DONE_ID}"
  done
exit

# Wish list:
# - process items by echo-ing commands in a loop to a gam batch --> parallel processing.
# - loads more error checking.
When I run this on a bit of test data, the transfer happens, but the moving to another folder (i.e. changing parentid) does not. Does anybody have any idea why? I thought it might be timing issues, but running the move command ten minutes later (I would think that the back-end storage metadata would be updated by then) has no effect.

The offending command is:

$ xgam user ${TARGET_OWNER} update drivefile id "${TRANSFER_ID}" parentid "${DONE_ID}"

Any ideas?

--peter

Peter Smulders

Jul 8, 2018, 2:10:04 PM
to GAM for G Suite
Sorry -- that script again with some newlines:

#!/bin/bash
(apparently copy & paste straight from cloud shell does funny stuff to text)

--peter

Peter Smulders

Jul 8, 2018, 2:36:22 PM
to GAM for G Suite
I tried several variations of read and write access for the user where the test data originated (which happens to be me) to the folder where processed material needs to go after claiming. No luck so far. I get no error message, but the change in parent_id also does not seem to happen (not visible in the web interface; not reported through 'gam user XX show filepath', etc.).

Am I missing some dead obvious way to move files/folders from FolderA to FolderB?

--peter

Peter Smulders

Jul 9, 2018, 3:42:34 AM
to GAM for G Suite
I can think of no reason why this works, but it does: to move a file or folder, first add the target folder as a parent, then remove the source folder.

--peter
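The hand-over loop from Peter's draft script, rewritten as an added example (not Peter's script and not GAM's own code) that folds in the two findings from this thread: Kim's claim-ownership step, which recursively moves ownership to the receiving account and leaves the previous owner with the role you choose, and the add-parent-then-remove-parent move from this post. It assumes GAMADV-X is invoked as xgam with the claim ownership ... retainrole syntax used above, and that update drivefile accepts addparents/removeparents folder-ID attributes (names taken from GAMADV-X's update drivefile syntax as I know it; verify against the documentation for your build). The executable name comes from the XGAM variable, so XGAM=echo gives a dry run that just lists the commands, and an item whose claim fails is deliberately left in the grab folder for the next run.

```shell
#!/bin/sh
# Added example: claim items dropped into a shared "grab" folder, then move
# each one into a private "done" folder. Not Peter's script or GAM code.
# XGAM names the GAMADV-X executable; set XGAM=echo for a dry run.
XGAM="${XGAM:-xgam}"

# Claim ownership of one item (folders recursively) for the receiving
# account $1, leaving the previous owner with role $3 (default: editor).
# Syntax as used earlier in the thread: claim ownership id <id> retainrole <role>.
# stdin is redirected so the tool cannot eat the ID list feeding the loop below.
claim_item() {
  "$XGAM" user "$1" claim ownership id "$2" retainrole "${3:-editor}" </dev/null
}

# Move item $2 from folder $3 to folder $4 the way this post describes: add
# the target folder as a parent first, then remove the source folder.
# addparents/removeparents are assumed GAMADV-X attribute names; verify on your build.
move_item() {
  "$XGAM" user "$1" update drivefile id "$2" addparents "$4" </dev/null \
    && "$XGAM" user "$1" update drivefile id "$2" removeparents "$3" </dev/null
}

# Read item IDs (one per line) from stdin; claim, then move, each one.
# An item whose claim fails is not moved, so it stays in the grab folder and
# is picked up again on the next run. Prints "transferred <id>" per success
# and returns the number of failures (capped at 255, the shell's limit).
transfer_items() {
  owner="$1"; from_id="$2"; to_id="$3"; retain="${4:-editor}"
  failed=0
  while IFS= read -r item_id; do
    [ -n "$item_id" ] || continue          # ignore blank lines
    if claim_item "$owner" "$item_id" "$retain" \
       && move_item "$owner" "$item_id" "$from_id" "$to_id"; then
      echo "transferred $item_id"
    else
      echo "FAILED $item_id (left in grab folder for retry)" >&2
      failed=$((failed + 1))
    fi
  done
  if [ "$failed" -gt 255 ]; then failed=255; fi
  return "$failed"
}

# List the IDs of everything currently in grab folder $2 owned by $1.
# Column 2 of the filepath CSV is the id, as in the earlier script; tail drops the header.
list_grab_items() {
  "$XGAM" user "$1" print filepath query "'$2' in parents" </dev/null \
    | cut -d',' -f2 | tail -n +2
}

# Usage: transfer.sh <receiving-user> <grab-folder-id> <done-folder-id> [retainrole]
if [ "$#" -ge 3 ]; then
  list_grab_items "$1" "$2" | transfer_items "$1" "$2" "$3" "${4:-editor}"
fi
```

Because every GAM call goes through one variable, the same file can be exercised offline by defining a shell function named xgam that records its arguments, which is how the claim/add/remove ordering was checked; in production the non-zero exit status makes a cron job or batch wrapper notice that something was left behind.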

Ross Scroggs

Jul 9, 2018, 12:35:40 PM
to google-ap...@googlegroups.com

On Mon, Jul 9, 2018 at 12:42 AM Peter Smulders <peter.s...@montessoriplus.nl> wrote:
> I can think of no reason why this works, but it does: to move a file or folder, first add the target folder as a parent, then remove the source folder.
>
> --peter


Peter Smulders

Jul 13, 2018, 2:26:46 PM
to GAM for G Suite
Dave -- in case you missed it, I solved my variant of the use case and wrote up a detailed description. You might want to refer to that: https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!topic/google-apps-manager/OXgZjKSi9lE

--peter