Revoking visibility of Google Drive documents in search....is this the right way to do it?

Constantly Learning

May 9, 2018, 11:27:54 AM
to GAM for G Suite
Is this the best way to do this?

I am trying to eliminate sensitive documents being visible in Google Drive when a random employee searches with source:domain as the parameter. My preference is that no documents show up in source:domain. Unfortunately, due to bad G Suite settings, we have many legacy documents that I need to update such that they are not visible in G Suite's Drive search.

Here is what I've started to do. I run this command to get all the documents that are visible via search:

gam all users show filelist query "visibility='domainCanFind'" todrive

This generates a Google Sheet that has all the users/document pairs that are visible. It's some 60,000 documents.

I then ran this command on a few entries: gam user <specific user email> show drivefileacl <specific long id for a file> and I see all the permissions. I key in on the one that looks like this (because of the allowFileDiscovery setting):

<long number>
 displayName: <company name>
 allowFileDiscovery: True
 domain: walkersands.com
 role: reader
 type: domain
 id: <another more important number>

I see that <another more important number> is the same regardless of what doc/user pair I look at.

So, then I created new columns in my sheet so that for every user/document pair, I have a line like this:

user <user email address> delete drivefileacl <unique file id as shown in the URL for the doc> id:<another more important number...the one mentioned above>

Finally, I copy the line above (generated via Google Sheets formula) into a .bat file and I run it. I do about 1,000 at a time because it takes a while to run.

I've done about 3,000 so far of my 60,000+ and just want to confirm that this is the only way to do this and the best way to do this for somebody who doesn't want to run a Python program.

Is there a simpler command?

Are there any unintended consequences to this? 

Also, just to be sure, this is not changing people's access to the document if it has been properly shared with them, right? I'm just removing domainwide visibility of docs that are accessible via a shared link, right?

Thanks.

for the search engines if anybody else is having this issue: documents shared with entire company, Google drive searchable, can see documents they shouldn't, allowFileDiscovery, People at <your domain> can find and access, G Suite, Drive, Google Docs, prevent doc from being searchable, prevent documents, stop documents, avoid documents, revoke, sensitive documents, secure, unsecure, exposed, fix


Ross Scroggs

May 9, 2018, 12:00:52 PM
to google-ap...@googlegroups.com
Constantly,

 id: <another more important number>

This uniquely defines the combination: 
 allowFileDiscovery: True
 domain: walkersands.com
 role: reader
 type: domain

To simply delete those permissions you can do the following:

gam all users show filelist query "visibility='domainCanFind'" id title > DomainReaderDiscoverable.csv

gam csv DomainReaderDiscoverable.csv gam user ~Owner delete drivefileacl ~id id:<another more important number>

If some of the files are shared with type: domain, role: writer, there will be a Id:<different more important number> and you would have to repeat the process with that id.

Ross

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/e4e71989-ada8-4ebc-9409-d3305d89203b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Constantly Learning

May 9, 2018, 12:03:41 PM
to GAM for G Suite

Super helpful. Really appreciate it, Ross.


Constantly Learning

May 12, 2018, 3:14:12 PM
to GAM for G Suite
Hi Ross,

Is there any reason why this approach might not get me all the files that can be found via a source:domain search?

I ask because a command using the query below did give me around 60,000 docs that were publicly accessible to anybody via the source:domain parameter in Drive search

gam all users show filelist query "visibility='domainCanFind'" id title

and then I updated those files using the command you gave me, and it worked fine. Those files were no longer exposed to everyone in the company.

But I was surprised to login to a random user account and still see a ton of docs exposed via source:domain and I confirmed they were not found in the first batch I generated, and I also confirmed that re-running the command above did not find any files.

So then I ran

gam user <random user> print filelist allfields todrive

and I found 164 docs with 18361543690479069973 permission id, the one I'm trying to get rid of.

So I'm confused as to why the 

gam all users show filelist query "visibility='domainCanFind'" id title

command can't find those and many other files that have that 18361543690479069973 permission id that equates to domaincanFind.

Any ideas? Thanks. I guess I can just run 

gam user <random user> print filelist allfields todrive

as a second way to get domaincanFind docs but it seems odd that the first way didn't work. Thanks as always for any advice.

Ken

Graham Bright

May 12, 2018, 4:02:09 PM
to GAM for G Suite
I'm not sure if I've fully got my head around this thread, but in case it's relevant: a couple of days ago it was reported staff were finding Google documents with restricted info. On checking sharing permissions, in particular visibility settings, it seemed as though quite a few documents were showing up that should not have. Documents with link sharing within the domain for those provided with a link were behaving like those with the link and 'Can find'. The case has been escalated to second line support and I am awaiting a reply. I did use GAM for a specific file and it showed 'allowFileDiscovery' as false (which I'm perhaps incorrectly assuming is relevant), but the document is showing up in searches by other staff that I don't expect it to.

Constantly Learning

May 13, 2018, 8:04:02 AM
to GAM for G Suite
Thanks, Graham for that info, but I don't believe that's my issue at the moment, although I guess it's possible that some data issue on Google is root cause rather than GAM's code. My issue is that this command

gam all users show filelist query "visibility='domainCanFind'" todrive

is not finding all the documents for the domain that can be found via source:domain but this command does find them

gam user <random user> print filelist allfields todrive

if I look at the permissionids column

The former command is preferable to the latter because it brings back way less data and only the data I care about. I tried adding query to the latter, but that doesn't work with permissionids as far as I can tell.

Constantly Learning

May 15, 2018, 11:13:40 AM
to GAM for G Suite

Still have not figured this out.

gam all users show filelist query "visibility='domainCanFind'" todrive

should give me all files that can be found via a source:domain search via Drive's web interface from any user account.

However, it's not doing that. I ran it and it brought back some files. I changed those files such that they can no longer be found via source:domain search. That worked.

But there are still many, many files showing up when I do a source:domain search via Drive's web interface. This is not a caching issue. When I check the permissions of a doc found via source:domain search, they have the same permission id I was using to get rid of domaincanFind files. Here's an example:

    My Company Inc.. (7/8)
      id: 18361543690479069973
      type: domain
      domain: mydomain.com
      role: reader
      withLink: False

I notice that in this case the result does not include

allowFileDiscovery: True

but instead has 

withLink: False

So my theory is that is why query "visibility='domainCanFind'" is not working to find these many, many other files that can be found with source:domain search. So I tried writing commands like these (none of which work):

gam user <user email that I know owns docs showing up in source:domain search> show filelist query "withlink='false'" todrive
gam user <user email that I know owns docs showing up in source:domain search> show filelist query "type='domain'" todrive

Apparently, these are not legit queries. But is there a way to find docs that have this permission id with a one-liner GAM command?

    My Company Inc.. (7/8)
      id: 18361543690479069973
      type: domain
      domain: mydomain.com
      role: reader
      withLink: False

Thanks for any help.

Ken 
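
Added example (not part of the thread, and not GAM's own code): one way to cut the large "print filelist allfields" export described above down to just the owner/file pairs that carry the domain permission id. The "permissionIds" column name and its space-separated layout are assumptions about the export, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample of a filelist export (not real data). Assumed layout:
# one row per owner/file pair, with a "permissionIds" column holding the
# file's permission ids separated by spaces.
SAMPLE_EXPORT = """Owner,id,title,permissionIds
alice@example.com,FILE_ID_A,Salary bands,11111111111111111111 18361543690479069973
alice@example.com,FILE_ID_B,Lunch menu,11111111111111111111
bob@example.com,FILE_ID_C,Board minutes,22222222222222222222 18361543690479069973
bob@example.com,FILE_ID_C,Board minutes,22222222222222222222 18361543690479069973
carol@example.com,FILE_ID_D,Notes,183615436904790699730
"""

DOMAIN_READER_ID = "18361543690479069973"  # the permission id quoted in the thread


def files_with_permission(export, permission_id, id_column="permissionIds"):
    """Return unique Owner/id/title rows whose ACL includes permission_id."""
    reader = csv.DictReader(export)
    missing = {"Owner", "id", id_column} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export lacks columns: {sorted(missing)}")
    seen, hits = set(), []
    for row in reader:
        # Compare whole tokens so a longer id that merely contains the
        # target digits (FILE_ID_D above) is not matched.
        if permission_id not in (row[id_column] or "").split():
            continue
        key = (row["Owner"], row["id"])
        if key not in seen:  # the same owner/file pair can be listed twice
            seen.add(key)
            hits.append({"Owner": row["Owner"], "id": row["id"],
                         "title": row.get("title", "")})
    return hits


def write_batch_csv(hits, out):
    """Write the hits with Owner,id,title headers for a 'gam csv' run."""
    writer = csv.DictWriter(out, fieldnames=["Owner", "id", "title"])
    writer.writeheader()
    writer.writerows(hits)


if __name__ == "__main__":
    found = files_with_permission(io.StringIO(SAMPLE_EXPORT), DOMAIN_READER_ID)
    buf = io.StringIO()
    write_batch_csv(found, buf)
    print(buf.getvalue())
```

The output has the Owner and id columns that Ross's "gam csv ... gam user ~Owner delete drivefileacl ~id id:<another more important number>" command reads; review the title column before running any delete.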


Constantly Learning

May 15, 2018, 11:23:10 AM
to GAM for G Suite
@Ross, Doh! I just realized you shared a solution to this with me via your email. I was assuming that email was related to the recover Trash thing I was figuring out. Let me give that a try. Sorry for my confusion.

Ken

Deepak Balakrishna

May 16, 2018, 7:19:52 AM
to GAM for G Suite
Hi Constantly,

If you are looking at solutions other than GAM, also check out Adya at https://gsuite.google.com/marketplace/app/adya/109437140823

Adya will show you how your data on GDrive is exposed across the domain, external, public, etc - and you can take action to limit exposure. Let me know if you'd like to know more on how we can help.

Disclaimer: I work at Adya

Thanks,
- deepak 

+KimNilsson

May 16, 2018, 8:51:49 AM
to GAM for G Suite
@Deepak

I don't know about others, but I am personally just fine without blatant marketing of non-free products in this forum.

Kevin Melillo

May 16, 2018, 9:15:50 AM
to google-ap...@googlegroups.com
Deepak, 
This seems like a really new application, and Google has not verified it yet.  I would not recommend posting it here until it is at least verified.
Other solutions are always helpful, but since this is the GAM forum, I would suggest it only if it is something GAM does not offer.

On Wed, May 16, 2018 at 8:51 AM +KimNilsson <there.is.no...@gmail.com> wrote:
@Deepak

I don't know about others, but I am personally just fine without blatant marketing of non-free products in this forum.


--
Kevin Melillo
Electronic Communications Analyst
Information Technology
445 Hoes Lane
Piscataway, NJ 08854

Phone:732-465-6609 | Mobile: 732-609-4331

Deepak Balakrishna

May 16, 2018, 9:48:23 AM
to Amit Agarwal, google-ap...@googlegroups.com
Hi Kevin - it is a Google verified app. Not sure if a recent update we did toggled something on the Google side. I'll reach out to you one on one, if that is ok, to get more details.

All - I apologize if I overstepped any bounds; did not realize discussion of third party tools is not ok.

Thanks
Deepak 


--
-----
Deepak Balakrishna
Co-Founder and CEO, Adya
Phone: +1-408-464-3947 (US)  / +91-9632754697 (India)

Kevin Melillo

May 16, 2018, 10:38:25 AM
to google-ap...@googlegroups.com, amit.a...@adya.io
No need to reach out.  When I attempted to install it on a test account, Google said it was unverified.  Contact Google about this.


Seth Dimbert (Hillel Yeshiva)

Mar 10, 2021, 4:05:56 PM
to GAM for Google Workspace
I'm dredging up this old thread to see if there is any new information.

Someone shared the "People in <DOMAIN> can search for this file" checkbox with me today... I had not been aware of it until now. How new is that setting?

In any case, he told me that he found many documents in his school's domain that were "discoverable" by students including many that absolutely should not have been. I grew concerned and found this thread while doing my research. I used Ken's command (gam all users show filelist query "visibility='domainCanFind'" todrive) to search my own domain and was relieved that there were only 202 documents with that flag. I did some analysis and found:
  • 24 are Docs
  • 39 are Sites
  • 2 are Jamboards
  • The remaining 137 are drive.google links to media files, mostly images and videos.
I was able to view file names and previews and am pleased to report that none of them contain confidential information, so we are safe. But I want to share the potential risk with colleagues at other schools and am wondering if there is any new thinking about how to solve the issue. (Also, oddly, I noticed that I can preview the files but lack the permission to open some of them.)

Thanks, in advance for any help.

-SD

Seth Dimbert
Director of Technology, Hillel Yeshiva

ashish jha

Jun 12, 2021, 2:33:00 AM
to GAM for Google Workspace
Hi Ross,

Kindly update it again, with an example, how I can change the permission of an existing file in Google Drive which is visible for everyone.

Ross Scroggs

Jun 12, 2021, 6:20:18 PM
to google-ap...@googlegroups.com
Ashish,

gam user file ow...@domain.com delete drivefileacl <DriveFileID> anyone
gam user file ow...@domain.com delete drivefileacl <DriveFileID> anyonewithlink

Ross


ashish jha

Jun 16, 2021, 3:52:20 AM
to GAM for Google Workspace
Ross,

We need to restrict the existing file with folder so that it can be accessible by their owner only, please guide.

Ross Scroggs

Jun 16, 2021, 10:53:26 AM
to google-ap...@googlegroups.com

ashish jha

Jun 17, 2021, 4:45:16 AM
to GAM for Google Workspace
Hi Ross,

As per your suggestion, please help: is this the right syntax?
gam user <domain email id> delete drivefileacl 1ho9o2K9pMosSb2KM2WRTazwxcadQ9rfxZZEUgwEOGaQ anyonewithlink

Error! is coming like this:-
ERROR: 404: Permission not found: anyoneWithLink. - notFound
or
ERROR: 404: Permission not found: 02813744029275393614i. - notFound

Ross Scroggs

Jun 17, 2021, 8:49:24 AM
to google-ap...@googlegroups.com
Ashish,

What does this show: gam user <domain email id> show drivefileacl 1ho9o2K9pMosSb2KM2WRTazwxcadQ9rfxZZEUgwEOGaQ 

ashish jha

Jun 17, 2021, 11:34:39 AM
to GAM for Google Workspace
output is displayed as below:

11042027536352726547
 id: 11042027536352726547
 type: user
 emailAddress: <Domain Email id>
 role: owner
 displayName: <Name of the owner>
 deleted: False

now what next steps to restrict the permission as owner account ? please give idea.

Ross Scroggs

Jun 17, 2021, 11:44:51 AM
to google-ap...@googlegroups.com
Ashish,

As the only ACL displayed is that of the owner, no other user has access to the file.
This script can help you make bulk changes, test with a single user, be sure you understand what's going on.

Ross


