Managing departmental folders in Google Drive with ownership accounts
TMU’s CCS is offering departments the option of creating and assigning an ownership account (non-person account) to automatically “own” all files and documents that are stored in a Departmental Google Drive Folder. The main purpose of the “ownership accounts” is to protect all files managed in a departmental folder, preventing any loss of files owned by an individual if this individual leaves TMU.
What currently happens in Google Drive with shared files?
Every file stored in Google Drive has an account that “owns” the file or folder. This is the person who uploaded or created the file in Google Drive. The recommended process when someone leaves TMU is for them to review their files and transfer ownership of important shared files and folders to another user, to avoid the deletion of their files when their account no longer exists.
What can departments do to prevent loss of files?
Many departments have created departmental or team folders in Google Drive with appropriate sharing permissions configured on the folder(s) for the department or teams to work and collaborate effectively. Currently, by request and consultation, CCS can configure a Departmental Google Drive Ownership Account to be assigned as the “owner” of a departmental folder.
How does a Departmental Google Drive Ownership account work for our shared departmental folder?
Once CCS creates the Departmental Google Drive Ownership Account for your department, ownership of all items in the designated shared departmental folder, such as subfolders and files, is automatically transferred from the original owner to the ownership account. No one individual owns any files in this departmental folder, and the “owner” listed will change for all files. We call the folder a managed departmental folder.
About the Departmental Google Drive Ownership accounts:
- They are similar to a generic account (generic accounts that are not a person, for example: email@example.com, firstname.lastname@example.org), with the primary purpose being to act as an ownership account only. Since only an owner of a file can truly permanently delete a file from Google Drive, this will mitigate the loss of shared critical departmental files.
- CCS will maintain these ownership accounts and there will be no login credentials provided to any users in the department. This is to ensure no one can log in to this account and accidentally make changes or delete files or folders.
- We will assign the primary contact person from each department, and a secondary backup contact, for each departmental account (usually a manager or the project’s working group member), who can authorize any changes, such as folder configuration changes needed to be made by CCS.
- This account will be kept secure with a randomized password being changed automatically on a monthly basis. CCS administrators can access the account when requested by the primary contact person.
- There is a clear naming convention for these accounts so it’s obvious that it’s a Departmental Google Drive Ownership account and not a personal user account. The username will be deptfolder.deptname, with the display name being “Department Dept Folder”.
- For example, for the CCS department’s shared folder, the username would be: deptfolder.ccs. The display name visible to users in Google Drive will appear as “CCS Dept Folder” for all subfolders and files in this shared folder.
- With these ownership accounts and any managed folder in Google Drive, we recommend that users only move work or departmental files according to your department policy as the ownership will be removed from the original owners.
Configuration options for a managed departmental folder
Besides assigning a Departmental Google Drive Ownership account to automatically take ownership of transferred files and folders, there are a few other configuration options you have available for both access and permissions. CCS will consult with you to recommend the most appropriate configuration for your department’s needs:
Three security levels are available to your department or team folder, listed from general (standard) to the most highly secured folder options. Once we apply a configuration to your Google Drive folder, we consider this folder a “managed folder”.
Folder configuration option: Retain Ownership of Files
- What it does to files in the folder: Changes the ownership of all items such as subfolders and individual files uploaded or moved into a departmental folder. The new owner will be the departmental Google Drive ownership account. No existing sharing on individual files will be changed, even if a file was shared to someone outside of the department or had link sharing turned on.
- Who should choose this setting? This is the basic setting and is recommended for most use cases. It takes care of managing all ownership of files; all sharing and permissions remain intact.
Folder configuration option: Retain Ownership of Files & Reset Existing Sharing
- What it does to files in the folder: Changes the ownership of all items such as subfolders and individual files uploaded or moved into a departmental folder. The new owner will be automatically changed to the departmental Google Drive ownership account. If a file that is moved into the departmental folder had other sharing permissions, for example, it was shared with other users not part of the departmental folder, or the link sharing was turned on, these permissions will be removed from the file and reset to the sharing permissions configured on the departmental folder. This happens only when ownership is first changed (the files may then be re-shared in the future).
- Who should choose this setting? This setting is recommended if you have files being moved into your department folder that need to be cleaned up of existing sharing settings and ownership moving forward. Note, files in the folder can still be re-shared in the future.
Folder configuration option: Retain Ownership of Files & Secure Files (no further sharing allowed by users)
- What it does to files in the folder: Changes the ownership of all items such as subfolders and individual files uploaded or moved into a departmental folder. The new owner will be the departmental Google Drive ownership account. If a file had other sharing permissions, for example, there was sharing set to other users not part of the departmental folder, or the link sharing was turned on too wide, these permissions will be removed and reset to the sharing permissions configured on the departmental folder when ownership is changed. Anyone who has access to this folder will NOT be able to share any items in this folder with anyone else outside of the folder’s sharing permission.
- Who should choose this setting? This setting offers the highest level of security for the files in your folder, so files do not get shared with users outside of the department. For this security setting, it’s recommended that sharing of this folder be done with a Google Group; that way, the group manager can allow new members access to the folder.
Currently, CCS no longer accepts new enrollment in the managed department folder service. CCS recommends the use of Google Shared drive as an alternative and encourages departments currently using the managed department folder to migrate to Google Shared drive. For more information or to discuss the process of migrating to Google Shared drive, please contact the CCS Help Desk or x556806.
No. The only thing that will change is the owner (and, with the more restrictive Level 2 and 3 settings, who the file is shared with). For example, if jane.doe was the owner of a file stored in a shared folder, and john.doe has access to the shared folder with “can edit” sharing permissions, when this folder becomes managed by an ownership account with the level 1 setting “Retain files”, jane.doe becomes an editor, with “can edit” permissions, just like john.doe. The ownership changes to the ownership account. All revisions and history remain intact.
Ownership changes to the departmental ownership account will appear in the file and folder's activity panel. If the security level is 2 or 3, you may also see sharing changes in the activity panel based on the sharing permissions configuration at the root level folder.
Unfortunately, departments cannot use an existing account to manage departmental folders. Since one or many people presumably know the password for this generic account, you cannot prevent anyone with access to this account from permanently deleting important files. CCS cannot assist with recovering files lost due to deletion from this account.
The Departmental Google Drive Ownership accounts are for administrative purposes only. They are set to automatically change passwords every month.
Staff, with the permission of a manager or director, can request a Google Group. For more information on Google Groups, please visit the help page. You can also contact the CCS help desk at email@example.com or ext. 556806 for support.
No. At this time, we do not have the capability for preventing users with edit access to a folder from deleting a file, but know that only an owner can permanently delete a file from Google Drive. Deleted files owned by an ownership account can be recovered by CCS by request from the departmental contact.
If preventing deletion is a very important feature for you, you may want to consider looking into Google Shared Drives as this functionality exists.
Be very careful what you move into a level 2 or level 3 managed departmental folder. The owner could be completely removed from their own file, no longer having access to it. This is the intended behaviour as in many cases, the file is being moved into this folder to clean permissions from staff who have left the department or TMU.
For departmental managed folders, “Add” is the same as using “Move”. Ownership will be changed and the file will inherit its permission settings from the folder.
Adding shortcuts to Google Drive files and folders into departmental managed folders will not change the ownership of the original file; it will only transfer the ownership of the shortcut.
Since ownership of the files and subfolders in a departmental managed folder is with an ownership account, you can remove people at the root level of the departmental managed folder if they are an editor, commenter or viewer.
You may find that people who have created files and subfolders in the departmental managed subfolder are not removed when you restrict the sharing at the root level. You will need to use Google Drive advanced search to find and bulk restrict access to the files and subfolders within the departmental managed folder. Instructions can be found in this Google Doc on using search in Google Drive to find files and restrict sharing.
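The check described above, finding files in a managed folder whose access goes beyond the root folder's sharing, can also be run over exported file metadata. The following is an added example, not a CCS tool: the sample records are constructed in the shape of Drive API v3 `files` resources, `example.edu` is a placeholder domain, levels 1 to 3 follow the order the options are listed in, and treating `writersCanShare` as the level 3 control is an assumption.

```python
# Constructed sample metadata shaped like Drive API v3 `files` resources
# (fields: owners, permissions, writersCanShare). example.edu is a placeholder.
OWNER = "deptfolder.ccs@example.edu"  # username format taken from the page
ROOT_ACL = {("user", OWNER), ("group", "ccs-staff@example.edu")}  # root sharing

FILES = [
    {"name": "budget.xlsx", "writersCanShare": False,
     "owners": [{"emailAddress": OWNER}],
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": OWNER},
         {"type": "group", "role": "writer",
          "emailAddress": "ccs-staff@example.edu"}]},
    {"name": "old-plan.docx", "writersCanShare": True,
     "owners": [{"emailAddress": "jane.doe@example.edu"}],
     "permissions": [
         {"type": "user", "role": "owner",
          "emailAddress": "jane.doe@example.edu"},
         {"type": "anyone", "role": "reader"},
         {"type": "user", "role": "writer",
          "emailAddress": "vendor@example.org"}]},
]

def audit(file, level, owner=OWNER, root_acl=ROOT_ACL):
    """Return (severity, message) findings for one file in a managed folder.

    level: 1 = retain ownership, 2 = also reset sharing, 3 = also no re-sharing.
    """
    findings = []
    owners = {o["emailAddress"].lower() for o in file.get("owners", [])}
    if owners != {owner}:
        findings.append(("violation", "not owned by the ownership account"))
    # Grants beyond the root folder's sharing can be legitimate at levels 1-2
    # (retained or re-shared), so they are only violations at level 3.
    severity = "violation" if level == 3 else "review"
    for p in file.get("permissions", []):
        who = p.get("emailAddress", "").lower()
        if p["type"] in ("anyone", "domain"):
            findings.append((severity, f"link sharing: {p['type']}/{p['role']}"))
        elif (p["type"], who) not in root_acl:
            findings.append((severity, f"extra grant: {who} as {p['role']}"))
    # Assumption: level 3 is enforced by writersCanShare=false on each file.
    if level == 3 and file.get("writersCanShare", True):
        findings.append(("violation", "editors can still change sharing"))
    return findings

def report(files, level):
    """Map file name -> findings, keeping only files that have findings."""
    results = {f["name"]: audit(f, level) for f in files}
    return {name: found for name, found in results.items() if found}
```
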
When ownership of any file or folder is transferred in Google Drive, an email notification from the owner to the new owner is generated. This happens automatically and cannot be switched off. When you first set up your departmental managed folder or move new files into this type of folder, you will find that your Sent label in Gmail is full of these ownership transfer emails. This is normal and is working as expected. If you feel these emails are creating clutter in your account, you can set up a Gmail filter to automatically delete these emails from your Sent label; please visit this Google Doc for instructions.