topic Re: Drive file permissions and audit check in Peer-Peer Topics

Drive file permissions and audit check

Justin_W — Wed, 07 May 2025 01:15:06 GMT

I've got higher-ups looking for answers to an issue:

An external user (parent of student) has requested access to view an internal user's Doc (using the formal "request access" link for Docs).

This doc is Not meant for external viewing, and permissions show the doc set to Internal (Domain)-only level sharing (view only). It's currently set to "Must have link to access".

So the problem isn't that someone viewed something they aren't supposed to (the request was simply denied), but rather - how did this person even come across the file in the first place??

The first theory is that perhaps originally the "must have link to access" was instead set to "can find in search results" and the parent used their student's account to stumble on to it. Given that the default permission when choosing to share with everyone in our domain is set to "must have link to access" this seems unlikely, but not impossible.

The audit tools I have used don't seem to show anything weird with permissions/changes. The Activity Dashboard for the document doesn't show the student or anyone else unwanted having viewed the document.

As best I can tell, the Workspace Admin Security->Investigation Tool doesn't differentiate between visibility of "Must have link" or "Can find in search" setting. So it's not possible to tell if that was the setting at some point and it was changed after.

As an aside, I also noted that while there's a domain setting to set Activity History showing (Apps->Google Workspace->Settings for Drive and Docs->Activity dashboard settings), that is set to "ON" domain wide for us and I still have users (staff) that show "View history isn't available" in the activity history. That doesn't seem right.

I'm not sure what other possible scenario there could be that isn't any less far-fetched/impossible than "Random parent used student's account to stumble across specific document and then tried to open said document with their personal Google account (while NOT accessing it with the student account)"

Is there something I'm missing?

Re: Drive file permissions and audit check

MarkLoundy — Wed, 07 May 2025 01:28:56 GMT

Justin,

The odds of "stumbling" over an individual file would imply access to the directory where it was stored. Most likely, the parent was supplied with the file's link by someone with permissioned access to it.

Re: Drive file permissions and audit check

Olger — Wed, 07 May 2025 01:35:42 GMT

My guess would be that the parent was given the link (intentionaly or not) via email or found it in another document. Once they have the link, they can request access, even though the location where the file is stored may not allow for external access.

We have one shared drive that allows external access, all other shared drives do not allow external sharing. However, if a document was at one point externally shared (either through My Drive or from the shared drive that can have external sharing) and is then moved to a drive without external sharing enabled, parents can still request access (and in our environment we do get regular requests to these documents which are generally old documents that are no longer relevant) if they stored that link somewhere (ie favorites).

We're in the process of moving all (most) documents that need to be externally accessible (ie for parents) to master documents, and export current versions to PDF, which are then made available via the website or SIS. When a master doco is updated, we export the PDF again and overwrite the previous PDF which preserves the Google link. That way parents/external parties can save the link and always get the current version.

Re: Drive file permissions and audit check

kaned — Wed, 07 May 2025 10:58:57 GMT

I would agree, they came across the link to that document either in another document or a link to it in an email was supplied to the parent.

Most the time when I see this, it's the day Google share notification it gets forwarded to somebody else. Though there are times where hyperlinks and documents to get posted publicly, but in my experience this is much more rare.

Re: Drive file permissions and audit check

Michael_Roop — Wed, 07 May 2025 11:46:13 GMT

Does your staff use Apps that allow guardians/parents to view the activity (such as of a class)? We have had some inquisitive parents see links in the timeline and request access which required an explanation of PII.

I have seen some teachers put links on their "about me" pages not realizing that they are not publicly accessible.

Does your school have a system in place that allows parents to keep an eye on their student's activity during the school day (like Bark or Linewize Parents) which might show the links the user visited?

Of course I have heard of some schools that mistakenly post a link on their webpage or in their PS sections that was meant for internal use.

I would think Google could add a "Comments" input on the Request Access page to enter information on where the link was found but that would require end user input.

I probably would just contact the parent and ask them if they can help you out. That is, unless the situation has turned toxic.

Re: Drive file permissions and audit check

panderson — Wed, 07 May 2025 13:07:19 GMT

Like others said, I would guess that an internal user got the link or email and then forwarded the email or the link. If it is PII about some other student, the parent would not have any valid rights to the document. If it isn't covered under PII, the user could still deny the request and make the parent go through "Open Records," and then the document could have the appropriate parts redacted. The parent may not have any idea what is in the document and somehow got the "shared with you" email and just clicked on the link, not having a clue what it is.

Re: Drive file permissions and audit check

Justin_W — Wed, 07 May 2025 16:40:07 GMT

Interesting thought, but I don't believe anyone involved with with document uses an app that interacts with parents during class.

The document is an RFP that was only viewed/useful to those related to that project (administrators and perhaps board members)