Stop a user from sharing a document to a particular outside email address

tneuser
New Contributor III

Hello everyone

Do you know if it is possible to stop a user from being able to share a Google document with a person outside of our domain? I don't want to block the entire outside domain, as there are legitimate documents that need to be shared with this domain, but I would like to be able to stop one user from sharing with another user. Is this possible?

7 REPLIES

ddelboccio
Contributor III

I have not seen a way to accomplish what you are asking. My experience has been you either can share outside the domain, not share outside the domain, or only share to an allow list of domains outside the domain.

None of these options seem to apply to any ONE individual user.

Unless I am wrong, that is...

tneuser
New Contributor III

That's what I've been seeing as well. I just wanted to make sure I wasn't missing something.

alexgrutza
Contributor III

You can utilize DLP policies with a wordlist if you know what type of words the user will utilize. Our utilization of this is slightly different but perhaps can help lead you to an answer.

  • Our provost (we're higher ed) wanted to share extremely confidential data with all their faculty
  • They didn't want the file to be able to be shared (internally or externally), but they did want the faculty to be able to download and copy the Google Sheet, so they could perform analysis on the document themselves if they wanted to
  • In the Google sheet, the provost entered a specific "DocumentID" value in multiple places in the document to make it look like it was generated by them exporting
  • I created a wordlist specifically with the "DocumentID" value as a string
  • Created DLP rules to perform the blocks or audits depending on what the faculty were doing (i.e., blocked on all Gmail, warn on internal Drive share, block external Drive share)

Again, that may not be exactly what you're looking for, but perhaps some tidbits of information to get you to where you want to be.

--
CISSP | LinkedIn | @Phyxiis

The data could still be analyzed through use of screenshots of the spreadsheet with OCR.

Yes, but that type of data exfiltration is impossible to stop, after the data exists and has been shared with anyone. Only by never inputting and/or sharing the data at all can such methods be fully restricted, so it can't really be part of the normal least access necessary and data minimisation mindset.

Especially in an organisation where an outsider can ask for almost anything with a Freedom Of Information request. FOI might be called something else in other countries. Here in Sweden it's called allmän handling (public information), and is the default for all information.

Despite that, all such requests start with a discussion/control of secrecy and privacy. No information is provided before it has been concluded it doesn't contain information that is not public information, according to various laws.

--
https://wheretofind.me/@NoSubstitute

kaned
Contributor II

I was also going to suggest diving into DLP for this application. I believe DLP can be assigned by OU.

You may need to place a user in a separate group or OU to apply the DLP, but this may get you where you want to go.

Kim_Nilsson
Admin Moderator

Look into Drive Trust Rules.

It does require that you have either Education Standard or Education Plus.

--
https://wheretofind.me/@NoSubstitute