Dumping full file/folder permissions report for access permission auditing in Google Drive
We have Google Drive folders and team/shared drives with thousands of files and folders. Over the years they have been shared by numerous folks and thousands of folks have access to different files/folders at different levels.
I'm trying to find a way to dump every file/folder from a source folder along with what the permissions are for that file/folder. So, something that has a detailed report of every file/folder with permissions applied to it.
This would let someone review and see exactly who has access to what so they can make a decision on if the access needs to be removed.
For example, imagine a file/folder structure like this:
- Folder A - user1, user2
  - Folder A.A
    - File A.A.1 - user3
  - Folder A.B
  - Folder A.C - group1
- Folder A.A
- Folder C - group3
  - Folder C.A
  - Folder C.B - group4
    - File C.B.1 - user1
    - File C.B.2 - user2
  - File C.1
  - File C.2
A permission report for this would look like:
| Item Type | Item Path | Permission Application | Permission Grant |
|---|---|---|---|
| folder | Folder A | direct | user1 |
| folder | Folder A | direct | user2 |
| folder | Folder A > Folder A.A | inherited | user1 |
| folder | Folder A > Folder A.A | inherited | user2 |
| file | Folder A > Folder A.A > File A.A.1 | inherited | user1 |
| file | Folder A > Folder A.A > File A.A.1 | inherited | user2 |
| file | Folder A > Folder A.A > File A.A.1 | direct | user3 |
| folder | Folder A > Folder A.B | inherited | user1 |
| folder | Folder A > Folder A.B | inherited | user2 |
| folder | Folder A > Folder A.C | inherited | user1 |
| folder | Folder A > Folder A.C | inherited | user2 |
| folder | Folder A > Folder A.C | direct | group1 |
| folder | Folder C | direct | group3 |
| folder | Folder C > Folder C.A | inherited | group3 |
| folder | Folder C > Folder C.B | inherited | group3 |
| folder | Folder C > Folder C.B | direct | group4 |
| file | Folder C > Folder C.B > File C.B.1 | inherited | group3 |
| file | Folder C > Folder C.B > File C.B.1 | inherited | group4 |
| file | Folder C > Folder C.B > File C.B.1 | direct | user1 |
| file | Folder C > Folder C.B > File C.B.2 | inherited | group3 |
| file | Folder C > Folder C.B > File C.B.2 | inherited | group4 |
| file | Folder C > Folder C.B > File C.B.2 | direct | user2 |
| file | Folder C > File C.1 | inherited | group3 |
| file | Folder C > File C.2 | inherited | group3 |
When you have tens of thousands of files and folders, it may not be obvious that group4 has access to Folder C > Folder C.B > File C.B.2. Maybe group4 should not have access to File C.B.2. If you have a report like above then you can see that group4 has access to File C.B.2 and so you know you need to remove it.
My current thought is to:
- Use Drive API drive.files.list (https://developers.google.com/drive/api/v3/reference/files/list) to dump a list of files/folders from some root folder
- Use Google's batch request API (https://developers.google.com/docs/api/how-tos/batch) to make batched calls to drive.permissions.list (https://developers.google.com/docs/api/how-tos/batch)
But this seems horribly inefficient -- especially if there are tens of thousands of files/folders.
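The report layout described in the question, built from a flat listing, as an added example that is not part of the original post or of any tool mentioned on this page. It assumes the listing has already been collected and that each record carries only the grants applied directly to that item; the tuple layout and the function names are hypothetical, and the sample data is constructed to mirror the question's tree.

```python
from collections import defaultdict

# Constructed sample mirroring the question's tree (not real Drive data).
# Tuple: (id, name, parent id or None, is_folder, grants applied directly)
ITEMS = [
    ("a", "Folder A", None, True, ["user1", "user2"]),
    ("aa", "Folder A.A", "a", True, []),
    ("aa1", "File A.A.1", "aa", False, ["user3"]),
    ("ab", "Folder A.B", "a", True, []),
    ("ac", "Folder A.C", "a", True, ["group1"]),
    ("c", "Folder C", None, True, ["group3"]),
    ("ca", "Folder C.A", "c", True, []),
    ("cb", "Folder C.B", "c", True, ["group4"]),
    ("cb1", "File C.B.1", "cb", False, ["user1"]),
    ("cb2", "File C.B.2", "cb", False, ["user2"]),
    ("c1", "File C.1", "c", False, []),
    ("c2", "File C.2", "c", False, []),
]


def permission_report(items):
    """Return (type, path, application, grant) rows in depth-first order."""
    children = defaultdict(list)
    for item in items:
        children[item[2]].append(item)  # group by parent id; None = root

    rows = []

    def walk(parent_id, parent_path, inherited):
        for item_id, name, _, is_folder, direct in children[parent_id]:
            path = f"{parent_path} > {name}" if parent_path else name
            kind = "folder" if is_folder else "file"
            rows.extend((kind, path, "inherited", g) for g in inherited)
            rows.extend((kind, path, "direct", g) for g in direct)
            if is_folder:
                # Every grant effective on a folder flows down to its children.
                walk(item_id, path, inherited + direct)

    walk(None, "", [])
    return rows


def who_can_access(rows, path):
    """Effective grants on one path, with how each one was applied."""
    return [(grant, how) for _, p, how, grant in rows if p == path]


if __name__ == "__main__":
    for row in permission_report(ITEMS):
        print(" | ".join(row))
```

Filtering the rows by path, as `who_can_access` does, answers the review question directly, for example which principals reach `Folder C > Folder C.B > File C.B.2` and whether each grant is direct or inherited.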
Solution 1:[1]
Check out GAMADV-XTD3 - command line tool for Google Workspace administration https://github.com/taers232c/GAMADV-XTD3
It has plenty of scripts. As per your requirements, I would check GetTeamDriveFileACLs.py and GetSharedFiles.py, but there are additional scripts that will give you insights about the permissions on personal and shared team drives.
https://github.com/taers232c/GAM-Scripts3
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | adambg |
