Managing departmental folders in Google Drive with ownership accounts
Ryerson’s CCS is offering departments the option of creating and assigning an ownership account (non-person account) to automatically “own” all files and documents that are stored in a Departmental Google Drive Folder. The main purpose of the “ownership accounts” is to protect all files managed in a departmental folder, preventing any loss of files owned by an individual if this individual leaves Ryerson.
What currently happens in Google Drive with shared files?
Every file stored in Google Drive has an account that “owns” the file or folder. This is the person who uploaded, or created the file in Google Drive. The recommended process when someone leaves Ryerson, is for them to review their files and be sure to transfer ownership of important shared files and folders to another user to avoid the deletion of their files when their account no longer exists.
What can departments do to prevent loss of files?
Many departments have created departmental or team folders in Google Drive with appropriate sharing permissions configured on the folder(s) for the department or teams to work and collaborate effectively. Currently, by request and consultation, CCS can configure a Departmental Google Drive Ownership Account to be assigned as the “owner” of a departmental folder.
How does a Departmental Google Drive Ownership account work for our shared departmental folder?
Once CCS creates the Departmental Google Drive Ownership Account for your department, everything in the designated shared departmental folder will have ownership of all items, such as subfolders and files, automatically transferred from the original owner, to the ownership account so no one individual owns any files in this departmental folder, the “owner” listed will change for all files. We call the folder a managed departmental folder.
About the Departmental Google Drive Ownership accounts:
- They are similar to a generic account (generic accounts that are not a person, for example: firstname.lastname@example.org, email@example.com), with the primary purpose being to act as an ownership account only. Since only an owner of a file can truly permanently delete a file from Google Drive, this will mitigate the loss of shared critical departmental files.
- CCS will maintain these ownership accounts and there will be no login credentials provided to any users in the department. This is to ensure no one has access to login to this account and accidentally make changes or delete files or folders.
- We will assign the primary contact person from each department, and a secondary backup contact, for each departmental account (usually a manager or the project’s working group member), who can authorize any changes, such as folder configuration changes needed to be made by CCS.
- This account will be kept secure with a randomized password being changed automatically on a monthly basis. CCS administrators can access the account when requested by the primary contact person.
- There is a clear naming convention for these accounts so it’s obvious that it’s a Departmental Google Drive Ownership account and not a personal user account. The username will be deptfolder.deptname, with the display name being “Department Dept Folder”
- For example, for the CCS department’s shared folder, the username would be: deptfolder.ccs The display name visible to users in Google Drive will appear as “CCS Dept Folder” for all subfolders, and files in this shared folder.
- With these ownership accounts and any managed folder in Google Drive, we recommend that users only move work or departmental files according to your department policy as the ownership will be removed from the original owners.
Configuration options for a managed departmental folder
Besides assigning a Departmental Google Drive Ownership account to automatically take ownership of transferred files and folders, there are a few other configuration options you have available for both access and permissions. CCS will consult with you to recommend the most appropriate configuration for your department’s needs:
Three security levels are available to your department or team folder, listed from general (standard) to the most highly secured folder options. Once we apply a configuration to your Google Drive folder, we consider this folder a “managed folder”.
Folder Configuration Option
What it does to files in the folder
Who should choose this setting?
Retain Ownership of Files
Changes the ownership of all items such as subfolders and individual files uploaded or moved into a departmental folder. The new owner will be the departmental Google Drive ownership account. No existing sharing on individual files will be changed even if a file was shared to someone outside of the department, or link sharing turned on.
This setting is the basic and recommended for most use cases. It takes care of managing all ownership of files, all sharing and permissions remain in tact.
Retain Ownership of Files & Reset Existing Sharing
Changes the ownership of all items such as subfolders and individual files uploaded or moved into a departmental folder. The new owner will be automatically changed to the departmental Google Drive ownership account.
If a file that is moved into the departmental folder had other sharing permissions, for example, shared with other users not part of the departmental folder, or the link sharing was turned on, these permissions will be removed from the file, and reset to the sharing permissions configured on the departmental folder. This happens only when ownership is first changed (the files may then be re-shared in the future)
This setting is recommended if you have files being moved into your department folder that need to be cleaned up of existing sharing settings and ownership moving forward. Note, files in the folder can still be re-shared in the future.
Retain Ownership of Files & Secure Files (no further sharing allowed by users)
Changes the ownership of all items such as subfolders and individual files uploaded or moved into a departmental folder. The new owner will be the departmental Google Drive ownership account.
If a file had other sharing permissions, for example, there was sharing set to other users not part of the departmental folder, or the link sharing was turned on too wide, these permissions will be removed, and reset to the sharing permissions configured on the departmental folder when ownership is changed.
Anyone who has access to this folder, will NOT be able to share any items in this folder with anyone else outside of the folder’s sharing permission.
This setting offers the highest level of security for the files in your folder so files do not get shared with users outside of the department.
For this security setting, it’s recommended that sharing of this folder be done with a Google Group, that way, the group manager can allow new members access to the folder.
- How do I get a Departmental Google Drive Ownership account for our folder(s)?
- I moved a file (or created a new file) in the shared departmental folder, it’s been an hour and it still displays myself as the owner of the file. How often will ownership be updated and transferred to the departmental ownership account?
- Will we lose the history and activity on existing files?
- Our department already has a generic account. We transfer ownership of files to this account manually, and also use it for Gmail. Can we use this account as the account that automatically gets assigned ownership?
- We are interested in the highest security level 3 “Retain & Secure Files”, I see using a Google Group to control the permissions is recommended. How do I get a Google Group created?
- Can I prevent people with edit access to the folder from deleting files altogether?
- For level 2 and level 3 security settings, what if the original owner of the file we are moving into this folder doesn’t have permission to the folder?
- What if I’ve used the “Add” feature to add a file to a managed departmental folder so that the file is stored in multiple locations?
Contact the CCS help desk at firstname.lastname@example.org or ext. 6806
When the folder is first configured, it will run immediately and finish processing in approximately 30 minutes depending on the size of all the files stored in your folder. After the initial configuration, changes will not happen in real-time. Expect the ownership settings and other configuration settings to new items to transfer once overnight.
No. The only thing that will change is the owner (and in some more restrictive setting cases - who the file is shared with Level 2 & 3). For example, if jane.doe was the owner of a file stored in a shared folder, and john.doe has access to the shared folder with “can edit” sharing permissions, when this folder becomes managed by a ownership account with level 1 setting to “Retain files”, jane.doe becomes an editor, with “can edit” permissions, just like john.doe. The ownership changes to the ownership account. All revisions and history remain in tact.
Unfortunately, departments can not use an existing account to manage departmental folders. Since one or many people assumedly know the password for this generic account, you can not prevent anyone with access to this account from permanently deleting important files. CCS can not assist with recovering files lost do to deletion from this account.
The Departmental Google Drive Ownership accounts are for administrative purposes only. They are set to automatically change passwords every month.
Staff, with the permission of a manager or director, can request a Google Group. For more information on Google Groups, please see the help page. You can also contact the CCS help desk at email@example.com or ext. 6806 for support.
No. At this time, we do not have the capability for preventing users with edit access to a folder from deleting a file, but know that only an owner can permanently delete a file from Google Drive. Deleted files owned by an ownership account can be recovered by CCS by request from the departmental contact.
If preventing deletion is a very important feature for you, you may want to consider looking into Google Team Drives as this functionality exists.
Be very careful what you move into a level 2 or level 3 managed departmental folder. The owner could be completely removed from their own file, no longer having access to it. This is the intended behaviour as in many cases, the file is being moved into this folder to clean permissions from staff who have left the department or Ryerson.
For departmental managed folders, “Add” is the same as a using “Move”. Ownership will be changed and permission settings will be inherited from the folder on the file.