This lesson is part of the "TAMING GAM - A practical guide to GAM and GAMADV-XTD3" course.
You and your staff are sharing files with your Google Drive inside and outside your company. The simplest way to do it is by making a file that anyone with a link can see. This is the most dangerous way of sharing. You have no idea who is looking at your files. You have are not aware if the person you shared the file with, decided to s
You, and your staff, are sharing files within your Google Drive, inside and outside your company.
The simplest way to do this by making a file that anyone with a link can see. Unfortunately, this is the most dangerous way of sharing because you have no idea who is looking at your files or if their intentions are nefarious. You don't know if the person you shared the file with, decided to share the link with other people in their company. And, if they did so, what their intentions are.
Before we continue, we are going to be using GAMADV-XTD3 in this blog. If you are not sure how to install and get started with GAM, please see these articles.
GAMADV-XTD3 on Google Cloud Shell
If you are looking to upgrade your GAM then go to upgrade your installation of GAM?
Let's get started.
This lesson works with the python file created by Ross Scroggs here called GetSharedWithAnyoneDriveACLs.py
The first step is to get the ACLs for all the files. You can do it for either an individual user or for your entire domain. This first GAM script looks at a single user and exports all of their files to the Google Drive along with the ACLs with targeted headings.
gam user jim print filelist id title permissions todrive
This GAMADV-XTD3 script pushes all the users in your domain with a Google Drive to a Google Sheet with their drive permissions.
gam all users print filelist allfields permissions todrive
Using the scripts that are in the comments of the GetSharedWithAnyoneDriveACLs.py file.
gam config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess all users print filelist fields id,title,permissions,owners.emailaddress <PutQueryHere>
This script allows you to pick either "all users" or an individual user and then at the end of the script you have the option for a query. These are the 3 options:
DESIRED_ALLOWFILEDISCOVERY = 'Any' - query "visibility='anyoneCanFind' or visibility='anyoneWithLink'"
DESIRED_ALLOWFILEDISCOVERY = 'True' - query "visibility='anyoneCanFind'"
DESIRED_ALLOWFILEDISCOVERY = 'False' - query "visibility='anyoneWithLink'"
I would specifically like to look at all files that have been shared with anyone with a link, so my script looks like this.
gam config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess all users print filelist fields id,title,permissions,owners.emailaddress query "visibility='anyoneWithLink'"
The CSV that is generated is then exported to the GAM Work folder, if that is where you ran the script from. You will then be able to open the CSV in Google Sheets or Microsoft Excel. However, you do not have to open it.
Once you have created the filelistperms.csv file, with the first GAM command, you will then need to convert that file to a new file, called deleteperms.csv, using the GetSharedWithAnyoneDriveACLs.py. Run this script and this is what your output should look like in the command line.
python3 GetSharedWithAnyoneDriveACLs.py filelistperms.csv deleteperms.csv
Then inside your c:\GAMWork folder you will see the newly created file called deleteperms.csv. You can open it and look at it. You will see that the python script has cleaned up the script, changed the headers and simplified the permissions.
You need to carefully look through this file and see if you need to remove anything from here. You are looking to remove the external sharing from files. So if there is a file in this CSV, the permissions will be removed in the next step. If you do not want the permissions removed, then remove it from this CSV file.
If you are happy that all the files that need to have their permssions removed are in the CSV, then close it and you can then run this script.
gam csv ./deleteperms.csv gam user "~Owner" delete drivefileacl "~driveFileId" "~permissionId"
The below is what your command line will look like. It shows you what files or folders have had their ACLs removed.
Now to test a final time. Run this script and then open the filelistperms.csv and check that the sharing is what you want.
gam config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess all users print filelist fields id,title,permissions,owners.emailaddress query "visibility='anyoneWithLink'"
You can either be quite specific about removing permissions from your staff's files and folders or you can remove all external sharing in a couple of minutes, it is really up to you and what you want to do.
For a more complete understanding of how to use GAM and GAMADV-XTD3 for your Google Workspace, check out our full course of over 9 hours and 50 pages of free resources!