
Google Workspace Permissions


Google Workspace Permissions: A Small‑Business Checklist

If your team lives in Google Workspace, permission basics are your front line of defense. Get these right and you prevent accidental data leaks, risky admin access, and shadow‑sharing—without slowing anyone down. This checklist walks you through practical Google Workspace permission basics any small business can implement this week.

1) Start with Sharing Defaults

  • Drive sharing: In Admin Console → Apps → Google Workspace → Drive and Docs → Sharing settings, set Default link sharing to Restricted and allow only the link scopes you truly need (e.g., “Anyone in your org” for internal docs).
  • External sharing: Permit external sharing by exception, not by default. Require users to invite specific external people instead of “Anyone with the link.”

Quick win: Run a Drive audit for files shared “Anyone with the link.” Lock those down and track exceptions.

2) Use Groups for Access (Not Individuals)

  • Create Google Groups for projects/teams and assign access to Drives, folders, Calendars, and Docs via the group, not individual users.
  • When people join/leave, group membership updates their access automatically.

Quick win: Replace your top 3 ad‑hoc “share with these 9 people” lists with a single group each.

3) Right‑Size Admin Roles

  • Avoid giving Super Admin to anyone who doesn’t truly need it.
  • Use prebuilt admin roles (Groups Admin, User Management Admin, Help Desk Admin) or create custom admin roles with only the permissions required.

Quick win: Reduce super admin count to the absolute minimum and enable auditing for admin actions.

4) Enforce MFA and Context‑Aware Access

  • Turn on 2‑Step Verification and enforce it (Admin Console → Security → Authentication).
  • Use context‑aware access policies to restrict logins based on device, location, or IP for sensitive apps (Business Plus/Enterprise).

Quick win: Enforce MFA org‑wide and add an exception‑based process for new contractors (time‑boxed to project duration).

5) Segment Data with Shared Drives

  • Use Shared Drives for projects and departments so content ownership stays with the business—not with individuals’ My Drive.
  • Set manager/contributor/viewer permissions at the drive level; avoid granting “Content Manager” to everyone.

Quick win: Migrate critical team folders from My Drive into Shared Drives with proper roles.

6) Control External File Exposure

  • Disable or limit “Anyone with the link” and public sharing for sensitive organizational units.
  • For client‑facing work, create separate Shared Drives with tighter defaults and periodic access reviews.

Quick win: Set an Access Review reminder every 90 days for external shares.

7) Monitor and Review Regularly

  • Use the Security dashboard or Investigation tool (if available), or the Drive logs, to spot unusually broad sharing.
  • Review OAuth app access and restrict risky third‑party apps.
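
The Drive audit from step 1 and the external-share review from step 6 both come down to classifying each file's permission entries. The sketch below is an added example, not part of the original checklist: it works on records shaped like Drive API v3 `files.list` output, and the org domain, the approved-exception list, and the sample files are all constructed.

```python
# Added example: classify Drive API v3 permission entries by exposure.
# ORG_DOMAIN, APPROVED_EXTERNAL and FILES are constructed sample values.
ORG_DOMAIN = "example.com"
APPROVED_EXTERNAL = {"client.example.net"}  # domains with a tracked exception

# Shape follows files.list with
# fields="files(id,name,permissions(type,role,emailAddress,domain,allowFileDiscovery))"
FILES = [
    {"id": "f1", "name": "Price list", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "ana@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Client SOW", "permissions": [
        {"type": "user", "role": "writer", "emailAddress": "pm@client.example.net"},
        {"type": "group", "role": "reader", "emailAddress": "sales@example.com"}]},
    {"id": "f3", "name": "Payroll", "permissions": [
        {"type": "user", "role": "writer", "emailAddress": "temp@gmail.example"},
        {"type": "domain", "role": "reader", "domain": "example.com"}]},
    {"id": "f4", "name": "Press kit", "permissions": [
        {"type": "anyone", "role": "writer", "allowFileDiscovery": True}]},
]

def classify(perm, org=ORG_DOMAIN, approved=APPROVED_EXTERNAL):
    """Return an exposure label for one permission, or None if internal."""
    if perm["type"] == "anyone":
        # allowFileDiscovery=True means findable by search, not just by link
        return "public" if perm.get("allowFileDiscovery") else "anyone_with_link"
    if perm["type"] == "domain":
        dom = perm.get("domain", "").lower()
    else:  # user or group; a missing address yields "" and is flagged below
        dom = perm.get("emailAddress", "").rpartition("@")[2].lower()
    if dom == org:
        return None
    return "external_approved" if dom in approved else "external_unapproved"

def audit(files):
    """List (file id, name, exposure, role) for every non-internal grant."""
    order = ["public", "anyone_with_link", "external_unapproved", "external_approved"]
    findings = [(f["id"], f["name"], label, p["role"])
                for f in files for p in f.get("permissions", [])
                if (label := classify(p))]
    return sorted(findings, key=lambda row: order.index(row[2]))  # worst first

if __name__ == "__main__":
    for row in audit(FILES):
        print(*row, sep="\t")
```

For items in shared drives, `files.list` does not populate `permissions`; fetch them per file with `permissions.list` and feed the same records to `audit`.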
