# 11 Legacy public-share inventory & cleanup

> v0.1.3 · role: Prevent · [policy: #15 · #12](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Sharing defaults are prospective: tightening them leaves every file that is already link-shared to anyone, or shared domain-wide, exactly as it was. This runbook enumerates those files with GAM — the console will not show sharing state in bulk — triages each row into justified or not against a register, revokes the rest, and then re-runs on a schedule and diffs against the register. The recurring diff is what makes it a control rather than a one-off tidy-up.

Documentation: [Take action based on search results](https://knowledge.workspace.google.com/admin/security/take-action-based-on-search-results)

## Caveats

- Cleanup without the recurring diff is a one-off — and tightening the org-wide sharing default (№13) revokes nothing retroactively, so neither half works without the other.
- Do not mass-revoke blind — public links are load-bearing for some teams, which is why the triage register exists before the revoke script does.
- `print filelist` across all users is slow and quota-heavy on a large tenant — run it scoped per OU, overnight, and expect to tune GAM's threading.
- Revoking a public link on a file inside a shared drive can fail when the drive's own sharing policy conflicts — fix the shared-drive setting (№29) first.
- Files owned by suspended or deleted users still surface publicly — transfer ownership before you delete an account, or the share outlives the identity.

## Setup steps

1. Inventory every externally-visible file. GAM emits the sharing fields the console will not show you in bulk.

   ```
   gam all users print filelist fields id,name,owners.emailaddress,permissions,webviewlink > shares.csv
   ```

   docs: [Method: files.list](https://developers.google.com/workspace/drive/api/reference/rest/v3/files/list)

2. Filter the CSV to the two dangerous states: link-shared to anyone, and shared to a domain-wide audience. Record the matched permission's id in its own column — the revoke step deletes exactly that grant.

   Keep rows where permissions.*.type = anyone (allowFileDiscovery true or false) or type = domain; write that permission's id to a permId column

3. Triage against a register: each surviving row is either justified (record it) or not (remediate it). Do not mass-revoke blind — public shares are load-bearing for some teams.

   Output two lists: public-approved.csv (documented) and public-revoke.csv

4. Revoke the unjustified shares, addressing each by the permission id the triage recorded.

   ```
   gam csv public-revoke.csv gam user "~owners.0.emailAddress" delete drivefileacl "~id" "~permId"
   ```

   docs: [Method: permissions.delete](https://developers.google.com/workspace/drive/api/reference/rest/v3/permissions/delete)

5. Close the tap so the inventory does not refill: tighten the sharing default (control [№13](drive-external-sharing.md) covers this screen in full). — `Apps › Google Workspace › Drive and Docs › Sharing settings`

   - **Sharing outside of your organization** = Off, or Allowlisted domains
   - **General access default** = Private to the owner

   docs: [Manage external sharing for your organization](https://knowledge.workspace.google.com/admin/drive/manage-external-sharing-for-your-organization) · [Set general access sharing options for your organization](https://knowledge.workspace.google.com/admin/drive/set-general-access-sharing-options-for-your-organization)

6. Re-run the inventory on a schedule and diff against the approved register.

   Monthly cron: re-run print filelist → diff vs public-approved.csv → alert on new rows

## Ongoing maintenance

- **[automatable: script]** Monthly: re-run the sweep and diff against the exceptions register.
- **[requires a human]** Per finding: contact the owner and revoke or register the share.

## How to verify

1. Re-run the public-link inventory; the result should be empty or exactly the approved exceptions register.

   ```
   gam all users print filelist query "visibility='anyoneWithLink' or visibility='anyoneCanFind' or visibility='domainWithLink' or visibility='domainCanFind'" fields id,title,owners
   ```

## Settings screens

- Apps > Google Workspace > Drive and Docs > Sharing settings (stop the bleeding before you mop)
  - console: https://admin.google.com/ac/managedsettings/55656082996/sharing
  - screenshot: ../screenshots/admin.google.com/ac/managedsettings/55656082996/sharing.png
- Security > Security center > Investigation tool (bulk-remove 'Anyone with the link' sharing — Drive remediation needs Enterprise Standard+, Education Standard+, Frontline Standard+, Enterprise Essentials Plus or Cloud Identity Premium; the GAM path works on every edition)
  - console: https://admin.google.com/ac/sc/investigation
  - screenshot: ../screenshots/admin.google.com/ac/sc/investigation.png
