4 Examples of Google Docs Policy Enforcement Using GAT+ [Old UI]

A policy is what an organisation decides is best practice for the use of its Google Drive.

With GAT a Policy violation can manifest itself as:

  1. a warning to the Admin,
  2. a warning to the Admin and document owner,
  3. a warning to the Admin and document users,
  4. a warning to the Admin and/or the owner and/or the users, and the removal of access.

Option 4 is often described as policy enforcement, and sometimes incorrectly as document ‘security’. It is important to understand that it is not possible to do security enforcement using Google’s current APIs. First, removal of access is ‘after the event’, meaning the contents are already leaked. Second, local Admins have no control over documents shared into the domain: they cannot remove local access from these, they can only warn users that their access to these documents is being monitored.

In this paper we hope to show you four use cases of ‘Policy enforcement’ you can do using the General Audit Tool.

Example 1 – Removing access to documents shared to personal accounts.

Here the organization allows documents to be shared with other business domains but does not want its documents shared with personal accounts (like gmail.com).

Example 2 – Removing all remote access to documents that contain the words “private and confidential”.

Here we do a text search of every document for the selected words and remove sharing if those words are found.

Example 3 – Removing external access to spreadsheets used by members of the group Finance.

Here we identify all the members of a Google Group and make sure one document type is not shared outside the domain (except to the Auditors).

Example 4 – Warning local users about organization policy with respect to images.

Here we check for all images shared into the domain and warn local users about the company policy on viewing images in the workplace.

For each of the examples, we show the Admin how to run the policy on an ongoing basis. To apply the rules retrospectively you can leave the ‘From’ date blank and run the policy as a scheduled job once. Before doing so, look through the file listing returned in your filter. These are the files that will be changed. The beauty of integrating a policy engine with the drive audit is that you can see what will be affected. After its first run, you can revisit the rule and set it up as a scheduled job, to run daily, weekly or monthly.

Example 1 – Removing access to documents shared to personal accounts

The image above shows the completed fields used to build the policy.

Remember to select ‘Users’ and you can cut and paste the regular expression below.


Add your own popular local domains. ‘.’ is a special character, so we escape it with a ‘\’ in the expression. (Example is given to show you how to use regular expressions with GAT)


GAT also allows for the much simpler non-regular expression based listing of domains. To add this list, simply type after ‘Users’: gmail.com,hotmail.com,yahoo.com
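Why the escaping matters, as an added example (not GAT's code and not the expression from the original page): the domain list above is turned into an escaped, anchored pattern and compared with an unescaped, unanchored one on constructed addresses. The `partner.example` addresses, the function names and the assumption that the filter is applied as a substring search are all illustrative.

```python
import re

# The three personal-mail domains named on this page.
PERSONAL_DOMAINS = ["gmail.com", "hotmail.com", "yahoo.com"]


def build_strict(domains):
    """Escape every '.' and pin the domain between '@' and end of string."""
    alternatives = "|".join(re.escape(d) for d in domains)
    return re.compile(r"@(?:" + alternatives + r")$", re.IGNORECASE)


def build_loose(domains):
    """Domains pasted as-is: '.' matches any character, nothing is anchored."""
    return re.compile("|".join(domains), re.IGNORECASE)


# Constructed sample of addresses a document is shared with.
SHARED_WITH = [
    "alice@gmail.com",                 # personal account: should be flagged
    "Bob@Yahoo.COM",                   # personal account, mixed case
    "carol@partner.example",           # business partner: must stay untouched
    "dave@yahoo-com.partner.example",  # unescaped '.' also matches '-'
    "erin@gmail.com.partner.example",  # unanchored match inside a longer domain
    "frank@notgmail.com",              # unanchored match on a domain suffix
]


def flagged(pattern, addresses):
    """Return the addresses whose share would be hit by the policy."""
    return [a for a in addresses if pattern.search(a)]


if __name__ == "__main__":
    print("strict:", flagged(build_strict(PERSONAL_DOMAINS), SHARED_WITH))
    print("loose: ", flagged(build_loose(PERSONAL_DOMAINS), SHARED_WITH))
```

With a policy that removes access, every extra address in the loose result is a business share that would be revoked by mistake, which is why the file listing should be reviewed before the rule is scheduled.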

Select from today’s date to have this ready for a nightly scan.  

Leave the start date blank to see all the files that match. You can run the rule once with no start date to clean up your back history, then schedule it as a daily or weekly job.

When you click ‘Schedule/Save’ you are taken to the following scheduler configuration screen

Complete the fields to your own requirements.  Free text boxes can be dragged to expand.

See the update on this feature set at the end of this document.

Example 2 – Removing all remote access to documents that contain the words “private and confidential”

See the update on this feature set at the end of this document.

Example 3 – Removing access to spreadsheets shared by members of the group Finance.

See the update on this feature set at the end of this document.


Example 4 – Warning local users about organization policy with respect to images.

This is the sample regular expression for images used in the above example; you can cut and paste it.


png, jpg and gif are the image type endings; extend them with your own selection. For example, if you include jpeg the expression will be ([^\s]+(\.(?i)(png|jpg|jpeg|gif))$)

You can also include audio and video files in this sweep.
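To check what the image expression does and does not catch before scheduling it, here is an added example (not GAT's code) that rebuilds the expression from a list of endings and runs it over constructed document names. Python rejects the mid-pattern `(?i)` used on this page, so the scoped form `(?i:...)` is substituted; whether GAT matches anywhere in the name or against the whole name is not stated on the page, so both are shown.

```python
import re


def name_filter(extensions):
    """Rebuild the page's expression for a list of file endings.

    (?i:...) is Python's scoped spelling of the page's mid-pattern (?i):
    only the ending is matched case-insensitively.
    """
    endings = "|".join(re.escape(e) for e in extensions)
    return re.compile(r"([^\s]+(\.(?i:" + endings + r"))$)")


IMAGES = name_filter(["png", "jpg", "gif"])               # expression as on the page
IMAGES_JPEG = name_filter(["png", "jpg", "jpeg", "gif"])  # the jpeg extension

# Constructed document names.
NAMES = [
    "logo.png",
    "Banner.GIF",         # upper-case ending, caught by the (?i) flag
    "scan.jpeg",          # missed unless jpeg is added
    "holiday photo.jpg",  # the space only matters for whole-name matching
    "invoice.png.pdf",    # '$' means the ending must be last
    "jpg settings",       # no dot before the ending
]


def hits(pattern, names, whole_name=False):
    """Names selected by the filter, as a substring or whole-name match."""
    match = pattern.fullmatch if whole_name else pattern.search
    return [n for n in names if match(n)]


if __name__ == "__main__":
    print(hits(IMAGES, NAMES))
    print(hits(IMAGES, NAMES, whole_name=True))
    print(hits(IMAGES_JPEG, NAMES))
```

If names containing spaces are missing from the file listing GAT returns, the `[^\s]+` part is the reason.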

Remember we are only interested in images ‘Shared in’, so after the initial search, we narrow the filter by clicking on ‘In’.

See the update on this feature set at the end of this document.


GAT has a unique concept of a ‘search chip’. As you add more filters the ‘chip’ builds up, eventually giving us something like this:

  • Docs shared in not deleted with Document name [([^\s]+(\.(?i)(png|jpg|gif))$)] changed from 07/10/2013 23:00:00

These ‘chips’ can be scheduled, saved and even added to other chips. (see recent filters)


Example 5 – Free Bonus Example 🙂 – Removing remote access to a specific Folder

This is a very useful concept because instead of trying to protect the domain, it protects a working area. Any file shared into the working area will be subject to its protection.

First, find the folder

Then find the contents by clicking on the arrow behind the directory name

Next click on ‘Out’ to add that filter to the ‘Chip’.

We have our search filter, ‘all files in this folder shared out’ 

Now let’s apply a policy.

Note, it does not matter that there are zero files that match these search criteria; that just shows the folder is in compliance right now. If it were not, you would see exactly the files that were non-compliant, the owners and the external parties. This is really useful because it lets you have a discussion with the parties before applying the rule.

To add the policy, click ‘Schedule/Save’

In scheduling the job we can now set all our rules.

We set it as a ‘policy’. Audits and policies do the same thing, but with a policy you only get notified if there was a breach of the rule, whereas an audit will give you a status report every day, even if there was no change.

Have the report output in CSV or PDF format.

Run every day, after midnight.

Send a copy of the report to a particular manager.

Remove the external shares.

Notify the local owners.

Send them a message, which can be in any language.

And finally, click ‘Update’ to activate.


This final example is interesting because it combines several features of GAT that are simply not available on other audit or security tools and adds them to a Policy engine that is at once both simple and powerful. The solution is fully integrated: you can see the results as you progress, and you are not making the rule up in one place and hoping you will see the correct results in another place. Before you put the policy into effect, you can see it built up on your live data in front of your eyes.

Everything follows from Audit, and of course the Audit has to be accurate in the first place. If your audit tool is still not finding all the files, it is not even off first base.


Update on Audit and Policy Scheduler

We have greatly enhanced the features on the scheduler page, see the screenshot below.

