Sharing exposure and file types within Google Drive

In Drive audit, we can see a nice overview of all drive files of your entire G Suite domain.

An admin can select each of the categories and it will lead them to all the files from which the category was created from.
In this case will display all Google Drive files which are Open to internal users.
Sharing flags is set ‘Open to internal’, the users are in grey background color, which also indicates that the user are local and not from an outside domain.

Removing Public Access to a Google Document

Open the offending document (Click on the link in the email we sent you).

In the top right corner of your document, you will find a share button…

Repeat these steps for each document you are concerned about.

How to a Create a Report of End Users Documents They Own

In this usage case, GAT allows domain admins to prepare a report that is sent to each user, showing the files that they own as a spreadsheet attachment.

The report can be prepared around several different user sets, depending on the scope the admin wishes to give to the report.

Select the Drive feature

First, we select Drive Audit then we apply a custom filter and search for files owned by our domain.

Select the filter

We simply search for files where the owner is our domain.

Select apply

Once we find all files owned by our domain, we can click the Apply button and this will run the search.

Click on the Files Operations button and select Remove Permissions. Remove Permissions has a feature to notify the owners of the files in this search result and provide them with a spreadsheet of all the files they own.

Click on the Files Operations button and select Remove Permissions.

Select 'scan' in the multi permission change tab

In the Permission change option select “Report onlythis will ensure no actions are happening on the selected search.

Add a message of your choice.

Key terms to know about when creating a custom message:

{{RECIPIENT}} – recipients full name
{{RECIPIENT.FIRSTNAME}} – recipient first name,
{{RECIPIENT.LASTNAME}} – recipient surname,
{{RECIPIENT.EMAIL}} – recipient email.

{{FILES}} – Displays in the email the files in question with a URL link.

This is the message the end user will see. The email will show them all of the files they own.

Clicking on the ‘View files’ button at the bottom will open a Google Spreadsheet for the user.

Find Files Shared to a Group

GAT+ allows an admin to find files based on User/Group or OU members.

For example you want to find all the files owned by members of a particular group.

Admin can also find files where members of this group have access to the files ,but not as owners of the files.
To see all the files where members of ‘Sales’ group has access, use the filter below.

The result will display all files where members of sales group has any access to it whether as reader, editor or owner.  To search for more specific file you can choose an option from the ‘Definition’ and ‘Add rule’.
If an Admin want to find a file where the ‘Owner’ is a member of ‘Sales’ group.
Simply apply the rule above and choose the option ‘Owned’.

The screenshot above will find all the documents used by members of the Sales group, but not owned by them. In other words this is the list of documents shared to members of Sales Group.

This question could also be interpreted as wanting to know what documents are shared to the address ‘’ – this is a group address and should be viewed as a separate entity to the members of the group.

To do this with GAT you search for all documents with viewers/readers ‘’.

And repeat for Editors by selecting ‘Editors’  equals

Using the filter option you can combine ‘Editors’ and ‘Readers to perform the search.

Note, you can never have an owner of a document as a ‘group’ so in this case you could also use the selector ‘Users’ to cover both editors and viewers in a single search.

There are multiple different option to find exactly what you need involving group and member of a group.

Get more G Suite User Audit detail in GAT

While it is essential to have a global audit for Drive, Emails, G+, etc giving you the big picture view for audits in those areas, GAT also recognizes that you need to see the Organizational, Group or User view.

The ‘Users’ audit gives you the ability to filter by user status and then see a whole range of important characteristics associated with the selected user(s).

The ‘Basic’ tab will display all the users with general information such as name, aliases, groups and org.unit they are member of, if admin or not, and last login info.

The ‘Drive’ tab will provide info for the particular user in regards to drive. Note:  stats are for all drive files from perspective of the user, to what type and how many files they have access to.

Drive productivity’ is giving stats for the user based of files Owned by the user.

File types’ again is based on the owned files, shows the make of all the owned files, what type of files they are.

Picking any user, you can see for example their total ‘Quota’ and how much is used, how much by docs and how much by email.

Security’ tab you can check if 2FA is enabled, last time the user login, las negative login and so on.

Applications’, ‘Calendars’, ‘Printers’, ‘Devices’ – will display information for each section respectively from the selected user perspective.

Email Info’ will provide information regarding the email of the user, such as Forwarding, Email delegates, Number of Filters, and Total messages.

Email info’ is also where using ‘Unlock’ function where you can add email delegation, by selecting the arrow under ‘Action’ subtab – Add email delegation.

Create Delegated Auditors within GAT+


This feature is ideal where Admins want to delegate the audit function to local managers or regional security personnel. GAT+ allows anyone to audit any range of users based on the model of Google Groups, Google Classrooms, and Org Units. It does not require passing on Google Admin authority. Selected auditors can be an individual user, group or Org Unit. This allows you to have multiple auditors for a specified scope.

This process is documented in this Youtube video.

To Enable Audit Delegation, go to the GAT+ on the side menu enter the section called Delegated Auditors.

Click on ‘Add new auditor’.

Now, set up the delegated auditors and give them scope.

For the above example, I just selected the product GAT+, choose one auditor Enrique and give him scope over the Sales team, choose the Valid time – until the access is granted or Indefinite expiration period(valid until the Admin revoke the access), then Save.  

Note: Once the delegation is completed, the delegated auditors when they launch GAT+ will be able to run reports and audits similar to a super admin but only for the scope they’ve been given.

You can verify the scope the auditor has by logging into GAT+ as them, you will see exactly what an auditor will see.

You can read more about G Suite Audit delegation here. 

GAT+: Domain Connections Feature

As we have seen, using the collaboration graphs one can see the detailed picture of how and with whom collaboration occurred. Sometimes we need to see the bigger picture. What if we want to know what domains we communicated with and what other parties were involved in those communications? For this, we need the domain connections graphs.

Email – Domain connections graph

Our Business Intelligence module provides 2 types of maps for domain level connections. Each of them covers one year of connections. In all cases, the time window can be varied. Using this tool we can see how your domain is communicating with other Google domains across time. Our unique copyrighted chart always places your domain at the centre of the graph and shows its relationship with every other domain in the chart in a manner that reflects the size of the relationship, the direction of the relationship, the relative strength of the relationship and the relative age of the relationship based on activity. This extremely powerful graph can be drawn based on the data from any timeframe, and can be further filtered by narrowing the time window inside the original timeframe or by selecting relationships of different strengths inwards or outwards.  There is nothing comparable in any other software environment.

With this chart, you can see both emerging and fading relationships. Managers can quickly identify when new relationships are starting and also when old relationships are fading. You can quite literally see at a single glance the activity horizons of your business. You have an instant view of the domains that your company are interfacing with, both through email and document sharing. Communication differs from collaboration because it can be often one-way and may not form part of a collaborative event. It is also susceptible to a high level of noise. Spam like email in or out might be recorded, as might document sharing, that in both cases have no follow through, thus showing intent, but not action.

It is equally vital for managers to be able to track this:
Google Drive – Domain connection graph

This unique graph can give a manager a full view of the horizons of his or her department’s relationships, identifying new and emerging relationships on the right and old or fading ones on the left. A manager can identify the key opportunities even before they hear from their staff and can easily view which relationships are being neglected. Both the time frame and the ‘density’ of the relationship can be set by the manager. Email and document sharing are covered. There is no other tool in the world like this.

Domains Communication can also be approached from both the drive and email audit tools. This will allow for the powerful filtering options available in both these audits to be applied before displaying the domain network. Any time period can be selected. Clicking through to the Domains Communication will then give a full visual summary of all spreadsheets shared to and from external domains. Anomalies will jump out immediately in a way that is not possible from a tabular view.

Selecting any one of those domains and clicking on it shows what other domains are in that cross relationship.

Among the uses for this type of visualization are identifying cross relationships with external domains, identifying strong relationships that may need to be taken care of for a leaver. Identifying unusual or unexpected domain relationships. All of these become possible at a single glance.

GAT Shield Tags

GAT Shield allows Admins and Users to assign tags to web pages. This new audit feature allows for convenient bundling of sites and web pages under a common tag for reporting and auditing purposes.

Any site or URL can have multiple tags. These tags can then be searched for in the Browsing report.

The tags apply across all users and will return the browsing history on any page with a tag containing one or more of the tags searched for.

The filtered report produces a detailed account of all the time spent on the tagged pages, and a full overview of the user’s allocation of time to the tagged pages and of the relative usage of the tagged page.

In addition, users can tag their own pages using the GAT Shield extension.

This allows for personal reporting based on tags for each user using their own extension, but also for reporting centrally.

Use cases include collective reporting for the time students spend of a collection of sites to business reporting by project or task. For example, if a group of staff have been assigned to a project for a particular customer they can tag all time spent on sites relating to that project with a particular customer name. They can also tag each page as being a subtask for that customer project. Using this method Admins can generate reports for management showing the total amount of time spent relating to that customer, with a detailed breakdown covering each task. The reporting will cover all staff on the project.

Measure How Much Time Your Staff is Spending on Gmail

Has management ever complained that staff are spending all their time in Gmail?
Now you can measure it using GAT Shield. Search for User and Tag equals ‘mail’.

The result will display the Gmail usage of the user in your domain.

As an assistance to exclude Gmail usage using different domain logins or personal Gmail usage we are extending our already powerful ‘Tags’ feature, we have created some ‘hard coded’ tags. The first is ‘Personal Gmail‘ and the second is ‘Other domain Gmail‘.

Under Browsing in GAT Shield using a tag search for these will show Admins how long each user is spending in Gmail or in an email account other than the primary domain mail account.

Admin can check the ‘Browsing Summary’ for different users by selecting the scope, and showing overall browsing summary for the user selected.

Best Practice: How to Remove Permissions for ‘Docs Shared with Link’

Best Practice Tip: Before you remove permissions for ‘Docs shared out with link’ it is best practice to automatically inform your users of those shares, allow your own users to take the initiative to clean up the share.  If the shares have not been removed in the allocated time period, as a super admin you can remove those permissions from Drive Audit.

To notify your users to clean up their own shares, click on “File Operation”, then select “Remove permissions”.

When the menu appears, Select the option “Report only” which will only generate a report for the Super Admin, but will not carry out the action below. If Report only is not enabled the action will be carried out.

Your users will receive an email which outlines the documents they have shared out with a link so they can click on them and remediate the sharing rights.

Now that your users have been notified, you can return to these documents in the future and manually remove the “Public with link” (everyone with link) access rights. To do this first select Public with a link from the exposure summary table.

Once you have selected this category, a custom filter will be automatically applied.

Click on “Apply custom filter” to verify.

Now you will probably realize that in the Drive result table you can see files Shared Out and files Shared In which fall into the Public with Link category.

You only have administrative control over docs owned by users on your own domain, so let’s expand this custom filter to ignore the files shared in from external users.

Click on “+ Add rule” and select the rule “Sharing Flags” contains “Shared out”. Then click on the button “Apply”.

Now in the Drive result table, you will only see files owned by your local users and shared out with a link.

Best Practice Tip 2: Before removing some or all of these permissions. We would recommend you export the data as is to a Google Spreadsheet for record keeping purposes.

You can click on the drop-down menu option next to the “everyone (with link)” permission and remove it, for just one single doc or all of the documents within the selected filter you have applied.