
Identifying External Public Files Your Users Can Edit

Following our last post explaining how to deal with organization files that were shared to the public (Public Shared files – How to Address with GAT), this post will deal with a second potential source of accidental information leakage to the public. In this post, we will look at documents shared into the domain, that are open for your users to edit and which are also ‘Public’.

First, we will assess the current situation, which can be done in 4 simple clicks…

  1. Click on the Apply custom filters button within Drive Audit.


  2. In the filter menu select the following filter operators.
  • Editors matches mydomain.com.
  • Sharing Flags contains Public
  • Sharing Flags contains Shared in

Make sure that all of these search operators are properly combined by using AND.

Include further details in the Definition tab in the 'Drive Files filters'

The resulting list shows the public files your staff can edit. They may believe this is a private collaboration with an external individual, but in fact the contents are public on the internet. Using the steps outlined in Public Shared files – How to Address with GAT, you can notify your users of the risk involved in the same way.
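The same three-condition filter, applied to a file inventory as an added example (this is not GAT's code or API; the DriveFile record, its link_sharing values and the sample files are constructed for illustration). It compares the exact domain part of each editor address, so a look-alike such as notmydomain.com is not counted as internal:

```python
# Added example on constructed records; not GAT output and not GAT's API.
from dataclasses import dataclass, field

OUR_DOMAIN = "mydomain.com"  # placeholder domain from the filter above


@dataclass
class DriveFile:
    title: str
    owner: str                                    # owner's e-mail address
    editors: list = field(default_factory=list)   # addresses with edit rights
    link_sharing: str = "private"                 # assumed: private | domain | public


def domain_of(email):
    # Compare the exact domain part so look-alikes such as notmydomain.com do not match.
    return email.rsplit("@", 1)[-1].lower()


def sharing_flags(f):
    """Derive the two flags the filter tests from a raw record."""
    flags = set()
    if f.link_sharing == "public":
        flags.add("Public")
    if domain_of(f.owner) != OUR_DOMAIN:
        flags.add("Shared in")
    return flags


def public_shared_in_editable(files):
    """Editors in our domain AND flag Public AND flag Shared in."""
    hits = {}
    for f in files:
        ours = sorted(e for e in f.editors if domain_of(e) == OUR_DOMAIN)
        if ours and {"Public", "Shared in"} <= sharing_flags(f):
            hits[f.title] = ours
    return hits


# Constructed sample inventory.
FILES = [
    DriveFile("Partner roadmap", "pat@partner.example", ["alice@mydomain.com", "pat@partner.example"], "public"),
    DriveFile("Vendor price list", "kim@vendor.example", ["alice@mydomain.com"], "private"),
    DriveFile("Team handbook", "hr@mydomain.com", ["bob@mydomain.com"], "public"),
    DriveFile("Open survey", "kim@vendor.example", ["eve@notmydomain.com"], "public"),
    DriveFile("Conference notes", "pat@partner.example", ["carol@mydomain.com", "bob@mydomain.com"], "public"),
]

if __name__ == "__main__":
    for title, editors in public_shared_in_editable(FILES).items():
        print(title, "->", ", ".join(editors))
```

Only the two externally owned, public files with an internal editor are returned; the public file owned inside the domain belongs to the shared-out case covered in the previous post.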

Shares Out, Shares In, Shares Internally, Top Externals


Sometimes it is good to be able to quickly get a table of some key metrics. A common question is ‘Who shares out the most documents?’, often followed by ‘Who shares in the most?’.

Shares Out and Shares In

GAT makes answering these three questions very easy. For the first two, go to the User Audit and select the ‘Docs’ tab. There you will see two columns, ‘Shared Out’ and ‘Shared In’. The first column lets you sort users by rank of who shares out the most internal documents.

The second column lets you sort local users by those who share in the most external documents.

Both columns are sortable, so it is very easy to bring the top users in each category to the top.

Click on any number to see the details of the files behind the number, including who it is shared with, shared from, number of visits, rights, last accessed, etc.

As with all the User Audit report tabs, each tab can be subject to further filtering, so you can find the information above for all the members of a particular Organization Unit or a particular group, or for Admins or accounts that match a particular name criteria, etc.

Shares Internally

To find the top internal sharer of documents you next need to move to the ‘Productivity’ tab in the same ‘User’ audit.

Here you will find the column ‘Own Files Shared Internally’. Sorting on this column shows who is doing the most internal sharing. (An added bonus here is that you can sort on visits, which sorts users by the number of internal visitors to their documents. This is a key metric for a top influencer or collaborator.)

GAT not only allows you to see the big picture, but to ‘zoom in’ very quickly.

Clicking on any one of the numbers shows you the files behind the number, allowing you to quickly identify who the shares are ‘to’ or ‘from’ (see here for next steps on visualizing the results).

Top Externals  – Who ‘outside’ is sharing in the most?

Find in a single click the top external users sharing documents into your domain.

Go back to the GAT homepage and from there under ‘Reports’ go to the ‘One click’ reports.

Select ‘External Users – Docs’

Sort on the first column ‘Owns (not ours)’ to see which external users share in the most files.  

Remember, from a security perspective a document shared in with edit rights is just as dangerous as a document shared out (a point often missed by other tools).

From this table you can also see and sort by rank the external domain users that have access to your documents. These can be ranked by volume and by type of access (Edit or View access).

Clear, complete and simple reporting.

How to Stop Internal Shares Among Students

First, read the post here in the GAT G+ Community. This will save you a lot of time creating and sharing rules. Don’t forget to return to this post – this rule is a new rule and not the same as the ‘Chinese wall’ example in the link above.

(If you have some useful filters you can share with others in the GAT community, whether for business Admins or GAFE Admins.)

This rule will show you how to find all the internal shares for an OU called students. After finding the shares, it will then show you how to remove them on a scheduled basis.

Having read the paper at the end of the link posted above, go to the GAT Drive audit and, using the pencil icon (beside ‘Export to Spreadsheet’), paste the following rule:

{
  "0privacy": "OPEN_TO_DOMAIN_PRIVACY",
  "0editedFrom": "04/05/2015 23:00:00",
  "0userOwnedDocs": "true",
  "0searchTextType": "DOC_NAME",
  "#multi": "and 0 1",
  "0deleted": "false",
  "1deleted": "false",
  "1privacy": "NULL_PRIVACY",
  "_reportType": "USER_DOCS",
  "0organization": "/Students",
  "1searchTextType": "DOC_NAME",
  "1negate": "true",
  "1organization": "/Staff"
}

After pasting the rule above, look carefully at the items in blue. Change the date to yesterday’s date (based on the date format you set for your domain dd/mm/yyyy or mm/dd/yyyy). Change the Students OU to the OU name you use for students on your domain. Change the Staff OU to the OU name you use for teachers or staff on your domain.

Having pasted this rule and run a search, next press the ‘Schedule/Save’ button, then schedule this report to run every day after midnight. This will generate a report for you in either pdf or csv output, showing students who shared documents internally, excluding those shared with teachers.

Run the report for a few nights to make sure you are happy with it. Also, test with a few documents to make sure your scopes are working fine. Note, based on the rule above, one use case where a pupil can share with another and not have it reported is where the share is to a teacher and a fellow pupil. In all cases, we expect this is legitimate as it will be transparent to the teacher.
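A simplified model of the rule's logic, as an added example on constructed data (not GAT's implementation). It assumes clause 0 means "owned by a student and shared with another internal user", clause 1 means "any file a staff member owns, can read or can edit", and that "#multi": "and 0 1" with "1negate" combines them as clause 0 AND NOT clause 1. It makes the unreported case described above visible:

```python
# Added example: a simplified model of the rule on constructed data, not GAT's code.
STUDENTS = {"sam@school.example", "tia@school.example"}   # members of /Students (constructed)
STAFF = {"mr.lee@school.example"}                          # members of /Staff (constructed)

# title -> (owner, set of internal users the file is shared with); all constructed
DOCS = {
    "homework answers": ("sam@school.example", {"tia@school.example"}),
    "essay draft": ("sam@school.example", {"mr.lee@school.example"}),
    "group project": ("tia@school.example", {"sam@school.example", "mr.lee@school.example"}),
    "private notes": ("tia@school.example", set()),
    "lesson plan": ("mr.lee@school.example", {"sam@school.example"}),
}


def clause0(owner, shared_with):
    """Assumed reading of clause 0: student-owned and shared with someone internal."""
    return owner in STUDENTS and bool(shared_with & (STUDENTS | STAFF))


def clause1(owner, shared_with):
    """Assumed reading of clause 1: a staff member owns, can read or can edit the file."""
    return owner in STAFF or bool(shared_with & STAFF)


def reported(docs):
    """Clause 0 AND NOT clause 1: what the nightly report would list."""
    return sorted(t for t, (o, s) in docs.items() if clause0(o, s) and not clause1(o, s))


def unreported_student_shares(docs):
    """Student-to-student shares left out because a teacher also has access."""
    return sorted(t for t, (o, s) in docs.items()
                  if o in STUDENTS and (s & STUDENTS) - {o} and clause1(o, s))


if __name__ == "__main__":
    print("reported:", reported(DOCS))
    print("not reported, but shared between students:", unreported_student_shares(DOCS))
```

Running a check like the second function against a test OU before enabling automatic share removal shows how many student-to-student shares fall into the teacher-included case.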

When you are happy with the rule, return to editing the rule via the scheduled reports icon.

From here, clicking on the scheduled report name lets you edit the scheduled report. You can then automatically have all shares removed and optionally a warning sent to the students (select ‘Notify Local Users’ also).

Only implement this feature when you are sure the files being reported in the nightly reports are correct and are of the type you want to stop internal sharing of.

How it’s done

To learn how to build up the rule we outlined above, you first find all the documents owned by the OU you want to monitor/control. In the screenshot below we selected ‘Users’ as the OU.

You select the items as shown above and finally to build the search and filter string, you press the selection for internally shared, (‘1’ in the example above). If there is nothing already internally shared, the yellow filter may not exist, so share at least 1 internal document (an unlikely scenario).

Next, we find all the documents used by Teachers or Staff. This is the default search for an OU (in the example below we use the OU ‘Leavers’).

NOTE! Owned Docs selection box is not ticked. This means show all the docs for teachers which they either own, can read or can edit.

We are looking for these so that we can exclude them, so after you complete the search, select ‘Negate Filter’.

The final step is to combine the two filters. To do this select the tab ‘Recent Filters’ and select the last two searches.

Combine with ‘AND’ and press ‘Show’. Now you have your filter and a rule that you can schedule to run every night (‘Schedule/Save’).

Remember the example above is for an OU, but you can also repeat the above steps and just pick a Google group.