
Create and manage trust rules for Drive sharing

Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus.

With trust rules, you can create granular policies to control who can get access to Google Drive files. Your policies can apply to individual users, groups, organizational units, and domains to specify:

  • Which users' files can be shared with internal or external users
  • Which users can receive files from internal or external users
  • Which internal or external users can be invited and add items to shared drives

Because trust rules provide flexibility in establishing collaboration boundaries, they can help you secure sensitive information and maintain compliance with industry standards and regulations.

Use trust rules to control external sharing

Suppose your organization's Marketing team needs to share their files with specific people at your partner organization. To help keep your organization's information confidential, you can create rules to establish the following external collaboration boundaries:

  • Allow files that your Marketing team owns to be shared with specific people at the partner organization.
  • Block files that other teams in your organization own from being shared with the partner organization.
  • Block other teams in the partner organization from sharing their files with anyone in your organization.

Use trust rules to control internal sharing

Suppose your organization's Finance team should share their files only with your Executive team. To help prevent other teams from receiving confidential financial information, you can create rules to establish the following internal collaboration boundaries:

  • Allow files owned by Finance to be shared with Finance and Executives.
  • Block files that Finance owns from being shared with any other teams in your organization.

Use trust rules to help prevent spam and phishing

Drive tries to block external users from sharing spam or phishing with your users. However, if you’d like to take additional steps to decrease your risk, you can create a rule that allows only external users from trusted domains to share files with internal users. To ensure users can still collaborate, you can apply this rule only to organizational units with users who don’t usually receive files from external users.

How trust rules replace Drive sharing settings


Your Drive sharing settings are converted to trust rules

Drive sharing settings are automatically converted to trust rules

Trust rules replace your Drive settings under Sharing options > Sharing outside of your organization.

You can preview rules converted from Drive settings

To preview rules automatically created from your Drive settings:

From the Admin console home page, go to Rules. You can filter rules by type, by clicking Add a filter > Rule type > Trust.

In the Rules list, you'll see:

  • Two default rules for sharing outside your organization

    Once enforced, these rules will be either active or inactive, depending on the state of your equivalent Drive sharing settings.

  • Any other rules needed to match the sharing boundaries of your current Drive settings

Important: These rules aren't enforced until you turn on trust rules.

Your equivalent Drive sharing settings become inactive

Once you turn on trust rules, you can no longer use the Drive setting for sharing outside your organization. For details about Drive sharing settings, go to Set users' Drive sharing permissions.

You can turn off trust rules

At any time, you can turn off trust rules and return to using Drive sharing settings instead. For details, go to Turn trust rules on or off below.

Trust rules provide more control than Drive sharing settings

With a trust rule's scope and conditions components, you can control file sharing more precisely than you can with Drive sharing settings. For details about rule components, go to the section Understand trust rule components later on this page.

The following charts compare available controls in Drive sharing settings and trust rules.

Scope controls

Scope | Drive sharing settings | Trust rules
Include organizational units
Include groups
Exclude organizational units  
Exclude groups  

 

Conditions controls

Condition | Drive sharing settings | Trust rules
Entire organization
Allowlisted domains
External organizations  
Organizational units  
Groups (created internally)  
Users (internal)  

Before you begin


Understand trust rule components

To create a trust rule, you define its scope, trigger, conditions, and action components. Using these components, you can create a rule that says if x happens, do y.

For example, if you create a rule to allow files your organization's Sales department owns to be shared with anyone at your customer's organization (other-company.com), the rule's components would be:

  • The scope is the organizational unit for your Sales department.
  • The trigger is that someone attempts to share a file owned by a user in the scope.
  • The condition is other-company.com.
  • The action is to allow the file to be shared.

Defining the scope

The scope is the user in your organization to whom a rule's trigger applies:

  • If a rule's trigger is Sharing files, the scope is the user who owns the file for which you want to control sharing.

    Important: A sharing rule also controls sharing by users with Edit privileges for a file owned by a user in the scope.

  • If a rule's trigger is Receiving files, the scope is the intended recipient of the file.

For the scope, you can:

  • Include your whole organization.
  • Include or exclude organizational units (which can contain users and shared drives).
  • Include or exclude groups in your organization's Google Groups service.

Defining the trigger

The trigger is the activity that a rule allows or blocks. You can select one of the following triggers:

  • Sharing files
  • Receiving files

Defining the conditions

Conditions are the users whom a file is intended to be shared with or received from:

  • If a rule's trigger is Sharing files, the condition is the intended recipient of the file.
  • If a rule's trigger is Receiving files, the condition is the user who owns the file.

You can specify multiple conditions for a rule, both inside and outside your organization, including:

  • Organizational units
  • Groups in your organization's Google Groups service (can include external users)
  • Trusted domains (all users at all external domains on your allowlist)
  • External domains not on your allowlist
  • Specific users in your organization
  • Anyone with a Google Account

Note: Only one condition needs to be met for the rule to take effect.

Defining the action

The action is the outcome you want to occur when a rule is triggered. You can:

  • Allow sharing
  • Allow sharing with a warning

    Note: If you select this option, users see a warning when sharing files but not when receiving them.

  • Block sharing

Understand default rules for sharing outside your organization

You have 2 default rules that specify sharing outside your organization:

Rule name | Scope | Trigger | Condition | Action | Status
[Default] Users in my organization can share and receive within the organization | Top-level organizational unit (entire organization) | Sharing files and Receiving files | My organization | Allow | Active*
[Default] Users in my organization can share with anyone who has a Google Account | Top-level organizational unit (entire organization) | Sharing files | Anyone in the world; Include visitors | Allow | Active*

You can't edit default rules, but you can deactivate or reactivate them (unless you're using Cloud Identity).

* If you've already set up Drive settings for sharing outside: The status of default rules depends on your equivalent Drive sharing settings that were converted to trust rules.

Prepare organizational units, groups, and trusted domains list

To allow or block sharing by departments or groups

Make sure you create the organizational units and groups you want to create trust rules for:

To restrict sharing to trusted domains only

Make sure the trusted domains are on your allowlist. Trusted domains must use Google Workspace and be domain-verified. For details, go to Allow external sharing only with trusted domains.

Cloud Identity customers: If your organization has a mix of Cloud Identity and Google Workspace licenses, domains on an allowlist for Google Workspace also apply to users with Cloud Identity licenses.

Plan your trust rules (with example)

Before creating trust rules, consider which type of sharing to allow or block across your organizational structure. Make sure your rules don't let users share with people they don't intend to or prevent them from sharing with people they intend to.

For example, assume you have the 4 organizational units—Sales, Legal, Research, and All other teams—and you want to restrict the following types of sharing:

  • Files that Sales owns can't be shared internally with Research.
  • Files that Legal owns can't be shared externally except with your outside counsel.
  • Files that Research owns can be shared only internally among Research and Legal.
  • Files that all other teams own can't be shared externally with anyone.

The following are recommended steps to implement your sharing model.

Step 1: Map collaboration boundaries

You might want to use a matrix to map which sharing is allowed for different users, such as the following:

 

Organizational unit | Internal sharing: files they own can be shared with... | Internal sharing: files they own can't be shared with... | External sharing: files they own can be shared with... | External sharing: files they own can't be shared with...
Sales | Sales, Legal, All other teams | Research | Anyone | -
Legal | All teams | - | Outside counsel | Everyone else
Research | Research, Legal | Sales, All other teams | - | Anyone
All other teams | All teams | - | - | Anyone

 

Step 2: Create the following rules:

Rule | Scope | Trigger | Condition | Action
Internal sharing | Include: Root organizational unit; Exclude: Research | Sharing files, Receiving files | Your organization | Allow
Research - Internal sharing | Include: Research | Sharing files, Receiving files | Research, Legal | Allow
Legal - External sharing | Include: Legal | Sharing files, Receiving files | Outside counsel domain | Allow
Sales - External sharing | Include: Sales | Sharing files, Receiving files | Anyone with a Google Account | Allow
Sales - Blocking sharing | Include: Sales | Sharing files, Receiving files | Research | Block

 

Step 3: Deactivate the 2 default rules

The default rules allow broad sharing both inside and outside your organization; in this example, they'll conflict with the more specific sharing model you want to use.

Understand which admin privileges you need to manage trust rules

To... | You need these admin privileges...
Turn trust rules on or off
View trust rules in the Rules list
View trust rule details
Create or edit trust rules
Activate or deactivate specific trust rules
Delete trust rules

If you need additional privileges to manage trust rules, contact your administrator.

Tip: If you're a super administrator, you can create a custom admin role for managing trust rules and assign it to a delegated admin. For details, go to Create, edit, and delete custom Admin roles.

Turn the trust rules feature on or off


Turn on the trust rules feature for Drive

If you turn on trust rules:

  • Existing rules in your Rules list are enforced, and your Drive settings for sharing outside your organization are deactivated. For details, go to How trust rules replace Drive sharing settings earlier on this page.
  • If you change any Drive sharing settings shortly before turning on trust rules, your rules might enforce the Drive settings' previous state temporarily. It can take up to 48 hours for trust rules to sync with recent changes to Drive sharing settings.

To turn on trust rules:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Rules.
  3. In the Collaborate securely card at the top of the page, click Turn on for Drive.

    Requires having the Manage Trust Rules and Drive & Docs > Settings administrator privileges.

    Your Tasks list opens automatically and shows the progress of trust rules activation.

Turn off the trust rules feature for Drive

If you turn off trust rules:

  • Your organization's Drive sharing settings become active again and revert to their state when you turned on trust rules.
  • Any trust rules you created are permanently deleted.

To turn off trust rules:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Apps > Google Workspace > Drive and Docs.
  3. Click Sharing settings.
  4. Under Sharing outside of your organization, click Turn off trust rules.

    Requires having the Manage Trust Rules and Drive & Docs > Settings administrator privileges.

    Your Tasks list opens and shows the progress of trust rules deactivation.

Create and manage trust rules


Create a trust rule

After you create a trust rule, you can:

  • Edit it at any time to change settings, such as conditions and action, or to deactivate or reactivate it.
  • Delete a trust rule at any time.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Rules.
  3. Click Create rule > Trust.

    Requires having the View Trust Rules, Manage Trust Rules, Drive & Docs > Settings, Groups > Read, and Organizational Units > Read administrator privileges.

  4. Under Name, enter a name and optionally a description for your rule.
  5. Under Scope, choose one of the following:

    By default, the rule applies to everyone in your organization.

    To apply the rule to only specific users:

    • For a sharing rule, choose which users' files the rule applies to. Trust rules apply only to the files owned by users or shared drives in your rule's scope. Get details.
    • For a receiving rule, choose which users are the intended recipients of a shared file.
    1. Click Specify organizational units or groups.
    2. Select an option to include or exclude organizational units or groups.
    3. Select the organizational unit or group to include or exclude.
    4. (Optional) Include or exclude more organizational units or groups.

      For example, to apply a rule to everyone in your organization except for one group, include the top-level organizational unit and exclude the one exempt group.

      To remove an organizational unit or group, click Clear next to it.

  6. Click Continue.
  7. Under Triggers, select one or both events for which you want to apply the rule:
    • Sharing files—Rule triggers when files owned by people in your scope are shared with the users you select in Conditions.
    • Receiving files—Rule triggers when people in your scope receive files owned by users or shared drives you select in Conditions, or are added as members to shared drives in Conditions.
  8. Under Conditions, click Add condition, and then select the internal or external people you want to allow or block from sharing or receiving with users in your scope.

    Internal options:

    • User—Start typing the user's name or email address.
    • Organizational unit—Click Select an organizational unit.
    • Group—Start typing the group's name or email address.
    • My organization

    External options:

    (Optional) To allow users to share externally with people who don't have a Google Account, check the Include visitors box. This option doesn't apply to some types of conditions. Get details.

    • External organization—Enter the organization's domain name (such as other-company.com).
    • Allowlisted domains—Optionally check which domains are on your allowlist by clicking View allowlisted domains.
    • Anyone with a Google Account (includes internal and external users)
  9. Click Continue.
  10. Under Action, choose what happens when your rule is triggered: Allow, Allow with warning, or Block.
  11. Click Finish.
  12. Choose whether to make the rule active or inactive, and then click Complete.

It can take up to 48 hours to see changes. During this time, old and new settings might be intermittently enforced.

View and edit trust rule details

You can edit a trust rule at any time to change settings, such as conditions and action, or to deactivate or reactivate it.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Rules.
  3. Find the rule in the Rules list.

    Tip: You can sort the list by rule type, by clicking the Rule type column heading. Or filter the list by clicking Add a filter > Rule type > Trust.

  4. (Optional) To view the rule's scope, conditions, trigger, and action, point to the rule in the list and click Quick view.
  5. (Optional) Click the rule to open its details page and view settings.
  6. (Optional) To edit settings:
    1. On the left of the details page, click Edit rule. Or click a settings section.

      Requires having the View Trust Rules, Manage Trust Rules, Drive & Docs > Settings, Groups > Read, and Organizational Units > Read administrator privileges.

    2. Edit settings.

      To navigate to other settings, click Continue. To close a section, click Cancel > Discard & exit.

    3. When you're finished editing settings, click Finish.

It can take up to 48 hours to see changes. During this time, old and new settings might be intermittently enforced.

Delete a trust rule
If you delete a trust rule, it's permanently removed from your Google service. Alternatively, you can edit a rule to deactivate it in case you want to reactivate it later. For details, go to View and edit trust rule details.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Rules.
  3. Under Rules, click Add a filter > Rule type > Trust.
  4. In the Rules list, point to the rule you want to delete and click Delete.

    Requires having the View Trust Rules, Manage Trust Rules, and Drive & Docs > Settings administrator privileges.

    You can also find the Delete option at the left on the rule's details page (click the rule to open its details page).

  5. In the confirmation message, click Delete.

It can take up to 48 hours to see changes. During this time, old and new settings might be intermittently enforced.

View trust rule log events

You can view detailed logs that show admin activity on trust rules. Three types of logs are available:

  • Rule creation
  • Rule deletion
  • Update rule

You can view detailed logs that show user activity on shared Drive file trust rules. Three types of logs are available:

  • Blocked recipient
  • File share blocked
  • File view blocked

For steps on how to see what types of events you can view, go to Admin log events and Rule log events.

Learn more about how trust rules work


You need 2 rules to allow 2 internal teams to collaborate
To allow one team's or user's files to be shared with another internal team or user, you need 2 rules—one for sharing and one for receiving.

Example: Allow a team's files to be shared with another team

Suppose you want to let files your Sales team owns be shared with your Marketing team. In this case, you'd need one rule to allow Sales to share files with Marketing and another rule to allow Marketing to receive files from Sales:

Rule | Scope | Trigger | Condition | Action
1 | Sales | Sharing files | Marketing | Allow
2 | Marketing | Receiving files | Sales | Allow
 

Example: Allow two teams' files to be shared between them

Suppose you want to let files your Sales and Marketing teams own be shared between the two teams. Like the example above, you'd need 2 rules; however, in this case, each rule's trigger needs to include both sharing and receiving:

Rule | Scope | Trigger | Condition | Action
1 | Sales | Sharing files, Receiving files | Marketing | Allow
2 | Marketing | Sharing files, Receiving files | Sales | Allow

Trust rules apply only to files that users in the scope own
If a rule specifies what happens when a file is shared, it applies only to the files owned by users (and any shared drives) in the rule's scope. The rule doesn't apply to files for which users in the scope have Editor privileges but don't own.
For example, if you create a rule to prevent files your Research team owns from being shared with your Sales team, the Research team can still share any other files for which they have Editor privileges with Sales. To prevent Sales from receiving files from another team, you can create blocking rules.
Note:
  • If a file owner moves to a different organizational unit or group, the file's sharing rules change to those of the new organizational unit or group. This rules change also applies if file ownership transfers to someone in a different organizational unit or group.
  • For files they don't own, users can't share files beyond what's allowed for file owners. This restriction applies even if users are in organizational units or groups with more permissive sharing rules.

How trust rules work with visitor and unmanaged Google accounts

Here's how trust rules work with people who don't have a Google Account or have a Google Account that's not managed by an administrator.

People without a Google Account (visitors)

Rules that allow sharing

If you create a rule that allows users to share files externally, by default, sharing is allowed only with people who have a managed Google Account. However, you can also allow users to share files with people who don't have a Google Account. In this case, the recipient is given a special type of account called a visitor account. Learn more about sharing with visitor accounts.

To allow sharing with people who don't have a Google Account, in the Conditions settings for the rule, select the Include visitors option. This option applies only to rules that allow users to share externally, with either an external domain or all external users.

Note: You can't allow sharing with a visitor account by adding it to a group for which you allow external sharing.

Rules that block sharing

Any rules that block users from sharing outside your organization always apply to visitors, even if the Include visitors option isn't selected for the condition.

However, if there's another rule that allows sharing with visitor accounts, a blocking rule doesn't apply to visitor accounts in groups. For example, if you have the following rules:

  • Rule 1—Allow sharing files with Anyone with a Google Account, with Include visitors selected.
  • Rule 2—Block sharing with a mailing list group that includes people with visitor accounts.

Block actions don't apply to the visitor accounts in the group. Users in rule 2's scope can still provide the visitor accounts with access to their files.

People with an unmanaged Google Account

Rules that allow sharing

If you create a rule that allows users to share externally with a specific domain or organization, users can't share with unmanaged Google accounts at that domain or organization. These accounts include consumer accounts and accounts with certain Google products, such as Google Workspace Essentials.

You can, however, allow users to share with specific unmanaged accounts: Add the accounts to a group and create a rule that allows sharing with that group.

Rules that block sharing

Any rules that block users from sharing outside your organization always apply to unmanaged accounts.

How trust rules apply to shared drives

If a trust rule's scope includes an organizational unit, the rule applies to any shared drives in that organizational unit. For example, if you create a rule that allows your Manufacturing team's organizational unit to share files with Legal, users in Legal can access Manufacturing's shared drives.

To create trust rules for shared drives, make sure you set up shared drives in the appropriate organizational units.

Trust rules precedence: How conflicting rules are handled
If multiple trust rules' scope, trigger, and conditions match a sharing event, the following order of precedence is followed for the rules' action component:
  1. Block sharing
  2. Allow sharing
  3. Allow sharing with a warning
Here are some examples of how rule conflicts are handled. In these examples:
  • "your-organization.com" is the organization's top-level organizational unit.
  • "Marketing department" is a child organizational unit under the top level.

Example 1

Rule | Scope | Condition | Trigger | Action
1 | your-organization.com | Anyone in the world | Sharing files | Allow
2 | Marketing department | Allowlisted domains | Sharing files | Allow

Result: Because the Marketing department is a subset of your entire organization, Rule 1 also applies to them. Therefore, they can share with anyone in the world, not just allowlisted domains. Example 2 below shows you how to create rules to restrict Marketing to sharing only with allowlisted domains.

Example 2

Rule | Scope | Condition | Trigger | Action
1 | your-organization.com, except Marketing department | Anyone in the world | Sharing files | Allow
2 | Marketing department | Allowlisted domains | Sharing files | Allow

Result: Because Rule 1 excludes the Marketing department, only Rule 2 applies to them. Therefore, they can share only with allowlisted domains. All other users can share with anyone in the world.

Example 3

Rule | Scope | Condition | Trigger | Action
1 | your-organization.com | Allowlisted domains | Sharing files | Allow
2 | Marketing department | Anyone in the world | Sharing files | Allow

Result: Rule 2 is more permissive, so the Marketing department can share with anyone in the world. All other users can share only with allowlisted domains.

Example 4

Rule | Scope | Condition | Trigger | Action
1 | your-organization.com | Anyone in the world | Sharing files | Allow
2 | Marketing department | other-company.com | Sharing files | Block

Result: Because Rule 2 blocks sharing, it takes precedence over the sharing allowed by Rule 1. Therefore, the Marketing department can share with anyone in the world, except other-company.com.
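
The four precedence examples above, together with the two-rule requirement for internal sharing described earlier on this page, worked through in a small Python model. This is an added example, not Google's code or an Admin console API: the label-set user model, all function and variable names, and the treatment of "no matching rule" as not allowed (which is how Examples 2 and 3 read) are assumptions.

```python
"""Toy model of trust-rule matching and precedence (illustrative only)."""
from dataclasses import dataclass

BLOCK, ALLOW, WARN = "Block", "Allow", "Allow with warning"
PRECEDENCE = (BLOCK, ALLOW, WARN)      # order of precedence given on the page
ORG = "your-organization.com"          # top-level organizational unit
MKT = "Marketing department"
TRUSTED = "Allowlisted domains"
ANYONE = "Anyone in the world"


def party(*labels):
    """Assumed user model: the set of scope/condition labels a user matches."""
    return frozenset(labels) | {ANYONE}


@dataclass
class Rule:
    scope: set                          # included organizational units or groups
    conditions: set                     # one matching condition is enough
    action: str
    triggers: tuple = ("share",)        # "share" and/or "receive"
    exclude: frozenset = frozenset()    # excluded organizational units or groups
    active: bool = True

    def matches(self, trigger, subject, other):
        in_scope = bool(self.scope & subject) and not (self.exclude & subject)
        return (self.active and trigger in self.triggers
                and in_scope and bool(self.conditions & other))


def decide(rules, trigger, subject, other):
    """Winning action among the matching rules, or None if no rule matches."""
    actions = {r.action for r in rules if r.matches(trigger, subject, other)}
    return next((a for a in PRECEDENCE if a in actions), None)


def can_share(rules, owner, recipient):
    """True if a file owned by `owner` can be shared with `recipient`.

    Assumption: no matching rule means the share is not allowed.
    An internal recipient also needs a matching Receiving files rule,
    evaluated with the recipient as scope and the owner as condition.
    """
    if decide(rules, "share", owner, recipient) in (None, BLOCK):
        return False
    if ORG in recipient:
        return decide(rules, "receive", recipient, owner) not in (None, BLOCK)
    return True


# Constructed users for the walkthrough.
MARKETER, SELLER = party(ORG, MKT), party(ORG, "Sales")
PARTNER, OTHER_CO, STRANGER = party(TRUSTED), party("other-company.com"), party()

# Rule sets from Examples 1-4 (trigger: Sharing files).
EXAMPLES = {
    1: [Rule({ORG}, {ANYONE}, ALLOW), Rule({MKT}, {TRUSTED}, ALLOW)],
    2: [Rule({ORG}, {ANYONE}, ALLOW, exclude=frozenset({MKT})),
        Rule({MKT}, {TRUSTED}, ALLOW)],
    3: [Rule({ORG}, {TRUSTED}, ALLOW), Rule({MKT}, {ANYONE}, ALLOW)],
    4: [Rule({ORG}, {ANYONE}, ALLOW), Rule({MKT}, {"other-company.com"}, BLOCK)],
}

# Internal sharing: Sales -> Marketing needs a sharing rule and a receiving rule.
SHARE_ONLY = [Rule({"Sales"}, {MKT}, ALLOW, ("share",))]
ONE_WAY = SHARE_ONLY + [Rule({MKT}, {"Sales"}, ALLOW, ("receive",))]

if __name__ == "__main__":
    recipients = [("partner", PARTNER), ("other-company.com", OTHER_CO),
                  ("stranger", STRANGER)]
    for number, rules in EXAMPLES.items():
        outcome = {name: can_share(rules, MARKETER, who) for name, who in recipients}
        print(f"Example {number}, Marketing shares with:", outcome)
    print("Sales -> Marketing, sharing rule only:",
          can_share(SHARE_ONLY, SELLER, MARKETER))
    print("Sales -> Marketing, sharing + receiving rules:",
          can_share(ONE_WAY, SELLER, MARKETER))
```

Running a planned rule set through a model like this before activating it shows where a broad parent-scope Allow rule quietly widens what a narrower rule was meant to restrict, as in Example 1.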

You can deactivate and reactivate trust rules at any time
By default, the status of new rules you create is set to Active. However, you can set any new or existing rule to Inactive. For example, you might create a new rule and deactivate it until you're ready to use it.

Trust rules FAQ


How long do changes to a trust rule take to apply?
If a trust rule's scope or conditions don't include any organizational units, it can take up to 24 hours for the trust rule to apply to Drive sharing. However, if a trust rule's scope or conditions do include one or more organizational units, it can take up to 48 hours for the rule to apply, depending on the size of the organizational units.
What are the limits for trust rules and rule conditions?

You can have a maximum of:

  • 200 active trust rules
  • 2,000 trust rules (active + inactive)
  • 150 conditions per trust rule
  • 500 conditions of the following types across all your organization's trust rules:
    • organizational units
    • groups
    • allowlisted (trusted) domains
    • external domains
    • specific users—1-200 users counts as 1 condition, 201-400 users counts as 2 conditions, and so on

    Note: There's no limit to the number of the following types of conditions you can have across all your trust rules:

    • Organization
    • Anyone with a Google Account
  • 500 included and excluded organizational units or groups for the scope, per rule
Which types of groups can I select for a rule's scope or condition?
You can choose admin- or user-created groups in your Groups list in the Admin console. Group addresses must end with your organization's domain—you can't choose external groups for a rule's scope or conditions.
Here are some types of groups to consider for trust rules:
  • Dynamic groups—Manage memberships automatically when users join, move within, or leave your organization. Available in the Admin console or with the Cloud Identity API, dynamic groups help you reduce time spent managing group membership manually. To use a dynamic group for a trust rules policy, make sure it's also a security group (which has the Security label). Learn more about dynamic groups.

  • Security groups—Convert a standard or dynamic group to a security group, which helps you regulate, audit, and monitor the group for permission and access control. You can create security groups in the Admin console or with the Cloud Identity Groups API, by adding the Security label to them. Learn more about security groups.

  • Migrated groups—Use Google Cloud Directory Sync (GCDS) to sync groups you create in Microsoft Active Directory or other tools with Google Workspace. Then, use those synced groups in trust rules. Learn more about GCDS.

How do I apply trust rules to external users?
To apply trust rules to external users, you can create a group with external addresses (including external group or individual addresses). For example, if your organization's Legal team needs to share their files with specific attorneys at your outside counsel's firm, you can create a group with the attorneys' addresses. Then create a rule, such as:
  • Scope—Legal team's organizational unit
  • Trigger—Sharing files and Receiving files
  • Condition—Group with specific attorneys' addresses
  • Action—Allow
If a user's account no longer has Drive, do trust rules still apply to their shared files?

If a user no longer has the Google Drive and Docs service for their account—for example, the Google Workspace license was removed from their account—files they own can be shared only within your organization, even if the trust rules applied to their files allow external sharing. Sharing their files internally is still restricted by any boundaries set by the trust rules—for example, allowing sharing only with specific organizational units.

To remove the external sharing restriction from the user's files, you can add the Archived User (AU) license to their account. For details, go to Add Archived User licenses.

If a rule allows a user to share externally, and I later remove the user from the rule, can their files still be accessed externally?
If you created a rule that allows a group to share files externally, and then remove a user from the group, any files that user shared externally can no longer be accessed outside of your organization.
Can I apply trust rules to users who have a Google Workspace license that doesn't include trust rules?
If your organization includes some users who have a Google Workspace license that doesn't include trust rules, you can still apply trust rules to those users and their files. Also, if a user has a Google Workspace license that does include trust rules, and their account is switched to a license that doesn't include the feature, trust rules still apply to the user and their files.
What happens to trust rules if my organization switches to a Google Workspace edition that doesn't include trust rules?

If your organization switches to a Google Workspace edition that doesn't include trust rules, your organization's active trust rules remain active and enforced. You can view trust rules but can't edit or delete them. If you're a super admin, you can turn off trust rules to use Drive sharing settings instead.

If you turn off trust rules: Your organization's Drive sharing settings become active again and revert to their state when you turned on trust rules. Any trust rules you created are permanently deleted.

If you cancel your Google Workspace subscription and have only Cloud Identity licenses, you can't use Drive sharing settings.

Why is the Anyone with the link sharing option no longer available to users?

When sharing a file, users can choose the Anyone with the link option if all of the following are true:

  • Trust rules that apply to the users' files let them share with everyone in your organization, anyone with a Google Account, and visitor accounts.
  • There are no trust rules applied to the users' files that block them from sharing files.
  • The following Drive sharing setting is turned on: When sharing outside of your domain is allowed, users can make files and published content available to anyone with the link. For details about this setting, go to Set users' Drive sharing permissions.
Do trust rules work with service accounts?
Yes, service accounts are included in the condition Anyone with a Google Account. For example, if you create a trust rule to block users at your organization from collaborating with Anyone with a Google Account, the rule also prevents service accounts from accessing files protected by the rule.
Why do trust rules block respondents' access to Forms?
Trust rules only block respondents from accessing a Form when the form contains a file upload question and the trust rule has a file sharing restriction. Users within the scope of a trust rule are not restricted from responding to Forms that do not prompt the respondents to upload files.

Trust rules known issues

Known issues list

Issue | Details
Logs for trust rules don't include some details | Admin logs for trust rules include who made a change and the type of change (create, update, or delete). However, the logs don't yet include what the change was and which setting was changed.
An admin with insufficient privileges to open a rule's "quick view" doesn't receive an informative message | If a delegated admin clicks the Quick view link for a trust rule in the Rules list, the rule's details won't open if the admin doesn't have all the privileges needed to view them (such as the Organizational units > Read privilege). However, the admin doesn't receive a message that they need additional privileges.
Users can't access shared drives owned by email-verified organizations | If you turn on trust rules, users can no longer collaborate with shared drives owned by another organization that has an email-verified account (such as a Google Workspace Essentials account).
