1. Start from least privilege

The rule of thumb: give a role the minimum access it needs to do the job, then add more only when there's a reason. It's far easier to grant access later than to discover, after a breach, that the summer intern's account could read every contract and payroll file. Two habits make this practical in Google Workspace: manage access by group, not by person, and keep shared files in Shared Drives, not personal My Drives.

2. Organize people: OUs & groups

Google gives you two tools for grouping people, and they do different jobs:

  • Organizational units (OUs) control settings and policies—which apps are on, how strict MFA is, whether POP/IMAP is allowed. Build a simple tree that matches your company (e.g., Staff, Finance, Admins). Find them at admin.google.com → Directory → Organizational units.
  • Groups control access to things—Shared Drives, calendars, and documents. Create a group per team (sales@, finance@, leadership@) at admin.google.com → Directory → Groups.

The payoff: when you share a Shared Drive or folder with the finance group instead of five named people, access management becomes "add or remove someone from the group." Onboarding and offboarding turn into one click, and nobody gets forgotten.

3. Lock Shared Drives to the right teams

This is where most small-business access control actually happens. A Shared Drive is owned by the organization (not a person), so files don't vanish when someone leaves. Create one per team or function—Sales, Finance, HR, Leadership—and add the matching group as a member.

Each member gets an access level, from most to least powerful:

  • Manager — full control, including membership and settings (keep this to a couple of people per drive)
  • Content manager — add, edit, move, and delete files (most team members)
  • Contributor — add and edit, but not move or delete
  • Commenter / Viewer — read-only, with or without comments

Example: the Finance Shared Drive has only the finance group (as Content managers) and the owner (as Manager). Sales staff have no path to it at all—not because a file was set to "private," but because they were never given the drive. For the most sensitive drives, open the drive's settings and restrict sharing outside the drive's members, turn off download, copy, and print for Viewers/Commenters, and prevent non-members from being added to individual files. Admins can set defaults for new Shared Drives at admin.google.com → Apps → Google Workspace → Drive and Docs → Sharing settings.
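An added example (not part of the original guide and not Google's code): a membership audit for the drive layout described above. It runs over constructed records shaped like the Drive API v3 permissions.list response (type, role, emailAddress). The two-Manager cap, the rule that a group should not hold Manager, and the example.com domain are assumptions of this example.

```python
# Drive API v3 permission roles and the Shared Drive access levels they map to.
ROLE_LABEL = {
    "organizer": "Manager", "fileOrganizer": "Content manager",
    "writer": "Contributor", "commenter": "Commenter", "reader": "Viewer",
}
MAX_MANAGERS = 2  # assumption: "a couple of people per drive"


def audit_drive(name, members, company_domain):
    """Return a list of findings for one Shared Drive's member list."""
    findings, managers = [], 0
    for p in members:
        email = p["emailAddress"].lower()
        level = ROLE_LABEL.get(p["role"], p["role"])
        if email.rsplit("@", 1)[-1] != company_domain:
            findings.append(f"{name}: external member {email} ({level})")
        if p["role"] == "organizer":
            if p["type"] == "group":
                # Assumed rule: Manager should be held by named individuals.
                findings.append(f"{name}: group {email} is Manager")
            else:
                managers += 1
        elif p["type"] == "user":
            # Non-Manager access should come from group membership.
            findings.append(f"{name}: {email} added directly as {level}; use a group")
    if managers > MAX_MANAGERS:
        findings.append(f"{name}: {managers} Managers, limit is {MAX_MANAGERS}")
    return findings


# Constructed sample data: Finance follows the guide, Sales has drifted.
SAMPLE = {
    "Finance": [
        {"type": "user", "role": "organizer", "emailAddress": "owner@example.com"},
        {"type": "group", "role": "fileOrganizer", "emailAddress": "finance@example.com"},
    ],
    "Sales": [
        {"type": "user", "role": "organizer", "emailAddress": "owner@example.com"},
        {"type": "user", "role": "organizer", "emailAddress": "lead@example.com"},
        {"type": "user", "role": "organizer", "emailAddress": "rep1@example.com"},
        {"type": "group", "role": "fileOrganizer", "emailAddress": "sales@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "intern@example.com"},
        {"type": "user", "role": "reader", "emailAddress": "partner@vendor.example"},
    ],
}

if __name__ == "__main__":
    for drive, members in SAMPLE.items():
        for finding in audit_drive(drive, members, "example.com") or [f"{drive}: OK"]:
            print(finding)
```

Direct user grants are the ones that survive when a person is removed from a group, which is why the audit treats them as findings.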

4. Control external sharing

RBAC inside the company means little if a file can be shared to the whole internet with one link. Set sensible defaults at Apps → Google Workspace → Drive and Docs → Sharing settings:

  • For most OUs, allow external sharing but warn when sharing outside the organization and set the default link to restricted (specific people), not "anyone with the link."
  • For sensitive OUs (Finance, HR, Leadership), set sharing to off or "only to allowlisted domains."
  • Turn off the ability to publish files to the web for those OUs.

5. Least-privilege admin roles

RBAC applies to your admins too—and this is where small businesses most often over-grant. Not everyone who helps with IT needs to be a super admin (who can do anything, including delete the company). Use Google's built-in roles instead:

  • Help Desk Admin — reset passwords, little else
  • User Management Admin — manage non-admin users
  • Groups Admin, Services Admin, and others for specific jobs

Assign these at admin.google.com → Account → Admin roles, and keep super admin to a minimum—ideally two accounts, on security keys, used only when truly needed. You can also build a custom role with just the privileges a person needs, and scope it to a single OU.

6. Limit third-party app access

A connected third-party app can quietly hold broad access to your Drive and Gmail. Review and restrict what's allowed at admin.google.com → Security → Access and data control → API controls—block high-risk OAuth scopes, and switch unverified or unneeded apps to "blocked" so staff can't grant them access to company data.
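An added example (not from the original guide): a review aid that groups OAuth grants by app and lists the apps holding broad Gmail or Drive scopes, most widely installed first. The records are constructed and use the clientId, displayText, scopes and userKey fields of the Admin SDK Directory API token resource; which scopes count as high-risk is an assumption to adjust to your own policy.

```python
from collections import defaultdict

# Assumption: scopes this example treats as high-risk (broad mailbox or Drive access).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
}


def review_grants(tokens):
    """Group token grants by app; return apps holding high-risk scopes."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "risky": set()})
    for t in tokens:
        app = apps[t["clientId"]]
        app["name"] = t.get("displayText", t["clientId"])
        app["users"].add(t["userKey"])
        app["risky"].update(s for s in t["scopes"] if s in HIGH_RISK_SCOPES)
    flagged = [
        {"clientId": cid, "name": a["name"], "users": len(a["users"]),
         "risky": sorted(HIGH_RISK_SCOPES[s] for s in a["risky"])}
        for cid, a in apps.items() if a["risky"]
    ]
    # Most widely granted apps first: they are the largest exposure.
    return sorted(flagged, key=lambda a: (-a["users"], a["name"]))


# Constructed sample grants; client IDs, app names and user keys are made up.
DRIVE_FILE = "https://www.googleapis.com/auth/drive.file"  # per-file access only
SAMPLE_TOKENS = [
    {"clientId": "1111.apps.example", "displayText": "Mail Merge Helper",
     "userKey": "alice", "scopes": ["https://mail.google.com/"]},
    {"clientId": "1111.apps.example", "displayText": "Mail Merge Helper",
     "userKey": "bob", "scopes": ["https://mail.google.com/",
                                  "https://www.googleapis.com/auth/drive.readonly"]},
    {"clientId": "2222.apps.example", "displayText": "PDF Signer",
     "userKey": "carol", "scopes": [DRIVE_FILE, "openid"]},
    {"clientId": "3333.apps.example", "displayText": "Backup Tool",
     "userKey": "alice", "scopes": ["https://www.googleapis.com/auth/drive"]},
]

if __name__ == "__main__":
    for app in review_grants(SAMPLE_TOKENS):
        print(f'{app["name"]}: {app["users"]} user(s), {", ".join(app["risky"])}')
```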

7. Offboard cleanly

The flip side of good access control is removing it promptly. When someone leaves: suspend the account immediately (this preserves data while cutting access), remove them from all groups (which revokes the access those groups granted), and transfer ownership of any files in their My Drive to a manager. Because your shared files live in Shared Drives—owned by the company, not the person—nothing important leaves with them.

Your Google Workspace access checklist

  • Access managed by groups, not named individuals
  • Shared files kept in Shared Drives (company-owned), not My Drive
  • One Shared Drive per team, members added by group, with right-sized access levels
  • Sensitive drives restrict external sharing, download/copy/print, and file-level adds
  • External sharing defaults set (warn + restricted links; off for sensitive OUs)
  • Admin access uses least-privilege roles; super admins kept to a minimum
  • Third-party app/OAuth access reviewed and restricted
  • Offboarding removes group membership and transfers file ownership

Google relabels and moves these settings from time to time—the bold names are stable search terms. Running Microsoft too? See Role-Based Access Control in Microsoft 365.