A role is a collection of permissions that allows users to perform specific actions on Google Drive resources. To make permissions available to users, groups, and service accounts, you assign roles. When you assign a role, you grant all the permissions that the role contains.
Each permission in the Google Drive API has a role that defines what users can do with a file or folder. For more information, see Scenarios for sharing Drive resources.
The following table shows the operations users can perform for each role, when the role isn't restricted to a view. For more information, see Views.
| Permitted operation | owner |
organizer |
fileOrganizer |
writer |
commenter |
reader |
|---|---|---|---|---|---|---|
| Read the metadata (such as name, description) of the file or folder | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Read the content of the file | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Read the list of items in the folder | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Add comments to the file | ✔ | ✔ | ✔ | ✔ | ✔ | |
| Modify the metadata of the file or folder | ✔ | ✔ | ✔ | ✔ | ||
| Modify the content of the file | ✔ | ✔ | ✔ | ✔ | ||
| Access historical revisions | ✔ | ✔ | ✔ | ✔ | ||
| Add items to the folder | ✔ | ✔ | ✔ | ✔ | ||
| Remove items from the My Drive folder | ✔ | ✔ | ||||
| Share items from the My Drive folder | ✔ | ✔ | ||||
| Share a shared drive item | ✔ | ✔ | ✔ | |||
| Add files to shared drives | ✔ | ✔ | ✔ | |||
| Can access detailed file permissions | ✔ | ✔ | ✔ | ✔ | ||
| Move items into the Trash | ✔ | ✔ | ✔ | |||
| Reorganize items within a shared drive [1] | ✔ | ✔ | ||||
| Move items outside of a shared drive [2] | ✔ | |||||
| Delete a file or folder | ✔ | ✔ | ||||
| Delete items in shared drives [2] | ✔ | |||||
| Edit shared drive metadata | ✔ | |||||
| Add shared drive members | ✔ | |||||
| Delete an empty shared drive | ✔ | |||||
| Add a content restriction to a file in a My Drive folder | ✔ | ✔ | ||||
| Add a content restriction to a file in a shared drive | ✔ | ✔ | ✔ |
Views
A permission might be restricted to a view, in which case the role only
applies to that particular view.
A permission with view=published and role=reader grants reader access to
the published view of the file, but it doesn't grant reader access to the
file.
Conversely, any permission that's not restricted to a particular view, grants
reader access to the published view of the file.