Access to files & folders is determined by an access control list (ACL). An ACL is a list of permissions that determine whether or not users can perform actions on a file such as read or write.
Types, roles and values: how the permissions work
Lists of permissions are available for each file and folder in Drive. Each permission specifies a type, role, and emailAddress or domain, permitting a level of access to a file or folder. These values work together to limit the access appropriately. The type limits access to a set of users. The email address and domain fields specify which users can have access. Finally, the role gives these users the ability to do something to the file, like read it. When combined, these properties define a complete permission.
Each permission in the Google Drive API has a role. A role defines what users can do with a file. The following table describes what operations users in each role can perform.
|Read the metadata (e.g. name, description) of the file or folder||✔||✔||✔||✔|
|Read the content of the file||✔||✔||✔||✔|
|Read the list of items in the folder||✔||✔||✔||✔|
|Add comments to the file||✔||✔||✔|
|Modify the metadata of the file or folder||✔||✔|
|Modify the content of the file||✔||✔|
|Access historical revisions||✔||✔|
|Add items to the folder||✔||✔|
|Remove items from the folder||✔||✔|
|Delete the file or folder||✔|
Types and values
Every permission of a file or folder has a
type. The type is the scope of
the permission, and determines which users have a role. Permissions with
groups also have an
emailAddress. Permissions with
domain have a corresponding
domain property that specifies the
domain name. For example, a permission with a type of
domain may have a
thecompany.com, indicating that the permission grants the given
role to all users in the G Suite domain
The list shows what types and values are possible.
||Email address of a user. Example: firstname.lastname@example.org|
||Email address of a Google Group. Example: email@example.com|
||Domain name of G Suite domain. Example: thecompany.com|
|anyone||N/A||The anyone permission does not require an
IDs and names
id is always the unique identifier of the value of the permission. IDs
should be treated as opaque values.
displayName is always the "pretty" name of the value of the permission. The
following is a list of potential names for each type of permission.
|Type||Possible name values|
|user||User's full name, as defined for their Google account. Example: Joe Smith|
|group||Name of the Google Group. Example: The Company Administrators|
|domain||String domain name. Example: thecompany.com|
|Share a Team Drive item||✔||✔|
|Add files to Team Drives||✔||✔|
|Delete items in Team Drives1||✔|
|Move items in Team Drives1||✔|
|Edit Team Drive metadata||✔|
|Add Team Drive members||✔|
|Delete an empty Team Drive||✔|
ACLs set on folders propagate downward to all contained items. Propagation occurs whenever permissions or the hierarchy are changed, and is done recursively through all nested folders.
Inherited permissions can not be removed from an item in a Team Drive. Instead it can be adjusted on the direct or indirect parent from which it was inherited. Inherited permissions may be removed from items under "My Drive" or "Shared with me."
The effective permissions for the current user are represented as
capabilities in the file metadata. Capabilities are a collection
of boolean fields that indicate whether or not an action can be performed
on the file.