Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition
With trust rules, you can create granular policies to control who can get access to Google Drive files. Your policies can apply to individual users, groups, organizational units, and domains to specify:
- Which users' files can be shared with internal or external users
- Which users can receive files from internal or external users
- Which internal or external users can be invited and add items to shared drives
Because trust rules provide flexibility in establishing collaboration boundaries, they can help you secure sensitive information and maintain compliance with industry standards and regulations.
Suppose your organization's Marketing team needs to share their files with specific people at your partner organization. To help keep your organization's information confidential, you can create rules to establish the following external collaboration boundaries:
- Allow files that your Marketing team owns to be shared with specific people at the partner organization.
- Block files that other teams in your organization own from being shared with the partner organization.
- Block other teams in the partner organization from sharing their files with anyone in your organization.
Suppose your organization's Finance team should share their files only with your Executive team. To help prevent other teams from receiving confidential financial information, you can create rules to establish the following internal collaboration boundaries:
- Allow files owned by Finance to be shared with Finance and Executives.
- Block files that Finance owns from being shared with any other teams in your organization.
Drive tries to block external users from sharing spam or phishing with your users. However, if you’d like to take additional steps to decrease your risk, you can create a rule that allows only external users from trusted domains to share files with internal users. To ensure users can still collaborate, you can apply this rule only to organizational units with users who usually don’t usually receive files from external users.
How trust rules replace Drive sharing settings
Drive sharing settings are automatically converted to trust rules
Trust rules replace your Drive settings under Sharing optionsSharing outside of your organization.
You can preview rules converted from Drive settings
To preview rules automatically created from your Drive settings:
From the Admin console home page, go to Rules. You can filter rules by type, by clicking Add a filterRule typeTrust.
In the Rules list, you'll see:
- Two default rules for sharing outside your organization
Once enforced, these rules will be either active or inactive, depending on the state of your equivalent Drive sharing settings.
- Any other rules needed to match the sharing boundaries of your current Drive settings
Important: These rules aren't enforced until you turn on trust rules.
Your equivalent Drive sharing settings become inactive
Once you turn on trust rules, you can no longer use the Drive setting for sharing outside your organization. For details about Drive sharing settings, go to Set users' Drive sharing permissions.
You can turn off trust rules
At any time, you can turn off trust rules and return to using Drive sharing settings instead. For details, go to Turn trust rules on or off below.
With a trust rule's scope and conditions components, you can control file sharing more precisely than you can with Drive sharing settings. For details about rule components, go to the section Understand trust rule components later on this page.
The following charts compare available controls in Drive sharing settings and trust rules.
Scope controls
Scope |
Drive sharing settings |
Trust rules |
---|---|---|
Include organizational units | ✔ | ✔ |
Include groups | ✔ | ✔ |
Exclude organizational units | ✔ | |
Exclude groups | ✔ |
Conditions controls
Condition | Drive sharing settings | Trust rules |
---|---|---|
Entire organization | ✔ | ✔ |
Allowlisted domains | ✔ | ✔ |
External organizations | ✔ | |
Organizational units | ✔ | |
Groups (created internally) | ✔ | |
Users (internal) | ✔ |
Before you begin
To create a trust rule, you define its scope, trigger, conditions, and action components. Using these components, you can create a rule that says if xhappens, do y.
For example, if you create a rule to allow files your organization's Sales department own to be shared with anyone at your customer's organization (other-company.com), the rule's components would be:
- The scope is the organizational unit for your Sales department.
- The trigger is that someone attempts to share a file owned by a user in the scope.
- The condition is other-company.com.
- The action is to allow the file to be shared.
Defining the scope
The scope is the user in your organization to whom a rule's trigger applies:
- If a rule's trigger is Sharing files, the scope is the user who owns the file for which you want to control sharing.
Important: A sharing rule also controls sharing by users with Edit privileges for a file owned by a user in the scope.
- If a rule's trigger is Receiving files, the scope is the intended recipient of the file.
For the scope, you can:
- Include your whole organization.
- Include or exclude organizational units (which can contain users and shared drives).
- Include or exclude groups in your organization's Google Groups service.
Defining the trigger
The trigger is the activity that a rule allows or blocks. You can select one of the following triggers:
- Sharing files
- Receiving files
Defining the conditions
Conditions are the users whom a file is intended to be shared with or received from:
- If a rule's trigger is Sharing files, the condition is the intended recipient of the file.
- If a rule's trigger is Receiving files, the condition is the user who owns the file.
You can specify multiple conditions for a rule, both inside and outside your organization, including:
- Organizational units
- Groups in your organization's Google Groups service (can include external users)
- Trusted domains (all users at all external domains on your allowlist)
- External domains not on your allowlist
- Specific users in your organization
- Anyone with a Google Account
Note: Only one condition needs to be met for the rule to take effect.
Defining the action
The action is the outcome you want to occur when a rule is triggered. You can:
- Allow sharing
- Allow sharing with a warning
Note: If you select this option, users see a warning when sharing files but not when receiving them.
- Block sharing
You have 2 default rules that specify sharing outside your organization:
Rule name | Scope | Trigger | Condition | Action | Status |
---|---|---|---|---|---|
[Default] Users in my organization can share and receive within the organization | Top-level organizational unit (entire organization) | Sharing files and Receiving files | My organization | Allow | Active* |
[Default] Users in my organization can share with anyone who has a Google Account | Top-level organizational unit (entire organization) | Sharing files |
Anyone in the world Include visitors |
Allow | Active* |
You can't edit default rules, but you can deactivate or reactivate them (unless you're using Cloud Identity).
* If you've already set up Drive settings for sharing outside: The status of default rules depends on your equivalent Drive sharing settings that were converted to trust rules.
To allow or block sharing by departments or groups
Make sure you create the organizational units and groups you want to create trust rules for:
- For details on creating organizational units, go to Add an organizational unit.
- For details on creating groups, go to Create a group.
To restrict sharing to trusted domains only
Make sure the trusted domains are on your allowlist. Trusted domains must use Google Workspace and be domain-verified. For details, go to Allow external sharing only with trusted domains.
Cloud Identity customers: If your organization has a mix of Cloud Identity and Google Workspace licenses, domains on an allowlist for Google Workspace also apply to users with Cloud Identity licenses.
Before creating trust rules, consider which type of sharing to allow or block across your organizational structure. Make sure your rules don't let users share with people they don't intend to or prevent them from sharing with people they intend to.
For example, assume you have the 4 organizational units—Sales, Legal, Research, and All other teams—and you want to restrict the following types of sharing:
- Files that Sales owns can't be shared internally with Research.
- Files that Legal owns can't be shared externally except with your outside counsel.
- Files that Research owns can be shared only internally among Research and Legal.
- Files that all other teams own can't be shared externally with anyone.
The following are recommended steps to implement your sharing model.
Step 1: Map collaboration boundaries
You might want to use a matrix to map which sharing is allowed for different users, such as the following:
Internal sharing |
External sharing | |||
---|---|---|---|---|
Organizational unit | Files they own can be shared with... | Files they own can't be shared with... | Files they own can be shared with... | Files they own can't be shared with... |
Sales | Sales, Legal, All other teams |
Research | Anyone | |
Legal | All teams | Outside counsel | Everyone else | |
Research | Research, Legal | Sales, All other teams |
Anyone | |
All other Teams | All teams | Anyone |
Step 2: Create the following rules:
Rule | Scope | Trigger | Condition | Action |
---|---|---|---|---|
Internal sharing |
Include: Root Exclude: Research |
Sharing files |
Your organization |
Allow |
Research - Internal sharing | Include: Research | Sharing files Receiving files |
Research, Legal |
Allow |
Legal - External sharing | Include: Legal |
Sharing files |
Outside counsel domain |
Allow |
Sales - External sharing | Include: Sales | Sharing files Receiving files |
Anyone with a Google Account |
Allow |
Sales - Blocking sharing | Include: Sales |
Sharing files |
Research | Block |
Step 3: Deactivate the 2 default rules
The default rules allow broad sharing both inside and outside your organization; in this example, they'll conflict with the more specific sharing model you want to use.To... | You need these admin privileges... |
---|---|
Turn trust rules on or off | |
View trust rules in the Rules list | |
View trust rule details | |
Create or edit trust rules | |
Activate or deactivate specific trust rules | |
Delete trust rules |
If you need additional privileges to manage trust rules, contact your administrator.
Tip: If you're a super administrator, you can create a custom admin role for managing trust rules and assign it to a delegated admin. For details, go to Create, edit, and delete custom Admin roles.
Turn the trust rules feature on or off
If you turn on trust rules:
- Existing rules in your Rules list are enforced, and your Drive settings for sharing outside your organization are deactivated. For details, go to How trust rules replace Drive settings earlier.
- If you change any Drive sharing settings shortly before turning on trust rules, your rules might enforce the Drive settings' previous state temporarily. It can take up to 48 hours for trust rules to sync with recent changes to Drive sharing settings.
To turn on trust rules:
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu Rules.
- In the Collaborate securely card at the top of the page, click Turn on for Drive.
Requires having the Manage Trust Rules and Drive & DocsSettings administrator privileges.
Your Tasks list opens automatically and shows the progress of trust rules activation.
If you turn off trust rules:
- Your organization's Drive sharing settings become active again and revert to their state when you turned on trust rules.
- Any trust rules you created are permanently deleted.
To turn off trust rules:
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AppsGoogle WorkspaceDrive and Docs.
- Click Sharing settings.
- Under Sharing outside of your organization, click Turn off trust rules.
Requires having the Manage Trust Rules and Drive & DocsSettings administrator privileges.
Your Tasks list opens and shows the progress of trust rules deactivation.
Create and manage trust rules
After you create a trust rule, you can:
- Edit it at any time to change settings, such as conditions and action, or to deactivate or reactivate it.
- Delete a trust rule at any time.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu Rules.
- Click Create ruleTrust.
Requires having the View Trust Rules, Manage Trust Rules, Drive & DocsSettings, GroupsRead, and Organizational UnitsRead administrator privileges.
- Under Name, enter a name and optionally a description for your rule.
- Under Scope, choose one of the following:
By default, the rule applies to everyone in your organization.
To apply the rule to only specific users:
- For a sharing rule, choose which users' files the rule applies to. Trust rules apply only to the files owned by users or shared drives in your rule's scope. Get details.
- For a receiving rule, choose which users are the intended recipients of a shared file.
- Click Specify organizational units or groups.
- Select an option to include or exclude organizational units or groups.
- Select the organizational unit or group to include or exclude.
- (Optional) Include or exclude more organizational units or groups.
For example, to apply a rule to everyone in your organization except for one group, include the top-level organizational unit and exclude the one exempt group.
To remove an organizational unit or group, click Clearnext to it.
- Click Continue.
- Under Triggers, select one or both events for which you want to apply the rule:
- Sharing files—Rule triggers when files owned by people in your scope are shared with the users you select in Conditions.
- Receiving files—Rule triggers when people in your scope receive files owned by users or shared drives you select in Conditions, or are added as members to shared drives in Conditions.
- Under Conditions, click Add condition, and then select the internal or external people you want to allow or block from sharing or receiving with users in your scope.
Internal options:
- User—Start typing the user's name or email address.
- Organizational unit—Click Select an organizational unit.
- Group—Start typing the group's name or email address.
- My organization
External options:
(Optional) To allow users to share externally with people who don't have a Google Account, check the Include visitors box. This option doesn't apply to some types of conditions. Get details.
- External organization—Enter the organization's domain name (such as other-company.com).
- Allowlisted domains—Optionally check which domains are on your allowlist by clicking View allowlisted domains.
- Anyone with a Google Account (includes internal and external users)
- Click Continue.
- Under Action, choose what happens when your rule is triggered: Allow, Allow with warning, or Block.
- Click Finish.
- Choose whether to make the rule active or inactive, and then click Complete.
It can take up to 48 hours to see changes. During this time, old and new settings might be intermittently enforced.
You can edit a trust rule at any time to change settings, such as conditions and action, or to deactivate or reactivate it.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu Rules.
- Find the rule in the Rules list.
Tip: You can sort the list by rule type, by clicking the Rule type column heading. Or filter the list by clicking Add a filterRule typeTrust.
- (Optional) To view the rules scope, conditions, trigger, and action, point to the rule in the list and click Quick view.
- (Optional) Click the rule to open its details page and view settings.
- (Optional) To edit settings:
- On the left of the details page, click Edit rule. Or click a settings section.
Requires having the View Trust Rules, Manage Trust Rules, Drive & DocsSettings, GroupsRead, and Organizational UnitsRead administrator privileges.
- Edit settings.
To navigate to other settings, click Continue. To close a section, click CancelDiscard & exit.
- When you're finished editing settings, click Finish.
- On the left of the details page, click Edit rule. Or click a settings section.
It can take up to 48 hours to see changes. During this time, old and new settings might be intermittently enforced.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu Rules.
- Under Rules, click Add a filterRule typeTrust.
- In the Rules list, point to the rule you want to delete and click Delete.
Requires having the View Trust Rules, Manage Trust Rules, and Drive & DocsSettings administrator privileges.
You can also find the Delete option at the left on the rule's details page (click the rule to open its details page).
- In the confirmation message, click Delete.
You can view detailed logs that show admin activity on trust rules. Three types of logs are available:
- Rule creation
- Rule deletion
- Update rule
You can view detailed logs that show user activity on shared Drive file trust rules. Three types of logs are available:
- Blocked recipient
- File share blocked
- File view blocked
For steps on how to see what types of events you can view, go to Admin log events and Rule log events.
Learn more about how trust rules work
Example: Allow a team's files to be shared with another team
Suppose you want to let files your Sales team owns to be shared with your Marketing team. In this case, you'd need one rule to allow Sales to share files with Marketing and another rule to allow Marketing to receive files from Sales:
Rule | Scope | Trigger | Condition | Action |
---|---|---|---|---|
1 | Sales | Sharing files | Marketing | Allow |
2 | Marketing | Receiving files | Sales | Allow |
Example: Allow two teams' files to be shared between them
Rule | Scope | Trigger | Condition | Action |
---|---|---|---|---|
1 | Sales |
Sharing files |
Marketing | Allow |
2 | Marketing |
Sharing files |
Sales | Allow |
- If a file owner moves to a different organizational unit or group, the file's sharing rules change to those of the new organizational unit or group. This rules change also applies if file ownership transfers to someone in a different organizational unit or group.
- For files they don't own, users can't share files beyond what's allowed for file owners. This restriction applies even if users are in organizational units or groups with more permissive sharing rules.
Here's how trust rules work with people who don't have a Google Account or have a Google Account that's not managed by an administrator.
People without a Google Account (visitors)
Rules that allow sharing
If you create a rule that allows users to share files externally, by default, sharing is allowed only with people who have a managed Google Account. However, you can also allow users to share files with people who don't have a Google Account. In this case, the recipient is given a special type of account called a visitor account. Learn more about sharing with visitor accounts.
To allow sharing with people who don't have a Google Account, in the Conditions settings for the rule, select the Include visitors option. This option applies only to rules that allow users to share externally, with either an external domain or all external users.
Note: You can't allow sharing with a visitor account by adding it to a group for which you allow external sharing.
Rules that block sharing
Any rules that block users from sharing outside your organization always apply to visitors, even if the Include visitors option isn't selected for the condition.
However, if there's another rule that allows sharing with visitor accounts, a blocking rule doesn't apply to visitor accounts in groups. For example, if you have the following rules:
- Rule 1—Allow sharing files with Anyone with a Google Account, with Include visitors selected.
- Rule 2—Block sharing with a mailing list group that includes people with visitor accounts.
Block actions don't apply to the visitor accounts in the group. Users in rule 2's scope can still provide the visitor accounts with access to their files.
People with an unmanaged Google Account
Rules that allow sharing
If you create a rule that allows users to share externally with a specific domain or organization, users can't share with unmanaged Google accounts at that domain or organization. These accounts include consumer accounts and accounts with certain Google products, such as Google Workspace Essentials.
You can, however, allow users to share with specific unmanaged accounts: Add the accounts to a group and create a rule that allows sharing with that group.
Rules that block sharing
Any rules that block users from sharing outside your organization always apply to unmanaged accounts.
If a trust rule's scope includes an organizational unit, the rule applies to any shared drives in that organizational unit. For example, if you create a rule that allows your Manufacturing team's organizational unit to share files with Legal, users in Legal can access Manufacturing's shared drives.
To create trust rules for shared drives, make sure you set up shared drives in the appropriate organizational units.
- Block sharing
- Allow sharing
- Allow sharing with a warning
- "your-organization.com" is the organization's top-level organizational unit.
- "Marketing department" is a child organizational unit under the top level.
Example 1
Rule | Scope | Condition | Trigger | Action |
---|---|---|---|---|
1 | your-organization.com | Anyone in the world | Sharing files | Allow |
2 | Marketing department | Allowlisted domains | Sharing files | Allow |
Result: Because the Marketing department is a subset of your entire organization, Rule 1 also applies to them. Therefore, they can share with anyone in the world, not just allowlisted domains. Example 2 below shows you how to create rules to restrict Marketing to sharing only with allowlisted domains.
Example 2
Rule | Scope | Condition | Trigger | Action |
---|---|---|---|---|
1 |
your-organization.com Except Marketing department |
Anyone in the world | Sharing files | Allow |
2 | Marketing department | Allowlisted domains | Sharing files | Allow |
Result: Because Rule 1 excludes the Marketing department, only Rule 2 applies to them. Therefore, they can share only with allowlisted domains. All other users can share with anyone in the world.
Example 3
Rule | Scope | Condition | Trigger | Action |
---|---|---|---|---|
1 | your-organization.com | Allowlisted domains | Sharing files | Allow |
2 | Marketing Department | Anyone in the world | Sharing files | Allow |
Result: Rule 2 is more permissive, so the Marketing department can share with anyone in the world. All other users can share only with allowlisted domains.
Example 4
Rule | Scope | Condition | Trigger | Action |
---|---|---|---|---|
1 | your-organization.com | Anyone in the world | Sharing files | Allow |
2 | Marketing department | other-company.com | Sharing files | Block |
Result: Because Rule 2 blocks sharing, it takes precedence over the sharing allowed by Rule 1. Therefore, the Marketing department can share with anyone in the world, except other-company.com.
Trust rules FAQ
You can have a maximum of:
- 200 active trust rules
- 2,000 trust rules (active + inactive)
- 150 conditions per trust rule
- 500 conditions of the following types across all your organization's trust rules:
- organizational units
- groups
- allowlisted (trusted) domains
- external domains
- specific users—1-200 users counts as 1 condition, 201-400 users counts as 2 conditions, and so on
Note: There's no limit to the number of the following types of conditions you can have across all your trust rules:
- Organization
- Anyone with a Google Account
- 500 included and excluded organizational units or groups for the scope, per rule
-
Dynamic groups—Manage memberships automatically when users join, move within, or leave your organization. Available in the Admin console or with the Cloud Identity API, dynamic groups help you reduce time spent managing group membership manually. To use a dynamic group for a trust rules policy, make sure it's also a security group (which has the Security label). Learn more about dynamic groups.
-
Security groups—Convert a standard or dynamic group to a security group, which helps you regulate, audit, and monitor the group for permission and access control. You can create security groups in the Admin console or with the Cloud Identity Groups API, by adding the Security label to them. Learn more about security groups.
-
Migrated groups—Use Google Cloud Directory Sync (GCDS) to sync groups you create in Microsoft Active Directory or other tools with Google Workspace. Then, you use those synced groups in trust rules. Learn more about GCDS.
- Scope—Legal team's organizational unit
- Trigger—Sharing files and Receiving files
- Condition—Group with specific attorneys' addresses
- Action—Allow
If a user no longer has the Google Drive and Docs service for their account—for example, the Google Workspace license was removed from their account—files they own can be shared only within your organization, even if the trust rules applied to their files allow external sharing. Sharing their files internally is still restricted by any boundaries set by the trust rules—for example, allowing sharing only with specific organizational units.
To remove the external sharing restriction from the user's files, you can add the Archived User (AU) license to their account. For details, go to Add Archived User licenses.
If your organization switches to a Google Workspace edition that doesn't include trust rules, your organization's active trust rules remain active and enforced. You can view trust rules but can't edit or delete them. If you're a super admin, you can turn off trust rules to use Drive sharing settings instead.
If you turn off trust rules: Your organization's Drive sharing settings become active again and revert to their state when you turned on trust rules. Any trust rules you created are permanently deleted.
If you cancel your Google Workspace subscription and have only Cloud Identity licenses, you can't use Drive sharing settings.
When sharing a file, users can choose the Anyone with the link option if all of the following are true:
- Trust rules that apply to the users' files let them share with everyone in your organization, anyone with a Google Account, and visitor accounts.
- There are no trust rules applied to the users' files that block them from sharing files.
- The following Drive sharing setting is turned on: When sharing outside of your domain is allowed, users can make files and published content available to anyone with the link. For details about this setting, go to Set users' Drive sharing permissions.
Trust rules known issues
Known issues list
Issue | Details |
---|---|
Logs for trust rules don't include some details | Admin logs for trust rules include who made a change and the type of change (create, update, or delete). However, the logs don't yet include what the change was and which setting was changed. |
An admin with insufficient privileges to open a rule's "quick view" doesn't receive an informative message |
If a delegated admin clicks the Quick view link for a trust rule in the Rules list, the rule's details won't open if the admin doesn't have all the privileges needed to view them (such as the Organizational units > Read privilege). However, the admin doesn't receive a message that they need additional privileges. |
Users can't access shared drives owned by email-verified organizations |
If you turn on trust rules, users can no longer collaborate with shared drives owned by another organization that has an email-verified account (such as a Google Workspace Essentials account). |