# 13 Drive external-sharing restriction / trust rules

> v0.1.2 · role: Prevent · edition: All (trust rules: Ent Std+, Edu Std+, Frontline Plus, Ent Essentials Plus) · [policy: #15 · #4](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Governs Drive's outbound boundary: whether files may be shared outside the organisation at all, to which domains, whether non-Google 'visitors' can be given PIN-based access, and what link state a newly created file is born in. A target audience narrower than the whole domain makes 'share with the company' mean a team rather than everyone. On Enterprise Standard/Plus, Education Standard/Plus, Frontline Plus and Enterprise Essentials Plus, the blunt domain allowlist can be replaced with directional trust rules — who may share, to whom, in which direction.

## Caveats

- Trust rules require Enterprise Standard/Plus, Education Standard/Plus, Frontline Plus or Enterprise Essentials Plus — on Business tiers you have exactly one lever, the domain allowlist, and it is bidirectional and coarse.
- Turning external sharing fully Off also revokes external users' access to previously shared items; the allowlist option does not — files already shared publicly stay shared, and the public-share cleanup (№11) is the retrospective half. Neither works alone.
- Shared drives carry their own sharing settings, which can be looser than the OU default — check №29 before you believe this screen.
- Visitor sharing is a distinct toggle and a routine blind spot — an org that has 'turned off external sharing' often still has it on.

## Setup steps

1. Select the OU (organizational unit), then set the outbound boundary. 'Off' is the honest default; 'allowlisted domains' is the usual compromise. — `Apps › Google Workspace › Drive and Docs › Sharing settings › Sharing options`

   - **Sharing outside of <domain>** = Off, or 'Allowlisted domains' with an explicit domain list

   docs: [Manage external sharing for your organization](https://knowledge.workspace.google.com/admin/drive/manage-external-sharing-for-your-organization)

2. Do not let the warning BE the boundary, and close visitor sharing: the warning stays ON as a speed bump for permitted external shares (it enforces nothing by itself), while non-Google visitor sharing quietly re-opens the boundary and goes OFF. — `Apps › Google Workspace › Drive and Docs › Sharing settings › Sharing options`

   Warn when sharing outside <domain> = On; Allow users or shared drives in <domain> to share items with guest accounts and visitors without Google Accounts = Off (visitor sharing)

   docs: [Allow sharing to non-Google users with visitor sharing](https://knowledge.workspace.google.com/admin/drive/allow-sharing-to-non-google-users-with-visitor-sharing)

3. Set the default link state for newly created files so nothing is born public. — `Apps › Google Workspace › Drive and Docs › Sharing settings › Sharing options`

   When sharing outside of <domain> is allowed, users can make files and published web content visible to anyone = Off; General access default = Private to the owner

   docs: [Set general access sharing options for your organization](https://knowledge.workspace.google.com/admin/drive/set-general-access-sharing-options-for-your-organization)

4. Define a target audience narrower than the whole domain to allow sharing with specific teams. — `Directory › Target audiences`

   Create a target audience per department; set it as the Drive default rather than the whole organisation

   docs: [Create a target audience](https://knowledge.workspace.google.com/admin/groups/create-a-target-audience) · [Set target audiences for a Google service](https://knowledge.workspace.google.com/admin/groups/set-target-audiences-for-a-google-service)

5. On Enterprise Standard/Plus, Education Standard/Plus, Frontline Plus or Enterprise Essentials Plus, replace the blunt allowlist with directional trust rules (who may share, to whom, in which direction). — `Rules › Create rule › Trust rule`

   - **Create trust rules: internal→external sharing** = allow to named partner domains only, warn or block otherwise
   - **external→internal receiving** = allow from named partner domains only

   docs: [Create and manage trust rules for Drive sharing](https://knowledge.workspace.google.com/admin/security/create-and-manage-trust-rules-for-drive-sharing)

## Ongoing maintenance

- **[requires a human]** Quarterly: review trust-rule exceptions and expire ones whose engagement ended.

## How to verify

1. From a test account, share a document to a personal address outside the trust rules — the share should be blocked or warned exactly as configured.

## Settings screens

- Apps > Google Workspace > Drive and Docs > Sharing settings
  - console: https://admin.google.com/ac/managedsettings/55656082996/sharing
  - screenshot: ../screenshots/admin.google.com/ac/managedsettings/55656082996/sharing.png
- Directory > Target audiences (define the default 'share with' audience)
  - console: https://admin.google.com/ac/targetaudiences
  - screenshot: ../screenshots/admin.google.com/ac/targetaudiences.png
- Rules > Create rule > Trust rule (Ent Std+, Edu Std+, Frontline Plus, Ent Essentials Plus)
  - console: https://admin.google.com/ac/dp
  - screenshot: ../screenshots/admin.google.com/ac/dp.png
