4

I have written a Google Apps Script function that uses Domain-Wide Delegation of Authority (OAuth 2 service account) and the Google Drive API to transfer ownership of all Google Drive files owned by a user (User A) to another user (User B) and then add a third user (User C) as an editor on all of the files.

The reason I am doing this is because I want to automate the process of preserving files when an employee leaves the company and providing access to them for whomever will be handling their responsibilities.

  • User A is the person leaving the company,
  • User B is a Google account meant specifically to be an archive of files from people who have left the company,
  • User C is the person who is responsible for taking over User A’s responsibilities.

Google provides a Transfer Ownership tool for Apps admins, but it cannot be invoked through a script as part of an automated process, only through the Admin Console GUI.

I’ve been able to successfully perform each step of this process using the API, but it takes several API calls per file. So if the user owns hundreds or thousands of files in their Drive, the function will likely exceed the 5-minute script execution limit.

Is there a way to combine or remove any of these steps and still accomplish the same goal?

Here is the process I have come up with:

  1. Authenticate as User A

  2. Using Files: list, list all Drive files for User A which are owned by them and are not in the trash

  3. Loop through each page of results and store the file details (id, title, parents, etc) in an array

  4. Using Files: insert, create a root-level “container” folder which will eventually contain all of User A’s files and folders, for organization purposes (called “From User A (date)”)

  5. Loop through each file in the file details array. If the parent of a file is the root of their Drive, set the parent to be the container folder (Using Files: patch). This moves all of the files they own into the container folder, but keeps the directory structure of subfolders/files intact.

  6. Using Permissions: insert, set User B as an owner of the container folder. This makes the container folder appear in the root of User B’s Drive. However, this does not cascade the Owner permission down to all of the files/folders contained within the container folder.

  7. Using Permissions: insert, set User C as an editor of the container folder so that the folder shows up in their "Shared with me" folder.

  8. Loop through each file in the file details array again and:

    1. Using Permissions: insert, set User B to be an owner of each file

    2. Using Permissions: insert, set User C to be an editor (using the sendNotificationEmails=false parameter so User C doesn’t get flooded with thousands of notification emails)

  9. Authenticate as User B, loop through each file in the file details array again and:

    1. Step 8-1 causes every single file to show up in the root of User B’s Drive as well (when you click on each file, it shows two parent folders: both the container folder AND the My Drive root folder), so now remove the root folder from the parents array of each file (using Files: patch)

    2. Using Permissions: delete, remove User A’s permission from the file (because their account will be set as a “Vault Former Employee,” which causes them to still show up in Google Drive Sharing panes, but they shouldn’t because they are no longer with the company).

Employee
  • I've been doing that with free GAS, though I have to make them open a Published Page with their Google Account logged in. Would that work for you, making them log in to this page when leaving the company? Also, this way it never hits the API calls, since it's just GAS scripting, no Advanced Services, and doesn't run into execution times, since it makes hundreds of calls from the HTMLPage, each of which will have its own timer. – Kriggs Sep 02 '15 at 11:00
  • For efficiency and security we can't rely on the user to do anything. As an admin I've already built an entire automated process to handle "off-boarding" of employees who have left the company, which includes: changing their password, moving to a certain suborg where 2SV is not enforced, transferring ownership of calendar events, google sites, assigning Google Vault license, moving to Vault suborg, suspending user, removing from Groups, removing from GAL, creating email forwarding group, etc. – Employee Sep 02 '15 at 13:00
  • So the entire process is automated except for transferring Drive files, so one of my team members actually has to log in as the user, do a Google Takeout (because the Google transfer tool fails a lot, leaving "orphaned" files all over the place), then use the transfer tool in the GUI, then MANUALLY trigger the rest of the steps. Anyway, I am curious about how you're accomplishing this - is it done using the HTMLservice? And what does it use to interact with the files if not the Drive API? – Employee Sep 02 '15 at 13:02
  • Hi @Employee, can you provide the script you used? – user972014 Dec 31 '22 at 12:05

1 Answer

2

Google just released a Data Transfer API that accomplishes most of this. It doesn't handle the parts that relate to User C, but it cuts out most of the steps that took the longest to run.

Employee
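A request to the Data Transfer API mentioned in the answer, together with a check for the parts it leaves open (User C's editor access and User A's leftover permissions), as an added example that is not code from the original post. The function names, the ids, the addresses and the simplified file-record shape are assumptions made for illustration; `submitTransfer` only runs inside Apps Script.

```javascript
// Added example. Ids, addresses and the file-record shape below are constructed.
const TRANSFERS_URL = 'https://admin.googleapis.com/admin/datatransfer/v1/transfers';

// Body for transfers.insert. Owner ids are Directory API user ids, not e-mail
// addresses; driveAppId is the Drive entry returned by applications.list.
function buildDriveTransfer(oldOwnerUserId, newOwnerUserId, driveAppId) {
  const ids = [oldOwnerUserId, newOwnerUserId, driveAppId].map(String);
  const bad = ids.find(v => !/^\d+$/.test(v)); // assumption: all three are numeric
  if (bad !== undefined) throw new Error('expected a numeric id, got ' + bad);
  if (ids[0] === ids[1]) throw new Error('source and destination are the same user');
  return {
    oldOwnerUserId: ids[0],
    newOwnerUserId: ids[1],
    applicationDataTransfers: [{
      applicationId: ids[2],
      applicationTransferParams: [{ key: 'PRIVACY_LEVEL', value: ['PRIVATE', 'SHARED'] }]
    }]
  };
}

// Apps Script only (UrlFetchApp is not defined elsewhere). The token must carry
// the https://www.googleapis.com/auth/admin.datatransfer scope.
function submitTransfer(body, accessToken) {
  return UrlFetchApp.fetch(TRANSFERS_URL, {
    method: 'post',
    contentType: 'application/json',
    headers: { Authorization: 'Bearer ' + accessToken },
    payload: JSON.stringify(body)
  });
}

// Post-transfer check over simplified records {id, owners, permissions:[{email, role}]}.
function auditTransfer(files, userA, userB, userC) {
  const same = (x, y) => x.toLowerCase() === y.toLowerCase();
  return files.map(f => {
    const roleOf = u => (f.permissions.find(p => same(p.email, u)) || {}).role;
    const issues = [];
    if (!f.owners.some(o => same(o, userB))) issues.push('not owned by archive account');
    if (roleOf(userA)) issues.push('departed user still has ' + roleOf(userA) + ' access');
    if (!['owner', 'writer'].includes(roleOf(userC))) issues.push('successor is not an editor');
    return { id: f.id, issues };
  }).filter(r => r.issues.length > 0);
}
const P = (email, role) => ({ email, role }); // constructed sample data follows
const SAMPLE_FILES = [
  { id: 'f1', owners: ['b@example.com'], permissions: [P('b@example.com', 'owner'), P('c@example.com', 'writer')] },
  { id: 'f2', owners: ['b@example.com'], permissions: [P('b@example.com', 'owner'), P('a@example.com', 'writer'), P('c@example.com', 'writer')] },
  { id: 'f3', owners: ['a@example.com'], permissions: [P('a@example.com', 'owner')] }
];
```

Running `auditTransfer` over the archive account's file listing after the transfer completes shows which files still need the User C grant or the User A cleanup, so the per-file calls are limited to those files.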