Atlas project development

Workspace Permission Audit Pipeline (GAM)

Detect, document, and remediate risky Drive sharing states at scale without manual inspection. It ingests a target user or email, Workspace Drive ACL data and shared drive membership data, and produces CSV reports, cleanup actions and audit evidence.

Type
Field Tool
Lifecycle
Active
Last touched
2025-11-06 (issues noted)
Visibility
Public
Why it's showcased

Illustrates security automation that detects risky sharing, produces audit evidence, and supports remediation at scale.

Purpose

Detect, document, and remediate risky Drive sharing states at scale without manual inspection.

Current state

Core pipeline works but hits edge cases: shared drive membership scans sometimes return empty records, and exported CSV headers are not consistent from run to run.

Next step

Add a CSV normalization layer that enforces a canonical header schema every run.

Interfaces

Inputs
  • target user/email
  • workspace drive ACL data
  • shared drive membership data
Outputs
  • CSV reports
  • cleanup actions
  • audit evidence

Reality to Action trace

Reality Ingestion

Contributes in this stage.

Canonical Storage

Not in scope.

Automation Engines

Contributes in this stage.

Human Interfaces

Not in scope.

Operational Adoption

Contributes in this stage.

Core workflow

  1. Define target user or group scope.
  2. Run GAM to export Drive ACLs and shared drive membership.
  3. Normalize CSV headers into a canonical schema.
  4. Identify risky shares (public, link-only, or external access) and My Drive matches.
  5. Produce audit reports and exception lists.
  6. Optionally run cleanup and remediation commands.
  7. Archive artifacts for compliance evidence.

Data integrity and contracts

Canonical schema definitions

  • Canonical Drive ACL CSV schema with normalized headers.
  • Shared drive membership report schema.
  • Risk classification fields for visibility and external access.

Source of truth rules

  • GAM exports reflect authoritative Workspace state at the time of the run; re-export rather than reuse a stale file before remediating.
  • Normalization rules define canonical header names.
  • Remediation decisions are based on policy and audit review.

Data quality checks

  • Validate required headers exist after normalization.
  • Deduplicate entries across nested reports.
  • Detect empty or partial shared-drive membership exports.
  • Compare row and shared-drive totals against expected counts so a truncated export is caught before reporting.
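
One way to implement workflow steps 3 through 5 and the data quality checks above, as an added example that is not the Atlas pipeline's own code. It assumes a one-row-per-permission GAM export with headers such as permission.type, permission.role, permission.emailAddress, permission.domain and permission.allowFileDiscovery, an assumed alias table for header variants, the tenant domain example.com, and constructed sample CSV text. It handles the two edge cases noted on this page: an export that lacks the permission.allowFileDiscovery column still normalizes and classifies, and an empty or partial shared drive membership export is reported as a gap rather than passed through.

```python
"""Canonical-header normalization and risk classification for GAM Drive ACL CSVs.
Added example, not the Atlas pipeline's code.  Assumed: one export row per
permission with GAM-style headers (permission.type/role/emailAddress/domain/
allowFileDiscovery), the alias table, tenant domain example.com, constructed sample CSVs."""
import csv
import io
CANONICAL = ["owner", "file_id", "file_name", "perm_type", "perm_role",
             "perm_email", "perm_domain", "allow_discovery"]      # assumed schema
OPTIONAL = {"allow_discovery", "perm_email", "perm_domain"}       # may be absent
ALIASES = {"owner": ["Owner", "owners.0.emailAddress"], "file_id": ["id"],
           "file_name": ["name", "title"], "perm_type": ["permission.type"],
           "perm_role": ["permission.role"], "perm_email": ["permission.emailAddress"],
           "perm_domain": ["permission.domain"],
           "allow_discovery": ["permission.allowFileDiscovery"]}  # assumed variants
INTERNAL_DOMAINS = {"example.com"}                                # assumed tenant


def normalize_headers(fieldnames):
    """Map export headers to canonical names; refuse to run if a required one is missing."""
    mapping = {}
    for canon in CANONICAL:
        for alias in [canon] + ALIASES[canon]:
            if alias in fieldnames:
                mapping[alias] = canon
                break
    missing = [c for c in CANONICAL if c not in mapping.values() and c not in OPTIONAL]
    if missing:                      # also fires on an empty export (no header line)
        raise ValueError(f"required headers missing after normalization: {missing}")
    return mapping


def normalize_rows(csv_text):
    """Parse an export into rows keyed by the canonical schema; absent columns become ''."""
    reader = csv.DictReader(io.StringIO(csv_text))
    mapping = normalize_headers(reader.fieldnames or [])
    rows = []
    for raw in reader:
        row = dict.fromkeys(CANONICAL, "")
        for orig, canon in mapping.items():
            row[canon] = (raw.get(orig) or "").strip()
        rows.append(row)
    return rows


def classify(row):
    """public_discoverable / public_link / external / internal / unknown.
    A missing allowFileDiscovery column is treated as link-only, which is still public."""
    t = row["perm_type"]
    if t == "anyone":
        return "public_discoverable" if row["allow_discovery"].lower() == "true" else "public_link"
    if t == "domain":
        return "internal" if row["perm_domain"].lower() in INTERNAL_DOMAINS else "external"
    if t in ("user", "group"):
        return "internal" if row["perm_email"].rpartition("@")[2].lower() in INTERNAL_DOMAINS else "external"
    return "unknown"


def build_report(csv_text):
    """Normalize, drop repeated permission rows (nested exports repeat ACLs), classify."""
    seen, rows = set(), []
    for r in normalize_rows(csv_text):
        key = (r["file_id"], r["perm_type"], r["perm_role"], r["perm_email"], r["perm_domain"])
        if key in seen:
            continue
        seen.add(key)
        r["risk"] = classify(r)
        rows.append(r)
    return rows


def to_canonical_csv(rows):
    """Serialize with a fixed header order so downstream consumers never see drift."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=CANONICAL + ["risk"], lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def membership_gaps(membership_csv, expected_drive_ids):
    """Expected shared drive ids missing from the membership export; an empty export returns all."""
    reader = csv.DictReader(io.StringIO(membership_csv))
    seen = {(r.get("id") or "").strip() for r in reader} - {""}
    return sorted(set(expected_drive_ids) - seen)


# Constructed samples: two header variants of the ACL export; a membership export missing a drive.
SAMPLE_ACL_CSV = """Owner,id,name,permission.type,permission.role,permission.emailAddress,permission.domain,permission.allowFileDiscovery
alice@example.com,f1,Q3 budget.xlsx,anyone,reader,,,True
alice@example.com,f1,Q3 budget.xlsx,user,writer,bob@example.com,,
alice@example.com,f2,roadmap.docx,user,reader,eve@partner.test,,
alice@example.com,f2,roadmap.docx,user,reader,eve@partner.test,,
alice@example.com,f3,notes.txt,domain,reader,,example.com,False
"""
SAMPLE_ACL_CSV_VARIANT = """owners.0.emailAddress,id,title,permission.type,permission.role,permission.emailAddress,permission.domain
carol@example.com,f9,contract.pdf,anyone,reader,,
"""
SAMPLE_MEMBERSHIP_CSV = "id,name,emailAddress,role\n0AKx1,Finance,alice@example.com,organizer\n"
EXPECTED_SHARED_DRIVES = ["0AKx1", "0AKx2"]
```

Run build_report on each export and to_canonical_csv on the concatenated rows; the header line is identical every run regardless of which variant GAM produced. Feed membership_gaps the shared drive ids from the directory export, and fail the run when it returns anything non-empty instead of archiving a partial report as evidence.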

Safe handling

  • Restrict audit reports to security staff.
  • Redact or minimize PII in shared artifacts.
  • Use admin accounts with least-privilege scopes.

Downstream integration map

  • Security and compliance reporting.
  • Remediation tasks for IT.
  • Policy updates and training.

Operational notes

Constraints and scars

  • Shared drive membership report sometimes returns empty records.
  • CSV headers can vary (permission.allowFileDiscovery appears inconsistently).

Reliability posture

Repeatable scans; normalization required for stable outputs.

Observability

  • command logs
  • report artifacts

Security and privacy

High; ACL exports list who can reach which files, including external addresses, so the reports themselves are sensitive artifacts.

Dependencies

Upstream
  • GAM access
  • Workspace directory/drive
Downstream
  • remediation actions
  • policy updates

Ownership

Owners

Josh Barton

Users

IT admin, security/ops, Josh Barton (owner)