While OneDrive is a phenomenally useful tool that makes it easy to share files in the College, University, and beyond, it also introduces complexity: it’s possible to share documents stored in OneDrive, SharePoint, and Teams with unauthorized individuals both inside or outside of Purdue, and to make files – potentially containing sensitive or confidential information – discoverable by anyone at Purdue.
What follows are some tips for sharing documents safely. As you may know, there are a couple of ways to share documents in OneDrive.
WAYS TO SHARE
Create a special single-purpose “link”
Share internally with specific people (not using a link)
SHARING WITH A LINK
When creating a “link” to a folder or document in OneDrive, the default setting is to share with “Anyone” who has the link. This is a very powerful collaboration feature but has potential drawbacks. Sensitive or restricted Purdue data should never be shared in this way since an “Anyone” link is not password protected.
Our recommendation is to:
- Use OneDrive “links” sparingly.
- Ensure that links are set to expire automatically.
- Use “link options” to share with “People you choose” or “People in purdue.edu” rather than sharing the link with “Anyone” (i.e. “Anyone” in the world who may come across the link now or in the future).
SHARING INTERNALLY WITH SPECIFIC PEOPLE
OneDrive allows you to share files/folders with specific people internally without using “links.” For example, to share a folder, you can go to your “My Files” area of OneDrive, click the three dots “…” next to a folder name, and then select “Manage access.”
Rather than creating a “link” you can use the “Direct access” option and add only specific people who should have access through the OneDrive file explorer interface and not via a link.
This is the best way to ensure that ONLY authorized users, who have been deliberately added to a folder or file, will have access. When adding Purdue people by name, you can be assured that only you and the specified Purdue people will have password protected access.
HOWEVER… there is a way to (deliberately or inadvertently) share files/folders with EVERYONE AT PURDUE. This can be done by adding a group called “All Users” to a file/folder.
While most of us will not likely need this feature, it is important to know that OneDrive (and Teams and SharePoint) has the ability to share documents very widely in a way that can be discoverable by anyone at Purdue (faculty/staff/students/etc.).
This is why, when you go to the OneDrive “search” box and type in some keywords, you may see many documents from people you do not know. Or, you may see documents from people you do know, but did not know they had shared documents with you. Don’t panic if you see your own documents in the search, or documents from COE committees and offices. That is normal because you have access to your own documents and also documents from various Teams and SharePoint workspaces that you have been added to.
CONCLUSION
Please be deliberate and carful when storing or sharing documents in a collaborative cloud system of any kind such as: OneDrive / Box / Google Docs, etc. Sensitive & restricted Purdue data, along with unregulated “private or confidential” data, should not be shared with unauthorized users or stored in any publicly accessible and unprotected location. Here are some links that the central security team asked us to send along:
APPLICABLE POLICY AND PROCEDURES
Acceptable Use of IT Resources and Information Assets (VII.A.4)
Data Classification and Handling Procedures
FINAL TIP: HOW TO SEE EVERYTHING YOU ARE SHARING WITH OTHERS
If you would like to know what files/folders you are sharing with others in OneDrive, log into OneDrive…
https://purdue0-my.sharepoint.com/
…and select “Shared” in the left column close to the top. Then select “Shared by you” to see the documents you are sharing with others.
Here is a screenshot showing the process to “stop sharing” in OneDrive:
“Stop Sharing” in OneDrive Online
This may be a good time for us all to do some shared document spring cleaning in OneDrive. And by the way, deleting documents in OneDrive does not un-share them until you empty the “Recycle bin”.
CONSULTATION
If you need any assistance with sharing/un-sharing documents in OneDrive, SharePoint, or Teams, please contact Education IT (EdIT@purdue.edu) and we will be more than happy to schedule a consultation with you.