
Google Workspace access review checklist

One working session in the Admin Console, one honest picture of who and what can reach your Workspace. Built from VXSec's Google Workspace governance work, including the Shared Drive and Google Groups architecture on the selected work page.

1. Users and accounts

  • List all users and sort by last sign-in. Investigate anything over 60 days.
  • Match every account to a current employee or contractor. Flag the rest.
  • Check suspended accounts: they still own files and consume attention. Decide their end state.
  • Review contractor and vendor accounts: expiry date, sponsor, and whether either still applies.

2. Admin roles

  • List Super Admins. Most teams under 150 people need two: one daily owner, one break-glass.
  • Review delegated admin roles against what each person's job actually requires.
  • Confirm every admin account has 2-Step Verification enforced, not just enabled.

3. Groups

  • Review group membership against current teams. Groups drive access; stale membership is stale access.
  • Check who can join, post to, and view each group. "Anyone on the internet" settings surface in odd places.
  • Reassign groups owned by departed users.

4. Shared drives and file ownership

  • List shared drives and their managers. Every drive needs a current, named manager.
  • Find business-critical folders living in personal My Drive instead of shared drives. That is a departure risk.
  • Identify files owned by suspended or departed accounts and transfer ownership.

5. External sharing

  • Check the domain-level sharing setting: can users share externally, and to anywhere?
  • Review files shared to anyone with the link, especially with edit access.
  • Review sharing to personal Gmail addresses of current staff, a common shadow-access pattern.

6. Third-party app access

  • Open the app access control report and list every third-party app with OAuth grants.
  • Flag apps with mail, Drive, or admin scopes that nobody recognizes or that belong to cancelled tools.
  • Decide your baseline: allowlist trusted apps, or at minimum review high-scope grants quarterly.
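One way to triage an export of those grants against an allowlist, as an added example (not VXSec's tooling). The records, client IDs, app names and allowlist are constructed; the field names assume the Directory API token resource (clientId, displayText, userKey, scopes).

```python
from collections import defaultdict

G = "https://www.googleapis.com/auth/"
# Scope prefixes for the three categories the checklist names: mail, Drive, admin.
HIGH_SCOPE_PREFIXES = {
    "mail": ("https://mail.google.com/", G + "gmail."),
    "drive": (G + "drive",),
    "admin": (G + "admin.",),
}

def scope_categories(scopes):
    """Return the sorted high-scope categories touched by a set of scope URLs."""
    return sorted(cat for cat, prefixes in HIGH_SCOPE_PREFIXES.items()
                  if any(s.startswith(prefixes) for s in scopes))

def review_grants(grants, allowlist):
    """Merge per-user grants by app; return high-scope apps not on the allowlist."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "scopes": set()})
    for g in grants:
        app = apps[g["clientId"]]
        app["name"] = g.get("displayText") or "(no display name)"
        app["users"].add(g["userKey"])
        app["scopes"].update(g.get("scopes", []))
    findings = []
    for client_id, app in apps.items():
        cats = scope_categories(app["scopes"])
        if cats and client_id not in allowlist:
            findings.append({"clientId": client_id, "name": app["name"],
                             "categories": cats, "users": sorted(app["users"])})
    # Widest reach first: more categories, then more users.
    findings.sort(key=lambda f: (-len(f["categories"]), -len(f["users"]), f["clientId"]))
    return findings

# Constructed sample data: one record per user-to-app grant.
SAMPLE_GRANTS = [
    {"clientId": "111-example", "displayText": "Old CRM Sync",
     "userKey": "alice@example.com", "scopes": [G + "gmail.readonly", G + "drive"]},
    {"clientId": "111-example", "displayText": "Old CRM Sync",
     "userKey": "bob@example.com", "scopes": [G + "drive"]},
    {"clientId": "222-example", "displayText": "Calendar Widget",
     "userKey": "carol@example.com", "scopes": [G + "calendar.readonly"]},
    {"clientId": "333-example", "displayText": "Backup Tool",
     "userKey": "alice@example.com", "scopes": [G + "admin.directory.user.readonly"]},
    {"clientId": "444-example", "displayText": "Mail Merge",
     "userKey": "dave@example.com", "scopes": ["https://mail.google.com/"]},
]
SAMPLE_ALLOWLIST = {"333-example"}  # hypothetical: apps already reviewed and trusted

if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS, SAMPLE_ALLOWLIST):
        print(f["name"], f["clientId"], f["categories"], f["users"])
```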

7. Offboarding hooks

  • Confirm a written departure checklist exists for Workspace. If not, start from the Offboarding Gap Checklist.
  • Check the last three departures against it. Gaps found here are gaps for every future exit too.

If this took more than one session: that usually means the structure is the problem, not the review. Role-based access through Groups, department-based shared drives, and provisioning workflows make the next review take an hour. That structural work is what the Google Workspace audit and a Cleanup Sprint deliver.

Want the audit version, with evidence?

VXSec runs these checks against your actual environment, read-only, and returns a findings report with owners and a sequenced fix list.
