Google Workspace management plan (Brainforge)

Owner: Ops (Uttam, Rico, Elizah)
Last updated: 2026-03-11

Status (today)

  • Unblocked ops shared-drive membership management via a Google Group that has Manager access on key Shared Drives (see “What we did”).
  • Baseline inventory of Shared Drives, owners, and groups.
  • EOM checks running as a simple checklist + Linear recurring work.
  • Automation (optional) via GAM CLI.

Goals

  • Make access changes fast and safe (especially Shared Drives).
  • Use group-based access wherever possible (less one-off permission drift).
  • Keep admin power minimal (few super-admins; most ops work done via groups/roles).
  • Establish a cadence: light weekly maintenance, heavier EOM checks.

Scope

  • Google Workspace Admin (users, groups)
  • Google Drive / Shared Drives (membership + drive-level settings)
  • Gmail / inbound email (spam, phishing, content compliance)
  • Onboarding/offboarding basics (Workspace access)

Roles (small-team friendly)

  • Workspace super-admin (Uttam): rare/high-impact changes, emergency recovery, tooling/automation; Gmail/compliance (content compliance rules, Safety settings).
  • Ops Shared Drive admins (Rico, Elizah): day-to-day drive membership changes via the admin group, respond to access requests. Rico can perform Gmail compliance steps if Uttam grants access or does the changes with Rico’s input.

Gmail / inbound security

Goal: Reduce spam and BEC-style phishing to shared addresses (e.g. accounts@brainforge.ai) and all user mailboxes. Rules are applied org-wide so they cover all users and all Google Groups that receive mail.

Where to configure (Admin Console):

  • Safety: Apps → Google Workspace → Gmail → Safety — spam, phishing, malware sensitivity; “Protect against spoofing and phishing.”
  • Content compliance: Apps → Google Workspace → Gmail → Compliance — rules on subject/body/sender/attachments; actions: Quarantine or Reject.

Initial rule examples (apply to entire organization):

  1. Sender domain blocklist: Messages from sender domain (e.g. hella.com, seiha.com) → Quarantine (or Reject once confident).
  2. Subject pattern: Inbound messages with subject containing “Past Due Balance Notice” or “Accounting: Past Due Balance” → Quarantine (review, then consider Reject).

Start with Quarantine so Ops can review; switch to Reject once confident. Add domains or patterns as new threats are reported.
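
The two initial rules above, as an added Python example (not part of the original plan, and not Gmail's own matching engine): it dry-runs the sender-domain blocklist and subject patterns over constructed sample messages, so Ops can see what would be quarantined, including a legitimate customer reply, before switching to Reject. Case-insensitive substring matching and subdomain matching are assumptions of this sketch.

```python
"""Dry-run this plan's two content-compliance rules on sample mail (added example)."""
from email import message_from_string, policy
from email.utils import parseaddr

# Rule values come from this plan. The matching logic is a local approximation
# (case-insensitive "contains"), not Gmail's own engine.
BLOCKED_SENDER_DOMAINS = ("hella.com", "seiha.com")
SUBJECT_PATTERNS = ("past due balance notice", "accounting: past due balance")


def evaluate(raw_message):
    """Return (action, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # Match the blocked domain and its subdomains, but not look-alikes
    # such as notseiha.com.
    for blocked in BLOCKED_SENDER_DOMAINS:
        if domain == blocked or domain.endswith("." + blocked):
            reasons.append(f"sender-domain:{blocked}")
    # policy.default unfolds and decodes the header; collapse whitespace too.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    for pattern in SUBJECT_PATTERNS:
        if pattern in subject:
            reasons.append(f"subject:{pattern}")
    return ("QUARANTINE" if reasons else "DELIVER"), reasons


# Constructed sample messages (not real mail), modelled on subjects named in this plan.
SAMPLES = {
    "group_variant": "From: Customer <customer.sga@seiha.com>\n"
                     "Subject: [accounting] Past Due Balance Notice\n\nbody\n",
    "subject_only": "From: billing@example.net\n"
                    "Subject: PAST DUE  BALANCE NOTICE\n\nbody\n",
    "lookalike": "From: a@notseiha.com\nSubject: Q1 invoice\n\nbody\n",
    # A legitimate reply that quotes the subject is also caught: this is the
    # false-positive class the quarantine review exists for.
    "customer_reply": "From: client@example.org\n"
                      "Subject: Re: Past Due Balance Notice\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, *evaluate(raw))
```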

Owner: Workspace super-admin (Uttam); Rico can execute if granted Gmail admin or equivalent.

Reference: Step-by-step Admin UI: standards/03-knowledge/engineering/setup/google-workspace-gmail-filters.md. Google Help: Content compliance rules, Control delivery by content.

What we did (Gmail filters) — 2026-03

  • Safety hardened: phishing and spoofing protections confirmed/tightened for the org.
  • Content compliance (org-wide): Rules apply to the entire organization (all users and Google Groups, including accounts@, accounting@). Configured:
    • Phishing list — block/quarantine based on Google’s phishing list.
    • Subject rule — messages with subject containing “Past Due Balance Notice” are quarantined (aligned with hella.com- and seiha.com-style attempts).
  • Note: A similar variant targeted accounting@brainforge.ai from customer.sga@seiha.com with subject “[accounting] Past Due Balance Notice”. Consider adding seiha.com to the sender-domain blocklist in Compliance if not already covered.
  • Screenshots: Add Admin Console or email screenshots to gmail-filters-screenshots (e.g. safety-settings.png, compliance-rule.png, phishing-example.png). Reference in this doc with ![Description](gmail-filters-screenshots/filename.png).

What we did (step-by-step)

This is the exact flow used to unblock the immediate ask: “Ops can add members to Shared Drives.”

1) Create an admin Google Group

  1. Go to Google Admin Console: admin.google.com
  2. Create a group (example): brainforge-shared-drive-admins@<your-domain>
  3. Add Rico + Elizah as members (add Uttam as well if desired).

2) Grant that group “Manager” on each Shared Drive

For each Shared Drive (Operations, Sales, Project Management, Clients, Finance):

  1. Go to Google Drive: drive.google.com
  2. Left sidebar → Shared drives
  3. Right-click the drive (or open its menu) → Manage members
  4. Add the admin group (brainforge-shared-drive-admins@<your-domain>)
  5. Set role to Manager

3) Fix: you were blocked on one Shared Drive

Symptom:

  • You opened Shared drive settings and saw: “Only shared drive managers can change these settings.”

Fix (admin path):

  1. Go to Google Admin Console: admin.google.com
  2. Apps → Google Workspace → Drive and Docs
  3. Open Shared drives / Manage shared drives
  4. Find the problem Shared Drive
  5. Add yourself (or the admin group) as Manager
  6. Return to drive.google.com and verify you can now Manage members

Operating model

Access requests (simple)

  • Request channel: Slack #ops (or a single “Access request” Linear issue)
  • Approver: Ops Shared Drive admins (Rico/Elizah) for drive membership; Uttam for Workspace-wide admin changes
  • Implementation rule: Prefer adding people to the correct Google Group, not adding them directly to drives, unless it’s truly one-off.

Shared drive principles

  • Each Shared Drive should have:
    • At least 2 Managers (avoid “one person can’t access it” failures)
    • A clear business owner and ops owner
    • A matching Google Group where it makes sense (e.g. ops@, sales@)

Now / Short-term / Long-term roadmap

Now (done)

  • Create brainforge-shared-drive-admins@<your-domain>
  • Add Rico + Elizah
  • Grant Manager to that group on the key Shared Drives

Short-term (next 1–2 months)

  • Inventory + ownership
    • List all Shared Drives and assign Owner (business) + Owner (ops).
    • Confirm at least 2 Managers per drive (including the admin group).
  • Document access + offboarding
    • Write a lightweight onboarding/offboarding checklist for Workspace access and Shared Drives.
    • Decide where requests live long-term (Slack-only vs Linear “Access request” intake).

Long-term (3–6+ months)

  • Policies
    • Shared Drive naming convention, creation rules, and lifecycle (archive process).
  • Security baseline
    • Keep super-admin list minimal; validate 2SV for admins; periodic review of risky sharing settings.
  • Automation via GAM (optional)
    • Evaluate GAM as a CLI for Workspace admin tasks (users, groups, shared drives, reports, bulk ops).
    • Use it to make EOM checks easier (membership exports, group membership diffs) and to standardize offboarding scripts.
    • If adopted: add a setup guide under standards/03-knowledge/engineering/setup/ and reference it here.

EOM checks (end-of-month)

Run these in the last week of the month (or on the first business day of the next month).

  • Shared Drives
    • Confirm each drive still has at least 2 Managers
    • Review membership on: Operations, Sales, Project Management, Clients, Finance
    • Remove offboarded users
    • Spot-check sharing settings (external access, link sharing defaults) on drives that matter
  • Google Groups
    • Review membership of brainforge-shared-drive-admins@<your-domain>
    • Review any role-based groups that gate access (ops/sales/etc.)
  • Admin/security
    • Review super-admin list (any surprises?)
    • Ensure 2SV is enforced for admins (and enabled for all admins)
  • Gmail
    • Review Gmail compliance rules and quarantine (new threats, false positives)
  • Optional reporting
    • Quick snapshot: total users, key licenses, Shared Drive count
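
One way to script the Shared Drive items of the EOM checklist, as an added Python example that is not part of the original plan: it checks an exported membership list for drives with fewer than 2 Managers, a missing admin group, offboarded users and direct user grants. The CSV column layout, the role labels in the export and the example.com addresses are assumptions; map them from whatever export (Admin Console or GAM) is actually used.

```python
"""EOM Shared Drive membership check over an exported CSV (added example)."""
import csv
import io
from collections import defaultdict

KEY_DRIVES = ["Operations", "Sales", "Project Management", "Clients", "Finance"]
ADMIN_GROUP = "brainforge-shared-drive-admins@example.com"  # placeholder domain


def audit(membership_csv, offboarded):
    """Return sorted (drive, finding) tuples for the Shared Drive EOM checks."""
    managers = defaultdict(set)
    findings = []
    for row in csv.DictReader(io.StringIO(membership_csv)):
        drive, member = row["drive"].strip(), row["member"].strip().lower()
        kind, role = row["type"].strip(), row["role"].strip()
        if member in offboarded:
            findings.append((drive, f"offboarded user still a member: {member}"))
            continue  # do not count a departed account as a Manager
        if role == "Manager":
            managers[drive].add(member)
        elif kind == "user":
            findings.append((drive, f"direct user grant, prefer a group: {member}"))
    for drive in KEY_DRIVES:
        if len(managers[drive]) < 2:
            findings.append((drive, f"only {len(managers[drive])} Manager(s)"))
        if ADMIN_GROUP not in managers[drive]:
            findings.append((drive, "admin group is not a Manager"))
    return sorted(findings)


# Constructed export (columns and addresses are assumptions, not real data).
SAMPLE_CSV = """drive,member,type,role
Operations,brainforge-shared-drive-admins@example.com,group,Manager
Operations,admin1@example.com,user,Manager
Sales,brainforge-shared-drive-admins@example.com,group,Manager
Sales,sales@example.com,group,Contributor
Sales,contractor@example.com,user,Viewer
Project Management,brainforge-shared-drive-admins@example.com,group,Manager
Project Management,admin1@example.com,user,Manager
Clients,brainforge-shared-drive-admins@example.com,group,Manager
Clients,admin2@example.com,user,Manager
Clients,former@example.com,user,Contributor
Finance,admin1@example.com,user,Manager
Finance,admin2@example.com,user,Manager
"""

if __name__ == "__main__":
    for drive, finding in audit(SAMPLE_CSV, {"former@example.com"}):
        print(f"{drive}: {finding}")
```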