Overview
Google is changing how permissions work in Google Drive. Starting mid-February 2026, permissions will always cascade from parent folders to all children, and the ability to selectively restrict or remove inherited permissions on individual items is being removed.
This article explains what's changing, how it affects your migrations, and what you can do to prepare.
What Google is Changing
The Technical Change
Google is enforcing expansive access in Google Drive. This means:
- When a user has access to a parent folder, that access automatically cascades to all child folders and files
- The ability to selectively restrict or remove inherited permissions on individual items is being removed
- The "Update item only" and "Remove from item" options are no longer available
Why Google Made This Change
Google's user research found that hidden folders caused confusion. Users reported inconsistent experiences where some team members could see items in a folder while others could not, with no clear indication of why.
Google's solution is to make restricted items visible but inaccessible — users can see that a folder exists (it appears greyed-out) but cannot open it or access its contents.
Google's Solution: Limited Access Folders
For scenarios where you need to restrict access to a subfolder, Google provides Limited Access folders. These folders:
- Break permission inheritance from the parent
- Appear greyed-out to users who don't have direct access
- Block access to contents while preserving folder hierarchy visibility
- Are controlled via the
inheritedPermissionsDisabledproperty in the Drive API
How This Affects Migrations to Google Drive
Source Platforms with Restrictive Permissions
Many source platforms support permission structures where users have access to a parent folder but are excluded from specific child folders or files:
| Source Platform | Common Restrictive Pattern |
|---|---|
| Microsoft 365 | SharePoint "broken inheritance" — child items with different permissions than parent |
| Windows File System | NTFS "Deny" ACEs or disabled inheritance on subfolders |
| Dropbox | Members removed from child folders within a shared folder or Team Space |
| Box | Rare — Box's waterfall model generally prevents this pattern |
What Happens During Migration
When CloudM Migrate detects these restrictive permission patterns, it uses Google's Limited Access feature to preserve your access controls:
- Parent folder permissions are applied normally
-
Restricted child folders have
inheritedPermissionsDisabledset totrue - Direct permissions are applied to the restricted folder for users who have access
- Excluded users see the folder as greyed-out but cannot access it
File-Level Restrictions: Wrapper Folders
Google's Limited Access feature only applies to folders, not individual files. When a file has more restrictive permissions than its parent folder, CloudM creates a wrapper folder:
- A folder is created with the naming pattern
_[filename].[extension]/ - The restricted file is moved into this wrapper folder
- Limited Access is applied to the wrapper folder
- Users with access see the file normally; excluded users see the wrapper folder greyed-out
Example:
Before migration (SharePoint):
/Projects/
├── Public-Report.docx (all users)
└── Confidential-Budget.xlsx (restricted to Finance team)
After migration (Google Drive):
/Projects/
├── Public-Report.docx (all users can access)
└── _Confidential-Budget.xlsx/ ← Wrapper folder (greyed-out to non-Finance)
└── Confidential-Budget.xlsx
What Users Will See After Migration
Folders with Restricted Access
| User Type | What They See |
|---|---|
| Users with access | Folder appears normally, full access to contents |
| Users without access | Folder appears greyed-out, cannot open or access contents |
Files with Restricted Access
| User Type | What They See |
|---|---|
| Users with access | Wrapper folder appears normally, file accessible inside |
| Users without access | Wrapper folder appears greyed-out, cannot access file |
Key Points
- Access controls are preserved — users who couldn't access an item before still cannot access it
- Visibility has changed — folder and file names are now visible to users who previously couldn't see them
- Folder hierarchy is preserved — users can see where content sits in the structure, even if they can't access it
Preparing for Migration
Step 1: Run the Environment Scan
CloudM Migrate includes an Environment Scan that detects folders and files with restrictive permissions (negative ACLs). This scan:
- Identifies all items where users are excluded or have reduced access compared to the parent
- Shows you which folder and file names will become visible after migration
- Provides results in the UI and as a CSV export
- Supports all source platforms: Microsoft 365, Windows File System, Dropbox, and Box
We recommend running this scan before migration to review potentially sensitive items.
Step 2: Review Sensitive Item Names
If your organisation has folders or files with sensitive names that you don't want visible to excluded users, consider renaming them at the source before migration.
Examples of potentially sensitive names:
/HR/Redundancy-Plans-2026//Finance/Salary-Review-JohnSmith.xlsx/Legal/Lawsuit-ClientName/
After migration, these names would be visible (though the contents remain inaccessible) to users who were previously excluded entirely.
Step 3: Communicate to Your Users
Prepare your users for the visibility change. Key points to communicate:
- Some folders may appear greyed-out — this means they don't have access
- This is Google's new standard behaviour, not an error
- Access controls haven't changed — if they couldn't access something before, they still can't
- The folder structure is now more visible to help users understand where content is located
Step 4: Test Before Full Migration
We recommend testing the migration with a subset of non-production data first to:
- See how restricted folders appear in the destination
- Verify that access controls are correctly preserved
- Identify any unexpected visible items
Shared Drive Considerations
When migrating to Shared Drives, there are additional considerations.
Manager Visibility
Managers (organisers) will always see Limited Access folders as greyed-out. This is a Google platform behaviour that cannot be changed.
| User Role | Limited Access Folder Visibility |
|---|---|
| Manager (Organiser) | Always visible (greyed-out) |
| Content Manager | Greyed-out if excluded |
| Contributor | Greyed-out if excluded |
| Viewer | Greyed-out if excluded |
For most organisations, this only affects a small number of administrative users.
Permission Placement Settings
When migrating to a Shared Drive, CloudM Migrate provides two settings that control where permissions are applied:
- Shared Drive Folder Permissions — controls where folder permissions are applied (Folder, Root, or None)
- Shared Drive File Permissions — controls where file permissions are applied (File, Root, or None)
| Option | Behaviour | Best For |
|---|---|---|
| Folder / File | Permissions are applied to each individual folder or file. Each item's permissions match the source exactly. | Most migrations — produces the most accurate permission mapping |
| Root | The top-level source folder's permissions are applied to the Shared Drive root. Due to Google Drive's expansive access model, these permissions cascade to all content in the drive, establishing each user's minimum access level. Subfolder permissions can grant additional access above this baseline but cannot restrict below it. | When the top-level folder's permissions represent the access level you want across the entire drive |
| None | Permissions are not applied for that item type. | When permissions are managed manually or via other means |
Recommended: Use Folder for folder permissions and File for file permissions. This produces the most accurate permission mapping where each item's access matches the source platform.
Timeline
| Date | Event |
|---|---|
| 11 February 2026 | CloudM Migrate update released |
| Mid-February 2026 | Google enforces change — affects all other tools and manual processes |
| 11 Feb – 14 March 2026 | CloudM grace period — upgrade window for customers |
| 15 March 2026 | CloudM grace period ends — upgrade required to continue migrations |
CloudM Grace Period
Google has granted CloudM a grace period until mid-March 2026. This means:
- Other migration tools and manual processes are affected immediately in mid-February
- CloudM customers have additional time to upgrade and prepare
- After 15 March 2026, the updated version is required to migrate to Google Drive
Frequently Asked Questions
General Questions
Q: Is this a CloudM decision?
A: No. Google is enforcing this change to Drive's permission model. CloudM is using Google's recommended Limited Access feature to preserve your access controls.
Q: Will users be able to access content they couldn't access before?
A: No. Access controls are unchanged. The only difference is visibility — users can now see that restricted folders exist (greyed-out) but still cannot access them.
Q: Why are folder names visible to users who can't access them?
A: Google's new model shows restricted items as greyed-out rather than hiding them completely. Google's user research found that hidden items caused confusion; visible-but-inaccessible items provide clearer feedback.
Q: Can we keep the old behaviour where restricted folders are hidden?
A: No. Google is removing this capability from the Drive API. The Limited Access approach (greyed-out folders) is the only supported method going forward.
Technical Questions
Q: What are the wrapper folders with underscore prefixes?
A: These are synthetic folders created for files with unique restrictive permissions. Google's Limited Access feature only applies to folders, not files, so we create a wrapper folder to hold the restricted file.
Q: Will wrapper folders affect my folder structure?
A: Wrapper folders are only created when a file has more restrictive permissions than its parent folder. The original file is moved inside the wrapper. Users with access will see the file in a subfolder; users without access will see the wrapper folder greyed-out.
Q: How do delta migrations handle permission changes?
A: If permissions change between migration runs:
- User regains access → File moved back to original folder, Limited Access removed if no longer needed
- User loses access → Limited Access applied or wrapper folder created
Q: Does this affect Google-to-Google migrations?
A: No. Google handles internal migrations differently. This change only affects migrations from external platforms (M365, WFS, Dropbox, Box) to Google Drive.
Q: What do the Shared Drive Folder/File Permission settings do?
A: When migrating to a Shared Drive, these settings control where permissions are applied. Folder/File applies permissions to each individual item (recommended — most accurate). Root applies the top-level folder's permissions to the Shared Drive root — these cascade to all content in the drive due to Google's expansive access model, establishing each user's minimum access level. None skips permission application for that item type. See the Shared Drive Considerations section above for details.
In-Flight Migration Questions
Q: I've already migrated some users on the previous version. Do I need to start over?
A: No. You do not need to start the migration from scratch. Upgrade to the new version and run a delta migration. All restricted folders will be automatically patched to use Limited Access during the delta. Restricted files will only be reprocessed and placed into wrapper folders if they have changed at the source.
Q: Will restricted items be exposed to users during the upgrade?
A: There is a potential exposure window. Items migrated with negated permissions on the previous version will lose those restrictions when Google enforces the change. During the CloudM grace period (until 1st April 2026), the previous API behaviour is maintained, reducing this risk. We recommend upgrading and running a delta as early as possible to minimise any window.
Preparation Questions
Q: How can I identify which items will be affected?
A: Run the Environment Scan in CloudM Migrate. It detects all folders and files with restrictive permissions and provides results in the UI and as a CSV export.
Q: What should I do about sensitive folder names?
A: Review the Environment Scan results and rename any items with sensitive names at the source before migration. After migration, those names will be visible to excluded users.
Q: Do I need to upgrade immediately?
A: CloudM customers have until 15 March 2026 (grace period). However, we recommend upgrading early to allow time for testing and preparation.
Q: How does this impact each different source platform?
A: Please review the below article for each source platform.
Google Drive Permission Changes - File System to Google Workspace
Google Drive Permission Changes - Microsoft 365 to Google Workspace
Google Drive Permission Changes - Box to Google Workspace
Google Drive Permission Changes - Dropbox to Google Workspace
Additional Resources
- Google Workspace Updates: Updating the access experience in Google Drive
- Google Drive API: Manage folders with limited and expansive access