Most accidental leaks come from the wrong link type or overly-broad permissions. A link that doesn't expire combined with "Anyone with link" means open doors that last forever. The right defaults - private, named people, view-only links, short expiries - stop mistakes without breaking collaboration.

This guide shows you exactly how to configure expiry links and permission models in Google Drive, Microsoft OneDrive (SharePoint), and Dropbox - both as a regular user and as an admin - and how to apply the same decision rules across platforms.

Quick Decision Rules (Always Apply These First)

  1. Default to private → share to named people / groups.
  2. If you must use a link, use view-only + sign-in required.
  3. Set an expiry (short) for temporary access (contractors, reviewers).
  4. Don't store secrets in shared docs - use a shared vault. For the full small-team checklist including shared vaults, contractor onboarding, and monthly routine, see our Home Office Security guide.

Google Drive

User: Create a link with expiry & restricted access

  • Open Drive → right-click file/folder → Share.
  • In the Share dialog, under Get link, click Change to anyone with the link only if you must - otherwise leave Restricted.
  • To share with specific peopletype their email → set permission (Viewer / Commenter / Editor) → Send.
  • To set expiryshare with a specific person, then click the person's name → Add expiry (choose date). If you don't see expiry, ensure you're a Workspace user (personal accounts may not have expiry).
  • Require sign-inKeep the setting Restricted or when using link sharing choose Anyone with the link but Sign in required (Enterprise/Workspace setting).
  • AuditFile → Manage versions / Activity dashboard to see access history.

Quick tip: For contractors, share a folder to a group (e.g., Contractors@yourdomain) that expires and is removed on contract end.

Admin: Enforce safer defaults (Workspace Admin Console)

  1. Console → Apps → Google Workspace → Drive and Docs → Sharing settings.
  2. Set Link sharing default to Off/Restricted. Disable "Anyone with link" by default.
  3. Under External sharing options, restrict external sharing to whitelisted domains or block downloads for external viewers.
  4. Use Access checker and Drive audit logs (Reports → Audit) to surface files with "Anyone" links.
  5. Enable Data Loss Prevention (DLP) policies for sensitive data types.

Microsoft OneDrive & SharePoint

User: Create expiring links & choose permission model

  1. In OneDrive/SharePoint, select file/folder → Share.
  2. Click the link settings (pencil icon) → choose People you specify (most secure) or People in your organization. Avoid Anyone unless public.
  3. Set expiry: in the link settings, choose Set expiration → pick a date.
  4. Set Allow editing toggles depending on need (turn off for view-only).
  5. For sensitive content, Require sign-in is default if you choose People you specify or People in organization.
  6. Check permissions via Details → Manage Access to see who has access and remove unwanted users.

Admin: Tenant controls (Microsoft 365 admin center)

  1. Admin center → SharePoint/OneDrive admin → Sharing.
  2. Configure default link type (People in organization / People with existing access / People you specify).
  3. Set external sharing restrictions (block specific domains or allow only whitelisted domains).
  4. Set link expiration policy and maximum expiry length.
  5. Use Audit log search & Access Reviews (Azure AD) to remove stale external users.

Dropbox

User: Set expiry & restrict access

  1. In Dropbox web, hover a file/folder → Share → Create link or edit existing link → Link settings.
  2. Select Who can view: People with link / Only invited people. Choose Only invited people if possible.
  3. In Link settings, set Expiration and toggle Only people with the password (optional) or Only people invited and disable downloads if you want view-only.
  4. Add people by email for named access and assign Can view / Can edit.

Admin: Team settings & security controls

  1. Dropbox Admin Console → Settings → Collaboration → default link settings: force "Only people invited" or require team member sign-in for links.
  2. Set maximum expiration window and disable "anyone" links by default.
  3. Enable Event logs and Data residency / Content Compliance features for enterprise retention.
  4. Use admin tools to run shared link reports for files with external or public links.

Cross-Platform Best Practices

  • Never share secrets in docs: use a shared vault/password manager for API keys & credentials.
  • Set expiries for temporary access (contractors, reviewers) and automate removal when possible.
  • Prefer groups over individuals for team grants; rotate group membership.
  • Require sign-in for links and restrict domain access where possible.
  • Use audit logs & scheduled reviews: monthly check for files with "anyone" or external links.
  • Train teams on the 30-second pre-share rule (Who? Why? How long?) and enforce it with templates and shortcuts.

Admin Playbook & Sample Policies

Policy snippets

  • Default link settingRestricted/People in organization (no anonymous links).
  • ExpiryMaximum 30 days for contractor links; 7 days for external reviewers where practical.
  • External domainswhitelist partner domains; block disposable email domains for sharing.
  • DLPblock uploads/shares containing PII across public links.

Automation suggestions

  • Weekly script/report: list files with "Anyone" or external links + owner + risk score (via Risk Checkup).
  • Alert: generate a ticket for files with "Anyone" links older than 30 days.

Sample Communication Template

When you must share publicly, use this template in the share message:

"Sharing access to [file] for review. It's view-only, requires sign-in, and will expire on [date]. If you need edit access, reply and we'll add you as an editor. Please don't download or redistribute."

This sets expectations and reduces accidental redistribution.

Simple Settings, Big Impact

Setting the right permission model and using expiries are simple, high-impact tactics. Adopt the 30-second pre-share rule (Who? Why? How long?), run a monthly audit to keep shares safe, and automate auditing where you can. Use Ivy's Risk Checkup to prioritize risky files and accounts.

For the underlying seven rules and platform-agnostic principles - private defaults, named access, expiries, secrets in vaults, and monthly audit routine - see our Share Files Safely guide.

Start with the checklist and an audit at getivy.ai/share-files-safely.