Shared Mailbox and Drive Access Review
Example prompt: "Every quarter, look at who has access to our shared mailboxes and shared drives, flag anyone who has left or moved teams, and draft a revocation list for each owner to confirm before I take anything away."
The Problem
Shared mailboxes and shared drives accumulate members the way coats accumulate on a coat rack. Somebody is added to the support@ alias because they were covering during a holiday; the cover ends and the membership stays. A finance shared drive ends up with a salesperson who joined a project committee three years ago. The owner of the resource almost never reviews the membership because nobody flags it to them, and the only time access gets pruned is when audit asks for a list and the owner panics. The risk is not theoretical: confidential email threads land in the inbox of someone who should not see them, and confidential documents stay visible to a former teammate.
How GloriaMundo Solves It
We build a workflow that runs once a quarter. An integration step pulls every shared mailbox alias and shared drive from Google Workspace along with its current member list and its registered owner. A code step joins the membership against the active staff directory and the team-membership register and classifies each member: still in the right team (keep), no longer at the company (revoke), changed teams (review), or never recorded against this resource (review). For each shared mailbox or shared drive, an LLM step drafts a short message to the owner — the resource name, the count of keep / revoke / review entries, the names in each band, and a one-paragraph note on the highest-risk items. An integration step sends the draft to the owner with a deadline to confirm or amend the revocation list, and on the deadline date a conditional step posts a single summary in #it-security with the resources where the owner confirmed, the resources where the owner asked for changes, and the resources where the owner did not reply. Glass Box preview shows the membership classifications and the drafted messages before anything is sent.
Example Workflow Steps
- Trigger (scheduled): First working day of the quarter at 09:00, with a follow-up sweep two weeks later for owners who have not replied.
- Step 1 (integration): Pull the list of shared mailbox aliases and shared drives from Google Workspace with each resource's current member list and the registered owner.
- Step 2 (integration): Read the active staff directory and the team-membership register from Google Sheets or the HRIS.
- Step 3 (code): Join each member against the directory and the team-membership register and classify them as keep, revoke (left the company), or review (changed teams or not recorded).
- Step 4 (LLM): For each resource, draft a short message to the owner — name of the resource, counts in each band, names in each band, and a one-paragraph note on the highest-risk items.
- Step 5 (integration): Send the draft to the owner via Gmail or Slack DM with a clear deadline to confirm or amend.
- Step 6 (conditional): On the deadline date, branch on owner response — confirmed (queue revocations), amended (apply the owner's amendments), or no reply (flag to the IT lead and security lead).
- Step 7 (integration): For confirmed and amended revocations, remove the listed members from the shared mailbox or shared drive, and post a single summary in #it-security with the resources processed and the resources still pending owner reply.
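A sketch of the Step 3 join, added here as an illustration and not GloriaMundo's own code. The data shapes are assumptions: the directory maps each active staff email to a current team, and the register maps a (resource, email) pair to the team recorded for that access; all sample data is constructed.

```python
from collections import defaultdict

def norm(email):
    """Directory exports and member listings often differ in case/whitespace."""
    return email.strip().lower()

def classify_member(resource, email, directory, register):
    """Return (band, reason) for one member of one resource.

    directory: {email: current_team} for ACTIVE staff only (assumed shape).
    register:  {(resource, email): team recorded for that access} (assumed shape).
    """
    email = norm(email)
    if email not in directory:
        return "revoke", "not in active staff directory"
    recorded_team = register.get((resource, email))
    if recorded_team is None:
        return "review", "never recorded against this resource"
    if recorded_team != directory[email]:
        return "review", f"changed teams: {recorded_team} -> {directory[email]}"
    return "keep", "still in the recorded team"

def build_review(memberships, directory, register):
    """Group classified members per resource, ready for the owner-facing draft."""
    directory = {norm(e): t for e, t in directory.items()}
    register = {(r, norm(e)): t for (r, e), t in register.items()}
    review = defaultdict(lambda: {"keep": [], "revoke": [], "review": []})
    for resource, members in memberships.items():
        for email in sorted({norm(m) for m in members}):  # de-duplicate listings
            band, reason = classify_member(resource, email, directory, register)
            review[resource][band].append((email, reason))
    return dict(review)

# Constructed sample data (not from the page).
MEMBERSHIPS = {
    "support@example.com": ["Ana@example.com", "ben@example.com", "cy@example.com"],
    "finance-drive": ["dee@example.com", "eli@example.com", "ana@example.com"],
}
DIRECTORY = {"ana@example.com": "support", "cy@example.com": "sales",
             "dee@example.com": "finance", "eli@example.com": "sales"}
REGISTER = {("support@example.com", "ana@example.com"): "support",
            ("support@example.com", "ben@example.com"): "support",
            ("support@example.com", "cy@example.com"): "support",
            ("finance-drive", "dee@example.com"): "finance",
            ("finance-drive", "eli@example.com"): "finance"}

if __name__ == "__main__":
    for resource, bands in build_review(MEMBERSHIPS, DIRECTORY, REGISTER).items():
        print(resource, {band: [e for e, _ in rows] for band, rows in bands.items()})
```

With these shapes, any address missing from the directory lands in the revoke band, including external addresses and nested groups, so the reason string is carried through for the owner to check before confirming.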
Integrations Used
- Gmail / Google Drive — the source of truth for shared mailbox aliases and shared drive membership, and where the owner-facing draft is sent; also where revocations are applied
- Google Sheets — the team-membership register used to classify each member
- Slack — the deadline-reminder DM to the owner and the security-lead summary at the end of the cycle
Who This Is For
Security leads and IT operations leads at companies of a hundred to a few hundred staff with a handful of shared mailboxes and a dozen or more shared drives, where the owners are line-of-business staff rather than IT and where the only way to get a proper review done historically has been to corner each owner one at a time.
Time & Cost Saved
A manual quarterly review across a dozen resources is half a day of work for the IT lead and another fifteen minutes per resource for each owner, and the result is usually that the owners never quite get round to it. This workflow does the membership listing, the join, and the drafting; the owner spends two minutes confirming a list rather than thirty minutes building one. The security value is not really the time saving; it is the much smaller standing population of people with access they should no longer have.