Unable to share subfolder after main folder transfer

Problem

You notice that after transferring ownership of a main folder, not all of the nested folders are affected by the change.

Environment

  • Drive
  • Drive data

Solution

If a subfolder's permissions were changed manually, a later change to the main folder does not propagate to that subfolder.
Only nested folders that did not have manual changes pick up the ownership change applied to the main folder.

Cause

Positive and negative ACLs

Adding permissions and removing permissions result in different propagation behavior.

Imagine the following scenario. For the folder hierarchy A/X:

   A ~ {Bob:Owner, Anne:Writer}
   A/X ~ {Bob:Owner, Anne:Writer}
 
The removal of Anne:Writer from folder A can result in two situations:
 
Situation 1:
   A ~ {Bob:Owner}
   A/X ~ {Bob:Owner}

OR
 
Situation 2:
   A ~ {Bob:Owner}
   A/X ~ {Bob:Owner, Anne:Writer}
 
Even though the user does the exact same thing in both cases, you have two different results.
Situation 2 occurs because the permission A/X ~ {Anne:Writer} was set explicitly on A/X. In situation 1, on the other hand, the permission A/X ~ {Anne:Writer} was inherited from its parent. Note that explicitly adding A/X ~ {Anne:Writer} is persistent, whereas removing A/X ~ {Anne:Writer} makes the permissions match Situation 1.

Negative ACL and its effect on inherited ACLs

Imagine the following scenario for the folder hierarchy A/B/X.txt:

 A ~ {Bob:Owner}
    B ~ {Bob:Owner}
            X.txt ~ {Bob:Owner}

Now Bob adds Anne:Writer to folder B

 A ~ {Bob:Owner}
    B ~ {Bob:Owner, Anne:Writer}
            X.txt ~ {Bob:Owner, Anne:Writer} //X.txt inherits this permission

Now Bob removes Anne:Writer from the file X.txt

 A ~ {Bob:Owner}
    B ~ {Bob:Owner, Anne:Writer}
            X.txt ~ {Bob:Owner} //A negative ACL is added to X.txt

Now Bob adds Anne:Writer to folder A

 A ~ {Bob:Owner, Anne:Writer}
    B ~ {Bob:Owner, Anne:Writer}
            X.txt ~ {Bob:Owner}

Anne’s write access does not propagate down to X.txt because a negative ACL was already added to the file and negative ACLs are persistent. To resolve this issue, you’ll need to remove the negative ACL from the object. This can be accomplished by adding a positive ACL back to the object, or you can copy the object and it will inherit all the sharing permissions of its parent folder.
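
The two walkthroughs above can be replayed with a small model, which also lists the objects that will not follow a change made on their parent. This is an added example, not Google's code: the `Node` class, its `positive` and `negative` fields and `find_overrides` are hypothetical names, and the inheritance rule is a simplified assumption that treats every entry, including Owner, as inheritable.

```python
# Simplified model of the propagation rules described above. It is an
# assumption for illustration, not Google's implementation.
class Node:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, []
        self.positive = {}     # principal -> role granted explicitly here
        self.negative = set()  # principals whose inherited access was removed here
        if parent:
            parent.children.append(self)

    def add(self, principal, role):
        """Explicit grant: stores a positive ACL and clears any negative ACL."""
        self.negative.discard(principal)
        self.positive[principal] = role

    def remove(self, principal):
        """Drops an explicit grant; if access is still inherited, a
        persistent negative ACL is recorded instead."""
        self.positive.pop(principal, None)
        if self.parent and principal in self.parent.effective():
            self.negative.add(principal)

    def effective(self):
        """Inherited entries, minus negative ACLs, plus explicit grants."""
        acl = dict(self.parent.effective()) if self.parent else {}
        for principal in self.negative:
            acl.pop(principal, None)
        acl.update(self.positive)
        return acl

def find_overrides(node):
    """Audit: descendants whose local entries will not follow the parent."""
    found = []
    for child in node.children:
        if child.positive or child.negative:
            found.append((child.name, dict(child.positive), set(child.negative)))
        found.extend(find_overrides(child))
    return found

def negative_acl_scenario():
    """Replays the A/B/X.txt walkthrough; returns X.txt's ACL after each step."""
    a = Node("A"); b = Node("B", a); x = Node("X.txt", b)
    a.add("Bob", "Owner")
    steps = []
    b.add("Anne", "Writer"); steps.append(x.effective())  # inherited from B
    x.remove("Anne");        steps.append(x.effective())  # negative ACL on X.txt
    a.add("Anne", "Writer"); steps.append(x.effective())  # still blocked
    overrides = find_overrides(a)
    x.add("Anne", "Writer"); steps.append(x.effective())  # positive ACL restores
    return steps, overrides
```

Running `find_overrides` on a folder before removing access at the top shows which descendants carry persistent entries and therefore need to be changed individually.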

Positive ACL can be affected by default permission settings in the Admin console

The following scenario causes positive sharing permissions to be applied to every sub-folder and sub-sub-folder in a given domain.

If the default Link Sharing setting in the Admin console is set to On - Anyone at the domain with the link, newly created folders have a positive ACL for the domain-wide link sharing permission. So even if you remove this permission on a parent folder, the positive domain-wide view permission persists on its children.

In this case, the only permission change that propagates down from the parent folder to the child folders is a change to the access level on the parent folder (e.g. making the folder public).

As a workaround, you can change the permissions on each sub-folder and file by making multiple selections and then changing the sharing permissions on the files/folders that you have selected.