Preparing for Upcoming Changes in the Google File Picker
The multiple Google files pickers currently used in Brightspace are now updated to be one file picker. While there is no change to the mechanics of selecting files, features related to account types and permissions are changing.
The updated file picker supports PIE items that Let Students Submit from their Personal Drives (D2792, D1709, D5795, and D5086).
The new file picker supports both personal and Workspace (managed) Google accounts and the new picker includes an account switching option to select between managed and personal accounts if they are both enabled.
Related to this new capability is a redesign of the permissions and enablement steps for these accounts. Prior to this update, the permission to use personal accounts was granted through a single configuration variable; and the permission to use managed accounts was managed through role-based permissions. Now, permissions to use either personal or managed accounts are granted through independent role-based permissions.
With this additional permission granularity, customers may apply IT, document management, or educational policies to file management.
As part of the changes to the personal account permissions, the configuration variable d2l.3rdParty.GoogleDrive.EnableGooglePicker is no longer used as personal workspace access settings are managed by a role-based permission. D2L will perform a one-time migration of settings for customers who did have EnableGooglePicker set to On.
Let us review the various settings to understand what is changing.
Tool
There is a single tool called Google Workspace that must be enabled going forward for any Google File Picker functionality to work.
Permissions
When this tool is enabled, two new permissions called Can add files from a personal Google account and Can add files from managed Google account are available. These permissions control which roles may access Google files to add or link them to Brightspace. These new permissions do not distinguish between add a file or link/embed a file. These actions are considered the same for the purposes of the permission.
Figure: Permission options for Google File Picker.
Migration
Prior to this update, the configuration variable d2l.3rdParty.GoogleDrive.EnableGooglePicker controlled if personal accounts for staff may add links to Google files. This configuration variable will no longer be used.
If this variable was on at the organizational level, then D2L will take the following migration steps:
Enable Google Workspace at this organizational level and at the instance level if it was not already on.
Grant all permissions for Can add files from a personal Google account.
Turn the d2l.3rdParty.GoogleDrive.EnableGooglePicker to Off.
If this variable was off, then D2L will do nothing.
It is important to note that step two of the migration grants more privileges than existed prior to the migration. The customer administration should review permissions following this update to confirm if all roles should be granted this permission.
After the Migration
Customers may modify Google Workspace and associated permissions following the update.
The File Picker
The functionality of selecting files remains unchanged. The same file picker dialog is displayed for adding a file or linking to a file.
Users will notice a new ‘change’ option at the bottom right, which allows them to switch between personal and managed accounts if the permissions are granted.
Figure: Google File Picker displaying inside Google Drive.
Additional Minor Notes
Selecting and adding multiple files is temporarily not possible and will be restored later.
Settings in Google Workspace such as Export as PDF can now be applied to both managed and personal accounts.
There are no changes to existing links or link permissions and there are no changes to files already uploaded.
OAuth2 Permissions
To support Google File Picker for personal accounts, Brightspace will request the following file permissions.
Figure: Google Drive heading with the integration's description.
If these are not granted, the user will not be able to use Google File Picker with personal accounts.
A user may at any time revoke Brightspace’s granted permissions by reviewing and updating the security settings on the user’s personal account. These settings are not part of Brightspace.
Google File Permissions
When a file is shared, Google File Picker will adjust permissions on the file using Google permissions.
If this is a personal file, then Google File Picker will grant view permissions to anyone with the link.
If this is a managed file, then Google File Picker will grant view permissions to anyone in the managed organization.
Detailed Behavior Changes
This is applicable for customers who have both Google File Picker enabled and the Google Workspace integration set up as their users had two file pickers and permission systems in use. After this release, there will be one system: the same drive and one consistent permissions process.
| Before | Notes | After | Notes |
| Workspace Only | Learner can add from their institutional (managed) account only: Assignment - Upload Response Discussions - Add Attachment Quizzes - Add Attachment to Written Response Surveys - Add Attachment to Written Response ePortfolio - Add a file
Instructor can add from their institutional (managed) account only: Discussions - Add Attachment to Topic Announcements - Add Attachments Quizzes - Evaluation Feedback (legacy) - Add Attachment Content (legacy) - Overview - Add Attachment Content (legacy) - Upload (Add file) Activity Feed - Message: Attach
| All users | Learners will be able to select from?their personal accounts (multiple-managed domains as configured in Workspace Administration?or any personal account if allowed by Workspace Permissions): Assignments - Upload Response as file Discussions - Add Attachment as file Quizzes - Add Attachment to Written Response as file Surveys - Add Attachment to Written Response as file Brightspace Editor - Insert Quicklink as link ePortfolio - Add a file
Instructors will be able to select from their personal accounts?(multiple managed domains as configured in Workspace Administration?or any personal account if allowed by Workspace Permissions): Content (Lessons) - Add Existing as link Content (Classic) - Add Existing Activities as link Content (legacy) - Overview - Add Attachment as file Content (legacy) - Upload (Add file) as file Assignments - Upload file Attachment as file Discussions - Add Attachment to Topic as file Quizzes - Evaluation Feedback (legacy) - Add Attachment as file Announcements - Add Attachments as file Activity Feed - Message: Attach
Note: There is no difference in functionality between managed or personal (unmanaged) accounts - just the ability for Administrators to control if personal and/or managed accounts are used on a role-by-role basis. This could allow enforcing instructors to only use official institutional accounts but allow learners the ability to use any account depending on IT or educational policies. |
| Picker Only | Learners can add from one personal or institutional account: Instructors can add from one personal or institutional account: | All Users | Same as above field |
| Homepages > Google Workspace widgets | Google Workspace integration is required | No change | Google Workspace integration is required Google Workspace |
| Insert Stuff > Google File Embed | LTI integration is required | No change | LTI integration is required Google LTI Integrations |
Automated Permission and Configuration Changes
| Scenarios | Customers not using Google File Picker and not using Google Workspace Integration | | Customers not using Google File Picker and using Google Workspace | | Customers using Google File Picker and not using Google Workspace | | Customers using Google File Picker and using Google Workspace | |
| | Before | After | Before | After | Before | After | Before | After |
| Users | No functionality | No change | Only one managed account was used | Multiple managed accounts supported | One personal account could be easily used. Note: users could sign in and authenticate with their official account but there were no controls to enforce this. | Multiple personal accounts | Users could have one personal account in some locations and one managed in others depending on the tool and methods used. | Multiple managed and personal accounts |
| Automated Permission Changes | | None | | Allow personal permission is not enabled for any role | | Allow personal permission is automatically granted for all roles as personal accounts can be used by any user. | | Allow managed will not be changed and will respect existing settings. Allow personal permission is automatically granted for all roles as personal accounts can be used. |
| Role Review Recommendations | | Option to allow personal or set up Google Workspace to control access to managed accounts. | | Option to allow personal account use per role is now available. | | Review all roles with personal permissions as there is now control available to limit each role. Review all roles and determine if managed accounts could be set up using Google Workspace. | | Review all roles and determine if managed or personal accounts mix based on your IT or educational policy. |
