Re your point 2
You are heading in the same direction my company has gone. We have the equivalent of your 'Central System' as a Username, and have created three folders on its Drive - WORK, REFERENCE, EXTERNAL USERS - and shared them with our Sysadmin. Sysadmin shared WORK with Users on an Edit basis and our users built a sub-folder structure for our company to hold all our working files. Sysadmin shared REFERENCE with most Users on Read basis but with some Users granted Edit rights so they could create and maintain the folder/file structure for policy documents, manuals etc.
WORK is shared Edit and REFERENCE is shared Read to new starters as part of the User setup process and new Users immediately acquire inherited rights to all the contents of these folders.
For leavers, we change the User password immediately, use administration advanced tools to transfer ownership to their manager/colleague for any files/folders they may have created and then unshare them from WORK and REFERENCE.
We have not made WORK or REFERENCE to be the Owner of the sub-folders and documents which they contain because it would require that only someone logged into Central System would be able to delete them. We simply use our own version of Central System to provide a unified data structure for our Users. The Users each retain the 5 GB of non-Gdocs storage space which is shared with other Users through WORK and REFERENCE.
We collaborate with external organisations and use EXTERNAL USERS as a portal. For example, our Auditors want access to some of the data on our system. We created a sub-folder AUDITACCESS in the EXTERNAL ACCESS folder and granted our auditors' gmail accounts Read access to AUDITACCESS. We then use the Organise function to give them a View towards the files and folders which they need to access (but remember to hold the CTRL key down when you use the Organise function). This allows us to un-Organise files and folders, if necessary, since they are all listed in the AUDITACCESS folder and to un-share AUDITACCESS with our auditors' email accounts, if necessary.
Hope this will give you a few ideas for organising your own system.
Giving edit access to Google Drive documents is sufficient. The way these files work, once they are shared with a user, the file will appear in their "Shared with me" list.
If they remove or delete a file from this list, it will not remove the document from any other user's list, nor will it destroy the file. Only the owner can trash a document.
Learn more about trashing documents here: http://support.google.com/drive/bin/answer.py?hl=en&answer=2494934&p=restore_trash_collab
If the owner trashes a document, they can get it back from their Trash folder:
Learn how to recover a file or folder that you moved to the trash.
If something in Google Drive is moved to the trash, you'll see a warning and you may lose access to it at any time. Read one of the following sections to learn how to restore it to your Google Drive from the trash. When you restore something, it'll be recovered in Google Drive on the web, to the Google Drive folder on your computer, and to your mobile devices.
If the item is in a folder, you’ll need to restore the entire folder to recover any individual items inside of it.
Owners
If you're the owner of something and you’ve placed it in the trash, you'll see a warning that reads "This item is in your trash" when you open the doc or file.
If you’d like to restore a doc or file to your Google Drive:
Search for it in the Trash. Select the file(s) or doc(s) you’d like to recover. Click the Restore button.
Folders and file structures behave the same way: if regular editors remove these, they will disappear from their "Shared with me" list, but it only affects them, not the rest of the collaborators.
Best Answer
Google Apps does not natively support reporting on who has access to what in Google Drive. The report you are looking for is possible through a Google Apps script.
As you probably know, from the Reports section of your Google Apps admin panel, you will be able to tell how many files are externally visible. If you are on the Google Apps Unlimited or Google Apps for Education license, you will have access to a Drive audit log, from which you may be able to generate a report based on sharing events. This could be cumbersome.
If you have a $30 to $40 USD budget, you can either procure the Drive Audit Google Sheet Add-on or the Drive Privacy script from tech blogger Amit Agarwal and produce the report.
A free option based on Stefan Lasiewski's suggestion below is to try whohasaccess.com. The app requires "View and manage the files in your Google Drive" permissions, among other simpler permissions.
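The "who has access to what" report discussed in the answer above, as an added example that is not part of the original answers or of any tool they name. It assumes file records shaped like Drive API v3 `files.list` output with the `permissions` field, and `example.com` as the organisation's domain; the sample records and function names are constructed for illustration.

```javascript
// Added example: sharing report over Drive API v3-style file records.
// SAMPLE_FILES is constructed data; names and addresses are made up.
const SAMPLE_FILES = [
  { id: "f1", name: "Budget.xlsx", permissions: [
    { type: "user", role: "owner", emailAddress: "central@example.com" },
    { type: "user", role: "writer", emailAddress: "alice@example.com" },
    { type: "user", role: "reader", emailAddress: "auditor@gmail.com" } ] },
  { id: "f2", name: "Handbook.pdf", permissions: [
    { type: "user", role: "owner", emailAddress: "bob@example.com" },
    { type: "domain", role: "reader", domain: "example.com" } ] },
  { id: "f3", name: "Flyer.png", permissions: [
    { type: "user", role: "owner", emailAddress: "Alice@Example.com" },
    { type: "anyone", role: "reader" } ] },
  { id: "f4", name: "NoPerms.txt" }  // permissions omitted: caller cannot see the ACL
];

// Decide whether one permission entry reaches outside orgDomain (assumed parameter).
function isExternal(perm, orgDomain) {
  const org = orgDomain.toLowerCase();
  if (perm.type === "anyone") return true;  // public or anyone-with-link
  if (perm.type === "domain") return (perm.domain || "").toLowerCase() !== org;
  const email = (perm.emailAddress || "").toLowerCase();
  const at = email.lastIndexOf("@");
  if (at < 0) return true;                  // unknown principal: treat as external
  return email.slice(at + 1) !== org;
}

// One row per (file, principal): who holds which role, and whether it is external.
function buildAccessReport(files, orgDomain) {
  const rows = [];
  for (const file of files) {
    if (!Array.isArray(file.permissions)) {
      rows.push({ file: file.name, principal: "(ACL not visible)", role: "unknown", external: null });
      continue;
    }
    for (const perm of file.permissions) {
      const principal = perm.emailAddress || perm.domain || perm.type;
      rows.push({ file: file.name, principal, role: perm.role, external: isExternal(perm, orgDomain) });
    }
  }
  return rows;
}

// Files with at least one external principal, for review or unsharing.
function externallyShared(files, orgDomain) {
  const names = buildAccessReport(files, orgDomain).filter(r => r.external === true).map(r => r.file);
  return [...new Set(names)];
}

console.log(externallyShared(SAMPLE_FILES, "example.com"));
```

Files whose ACL is not visible to the account running the report are listed with `external: null` rather than silently dropped, so they can be checked by the owner.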