Understanding user management is one of the first essential steps in designing a secure and productive work environment on

When you combine a well-designed user schema with a thoughtful folder hierarchy, the result is a powerful and secure digital organization ready to scale to meet any enterprise needs.

Globally Unique Usernames

The platform is multi-tenant and, by default, requires that all usernames across all sites be unique.

If you need to use a user naming convention or have other requirements that mean you need to create user names that may exist in other sites on the platform, you can set up a custom user namespace by:

  1. setting up a custom domain for your site 
  2. toggling the site-wide setting at Settings > Users > User Settings > Globally Unique Usernames to "No, this site is using a custom namespace".

A note on disabling Globally Unique Usernames

If you have disabled Globally Unique Usernames (either through the setting or by setting up a custom domain for your site) and you are using a single sign-on (SSO) provider, you must first disable your SSO integration before you can enable Globally Unique Usernames. This means you must first edit every username associated with an SSO provider to change its authentication method.

Requiring That Groups be Used for All Permission Assignment

To ensure consistency in how your site is applying permissions, it is possible to require all Permissions to be assigned only to Groups, and not to individual users.

With this feature enabled, you can ensure that a group permission framework is followed, and no one - whether accidentally or purposely - grants users individual permissions.

Site administrators can enable this feature under Settings > Groups > Group Settings > Manage all permissions via groups. This setting requires the Power or Premier plan.

Enabling this setting will not remove permissions previously granted to individual users.

Prerequisites prior to creating users

Before you add users, you’ll need to have a folder ready for them and, possibly, configure some global site settings before your users log in.

We recommend the following process:

  • Configure your site
  • Create a folder for the user
  • Create the user

Configuring Your Site 

This step is optional, and you're not required to configure anything in your site before moving on to the next step.

However, when your users log in, they’ll interact with your site and you may want to apply some visual branding to it or apply some limitations and restrictions so that users cannot upload content that you wish to prohibit.

At a minimum, you may want to apply some branding, such as your logo and corporate color scheme, and define a folder structure as a “landing zone” for your users.

Creating folders for your users

Your users will require a “home folder” so that, once they log in, they have a place where they can upload and download files. You can create any folder structure you require and specify that any folder, or subfolder, becomes the “home folder” of a user.

For easier management, it’s best to place users into a well organized folder hierarchy. There is no “one size fits all” for a folder hierarchy but a common practice is to have a top-level folder named “users” or “home”.



Then, within this top-level folder, you can create subfolders for individual users, or subfolders for departments, teams, or groups, building a hierarchy that matches your needs.

For example, if you have a relatively small set of users, where you don't have a need to further differentiate them from each other, you could use a simple structure such as:




You could also arrange users based on their department, such as:




If your organization is global, you might wish to arrange users based on geographic regions, such as:




If your site will be used by both internal employees and external partners, you may wish to arrange users on that basis, such as:




Ultimately, the best hierarchy will be the one that best fits your business model.

If you have an existing identity system, such as an Active Directory or LDAP, or your users are being migrated from another system, then you may wish to match the folder hierarchy of the users as defined in that system.

If the users of your site are not related to the users of an existing system, or you wish to define a newer folder structure, then this is an opportunity to plan out a structure that best fits your needs.

To create folders, navigate to the Files section of your site and use the New Folder button to build the structure that you require.

Automating the creation of user folders

You can also automate the creation of “home folders” for users.

Navigate to the folder that you want to create user “home folders” within, for example /users/ or /home/, and select Folder Settings > Automatically create new user folders here when users are created.

Once you've created some home folders, or configured them to be created automatically, you're ready to create user accounts.

Creating Users

There are a few different methods of creating a user. Site Administrators can use the Web to create a single user or use the Bulk import users feature to save time when creating multiple users. You can also Clone a user, and create user groups to help with onboarding additional users. User creation can also be automated using the API/SDKs or our CLI application.

To create a single user on the web as a site administrator, go to Settings > Users and select New User.

When creating a user, you can select authentication methods, group permissions, and Folder permissions on selected Folders for the user. Advanced Settings are also available while creating users. Use them to set up additional configuration and permissions for the user, including Admin permissions, IP restrictions, shared/bot user config, allowed protocols, SSH (SFTP) keys, and an expiration date, to mention a few.

Cloning Users

Administrators can save time when creating a new user by cloning an existing user. This speeds up the user creation process by pre-populating most of the user's settings from the user being cloned, including group membership and permissions.

To clone a user, click the Clone button in the rightmost column of the user list.

Bulk Import

You can create/import users in bulk via the web interface using our Bulk Create tool found at Settings > Users > Manage Users.

Simply click the Bulk Create button to open the tool, then expand the Supported columns legend to review the data options you can include with your import.

You can also use the Download CSV template button to get a copy of an example CSV file which you can modify to use for your import.

Once you have your CSV file populated according to the template and legend, use the Choose File button to select the CSV file from your local file system and then begin the import process.

The system will verify your file and show you any data errors that need to be corrected before your user import can be processed.

Column Name | Description | Acceptable values


The login name for the new user

REQUIRED Can be any text


How the user's credentials are created.

password (default), password_with_imported_hash, email_signup, or any enabled SSO provider


The new user's password. Only valid if the authentication_method is password

Any text that matches your site's password rules


How many days a password is valid before the user is required to change it. This overrides the site-wide setting.

Any whole number or 0. Can also be blank if not overriding the site-wide setting


Should the user be forced to change their password when they log in the first time?

Y or N


The user's email address. Required if authentication_method is email_signup

A valid email


The user's full name.

Text containing at least 2 words separated by a space


The name of the user's associated company

Any text


Which groups this user is a member of

Comma-separated list of numbers, which must be valid group IDs.


Is this user an administrator (who has full access to the entire site and its settings)?

Y or N


Does this user manage its own credentials (i.e., is NOT a bot/shared user)?

Y or N. Can only be Y if authentication_method is email_signup


Any notes about this user. Will be visible to all site admins on the users page.

Any text


What time zone the user is in

The time zone name


Root folder for FTP (and optionally SFTP if the appropriate site-wide setting is set.) Note that this is not used for API, Desktop, or Web interface.

Text containing a valid path to a folder the user has permission to access, e.g. "Customers/ACME" or "Sales". Does not need leading or trailing slashes.


A list of IP addresses the user is allowed to connect from.

Text containing the IP addresses in CIDR format, separated by newline (\n) characters. You may specify a range in CIDR format, such as Example: "\n13.211.6.58\n192.168.17.0/27"


Should this user be required to connect from a site-allowed IP address? If Y, then the "Bypass site IP whitelist" setting for the user will be disabled. If N, then the "Bypass site IP whitelist" setting will be enabled. If the user has their own ip_whitelist configured (see above), that list will still be valid even if this field is set to N.

Y or N


Whether the user is required to use TLS or SSL when connecting via FTP. If this is set to Y, the user cannot connect with an unencrypted FTP connection.

Y or N. If left blank, will use the site-wide setting.


Scheduled Date/Time at which user will be deactivated

Text containing a date in ISO 8601 format (YYYY-mm-ddTHH:MM:SS followed by offset from UTC) Example: 2020-03-14T13:27:01-04:00


Whether the user is permitted to connect via FTP or FTPS

Y or N


Whether user can connect via SFTP

Y or N


Can user connect with WebDAV?

Y or N


Can user connect via the web UI or the API?

Y or N


Permissions to automatically assign to new users

Text containing a list of folders and permissions, separated by pipe symbols (|), to assign to the newly created user.
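The cross-field rules in the legend above, together with the Shared/Bot restriction described later on this page, can be checked before a file is uploaded. The following is an added example, not code from the original documentation: the column names username, password, email, self_managed and expires_at are assumed (confirm them against the downloaded CSV template), the 256-address ceiling is an assumed review threshold, and the sample rows are constructed.

```python
import csv
import io
import ipaddress
from datetime import datetime

def check_ip_whitelist(value, max_addresses=256):
    """Validate a newline-separated ip_whitelist cell; return problems."""
    problems = []
    # Accept real newlines and the two-character sequence \n.
    for item in value.replace("\\n", "\n").split("\n"):
        item = item.strip()
        if not item:  # the documented example starts with a newline
            continue
        try:
            net = ipaddress.ip_network(item, strict=True)
        except ValueError:
            problems.append(f"ip_whitelist: {item!r} is not a valid address or CIDR")
            continue
        if net.num_addresses > max_addresses:  # assumed review threshold
            problems.append(f"ip_whitelist: {net} admits {net.num_addresses} addresses")
    return problems

def check_row(row):
    """Apply the legend's cross-field rules to one import row."""
    problems = []
    method = row.get("authentication_method") or "password"  # documented default
    if row.get("password") and method != "password":
        problems.append("password is only valid with authentication_method=password")
    if method == "email_signup" and not row.get("email"):
        problems.append("email is required for email_signup")
    if row.get("self_managed") == "Y" and method != "email_signup":
        problems.append("self_managed=Y requires email_signup")
    if row.get("site_admin") == "Y" and row.get("self_managed") == "N":
        problems.append("Shared/Bot users may not be site admins")
    problems += check_ip_whitelist(row.get("ip_whitelist") or "")
    expires = row.get("expires_at")
    if expires:
        try:
            if datetime.fromisoformat(expires).tzinfo is None:
                problems.append("expires_at needs a UTC offset")
        except ValueError:
            problems.append("expires_at is not ISO 8601")
    return problems

def check_csv(text):
    """Return {username: [problems]} for every row of the CSV text."""
    return {r["username"]: check_row(r) for r in csv.DictReader(io.StringIO(text))}

# Constructed sample import file (assumed column names, see lead-in).
SAMPLE = """username,authentication_method,password,email,site_admin,self_managed,ip_whitelist,expires_at
alice,email_signup,,alice@example.com,N,Y,"203.0.113.7\\n198.51.100.0/27",2030-03-14T13:27:01-04:00
bob,email_signup,hunter2hunter2,,N,Y,10.0.0.0/8,2030-03-14
svc-upload,password,constructed-Passw0rd!,,Y,N,192.0.2.5/27,
"""

if __name__ == "__main__":
    for user, problems in check_csv(SAMPLE).items():
        print(user, problems or "ok")
```
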

Bulk Create with Folder Permissions

Automatically assign folder permissions to users with the folder_permissions column of the import file. Supply a list of folders and permissions, separated by pipe symbols, to be assigned to the user.

Possible Permission Values

  • admin : Able to manage settings for the folder.
  • full : Able to read, write, move, delete, and rename files and folders.
  • readonly : Able to list and download files and folders.
  • writeonly : Able to upload files and create folders.
  • readwrite : Shorthand for readonly,writeonly
  • list : Able to list files and folders, but not download.
  • bundle : Able to share files and folders via a share link.
  • history : Able to view the history of files and folders.



This defines 3 permissions: Sales=readonly and Engineering=readwrite,history and Home/Adam=admin. The user will be given Read-Only permission on the /Sales folder, Read/Write and History permissions on the /Engineering folder, and Admin permission on the /Home/Adam folder. If any of those folders do not exist, they will be created automatically.

Advanced Usage Notes:

  • Use a slash for the folder name to specify the Root Folder, for example: /=readonly
  • If a folder name contains a vertical bar, for example Sales|North-America, the vertical bar must be escaped with a preceding backslash: Sales\|North-America=readonly
  • If site_admin is enabled for the user, then the value of folder_permissions is ignored, because site administrators have admin access to all folders.
  • Permissions are applied recursively to all sub-folders. To limit a permission to the specified folder name and not its sub-folders, add an asterisk * after the permission value. For example: Home=admin*
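Because one folder_permissions cell can grant access well beyond a user's home folder, it helps to expand each cell into explicit grants before import. The following is an added example, not code from the original documentation: it parses the syntax described above (pipe separators, escaped pipes, the root slash, the trailing asterisk) and lists grants worth a second look. How a trailing asterisk combines with a comma-separated list, and splitting on the last "=", are assumptions; the sample rows are constructed.

```python
# Permission names from "Possible Permission Values".
VALID = {"admin", "full", "readonly", "writeonly", "readwrite",
         "list", "bundle", "history"}

def split_unescaped(text, sep="|"):
    """Split on sep, treating backslash+sep as a literal sep character."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and text[i + 1:i + 2] == sep:
            cur.append(sep)
            i += 2
        elif text[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(text[i])
            i += 1
    parts.append("".join(cur))
    return parts

def parse_folder_permissions(value):
    """Return (path, permission, recursive) tuples for one CSV cell."""
    grants = []
    if not value.strip():
        return grants
    for entry in split_unescaped(value):
        # Assumption: the last "=" separates the folder from its permissions.
        folder, sep, perms = entry.rpartition("=")
        if not sep or not folder.strip() or not perms.strip():
            raise ValueError(f"malformed entry: {entry!r}")
        path = "/" + folder.strip().strip("/")  # "/" alone stays the root
        for perm in perms.split(","):
            perm = perm.strip()
            # Assumption: a trailing * applies to the permission it follows.
            name, recursive = perm.rstrip("*"), not perm.endswith("*")
            if name not in VALID:
                raise ValueError(f"unknown permission {perm!r} in {entry!r}")
            grants.append((path, name, recursive))
    return grants

def review_row(username, site_admin, folder_permissions):
    """List grants in one import row that deserve a second look."""
    if site_admin.strip().upper() == "Y":
        return [f"{username}: site_admin=Y, folder_permissions is ignored"]
    findings = []
    for path, perm, recursive in parse_folder_permissions(folder_permissions):
        if path == "/" and recursive:
            findings.append(f"{username}: {perm} on / reaches every folder")
        elif perm in ("admin", "full") and recursive:
            findings.append(f"{username}: recursive {perm} on {path}")
    return findings

# Constructed sample rows: (username, site_admin, folder_permissions).
ROWS = [
    ("adam", "N", "Sales=readonly|Engineering=readwrite,history|Home/Adam=admin"),
    ("nora", "N", r"Sales\|North-America=readonly|Home=admin*"),
    ("temp", "N", "/=full"),
    ("root", "Y", "Sales=readonly"),
]

if __name__ == "__main__":
    for row in ROWS:
        print(row[0], review_row(*row))
```
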

Unlocking Users

To unlock a user that has been locked due to repeated failed login attempts, follow these steps:

  1. Sign in to your site as an administrator.
  2. Navigate to Settings > Users.
  3. Find the locked user in the list, and click the Unlock button in the far-right column.
  4. Finally, click the Unlock this user button to unlock the user.

You can adjust your site lockout settings if needed at Settings > Authentication > Brute force protection.

Disabling A User

There are two main approaches to disable a user account:

  1. At Settings > Users > User Settings > Disable inactive users, set a number of days after which users that have not logged in will automatically be disabled. This option disables the affected users within 24 hours of the specified duration. For example, if you set the duration to 7 days then the affected users will be disabled between the 7th and 8th day from their last activity. This is a site level setting and applies to all non-admin users. If you want to bypass this setting for a particular non-admin user, enable the option Prevent this user from being disabled due to inactivity under Settings > Users > [user name] > General.
  2. At Settings > Users > [user name] > General > Account enabled, toggle the activation button to the deactivated state. This option takes effect immediately.

Once a user is disabled/deactivated, they are not able to log in. A site administrator must explicitly re-enable the account using the setting noted in option 2 above before the user may access the site.

Disabled users are not counted for billing purposes.

NOTE: User count and user status have no relation to storage usage. Your site's storage usage will not be reduced if you disable users. If a file or folder is stored on your site, it counts toward storage usage.

A third approach is also available. At Settings > Users > [user name] > Authentication > Access expiration date, set a date after which the user should not be able to access the site. This approach allows you to set an end date for users with a known project duration or other situation where a specific date makes sense.

Note that user accounts which are marked as disabled will have to be re-enabled by a Site Admin. We specifically don't provide any automated re-enablement of users, since re-enabling a user needs to be examined carefully by a Site Admin.

Restricting a User's Protocol Privileges

Access to data transmission protocols can be specified for each user, allowing you to specify exactly which protocols a user is allowed to use to connect.

Navigate to Settings > Users > [user name] > Privileges > Protocol Access and select the Edit button. You can allow or disallow the selected user's access to FTP (including FTPS and FTPES), SFTP, WebDAV, Web Portal, Desktop app, and the API.

Deleting Users

Rather than disabling a user, site administrators can choose to completely delete a user from the site.

Web UI

To delete a user, navigate to Settings > Users, locate the user in the table, and click the Delete button. You will be prompted to enter your password to confirm the deletion.


A site administrator can use the Command Line App (CLI) to delete a user. First, you will need to obtain the user's ID. You can use a command similar to the one shown here (replace $NAME with the username of the desired user):

files-cli users list --fields id,username --filter-by username=$NAME --use-pager=false

Then, pass the ID reported by files-cli to the delete command (replace $ID with the ID of the user to delete):

files-cli users delete --id $ID --reauthenticate

When prompted, enter your password or 2FA code.

Effects of Deleting a User

  1. Share Links are not affected. When a user is deleted, any Share Links they have created are not deactivated. Site administrators have access to all Share Links and will still be able to change the settings or revoke any Share Links that were created by a now-deleted user.
  2. Folder behaviors are not removed. With the exception of notifications for the now-deleted user, any folder behaviors they configured will still exist after the user is deleted.
  3. Automations are not removed. Site admins can monitor and update existing automations, even if they were created by a now-deleted user.
  4. Files and Folders are not automatically removed. Removing users does not remove "their" used storage.

Available Administrative Permission Levels

There are four different types of "Administrative" permission levels that can be granted to a user.

Site Administrators are the highest level. Users with this permission have access to and authority over everything within your site, including users, data, settings, and logs. The first user created on a site is a Site Administrator by default but does not have any special permissions beyond that. The initial user can have his or her Site Administrator status revoked by another Site Administrator.

The three additional, limited, administrator types are:

  1. Group Administrator - This type of admin is able to create users and add them to existing groups for which the admin is responsible. Once users are created, group admins are not able to alter them. Any subsequent changes must be performed by a site admin.
  2. Folder Administrator - This type of admin is able to manage folder settings for specific folders. A site administrator or another folder administrator must grant this user folder admin privileges for specific folders. Subfolders inherit folder admin privileges by default.
  3. Billing Administrator - This type of admin is able to access the Settings > Account tab and can see billing information, invoice history, and usage data.

In many cases, the same user may be both a Group Administrator and a Folder Administrator for one or more folders.

Shared/Bot Users

While you can set any user to be a Shared/Bot user, we anticipate that each individual user on an account will have their own set of permissions based on their security policies with your business. We strongly encourage our customers to create individual user accounts for each person accessing the site, so that appropriate permissions can be managed for their connections. However, some use cases require that accounts be shared among multiple people or automated scripts/bots.

You can set an account as Shared/Bot user to create a user account that is shared by multiple people, typically with limited access, or used by an automated script.

You can set an account as Shared/Bot user at Settings > Users > [user name] > Privileges. Note that you cannot set an account as Shared/Bot user if that user's authentication method is already associated with any SSO provider.

Shared/Bot users can use all aspects of the Web UI, including Previews and Office integration, but they have some special restrictions:

1. Users set as a Shared/Bot user are prevented from changing their own password, email address or time zone.

For example, you may want to create one shared username through which several people will be uploading documents to your site. Creating that username as a Shared/Bot user prevents an individual from changing the password, email address or time zone, which would disrupt service for all of the other people attempting to use this user account.

2. Shared/Bot users bypass all 2FA requirements. 2FA requires a physical device, which only one person can possess. 2FA is disabled for Shared/Bot users to allow multiple people as well as automated scripts or bots to log in using this account.

Because of all the restrictions listed here, Shared/Bot users may not also be site admins. To promote a Shared/Bot user to an admin, you must first disable the Shared/Bot user setting before you can enable the Administrator access setting.

Resetting User Passwords

Site administrators can change the password for any user on their site by following these steps:

  1. Log in to your site as an administrator.
  2. Navigate to Settings > Users and click on the username of the user, then click the Authentication tab.
  3. Click Set new password, and you will be prompted to enter and confirm the new password. You'll also be prompted to reauthenticate by entering your own password for added security.

Users can also reset their own passwords themselves by using the Forgot your password? link on your site's login page. If the link is not present on your site's login page, you can enable it via the setting at Settings > Authentication > Password recovery via email. You'll also want to ensure that the user has an email address set in their user settings.

When creating new users going forward, you can opt to manually set their password by selecting the "Password" authentication method (instead of the default "Email signup") upon user creation.

Listing Users

You can find your current list of users by going to Settings > Users. Any user account that has been disabled will be displayed in grey.

Site administrators are listed at the top, and have the "Site administrator" icon on their avatar. Bot/shared users have the "Bot/shared" icon on their avatar.

To download the entire list, we recommend using the Command Line App (CLI). To list all your users, run this command:

files-cli users list

The disabled field will be labelled true for disabled user accounts and false for active users.

You might find it helpful to export in CSV format and save that output to a file. Here's how to do that using the CLI:

files-cli users list --format csv > users.csv

Click here to download the CLI App. On that page, you'll need to pick your exact operating system to download the correct version.

User Requests

The platform includes a feature that allows non-users to request a user account on your site, streamlining the whole process from request to user creation.

You can enable this feature at Settings > Users > User Settings > Allow non-users to request a user account.

If this setting is enabled, a "Request an account" link will appear under the Log in button on your login page. Clicking the "Request an account" will prompt the visitor to enter their information for a new user account.

Account requests can be reviewed in the web interface at Settings > Users > User Requests. Click the Create user button to pre-populate the new user form with their name and email address. You can then provide the rest of the information, such as assigning a username and folder permissions.

Notification of New User Requests

Site admins can be notified by email when a new user request is received. Enable this feature at Settings > Users > User Settings > Notify admins of requests for a user account. All site admins who have not opted out of site alert emails will receive a notification email for each new user request.
