Understanding user management is one of the first essential steps in designing a secure and productive work environment on

When you combine a well-designed user schema with a thoughtful folder hierarchy, the result is a powerful and secure digital organization ready to scale to meet any enterprise needs.

Globally Unique Usernames is a multi-tenant platform that, by default, requires that all user names across all sites be unique.

If you need to use a user naming convention or have other requirements that mean you need to create user names that may exist in other sites on the platform, you can set up a custom user namespace by:

  1. setting up a custom domain for your site 
  2. toggling the Sitewide setting for Settings > Users > User Settings > Globally Unique Usernames to No, this site is using a custom namespace.

Requiring That Groups be Used for All Permission Assignment

To ensure consistency in how your site is applying permissions, it is possible to require all Permissions to be assigned only to Groups, and not to individual users.

With this feature enabled, you can ensure that a group permission framework is followed, and no one - whether accidentally or purposely - grants users individual permissions.

Site administrators can enable this feature under Settings > Groups > Group Settings > Manage all permissions via groups. This setting requires the Power or Premier plan.

Enabling this setting will not remove permissions previously granted to individual users.

Cloning Users

Administrators can save time when creating a new user by cloning an existing user. This speeds up the user creation process by pre-populating most of the user's settings from the user being cloned, including group membership and permissions.

To clone a user, click the Clone button in the rightmost column of the user list.

Bulk Import

You can create/import users in bulk via the web interface using our Bulk Create tool found at Settings > Users > Manage Users.

Simply click the Bulk Create button to open the tool, then expand the Supported columns legend to review the data options you can include with your import.

You can also use the Download CSV template button to get a copy of an example CSV file which you can modify to use for your import.

Once you have your CSV file populated according to the template and legend, use the Choose File button to select the CSV file from your local file system and then begin the import process.

The system will verify your file and show you any data errors that need to be corrected before your user import can be processed.

Column NameDescriptionAcceptable values


The login name for the new user

REQUIRED Can be any text


How the user's credentials are created.

password (default), password_with_imported_hash, email_signup, or any enabled SSO provider


The new user's password. Only valid if the authentication_method is password

Any text that matches your site's password rules


How many days a password is valid before the user is required to change it. This overrides the site-wide setting.

Any whole number or 0. Can also be blank if not overriding the site-wide setting


Should the user be forced to change their password when the log in the first time?

Y or N


The user's email address. Required if authentication_method is email_signup

A valid email


The user's full name.

Text containing at least 2 words separated by a space


The name of the user's associated company

Any text


Which groups this user is a member of

Comma-separated list of numbers, which must be valid group IDs.


Is this user an administrator (who has full access to the entire site and its settings)?

Y or N


Does this user manage its own credentials (i.e., is NOT a bot/shared user)?

Y or N. Can only be Y if authentication_method is email_signup


Any notes about this user. Will be visible to all site admins on the users page.

Any text


What time zone the user is in

The time zone name


Root folder for FTP (and optionally SFTP if the appropriate site-wide setting is set.) Note that this is not used for API, Desktop, or Web interface.

Text containing a valid path to a folder the user has permission to access, e.g. "Customers/ACME" or "Sales". Does not need leading or trailing slashes.


A list of IP addresses the user is allowed to connect from.

Text containing the IP addresses in CIDR format, separated by newline (\n) characters. You may specify a range in CIDR format, such as Example: "\n13.211.6.58\n192.168.17.0/27"


Should this user be required to connect from a site-allowed IP address? If Y, then the "Bypass site IP whitelist" setting for the user will be disabled. If N, then the "Bypass site IP whitelist" setting will be enabled. If the user has their own ip_whitelist configured (see above), that list will still be valid even if this field is set to N.

Y or N


Whether the user is required to use TLS or SSL when connecting via FTP. If this is set to Y, the user cannot connect with an unencrypted FTP connection.

Y or N. If left blank, will use the site-wide setting.


Scheduled Date/Time at which user will be deactivated

Text containing a date in ISO 8601 format (YYYY-mm-ddTHH:MM:SS followed by offset from UTC) Example: 2020-03-14T13:27:01-04:00


Whether the user is permitted to connect via FTP or FTPS

Y or N


Whether user can connect via SFTP

Y or N


Can user connect with WebDAV?

Y or N


Can user connect via the web UI or the API?

Y or N


Permissions to automatically assign to new users

Text containing a list of folders and permissions, separated by pipe symbols (|), to assign to the newly created user.

Bulk Create with Folder Permissions

Automatically assign folder permissions to users with the folder_permissions column of the import file. Supply a list of folders and permissions, separated by pipe symbols, to be assigned to the user.

Possible Permission Values

  • admin : Able to manage settings for the folder.
  • full : Able to read, write, move, delete, and rename files and folders.
  • readonly : Able to list and download files and folders.
  • writeonly : Able to upload files and create folders.
  • readwrite : Shorthand for readonly,writeonly
  • list : Able to list files and folders, but not download.
  • bundle : Able to share files and folders via a share link.
  • history : Able to view the history of files and folders.



This defines 3 permissions: Sales=readonly and Engineering=readwrite,history and Home/Adam=admin. The user will be given Read-Only permission on the /Sales folder, Read/Write and History permissions on the /Engineering folder, and Admin permission on the /Home/Adam folder. If any of those folders do not exist, they will be created automatically.

Advanced Usage Notes:

  • Use a slash for the folder name to specify the Root Folder, for example: /=readonly
  • If a folder name contains a vertical bar, for example Sales|North-America, the vertical bar must be escaped with a preceding backslash: Sales\|North-America=readonly
  • If site_admin is enabled for the user, then the value of folder_permissions is ignored, because site administrators have admin access to all folders.
  • Permissions are applied recursively to all sub-folders. To limit a permission to the specified folder name and not its sub-folders, add an asterisk * after the permission value. For example: Home=admin*

Unlocking Users

To unlock a user that has been locked due to repeated failed login attempts, follow these steps:

  1. Sign in to your site as an administrator.
  2. Navigate to Settings > Users.
  3. Find the locked user in the list, and click the Unlock button in the far-right column.
  4. Finally, click the Unlock this user button to unlock the user.

You can adjust your site lockout settings if needed at Settings > Authentication > Brute force protection.

Disabling A User

There are two main approaches to disable a user account:

  1. At Settings > Users > User Settings > Disable inactive users, set a number of days after which users that have not logged in will automatically be disabled. This option disables the affected users within 24 hours of the specified duration. For example, if you set the duration to 7 days then the affected users will be disabled between the 7th and 8th day from their last activity.
  2. At Settings > Users > [user name] > General > Account enabled, toggle the activation button to the deactivated state. This option takes effect immediately.

Once a user is disabled/deactivated, they are not able to log in. A site administrator must explicitly re-enable the account using the setting noted in option 2. above before the user may access the site.

Disabled users are not counted for billing purposes.

A third approach is also available. At Settings > Users > [user name] > Authentication > Access expiration date, set a date after which the user should not be able to access the site. This approach allows you to set an end date for users with a known project duration or other situation where a specific date makes sense.

Restricting a User's Protocol Privileges

Access to data transmission protocols can be specified for each user, allowing you to specify exactly which protocols a user is allowed to use to connect to

Navigate to Settings > Users > [user name] > Privileges > Protocol Access and select the Edit button. You can allow or disallow the selected user's access to FTP (including FTPS and FTPES), SFTP, WebDAV, Web Portal, Desktop app, and the API.

Available Administrative Permission Levels

There are four different types of "Administrative" permission levels that can be granted to a user.

Site Administrators are the highest level. Users with this permission have access to and authority over everything within your site including users, data, settings, and logs. The first user created on a site is a Site Administrator by default, however does not have any special permissions beyond that. The initial user can have his or her Site Administrator status revoked by another Site Administrator.

The three additional, limited, administrator types are:

  1. Group Administrator - This type of admin is able to add and create users to existing groups for which the admin is responsible. Once users are created, group admins are not able to alter them. Any subsequent changes must be performed by a site admin.
  2. Folder Administrator - This type of admin is able to manage folder settings for specific folders. A site administrator or another folder administrator must grant this user folder admin privileges for specific folders. Subfolders inherit folder admin privileges by default.
  3. Billing Administrator - This type of admin is able to access the Settings > Account tab and can see billing information, invoice history, and usage data.

In many cases, the same user may be both a Group Administrator and a Folder Administrator for one or more folders.

Shared/Bot Users

We strongly encourage our customers to create individual user accounts for each person accessing However, some use cases require that accounts be shared amounts multiple people or automated scripts/bots.

You can set an account as Shared/Bot user to create a user account that is shared by multiple people, typically with limited access, or used by an automated script. Shared/Bot users can use all aspects of the Web UI, including Previews and Office integration, but they have some special restrictions:

1. Users set as a Shared/Bot user are prevented from changing their own password, email address or time zone.

For example, you may want to create one shared username through which several people will be uploading documents to your site. Creating that username as a Shared/Bot user prevents an individual from changing the password, email address or time zone, which would disrupt service for all of the other people attempting to use this user account.

2. Shared/Bot users bypass all 2FA requirements. 2FA requires a physical device, which would only be able to be possessed by one physical person. 2FA is disabled for Shared/Bot users to allow multiple people as well as automated scripts or bots to log in using this account.

Because of all the restrictions listed here, Shared/Bot users may not also be site admins. To promote a Shared/Bot user to an admin, you must first disable the Shared/Bot user setting before you can enable the Administrator access setting.

Resetting User Passwords

Site administrators can change the password for any user on their site by following these steps:

  1. Log in to your site as an administrator.
  2. Navigate to Settings > Users and click on the username of the user, then click the Authentication tab.
  3. Click Set new password, and you will be prompted to enter and confirm the new password. You'll also be prompted to reauthenticate by entering your own password for added security.

Users can also reset their own passwords themselves by using the Forgot your password? link on your site's login page. If the link is not present on your site's login page, you can enable it via the setting at Settings > Authentication > Password recovery via email. You'll also want to ensure that the user has an email address set in their user settings.

When creating new users going forward, you can opt to manually set their password by selecting the "Password" authentication method (instead of the default "Email signup") upon user creation.

Listing Users

You can find your current list of users by going to Settings > Users. Any user account that has been disabled will be displayed in grey.

Site administrators are listed at the top, and have the "Site administrator" icon on their avatar. Bot/shared users have the "Bot/shared" icon on their avatar.

To download the entire list, we recommend using the Command Line App (CLI). To list all your users, run this command:

files-cli users list

The disabled field will be labelled true for disabled user accounts and false for active users.

You might find it helpful to export in CSV format and save that output to a file. Here's how to do that using the CLI:

files-cli users list --format csv > users.csv

Click here to download the CLI App. On that page, you'll need to pick your exact operating system to download the correct version.

User Requests includes a feature that allows non-users to request a user account on your site, streamlining the whole process from request to user creation.

You can enable this feature at Settings > Users > User Settings > Allow non-users to request a user account.

If this setting is enabled, a "Request an account" link will appear under the Log in button on your login page. Clicking the "Request an account" will prompt the visitor to enter their information for a new user account.

Account requests can be reviewed in the web interface at Settings > Users > User Requests. Click the Create user button to pre-populate the new user form with their name and email address. You can then provide the rest of the information, such as assigning a username and folder permissions.

Notification of New User Requests

Site admins can be notified by email when a new user request is received. Enable this feature at Settings > Users > User Settings > Notify admins of requests for a user account All site admins who have not opted out of site alert emails will receive a notification email for each new user request.

Get Instant Access to

The button below will take you to our Free Trial signup page. Click on the white "Start My Free Trial" button, then fill out the short form on the next page. Your account will be activated instantly. You can dive in and start yourself or let us help. The choice is yours.

Start My Free Trial

©2022 All right reserved


  • Start My Free Trial
  • Pricing
  • Docs
  • API and SDKs
  • Contact


(800) 286-8372


9am–8pm Eastern