Users are the most fundamental building block for creating a hierarchy of access among your organization.

Adding Users

Only administrators and group admins can create users. As an administrator, you can add new users from Settings > Users.

You will need to provide a username and password for each user, but all other fields are optional or can be left as the default. Remember that if you ever forget what a setting or user input is, you can hover over the help icon and a tooltip will appear with a description of the setting.

Below is a description of each basic user setting. See Advanced User Settings for a list of more advanced user options.

Username This is the username that the user will use to log in via the web interface, desktop app, or FTP client. Usernames are limited to 50 characters. You may choose to use an email address as the username to ensure uniqueness.
Authentication method This is the authentication method that this user can use to log in to their account. The default method is ‘Password/Public key’. Other available methods are ‘Active Directory or LDAP’ (if LDAP synchronization is enabled on your site) and ‘Google OAuth’ (if Google user authentication is enabled on your site).
Password This is the password this user will use when logging in to the web interface, desktop app, or FTP client.
Password expiration Default is to use your site-wide setting, or choose This user must change their password and enter an integer to define the change interval in days. This user will then be required to change their password on every cycle of the change interval.
Require password change on first login? If enabled, this user will be required to change their password when they log in. The user will also be prevented from accessing FTP/SFTP/WebDAV until their password is changed.
Email address Providing the user’s email address allows us to contact them via email with important account information. This may include forgotten password recovery and notifications for file uploads.
Full name This setting is optional and is for your records only.
Groups Choose the Groups that this user will belong to.
Enable admin access Enable to make this user a site-wide administrator. See Adding Administrators for more information.
Folder permissions Grant permissions on the folders you want this user to have access to. See Permissions for more information.
Share Link permission This setting controls whether the user is able to use the sharing features to generate Share Links.
Shared/bot user? Users flagged as a bot or a shared user are not able to change their own password, email address or time zone, and are exempted from 2FA requirements (if any).
Notes Here you can enter notes that are for your records only.

Cloning Users

Administrators can save time when creating a new user by cloning an existing user. This speeds up the user creation process by prepopulating most of the user’s settings from the user being cloned, including group membership and permissions.

To clone a user, click the Clone button in the rightmost column of the user list.

You will then be presented with the New User form with the cloned user’s settings prepopulated.

Disabling Users

Disabling a user will terminate their active sessions and prevent the user from logging in or accessing the REST API, while keeping their settings and history intact.

There are 3 ways to disable users in

  1. Disabling on demand
  2. Setting an access expiration date
  3. Disabling automatically based on inactivity

Note that only standard, non-administrator users can be disabled. To disable an administrator user, you must first change their Access level to ‘Standard user’.

Disabling on demand

To disable a user immediately, simply adjust their Account status to ‘Disabled’.

Administrators can re-enable a user at any time by adjusting their Account status back to ‘Enabled’.

Setting an access expiration date

Administrators can also schedule a user to be disabled at a future date by setting their Access expiration date. This is useful when you want to grant a user temporary access to your site.

Disabling automatically based on inactivity

Administrators may opt to disable users automatically after a period of inactivity via the site-wide setting at Settings > General > Disable inactive users.

This setting allows you to set a number of days of inactivity after which a user account will automatically be disabled.

Deleting Users

To delete a user, simply click the Delete button in the rightmost column of the user list. The user will immediately be deleted, and they will no longer be able to log in to your site.

Adding Administrators

You can make any user a site-wide administrator by setting their Access level to ‘Admin user’. You may have as many administrators as you wish.

Keep in mind that administrators will have the same level of access that you have, including Read/Write/Delete access on all folders, and the ability to create and manage users.

Advanced User Settings

Time zone

All times in the web interface will be displayed in this time zone for the user.

FTP/SFTP client root folder

The user will see this folder as the ‘home’ or root’ when logging in via an FTP/SFTP client. The user will not be able to see folders which are parents of this one, even if they have permissions there. This setting only affects FTP/SFTP clients, NOT the web interface, and you still need to give the user permissions to the folder. This is mainly used for providing compatibility with existing FTP/SFTP deployments.

IP whitelist

This setting allows you to limit which IP addresses the user is allowed to connect from. List allowed IPs, one per line. You may specify a range in CIDR format, such as

If you are also using a site-wide IP whitelist, users connecting from an IP address matching in either whitelist will be allowed to log in.

Bypass site IP whitelist

If your site uses a site-wide IP whitelist, this setting allows this user to log in from IP addresses not contained in that list. However, this user’s IP whitelist will still be enforced (if set).

Plain/unencrypted FTP Support

If changed, this setting will override the site-wide default, which can be set at Settings > Security > Plain/unencrypted FTP Support.

Note: Allowing unencrypted connections is dangerous because it will cause passwords and file contents to be transmitted across networks in clear text.

Access expiration date

You can grant the user temporary access to your site by entering a date here. Access for this user will be blocked after this date occurs (midnight of the selected date).

This field uses your current time zone when you set or change it.

Protocol access

Use this setting to control which protocols this user will have access to.

You can selectively allow access to:

  • FTP
  • SFTP
  • WebDAV
  • Web, Desktop app, and API


Add SFTP public keys here to allow the user to connect via SFTP without having to type a password. Review the SFTP documentation for more details.