User Onboarding and Offboarding
Managing user access in Files.com goes beyond account creation and deletion. It requires maintaining accurate access as users and systems join, change roles, or leave. Site Administrators define the access model for internal users, Partners, and service accounts, while delegating appropriate responsibilities where needed.
Files.com supports onboarding through manual creation, automated provisioning, and delegated administration. Partners allow external organizations to manage their own users within controlled boundaries, and Partner Admins handle day-to-day user management for their Partner without affecting internal users or site-wide settings. Group-based permissions, scoped administration, flexible folder permissions and protocol privileges provide a consistent framework for secure onboarding and efficient offboarding across all user types.
Identify Who You're Onboarding
Start by identifying the type of users you want to onboard. Internal users are typically employees or trusted contractors who need broad access to company resources.
External users include clients, vendors, trading partners, and temporary contractors who require scoped access to specific folders.
System users, or service accounts, represent internal or external systems that connect to Files.com to perform automated tasks, including integrations, workflows, automations, and scheduled file transfers.
Each type of user has different access needs, security requirements, and preferred onboarding methods. Files.com supports a wide range of onboarding and provisioning options, including one-time onboarding and automated onboarding, giving you the flexibility to adapt to your organization's structure.
Onboarding Methods
Files.com provides several onboarding methods to provision user access. The appropriate method depends on the organization’s identity infrastructure and the level of automation required.
Recommended: SCIM Provisioning
SCIM provisioning through an Identity Provider is the recommended onboarding method for most organizations. SCIM synchronizes users and groups between the identity provider and Files.com and manages the full user lifecycle, including creation, updates, group membership changes, and deactivation.
Identity provider administrators define synchronization rules that control user creation, updates, group membership, and deactivation. Files.com applies folder permissions and protocol settings through mapped groups.
Alternative: Just-in-Time (JIT) Provisioning
If the identity provider supports Single Sign-On but does not support SCIM, Just-in-Time provisioning provides an automated onboarding option. JIT creates a Files.com user account automatically when a user signs in through SSO for the first time.
Automated Provisioning with APIs and Automation Tools
Organizations that manage identity workflows through internal systems can provision users programmatically through the Files.com SDKs, APIs, or CLI. Internal systems create, update, and deactivate user accounts automatically when identity records change in employee systems, customer systems, or operational platforms.
Integration Platform (iPaaS) Provisioning
Integration Platform as a Service (iPaaS) platforms automate user provisioning through workflow automation across connected applications. Organizations use this approach when identity or operational events originate in other systems and workflows manage account creation or updates. This method fits environments that already operate iPaaS platforms to coordinate automation across multiple SaaS systems.
Manual User Onboarding
For individual onboarding events, Site Administrators create users through the web interface, approve user requests, or clone an existing user configuration. During creation, administrators define folder permissions, group assignments, protocol privileges, and expiration dates.
Bulk User Import
For larger onboarding events without identity automation, Site Administrators use CSV-based bulk import to create many users in a single operation. Bulk import allows administrators to define folder permissions, group memberships, protocol access, and account configuration across large user sets.
LDAP and Active Directory Authentication
In LDAP or Active Directory environments, users authenticate through LDAP/Active Directory SSO. LDAP verifies credentials against the directory service, while Site Administrators manage user accounts through manual onboarding, bulk import, or automated provisioning.
Child Site Access Management
In environments that use Child Sites, Site Administrators on the parent site manage access to one or more child sites through a unified login. Administrators scope users to specific child sites while managing folder permissions independently in each site. This structure separates environments for clients, departments, or business units while maintaining centralized administrative visibility.
Provisioning by User Type
After identifying the user type, Site Administrators select the appropriate provisioning method.
Authentication configuration forms a critical part of provisioning. Files.com supports several authentication methods, including Single Sign-On (SSO) using SAML or OAuth, username and password, SFTP/SSH keys, and API keys.
Internal Users
Internal users typically authenticate through Single Sign-On (SSO), while SCIM provisioning manages lifecycle synchronization between the identity provider and Files.com. These users belong to departmental groups and receive home folders under paths like users/{username}. Group membership controls folder permissions and protocol privileges.
For large onboarding events or environments without SCIM provisioning, bulk import allows Site Administrators to define folder access, group memberships, and protocol permissions across large sets of users.
External Users
External users who do not exist in the identity provider receive accounts through manual provisioning, the Files.com CLI, the Files.com API, or bulk import. These users often represent external collaborators such as clients, vendors, or partner organizations.
Files.com supports Partners to allow external organizations to manage their own users within defined boundaries. Partner administrators can create and manage users within their Partner without affecting internal users or site-wide configuration.
External users receive tightly scoped access to folders like clients/{client-name} or projects/clientA. Groups enforce restricted access roles and ensure that external users only access the folders and workflows relevant to their organization.
Authentication for external users typically uses username and password with optional two-factor authentication (2FA). Protocol access can be controlled through protocol privileges. Expiration dates enforce automatic removal of temporary access. Administrators disable web, mobile, and desktop access unless workflow requirements demand it.
Service Accounts
Service accounts represent machines, systems, or automation processes that interact with Files.com without human involvement. These accounts support automated workflows, integrations, scheduled jobs, and system-to-system file transfers.
Service accounts use fixed home folders like integrations/payroll_export to isolate automated workflows and maintain predictable file locations for integrations.
Authentication relies on API keys or SFTP/SSH keys rather than interactive login methods. Machines and automated systems use these key-based credentials to access Files.com programmatically.
Service accounts avoid interactive login methods and remain jailed to their assigned folder to restrict visibility and prevent unintended access to other areas of the system. Web and desktop access remains disabled to ensure the account functions only as a machine identity for automation workflows.
Files.com supports shared bot users when a single account must support multiple automated workflows. Administrators can limit scope and review these accounts regularly.
Managing Groups and Permissions
Groups form the foundation of scalable access management in Files.com. Instead of assigning permissions individually, Site Administrators assign users to groups representing departments, partners, or functional roles.
Groups support folder permissions, protocol privileges, child site permissions, IP restrictions, and group-level notifications.
Users can belong to multiple groups. Effective access combines permissions from each assigned group.
SCIM group mapping allows the identity provider to manage group membership automatically. Identity provider groups synchronize to Files.com groups and control folder permissions, protocol restrictions, and account status.
Designing Folder Structures and Permissions
A clear folder structure simplifies navigation and permission management. Administrators organize folders by department, project, or partner relationship. For example: departments/finance, projects/clientA, or integrations/ERP.
Folder permissions apply directly to users or through group membership. Group-based access management allows administrators to maintain consistent permissions across large numbers of users.
Permissions determine which actions a user can perform within a folder, including read, write, delete, or full control.
Site Administrators maintain exclusive access to all folders and all subfolders, including the root folder. Administrators scope all other users to specific folders aligned with their responsibilities.
Folder structures can remain locked to prevent unauthorized renaming, deletion, or creation.
Files.com supports automatic creation of home folders during user provisioning. Internal users receive home folders under paths like users/{username} or departmental paths like departments/finance/{username}. External users receive scoped access to limited folders while service accounts use integration paths like integrations/payroll_export.
Site Administrators prepare folder structures in advance to support consistent workflows. Administrators configure subfolders like incoming and outgoing to standardize file movement.
When administrators need to replicate an existing layout, Files.com provides the "Only copy the folder structure" option. This option duplicates directory structures without copying files.
Users connecting through FTP or SFTP arrive directly in their assigned home folder. The jail to home folder setting restricts visibility to that folder and improves security for external users and service accounts.
Site Administrators can enable the Automatically Create New User Folders Here When Users Are Created setting. This configuration creates a dedicated subfolder for each new user under a defined parent folder.
Administrators restrict folder creation by group membership so that teams receive folders under different parent directories aligned with departmental workflows.
Administrators configure folder naming rules based on username or full name and configure default subfolders like incoming or outgoing.
The configuration can apply to newly created users or to existing users that meet the defined criteria.
If the Manage All Folder Permissions via Groups setting remains enabled, the system does not automatically grant access to the created folder. Site Administrators assign permissions through group membership.
Automatic folder creation reduces administrative effort, ensures consistent user experiences, improves audit visibility, and isolates user data for stronger security control.
Controlling Protocol Access
Files.com supports multiple access methods including the web interface, SFTP, FTP, WebDAV, API access, and desktop and mobile applications.
Protocol access often varies by user type. Internal users typically interact with Files.com through the web interface or desktop applications. External collaborators often use SFTP for secure file exchange. Service accounts and integrations commonly use API access or automated transfer protocols such as FTP, SFTP, or WebDAV.
Site Administrators control protocol access through user configuration and group settings. Administrators can enforce strict protocol controls to reduce unnecessary exposure.
Impersonating Users
Site Administrators can impersonate a user to view the web application exactly as the user experiences it. This capability helps administrators confirm permissions and configuration after onboarding.
The impersonation session remains read-only so administrators can review access without modifying settings.
Offboarding Users Securely
Offboarding protects the environment by removing access when users leave or when service accounts used by integrations and automated workflows are retired.
For users managed through SCIM provisioning, disabling or removing the user in the identity provider automatically deactivates the Files.com account and removes group-based access.
User Lifecycle Rules automate offboarding through inactivity policies that disable or delete accounts after defined inactivity periods.
Site Administrators should not apply lifecycle rules to accounts managed through SCIM provisioning or authenticated through SSO because the identity provider manages lifecycle state.
For manually managed users, Site Administrators deactivate accounts, configure expiration dates, or delete users directly. Files.com can also disable inactive accounts or newly created accounts that never log in.
When a Site Administrator deletes a user, the system prompts for handling resources owned by that user, including Share Links, Automations, GPG Keys, Remote Servers, Custom Forms, or folder settings. Administrators can reassign resources to another user or leave them without an owner.
Files.com can automatically remove disabled accounts after a configured number of days.
Removing users from groups immediately revokes folder and protocol access. Site Administrators can regularly review accounts without expiration dates and disable unused accounts.
If a user account is deleted accidentally, the Restore User feature allows Site Administrators to recover the account and restore its configuration.
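The periodic account review described above can be scripted against a user inventory. The following is an added example, not Files.com code: it checks the service-account and external-user baselines from this page over a constructed CSV. The column names, the 90-day threshold, and the sample rows are assumptions and do not reflect a Files.com export schema.

```python
import csv
import io
from datetime import date, timedelta

# Constructed inventory; column names are hypothetical, not a Files.com schema.
SAMPLE = """username,user_type,auth_method,web_access,jailed,expires,last_login
jdoe,internal,sso,yes,no,,2025-05-28
acme_ops,external,password,no,yes,2025-09-30,2025-05-20
vendor_tmp,external,password,yes,yes,,2024-11-02
payroll_export,service,api_key,no,yes,,2025-06-01
erp_bot,service,password,yes,no,,2025-05-30
"""

KEY_AUTH = {"api_key", "ssh_key"}  # non-interactive credentials


def load(text):
    """Parse the CSV inventory into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows, today, stale_days=90):
    """Return {username: [findings]} for accounts that drift from the baseline."""
    findings = {}
    for r in rows:
        issues = []
        if r["user_type"] == "service":
            if r["auth_method"] not in KEY_AUTH:
                issues.append("service account uses interactive auth")
            if r["web_access"] == "yes":
                issues.append("service account has web access")
            if r["jailed"] != "yes":
                issues.append("service account not jailed to home folder")
        elif r["user_type"] == "external":
            if not r["expires"]:
                issues.append("external user has no expiration date")
            if r["web_access"] == "yes":
                issues.append("external user has web access; confirm workflow need")
        # Unused accounts of any type are candidates for disabling.
        last = r["last_login"]
        if not last or today - date.fromisoformat(last) > timedelta(days=stale_days):
            issues.append(f"no login in {stale_days} days")
        if issues:
            findings[r["username"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(load(SAMPLE), date(2025, 6, 2)).items():
        print(user, "->", "; ".join(issues))
```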