User Onboarding and Offboarding
Managing user access in Files.com goes beyond account creation and deletion. It involves ensuring that users and systems consistently have the correct access levels throughout their lifecycle. As a Site Administrator, your role is to implement a scalable, secure framework for onboarding internal employees, external collaborators, and service accounts while streamlining offboarding processes. Files.com supports both manual and automated provisioning methods, robust group-based permissions, and flexible folder and protocol controls to help you achieve this.
Identify Who You're Onboarding
Start by identifying the type of users you want to onboard. Internal users are typically employees or trusted contractors who need broad access to company resources.
External users include clients, vendors, trading partners, and temporary contractors who require scoped access to specific folders.
System users, or service accounts, represent internal or external systems connecting to Files.com for automated tasks such as integrations, workflows, automations, or scheduled file transfers.
Each type of user has different access needs, security requirements, and preferred onboarding methods. Files.com supports a wide range of onboarding and provisioning options, including one-time or automated onboarding, giving you the flexibility to adapt to your organization’s structure.
Onboarding Methods
Files.com offers several onboarding methods to help site administrators efficiently manage access for different user types. The right method depends on the scale of onboarding, the available identity infrastructure, and the level of automation required.
For one-off or small-scale onboarding, you can create users directly through the web interface, approve user requests, or clone existing user configurations. With CSV-based mass onboarding, you can define folder permissions, group assignments, protocol access, and expiration dates for multiple users at once. Advanced or programmatic onboarding is supported via the Files.com API, SDKs, or Files.com CLI, making it ideal for integration into internal workflows or custom systems.
SCIM provisioning is the most comprehensive method for organizations with centralized identity providers. Files.com supports SCIM integration with popular providers including Okta, Microsoft Entra ID, LDAP/Active Directory, OneLogin, JumpCloud, and SAML (any provider). It enables automated user creation, group mapping, updates, deactivation, and deletion. Permissions and protocol settings are enforced automatically via mapped groups, keeping Files.com access in sync with the identity provider.
LDAP-based onboarding is also supported for organizations using Active Directory or other LDAP services, allowing synchronization of user and group data from the existing directory structure.
In deployments with Child Sites, site administrators on the parent site can manage access to one or more child sites using a unified login. Users can be scoped to specific child sites, and folder permissions are managed independently per site. This setup is ideal for separating client environments, business units, or departments while maintaining central visibility.
Provisioning Based on Role
Once you have identified who you're onboarding, you can choose the appropriate provisioning method based on user type, scale, and available identity systems.
During provisioning, one of the key decisions is selecting how users will authenticate. Files.com supports a variety of authentication methods including SSO (SAML or OAuth), username and password, SFTP/SSH keys, API keys, and more. Internal users typically authenticate through SSO or SCIM, but may also use a username and password with optional two-factor authentication. Elevated roles such as Site Administrator, Group Admin, Read-Only Administrator, or Billing Administrator can be assigned to trusted users who help manage the environment.
Internal users benefit from automation via SCIM or Single Sign-On using your IdP. They are typically assigned to departmental groups and granted access to a home folder such as users/{username}. Permissions are applied through group membership, and protocol access may include the web interface, desktop apps, API, and certain protocol-based connections. If SCIM integration is unavailable or during large onboarding events, the bulk import method allows site administrators to define folder access, group memberships, and protocol settings for many internal users at once.
External users who are not part of the IdP are usually provisioned manually, through the Files.com CLI or API, or via bulk import. Their access is tightly scoped to specific folders like clients/{client-name}/ or projects/clientA/, and group assignments reflect restricted access roles. Authentication typically uses a username and password, with optional two-factor authentication. Protocol access is often limited to SFTP only. Expiration dates can be applied to ensure temporary access is revoked automatically. Protocol access for external users is restricted to just what they need, with web, mobile, and desktop interfaces disabled unless explicitly required.
System users or service accounts support file transfers or automation workflows. These accounts are assigned fixed home folders such as integrations/payroll_export and typically authenticate using API keys or SFTP/SSH keys. They typically do not use two-factor authentication and are jailed to their assigned folder. Web and desktop access is usually disabled. Files.com also supports shared bot users, allowing a single account to support multiple automated workflows. Limit the scope of these accounts and regularly review them to maintain security.
When creating a user, you can configure essential settings like role, protocol access, folder permissions, root or home folder, two-factor authentication, and access controls such as expiration dates or IP restrictions. You can also set language preferences and time zone for the user to ensure a localized experience.
Managing Groups and Permissions
Groups are the foundation of scalable access management in Files.com. Instead of assigning settings and permissions individually, add users to groups such as Finance, HR, or External Partners. Groups support folder permissions, protocol access settings, child site permissions, IP whitelisting, and even group-level notifications. Centralizing these settings in a group makes it easier to manage access and maintain consistency across users.
Users can belong to multiple groups, and their effective access is a combination of all assigned group permissions. SCIM group mapping enables your identity provider to control group assignments automatically. These mappings determine not only folder access but also protocol restrictions and user account status, allowing seamless, policy-driven provisioning from external systems.
Designing Folder Structures and Permissions
An intuitive folder structure simplifies navigation and permission management. The most straightforward way to organize folders is by department, project, or client. For example: departments/finance, projects/clientA, or integrations/ERP.
Folder permissions in Files.com are assigned directly to users or through group memberships to streamline access control. It's best practice to manage access primarily through groups, allowing changes to propagate efficiently across multiple users. Permissions define what actions a user can perform within a folder, such as read, write, delete, or full control.
Permissions follow a hierarchical model: access granted at a parent folder is inherited by subfolders unless overridden. For more precise control, you can insert a permission fence to break inheritance and define new rules for a specific folder path. Regularly reviewing and adjusting these permissions ensures users have the right level of access as needs evolve.
Folder structures can be locked to prevent renaming, deletion, or creation by unauthorized users.
Only Site Administrators have access to the root folder by default. Scope all other users to their respective folders as needed.
Assigning Home Folders
Files.com allows automatic creation of home folders during provisioning. For example, internal users may have folders under users/{username} or a departmental structure like departments/finance/{username}. External users receive scoped access to limited paths, while service accounts are mapped to integration-specific locations such as integrations/payroll_export.
Preconfigure the folders with subdirectories like incoming and outgoing to help standardize file workflows. To replicate an existing folder layout, Files.com allows you to copy just the folder structure (without its contents) using the Only copy the folder structure option.
Users who connect via FTP or SFTP land in their assigned home folder by default. Enabling the jail to home folder setting restricts their visibility to that folder alone, which is especially useful for external users and service accounts. By tailoring the home folder strategy for each user type, such as internal, external, or system, site administrators maintain clear organization, enforce strong security practices, and simplify user onboarding.
Controlling Protocol Access
Files.com supports multiple access methods including the web interface, SFTP, FTP, WebDAV, API, and mobile and desktop apps. Protocol access is controlled through user or group assignments.
Enforce strict protocol access per user or group to reduce the surface area for unauthorized activity.
Internal users often require interactive access via the web and desktop apps. Restrict external users to the protocols they need, such as SFTP. System users or service accounts typically require API access or certain protocol access such as FTP, SFTP, or WebDAV.
Offboarding Users Securely
Offboarding is just as important as onboarding and plays a critical role in maintaining security and resource control. For SCIM or LDAP-provisioned users, removing the user from the identity provider automatically deactivates their Files.com account and revokes group-based access if applicable.
For manually managed users, Site Administrators deactivate accounts directly, set expiration dates to automatically disable accounts after a specific period, or delete users when necessary. Files.com also supports automatic deactivation of inactive accounts and newly created users who never log in, with the option to configure exceptions.
Automatically remove disabled accounts after a set number of days. Removing users from groups immediately revokes their folder and protocol access. Regularly review accounts without a predefined expiration date, and disable them when no longer needed.
These controls support secure and consistent user lifecycle management across all provisioning methods.
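One way to run the periodic review this guide recommends is to check a user export against the per-type rules above (expiration and SFTP-only access for external users, key-based authentication and jailing for service accounts, root access for Site Administrators only, idle accounts). This is an added example, not Files.com code: the CSV column names, the sample rows, and the 90-day idle threshold are constructed assumptions, not a Files.com export format.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are hypothetical, not a Files.com format.
SAMPLE_EXPORT = """\
username,type,role,protocols,home_folder,jailed,expires_on,auth,last_login
alice,internal,site_admin,web;desktop;api,/,no,,sso,2025-05-30
bob,internal,user,web;desktop,users/bob,no,,sso,2025-01-02
acme_upload,external,user,sftp,clients/acme,yes,2025-12-31,password,2025-05-28
vendor_x,external,user,sftp;web,clients/vendorx,no,,password,
payroll_bot,service,user,api;sftp,integrations/payroll_export,yes,,api_key,2025-06-01
erp_bot,service,user,web;sftp,/,no,,password,2025-06-01
"""

INTERACTIVE = {"web", "desktop", "mobile"}
MAX_IDLE_DAYS = 90  # assumed review threshold, not a Files.com default

def audit(export_text, today):
    """Return {username: [findings]} for accounts that break the guide's rules."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        protocols = set(filter(None, row["protocols"].split(";")))
        # Only Site Administrators should be scoped to the root folder.
        if row["home_folder"].strip("/") == "" and row["role"] != "site_admin":
            issues.append("root folder access without Site Administrator role")
        if row["type"] == "external":
            if not row["expires_on"]:
                issues.append("external user has no expiration date")
            if protocols & INTERACTIVE:
                issues.append("external user has interactive protocols enabled")
        if row["type"] in ("external", "service") and row["jailed"] != "yes":
            issues.append("not jailed to home folder")
        if row["type"] == "service":
            if row["auth"] not in ("api_key", "ssh_key"):
                issues.append("service account not using API or SSH key")
            if protocols & INTERACTIVE:
                issues.append("service account has web/desktop access")
        if not row["last_login"]:
            issues.append("never logged in")
        elif (today - date.fromisoformat(row["last_login"])).days > MAX_IDLE_DAYS:
            issues.append(f"idle more than {MAX_IDLE_DAYS} days")
        if issues:
            findings[row["username"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_EXPORT, date(2025, 6, 2)).items():
        print(user, "->", "; ".join(issues))
```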
Conclusion
Files.com provides site administrators with flexible and powerful tools to manage user access throughout the entire lifecycle. Whether onboarding employees through SCIM, provisioning external users manually, or setting up service accounts, Files.com scales to meet your needs. By leveraging group-based access, structured folder organization, protocol restrictions, and home folder automation, administrators enforce security, maintain compliance, and streamline user management across the platform.