
Groups

Groups in Files.com map one-to-one with how groups already exist in every enterprise SSO system. Most organizations already use groups inside their identity provider to mirror departments, job functions, or teams. Files.com Groups inherit that structure, so provisioning groups becomes an extension of what you already have.

If your identity provider has a group called "HR," you can mirror that Group in your Files.com site and assign it the right permissions, such as full access to the HR folder. When your identity system is updated as people join or leave the HR department, those changes cascade into your Files.com site automatically. You don't have to touch each user's permissions individually because the Group does the work.

Groups are the connective tissue between your existing enterprise identity model and the permissions framework inside your Files.com site. They also serve as a shortcut for assigning rights to multiple users at once.

Managing Groups

Only Site Administrators can manage groups and assign existing users to them.

When you create a group, you must give it a unique Group name. We recommend using a name that is relevant to its purpose (e.g. a department or organization name) so that the group's purpose is obvious anywhere the name is listed.

You can also enter a Note for your reference. This note is not used by any other part of your Files.com site.

Users can be added as members of a group while you are creating the group, or later when you are editing the group.

Deleting Groups

When a group is deleted, group members lose any permissions granted by the group, but the user accounts are not removed.

Delegating Group Administration

Files.com includes the Group Admin feature, which delegates user management within a group to selected users. Group Admins can create and manage users within their group, including editing details, enabling or disabling accounts, deleting users, and managing passwords, based on Group Settings.

Group Membership Reporting

The web interface includes a Group Matrix display to clarify the structure of your groups and the members in those groups. The Group Matrix shows all the members on your system and their associated groups. You can filter the Group Matrix to show only selected groups.

The Membership Report shows which users are in which group on your site, and whether they are Group Admins for the group. Like the Group Matrix display, the Membership Report can only be accessed through the web interface by a Site Administrator or Read-only Admin. The Membership Report produces a CSV file for text-based analysis by another system.

Manage All Folder Permissions via Groups

To keep folder permissions consistent across your site, Site Administrators can require that all folder permissions be managed through groups rather than assigned to individual users.

With this feature enabled, the group permission framework is enforced, and no one can grant individual user permissions either accidentally or intentionally.

This setting requires the Power or Enterprise plan.

Enabling this setting will not remove folder permissions previously granted to individual users.

When this feature is enabled, users will not automatically receive access permissions to folders, including those created automatically. You will need to assign the appropriate permissions to each folder and user separately.

Manage Protocol Access

Protocol access for SFTP, FTP, WebDAV, Web, Desktop Access, and API can be managed at the group level. Managing protocol access this way keeps assignment, management, and auditing of protocol permissions consistent across your internal and external users, especially when you manage a large number of users through groups.

When the "Protocol access can be managed at group only" setting is enabled, users with existing protocol access can have it removed, and any new users will have their protocol access set by their associated groups.

All existing and new groups have permissions set to "Disallowed" for all protocols by default. Before switching to the "Protocol access can be managed at group only" setting, enable protocol access for the appropriate groups. Once this setting is saved, users must belong to a group with access to connect.

Site Administrators are always allowed to access Web, Desktop Access, and API regardless of the permissions set at the group or user level.
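
A pre-flight check for the switch described above, as an added example that is not Files.com code: it reports which users would lose a protocol they use today once access is decided by groups only. The data layout, function names, and sample users are assumptions constructed for illustration, and treating membership in any one allowed group as sufficient is a reading of "users must belong to a group with access."

```python
# Added example: pre-flight lockout check before enabling group-only
# protocol access. Names and data layout are assumptions, not a Files.com API.

# Per the page, Site Administrators always keep Web, Desktop Access and API.
ADMIN_ALWAYS = {"web", "desktop", "api"}

def effective_protocols(user, groups):
    """Protocols a user keeps once access is decided by groups only."""
    allowed = set()
    for name in user["groups"]:
        # A group with no explicit setting is "Disallowed" for every protocol.
        allowed |= set(groups.get(name, ()))
    if user.get("site_admin"):
        allowed |= ADMIN_ALWAYS
    return allowed

def lockout_report(users, groups):
    """Map username -> sorted protocols the user has today but would lose."""
    report = {}
    for user in users:
        lost = set(user["current"]) - effective_protocols(user, groups)
        if lost:
            report[user["name"]] = sorted(lost)
    return report

# Constructed sample data.
GROUPS = {
    "HR": {"web", "desktop"},
    "Partners": {"sftp"},
    "Legacy": set(),  # never configured: everything Disallowed
}
USERS = [
    {"name": "alice", "groups": ["HR"], "current": {"web", "sftp"}},
    {"name": "bob", "groups": ["Partners", "HR"], "current": {"sftp", "web"}},
    {"name": "carol", "groups": [], "current": {"web", "api"}},
    {"name": "dave", "groups": ["Legacy"], "current": {"api", "sftp"},
     "site_admin": True},
]

if __name__ == "__main__":
    for name, lost in lockout_report(USERS, GROUPS).items():
        print(f"{name}: would lose {', '.join(lost)}")
```

An empty report means every protocol in use today is covered by at least one group, so the setting can be saved without cutting off existing connections.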

IP Whitelisting

Whitelisting of specific IP addresses or IP ranges can be managed through groups. This lets you specify the IP addresses that group members are permitted to connect from to your Files.com site. The feature is useful when you use separate groups for internal and external users, or when groups are organized by user geographic location.

Only connections from the listed IP addresses or ranges will be permitted; all other connections will be denied. You can use this list to restrict connectivity to specific network locations, such as allowing connections only from your VPN or office locations.

IP whitelisting restrictions can also be applied at the site level or for individual users. If you are also restricting IP addresses per user or through the sitewide IP whitelist, users with addresses that exist in either list will be allowed to log in.
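
The "either list" rule above means a narrow group list can be widened by a broader site or user list. The following added example (not Files.com code) models the rule as a union of all configured lists and flags the entries that admit addresses outside the group's list. Function names and sample ranges are constructed, and treating "no list configured at any level" as "no restriction" is an assumption.

```python
import ipaddress

def _nets(entries):
    # strict=False accepts host-style entries such as "203.0.113.9/29".
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_allowed(ip, site=(), group=(), user=()):
    """True if the client address matches any configured list (union)."""
    nets = _nets(site) + _nets(group) + _nets(user)
    if not nets:
        return True  # assumption: no list at any level means no IP restriction
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)

def widening_entries(group, site=(), user=()):
    """Site/user entries admitting addresses outside the group's own list."""
    group_nets = _nets(group)
    return [
        str(n)
        for n in _nets(site) + _nets(user)
        if not any(n.version == g.version and n.subnet_of(g) for g in group_nets)
    ]

# Constructed sample lists (documentation address ranges).
VPN_GROUP = ["203.0.113.0/28"]
SITE_LIST = ["198.51.100.0/24", "203.0.113.8/29"]

if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7", "192.0.2.1"):
        print(ip, is_allowed(ip, site=SITE_LIST, group=VPN_GROUP))
    print("entries widening the group list:",
          widening_entries(VPN_GROUP, site=SITE_LIST))
```

Any entry returned by `widening_entries` is a network from which members of the group can still connect even though it is outside the group's own list.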

Role-Based Access Control (RBAC) with Files.com

You can use Groups in Files.com to implement RBAC. Determine the permissions for each role in your organization, then create Groups that reflect those roles and assign the associated permissions.

If you use an external identity provider (IdP) to manage your users through LDAP or Active Directory, Files.com integrates with many IdPs so that Groups synchronize between Files.com and the external IdP. See the SSO documentation for more information.

Desktop Configuration Profiles

Groups can also carry a Desktop Configuration Profile, so the Desktop App's mounted drive mapping policies apply to every member automatically during Desktop App pairing.