The real power of Groups is that they aren’t an invention of Files.com at all; instead, they’re designed to map one-to-one with how groups already exist in every enterprise SSO system. Most organizations already use groups inside their identity provider to mirror departments, job functions, or teams. Files.com Groups simply inherit that structure, which means provisioning groups becomes an extension of what you already have.

If your identity provider has a group called “HR,” you can mirror that Group in your Files.com site and assign it the right permissions, such as full access to the HR folder. As your identity system is updated because people join or leave the HR department, those changes cascade into your Files.com site automatically. You don’t have to touch each user’s permissions individually because the Group does the work.

Groups aren’t just a shortcut for assigning rights to multiple users at once, though they certainly do that. They’re the connective tissue between your existing enterprise identity model and the permissions framework inside your Files.com site.

Managing Groups

Only Site Administrators can manage groups and assign existing users to them.

When you create a group, you must give it a unique Group name. We recommend using a name that is relevant to its purpose (e.g. a department or organization name) so that the group's purpose is obvious anywhere the name is listed.

You can also enter a Note for your reference. This note is not used by any other part of your Files site.

Users can be added as members of a group while you are creating the group, or later when you are editing the group.

Deleting Groups

When a group is deleted, group members lose any permissions granted by the group, but the user accounts are not removed.

Delegating Group Administration

Files.com includes the Group Admin feature, providing added flexibility by delegating user creation within a group to select users. Group Admins can create new users who become members of their group, but only site administrators can remove users from a group or control who is a Group Admin.

Group Membership Reporting

The web interface includes a Group Matrix display to clarify the structure of your groups and the members in those groups. The Group Matrix shows all the members on your system and their associated groups. You can filter the Group Matrix to show only select groups.

The Membership Report shows which users are are in which in your site, and whether they are Group Admins for the group. Just like the Group Matrix display, the Membership Report can only be accessed through the web interface by a Site Administrator or Read-only Admin. The Membership Report produces a CSV file for easy text-based analysis by another system.

Manage All Folder Permissions via Groups

To ensure consistency in how your site applies folder permissions to users, site administrators can manage all folder permissions via groups, and not to individual users.

With this feature enabled, you can ensure that a group permission framework is followed, and no one - whether accidentally or purposely - grants users individual permissions.

This setting requires the Power or Premier plan.

Enabling this setting will not remove folder permissions previously granted to individual users.

If this feature is enabled, users will not automatically receive access permissions to folders, including those created automatically. You will need to assign the appropriate permissions to each folder and user separately.

Manage Protocol Access

Protocol access such as SFTP, FTP, WebDAV, Web, Desktop Access, and API access can be managed at the group level. Managing protocol access at the group level ensures proper assignment, management, and auditing of protocol permissions for your internal and external users, especially when managing a large number of users using groups.

When the setting Protocol access can be managed at group only setting is enabled, users with existing protocol access can have theirs removed, but any new users will have their protocol access set by their associated groups.

All existing and new groups have permissions set to 'Disallowed' for all protocols by default. Before switching to the setting Protocol access can be managed at group only, ensure that protocol access is enabled for the appropriate groups. Once this setting is saved, users must belong to a group with access to connect.

Site Administrators are always allowed to access Web, Desktop Access, and API regardless of the permissions set at the group or user level.

IP Whitelisting

Whitelisting of specific IP addresses or IP ranges can be managed via groups. This allows you to specify the IP addresses that group members are permitted to connect from to your Files.com site. This feature is particularly useful when using separate groups for internal and external users or when organizing groups based on user's geographical locations.

Only connections made from the listed IP addresses or ranges will be permitted; all other connections will be denied. You can utilize this list to restrict connectivity to specific network locations, such as allowing connections only from your VPN or office locations.

Note that IP whitelisting restrictions can also be applied at the site level or for individual users. If you are also restricting IP addresses per user or via the sitewide IP whitelist, users with addresses that exist in either list will be allowed to log in.

Role-Based Access Control (RBAC) with Files.com

Customers can use Groups in Files.com to implement RBAC with Files.com. If you determine the permissions and map them to the necessary roles in your organization and users, Groups can be created to reflect the roles and the associated permissions.

Additionally, if you are using an external identity/SSO solution (IdP) to manage the LDAP or ActiveDirectory of your users, Files.com can also integrate to many IdPs where the Groups will be synchronized between Files.com and the external IdP solution. Please refer to the SSO documentation for further information.