Administrative Permission Levels

Administrative permission levels define what management actions a user account can perform within a Files.com site. These permissions allow Site Administrators to delegate responsibilities safely, limit access to sensitive controls, and separate duties across teams without granting full administrative access to every user.

Each administrative role grants a clearly scoped set of capabilities. Some roles provide full control over the site, while others allow limited administration of users, folders, billing, or visibility into system configuration and logs. Choosing the correct administrative level helps maintain security, accountability, and operational clarity as your environment scales.

Site Administrator

Site Administrators have the most powerful level of access to your site. Users who are Site Administrators can manage everything within your Files.com site; there are no restrictions on the types of records that Site Administrators can change. For this reason, the best practice is to limit the Site Administrators for your site to only the users who require that level of access.

When a new site is created, the first user is a Site Administrator. That first user account may be modified by any other Site Administrator.

Site Administrators and Child Sites

Site Administrators for a parent site can connect to all its child sites. When they connect, those users will have the same level of access to the child site as a Site Administrator.

Users of a parent site can be made Site Administrators for a child site. This provides the same access for that user as creating their account within the child site and configuring them as a Site Administrator, but requires less configuration. With this approach, you only provision the user once in the parent site and manage their access to relevant child site content, rather than re-creating separate user accounts in each applicable child site for the same person.

Parent site users can be members of a group that is granted Site Administrator access to a child site, making it even easier to delegate administration for your child sites.

Users with Site Administrator access for a child site have full control over every file and folder within the child site. They can configure any of the settings for the child site that are not blocked by a child sites settings policy.

Partner Admin

Partner Admins are Partner Users who are designated to manage users within their own Partner. Their authority is limited to the Partner boundary and does not extend to site-level settings, internal users, Groups, or resources outside the Partner.

Site Administrators explicitly control Partner Admin capabilities through Partner Admin settings. These settings define which user management actions Partner Admins can perform for their Partner. Partner Admins have the same folder access as other Partner Users, cannot be added to Groups, and cannot hold administrative permissions outside the Partner.

Group Admin

Each group can have one or more members designated as a Group admin. Group admins can see which users are in their group. They can also create new users, who are added to that group.

Once users are created, group admins are not able to change the user accounts or remove users from the group. Only Site Administrators can change or remove group users.

Site Administrators can be designated as admins for a group, but that does not grant them any additional capabilities because Site Administrators can make any changes to any users or groups.

Folder Admin

Folder admin is a user or group permission that is granted for a folder. Users who are folder admins have full control over all the Folder Settings and Automations for a folder. Folder admins have unlimited access to the contents of their folder.

Folder admins can manage permissions for their folder by assigning or removing permissions for other users and groups, or by managing permission fences for the folder. They cannot add or remove their own folder permissions. As they can only manage folder permissions, they do not have access to create, change, or remove groups or other users.

Within the web interface, folder admins can list other user accounts, so they can create notifications and permissions for other users.

Unlike other permissions, the folder admin permission is always recursive, granting administrator level access for all sub-folders.

Site Administrators do not have permissions assigned for any folders, so a Site Administrator cannot also be a folder admin. While they do not have folder permissions, Site Administrators have unlimited access to every folder in their site.

Billing Administrator

Users can be designated as a Billing administrator in the user's settings. A billing administrator can see billing information, invoice history, and usage data. Billing administrators can open tickets with our support team, but they cannot grant site access to the support team.

Making a user account a billing administrator does not grant access to any files or folders.

Site Administrators are automatically billing administrators because Site Administrators have access to everything for a site, including billing information.

Read-only Administrator

Users can be configured as a Read-only administrator in the user's settings. A read-only administrator can view but not change site settings.

The read-only administrator setting is separate from the user's file or folder permissions. This means that a read-only administrator user must have Share permission in order to create their own share links, but they can view all existing share links because they are a read-only administrator. Similarly, a read-only administrator can see all existing automations, but must also be a Folder admin to create a new automation, or to make any changes to an automation.

Site Administrators can configure a read-only administrator to receive alert emails about problems with their site. These include alerts about LDAP, SMTP, Webhook or single sign-on integration failures, alerts about SSL certificates about to expire, Sync and GPG encryption/decryption errors, users locked out after too many failures, CLI operation failure for logs to be sent to the cloud and similar messages.

Site Administrators cannot be granted the read-only administrator privilege, because Site Administrators have full access to everything within your site.

Read-only Administrators and Child Sites

Users of a parent site can be made read-only administrators for a child site. This provides the same access for that user as creating their account within the child site and configuring them as a read-only administrator. This approach requires less configuration that creating separate user accounts for each child site, and it allows your users to log in at a central parent site to gain access to any of their child sites.

Parent site users can be members of a group that is granted read-only administrator access to a child site, making it even easier to delegate that access for your child sites.

Just like on a parent site, making a user a read-only administrator for a child site does not grant access to any files or folders of the child site. Read-only administrators on a child site will have access to view relevant site settings, but can't change those settings.

Demonstration Use Case

In this scenario, we have a mortgage broker that needs to assign the appropriate administration privileges for their Files.com site.

The mortgage broker operates from 2 separate branches (central and east). Carter is the head of IT, and works out of the central office. Ellen is a help desk technician stationed in the east office. Each office has a sales team, a processing team, and a client services team, and each of those teams have their own designated team leader. All vendor payments are handled by Chale, who works from the central office.

Carter, as the head of IT, will be a Site Administrator for the Files.com site. This means Carter can update any setting or file within the site. Carter can directly create any needed users, and groups, or set up automatic provisioning.

Carter defines user groups representing each team at each office, and assigns the users into their appropriate teams. Carter can assign folder permissions to the group to give each group member a base level of access to specific folders, and can assign his team leads admin-level access for specific folders.

Carter can designate the team lead users as group admins for their respective groups. As group admins, they will be able to add new users directly to their individual groups. With folder permissions assigned at the group level, this may be all the setup needed to create user accounts for new team members.

Ellen is responsible for helping the staff of the east office when they run into a technical problem, so she needs to access log files or review how an automation is configured. To achieve this, Carter makes Ellen a read-only administrator.

Finally, because Chale is responsible for vendor payments, Carter creates a user account for Chale that is not assigned to any of the department teams, and does not have access to any files or folders. The account for Chale is set as a billing administrator, allowing them to access the invoices for their Files.com site.