
User Provisioning and Management

User provisioning, also called onboarding, represents a core administrative function for controlling access to Files.com. Provisioning includes creating user accounts, defining authentication methods, assigning roles and group memberships, and granting folder permissions that determine which files, folders, and services each user can access.

Files.com provides user management capabilities that allow Site Administrators to update user information, adjust security settings, modify permissions, and manage access throughout the user lifecycle.

Site Administrators provision users manually or through automated provisioning depending on the scale of the environment and the identity infrastructure in use.

User administration supports delegated models. Group Admins and Partner Admins can be assigned as administrative permission levels. Group Admins create users within their assigned groups. Partner Admins create and manage users for their Partner organization. Site Administrators can also create users directly within Child Sites, where those users inherit that site’s authentication configuration and access boundaries.

Provisioning Methods

Files.com supports several methods for provisioning users.

Site Administrators can create individual users through the web interface. This approach works well for individual onboarding events.

Bulk import allows Site Administrators to create many users in one operation using a CSV file. Administrators define group membership, folder permissions, protocol privileges, and account settings during the import process.

Automated provisioning allows external identity systems and automation platforms to create and manage users automatically. Identity providers can synchronize users and groups through SCIM provisioning or create accounts during login through Just-in-Time (JIT) provisioning. Internal systems and automation workflows can also provision users through the Files.com API and SDKs, or the Files.com CLI.

Refer to the Automated Provisioning documentation for detailed guidance on these automation models and recommendations.

Provisioning Users

After configuring the site and establishing folder structures, Site Administrators select a provisioning method that aligns with their identity architecture and operational workflows.

During provisioning, Site Administrators define how users authenticate with Files.com. Files.com supports authentication through Single Sign-On (SSO) using SAML or OAuth, username and password authentication, SFTP/SSH keys, and API keys.

Site Administrators can enable Two-Factor Authentication (2FA) to strengthen account security. Two-factor authentication requires users to verify their identity through two independent authentication factors before accessing their account.

Authentication configuration, group membership, and permission assignments determine how users interact with files, folders, and services inside Files.com.

Managing Users

Managing users is an ongoing administrative function. It keeps each user's settings aligned with their role and responsibilities and keeps access to their account secure.

Site Administrators can update user details including name, email address, company name, tags, and internal notes. Tags help categorize users and can be used with User Lifecycle Rules to automatically disable or delete inactive accounts, while internal notes provide administrators with a place to store additional information about the user for administrative reference.

They can also manage a user's security settings, including authentication methods and Two-Factor Authentication (2FA). Administrative actions include resetting passwords, setting password expiration dates, updating protocol privileges, adding or removing SFTP/SSH keys or API keys, managing IP whitelists, and revoking active desktop connections.

Site Administrators can fine-tune folder or group permissions or modify the permission levels. They can establish access expiration dates, modify user roles, or disable the user. Site Administrators can also adjust a user's language, timezone, header text, or notification preferences, and review user activity.

Site Administrators can impersonate a user to view the web app exactly as that user sees it. This feature is especially useful after onboarding to confirm that access, permissions, and configurations are correctly applied. The impersonation session is read-only, allowing administrators to review settings without making any changes.

De-provisioning Users

As part of user lifecycle management, Site Administrators can de-provision, or off-board, users. De-provisioning is a vital security measure that prevents unauthorized access and optimizes resource allocation. Files.com provides Site Administrators with various methods to disable user accounts.

Site Administrators can manually enable or disable individual user accounts as needed. In addition, you can configure your site to automatically manage inactive users through the User Lifecycle Rules.

When a Site Administrator deletes a user manually, they can choose how to handle resources owned by the deleted user, including Share Links, Automations, GPG Keys, Remote Servers, Custom Forms, and folder settings. These resources can be reassigned to another user to maintain visibility and control, or left without an owner if reassignment is not required.

After creating new users, you can set a date for automatic account disabling if the user hasn't logged in by a particular time. You can set an access expiration date, after which the account will be disabled. There is also the option to permanently delete user accounts.

When Partners are used, de-provisioning can occur at the Partner level. Removing a Partner automatically deletes all users associated with that Partner. This ensures that access for the entire external organization is removed cleanly and prevents orphaned user accounts when a partnership ends.

Identity Provider Provisioning and Management

When SCIM provisioning is configured with an external identity provider (IdP), the identity provider creates, updates, disables, or deletes users and groups in Files.com through the configured SCIM integration, based on changes made in the identity provider. These updates include user attributes like name, email address, group names, and memberships.

User and Group Provisioning Control

The settings "Allow manual creation, editing, and deletion of users outside of SSO based provisioning" and "Allow manual creation, editing, and deletion of groups outside of SSO based provisioning" determine whether administrators manage users and groups directly in Files.com or whether the identity provider manages them through SCIM provisioning.

By default, these settings remain enabled. Administrators can create, edit, enable, disable, and delete users and groups directly in Files.com. This configuration supports environments where administrators manage some accounts locally while the identity provider provisions others.

Disable these settings only when the identity provider manages all users and groups through SCIM. In this configuration, the identity provider acts as the authoritative source for user lifecycle state and group membership. All provisioning, updates, and deprovisioning originate in the identity provider and synchronize to Files.com through SCIM.

This configuration represents a narrowly scoped deployment. Environments often include users that do not exist in the identity provider, including external collaborators, partner users, supplier accounts, or service accounts. In these environments, keep these settings enabled so administrators can manage those accounts directly in Files.com while the identity provider continues to provision users through SCIM.

Enable manual management when administrators need to create or manage users directly in Files.com. This scenario includes external collaborators, partner users, service accounts, or other users that do not exist in the identity provider.

Lifecycle Rules with SSO or SCIM Provisioned Users

Do not apply Files.com User Lifecycle Rules to users authenticated through SSO or managed through SCIM provisioning. The identity provider controls the lifecycle state of these users. Lifecycle rules in Files.com introduce a second lifecycle control point and can create inconsistent lifecycle states between Files.com and the identity provider.

If SCIM provisioning manages users and the setting "Allow manual creation, editing, and deletion of users outside of SSO based provisioning" is disabled, administrators cannot re-enable accounts directly in Files.com after a lifecycle rule disables them. The identity provider must send an updated active state through SCIM to reactivate the user.
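
An added example, not Files.com code: a check for the inconsistent lifecycle states described above. It compares an identity provider export against a site user export and builds the SCIM 2.0 PatchOp body (RFC 7644) the identity provider would send to correct the `active` state. The record field names (`scim_managed`, `disabled`, `active`) and the sample users are constructed assumptions, not the Files.com or any IdP schema.

```python
import json

# Constructed sample data; field names are assumptions, not a real export schema.
IDP_USERS = {
    "alice@example.com": {"active": True},
    "bob@example.com": {"active": True},
    "carol@example.com": {"active": False},
}
SITE_USERS = [
    {"username": "alice@example.com", "scim_managed": True, "disabled": False},
    # Disabled on the site (for example by a lifecycle rule) but still active in the IdP.
    {"username": "bob@example.com", "scim_managed": True, "disabled": True},
    # Deactivated in the IdP but still enabled on the site.
    {"username": "carol@example.com", "scim_managed": True, "disabled": False},
    # Locally managed account: no IdP state to compare against.
    {"username": "vendor-sftp", "scim_managed": False, "disabled": True},
]

PATCHOP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_active_patch(active):
    """SCIM 2.0 (RFC 7644) PATCH body that sets a user's 'active' attribute."""
    return {"schemas": [PATCHOP_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": active}]}


def find_drift(idp_users, site_users):
    """Return SCIM-managed users whose site state disagrees with the IdP."""
    findings = []
    for user in site_users:
        if not user["scim_managed"]:
            continue
        name = user["username"]
        idp = idp_users.get(name)
        if idp is None:
            findings.append({"username": name, "issue": "missing_in_idp", "patch": None})
            continue
        if idp["active"] != (not user["disabled"]):
            issue = "disabled_on_site" if idp["active"] else "active_on_site"
            findings.append({"username": name, "issue": issue,
                             "patch": scim_active_patch(idp["active"])})
    return findings


if __name__ == "__main__":
    for finding in find_drift(IDP_USERS, SITE_USERS):
        print(finding["username"], finding["issue"], json.dumps(finding["patch"]))
```

Each finding carries the PATCH body that restores the IdP's state; an `active_on_site` finding is the higher-risk case, because a deprovisioned identity still has a working account.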
