Yes

1.8

This option specifies whether or not to disable all accounts that are associated with this group.

When set to No, all accounts from this group will be disabled and authentication will fail for these accounts.

''

1.7

This is a free form text for attaching notes or a description to this group.

Example:

[groups/92ad5b32-d8d7-4ed8-94e1-dbb9f01383f4]
name = OS file transfer
description = OS accounts with access to the file server.

Empty

1.6

This option specifies the path to the base folder, where the files for this group's accounts are stored. The home folder is used as the initial current folder for new connections.

It may contain the ${USER} placeholder which will be replaced with the user's name for each account.

If the defined path value does not contain the ${USER} placeholder, the placeholder is automatically appended to the end of the path. In this way all users from the group will have different home folders. This is why c:\\Users has the same effect as c:\\Users\\${USER}

The ${SHARED} marker can be used when all the accounts from this group should inherit the same path, without having the username appended to the path.

For example, if you want to have all the users from a group to have the same home folder path as c:\\FTP-Pub\\Inbox you can set the following configuration option below:

[groups/92ad5b32-d8d7-4ed8-94e1-dbb9f01383f4]
home_folder_path = ${SHARED}C:\FTP-Pub\Inbox

As another example, the ${OS_HOME} can be used as a placeholder for the user's home folder path provided by the operating system:

[groups/92ad5b32-d8d7-4ed8-94e1-dbb9f01383f4]
home_folder_path = ${OS_HOME}

When the option is left empty it will require each account associated with the group to define its own home folder path.

When defined, it should be defined as an absolute path.

On Windows: c:\\Users\\${USER}\\reports will be mapped as c:\\Users\\some_user\\reports for the account named some_user.

On Unix-like systems: /home/${USER}/reports will be mapped as /home/some_user/reports for the account named some_user.

When defining the home_folder_path for a group, the accounts belonging to it should use the Inherit value, otherwise the group values will not be applied. For a better understanding, please follow the explanations and examples on properties inheritance.

No

1.6.0

This option specifies whether or not the server should create the home folders for the accounts belonging to the group, in the case that they are missing.

If this option is set to No the server will deny access to users for which the home folder is not already created. When set to Yes the server will try to create missing home folders for users that have been successfully authenticated.

${DEFAULT_OS_USER}

1.6.0

When the server is configured to automatically create missing home folders, this option specifies who the owner of the newly created folder should be.

When this value is set to ${DEFAULT_OS_USER}, the folder owner will be set to the default value specified by the operating system.

${DEFAULT_OS_GROUP}

1.6.0

When the server is configured to automatically create missing home folders, this option specifies what operating system group should be associated with the newly created folder.

When this value is set to ${DEFAULT_OS_GROUP}, the folder group owner will be set to the default value specified by the operating system.

any

4.10.0

This defines the set of valid credentials required for authenticating this group of accounts.

Set it to password to authenticate an account once it provides a valid password.

Set it to ssh-key to authenticate an account once it provides a valid SSH key. The provided key is checked against all SSH keys from the configured list.

Set it to password, ssh-key to authenticate an account only if it provides both a valid password AND a valid SSH key.

Leave it empty or set it to any to authenticate the account once it provides any type of credentials, e.g. a valid password OR a valid SSH key.

Empty

1.7.0

This option specifies whether or not the server will permit access using a list of known SSH keys for each user.

It is defined as a path to a folder containing files with allowed SSH keys, each file name being associated with an account name.

Set it to the empty value to disable SSH key-based authentication.

More details about SSH key authentication can be found in the dedicated section.

When the defined value does not contain the ${USER} placeholder, the placeholder is automatically appended at the end of the path. In this way all users from the group will have different SSH authorized files. This is why for example setting the value to c:\\Path has the same effect as c:\\Path\\${USER}

Use the ${SHARED} prefix when you want all users from the group to use a single file to store the authorized SSH keys.

The files should be readable by the account under which the SFTPPlus process operates.

Failure occurs if private keys are found in the configured path.

Empty

3.45.0

This option defines the source IP addresses (v4 or v6) from which file transfer clients are allowed to authenticate for the accounts from this group.

You can configure a single source IP for which to allow authentication for this account.

To allow authentication from multiple source IPs, define them as a comma-separated list or a range of IP addresses from the same subnet using the Classless Inter-Domain Routing (CIDR) notation.

Leave it empty to allow this account to be authenticated from any source IP address.

Yes

1.8.1

Allow this group to authenticate using SSL certificates.

Certificates need to be issued using the same Common Name field (CN) as the account name.

If SSL certificate base authentication is not enabled, accounts belonging to this group will have to use other means of authentication.

Yes

4.9.0

This defines whether the AS2 partner is required to perform HTTP authentication together with the incoming AS2 message request.

Set it to No to allow receiving AS2 from non-authenticated HTTP connections. SFTPPlus will still validated the signature and encryption of the received AS2 message.

For increased security, we recommend setting this to Yes.

No

3.43.0

Allow users of this group to change their own password.

In order for a new password to be changed, it must meet the password policy requirements.

0

3.46.0

Number of days for which a password is valid.

Once a new password is set, it is valid for the configured number of days.

If the password is not changed for the configured number of days, the account is automatically disabled. To re-enable it, a new password needs to be set by an administrator.

Empty folder

3.18.0

A directory or a list of directories to be automatically created for accounts which were successfully authenticated.

The configured directories can't be defined outside of the home folder path. This is why they are defined relative to the home folder path. Even if you define them as /pull/invoices for:

[groups/92ad5b32-d8d7-4ed8-94e1-dbb9f01383f4]
home_folder_path = /users/John

The /users/John/pull/invoices folder will be created. The same /users/John/pull/invoices is created for a configuration value of pull/invoices (notice the meeting leading slash).

The directories should be defined using slash (/) delimiter, even when the account is targeted for a Windows system. Do not include the drive letter. Do not use absolute paths.

Parent directories are not created. This is done in order to prevent creating directories caused by accidental typos. If you need to create a deep structure, configure each parent on a separate line. For example, to create the sub-directory /pull/invoices configure the value as:

[groups/92ad5b32-d8d7-4ed8-94e1-dbb9f01383f4]
home_folder_structure =
    /pull
    /pull/invoices

allow-full-control

3.28.0

This allows access rights to be defined in the file management operations permitted for the accounts from this group.

The permissions control the ability of the account to read, write, and navigate the contents of the files and folders associated to the account.

The following permissions are supported:

• allow-full-control / deny-full-control

• allow-read

• allow-list

• allow-create-folder

• allow-traverse

• allow-write

• allow-rename

• allow-delete-folder

• allow-delete-file

• allow-set-attributes

You can define multiple permissions by separating them with commas.

When not set, the members of the group will have full access to any of their files.

Different permissions can be set for different paths.

The first set of permissions will apply to any path for which there is no explicit configuration. They are called the global permissions. The global permissions are only used for accounts for which this group is the primary group.

All the remaining sets of permissions will define per-path permissions. The first value in the list is a path matching expression, followed by the permissions for those paths.

The path expressions are matched against the virtual path, that is the path as observed by the client-side and not the real path on the server's storage.

For more detailed information and examples on how to configure the permissions, see the dedicated authorization documentation.

Empty

3.30.0

This configuration allows the option to transparently amend the file name used during a file upload request.

Set it to uuid-prefix to have an UUID version 4 prefixed to the file name.

Leave it empty to not amend the file names for the upload requests.

Empty

3.35.0

By defining one or more virtual folders, you can allow access to selected files which are located outside an account's locked home folder.

This is a comma-separated list of values containing two elements - the virtual path and the real path.

The virtual path is always in Unix-like format (slash separators) and should be an absolute path, relative to the account's home folder.

The real path can be a Unix-like or Windows path and should be an absolute path to an existing folder on the local filesystem.

For example, to allow access to a folder D:\pull\invoices as /team-invoices and to a folder E:\storage\company as /company/storage for an account which is locked in c:\Users\Johnd:

[groups/92ad5b32-d8d7-4ed8-94e1-dbb9f01383f4]
home_folder_path = C:\users
virtual_folders =
    /team/invoices, D:\pull\invoices
    /company/storage, E:\storage\company

For more details and examples on how to configure virtual folders, see the filesystem access documentation.