13.14. Group inheritance for permissions
We created this short guide as the starting resource for those interested in using SFTPPlus groups to allocate account permissions.
Permissions can be set at the operating system level (for example, by changing the Windows file and folder permissions settings), but they can also be set at the application level via the SFTPPlus groups configuration. Please note that the OS permissions override the application-level permissions set in SFTPPlus.
Let's say you need better control to allocate permissions based on groups of users.
To give you an example of how the group permissions configuration option works, suppose alice, bob and charlie are three accounts with permissions set to upload FTP files. They belong in a group called Education_Group_A:

    [groups/b904e6a6-d29f-4ccf-8abd-edcae4d3324f]
    name = Education_Group_A
    enabled = Yes
    permissions = read
We set the Education_Group_A group to only have allow-read permissions, meaning that the accounts in this group can only upload files, download existing files or obtain the attributes of files.
If one of the users, alice, requires additional permissions to create a folder while maintaining the permissions for bob and charlie, the user alice will need to be allocated into another group that has
You cannot change the settings for Education_Group_A in order to fix the alice account, since the changes will also affect the other users in that group, in this case bob and charlie.
For example, even when an account is configured with full-control permissions in SFTPPlus, if the OS does not permit the account to read, write, delete and create files or folders, the operation will still fail with a permission error.
Administrators can set user-level permissions that will override a group's permissions.
The alice account can only have read permissions:

    [accounts/4b535c97-c15a-4632-8b29-9aca6cff5ce8]
    name = alice
    type = application
    group = b904e6a6-d29f-4ccf-8abd-edcae4d3324f
    permission = allow-read
The charlie account can only have write permissions:

    [accounts/dc90e2c7-1149-4b8b-9e7e-91f96c4c607a]
    name = charlie
    type = application
    group = b904e6a6-d29f-4ccf-8abd-edcae4d3324f
    permission = allow-write
And the rest of the users in the Education_Group_A group (in this case, one of them is bob) need allow-full-control permissions:

    [accounts/30548ad7-0090-4c44-82d2-cfcc1c4b7351]
    name = bob
    type = application
    group = b904e6a6-d29f-4ccf-8abd-edcae4d3324f
    permission = Inherit

    [groups/b904e6a6-d29f-4ccf-8abd-edcae4d3324f]
    name = Education_Group_A
    enabled = Yes
    permissions = allow-full-control
In the user configuration sections for alice and charlie you can set their own permissions, while bob will inherit the permissions set by the Education_Group_A group.
Once set, SFTPPlus will respect the user-level permissions set for alice and charlie even though the Education_Group_A group has allow-full-control permissions.
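The resolution rule described above (an explicit account `permission` wins; `Inherit` takes the group's `permissions`) can be checked against a configuration file before it is deployed. The following script is an added example written for this guide, not SFTPPlus code: it parses the same INI-style sections shown on the page with Python's standard `configparser`, computes each account's effective permission, and lists which accounts would be affected by a change to the group. The `enabled` flag is read but not interpreted, since the page does not describe its effect on inheritance.

```python
"""Resolve effective per-account permissions from SFTPPlus-style group inheritance.

Added illustration, not SFTPPlus's own resolution logic. It implements the rule
the guide describes: an account's explicit `permission` overrides its group's
`permissions`; the value `Inherit` takes the group's `permissions`.
"""
import configparser

# Constructed sample mirroring the sections shown on the page:
# one group and three accounts (alice, charlie explicit; bob inherits).
SAMPLE_CONFIG = """
[groups/b904e6a6-d29f-4ccf-8abd-edcae4d3324f]
name = Education_Group_A
enabled = Yes
permissions = allow-full-control

[accounts/4b535c97-c15a-4632-8b29-9aca6cff5ce8]
name = alice
type = application
group = b904e6a6-d29f-4ccf-8abd-edcae4d3324f
permission = allow-read

[accounts/dc90e2c7-1149-4b8b-9e7e-91f96c4c607a]
name = charlie
type = application
group = b904e6a6-d29f-4ccf-8abd-edcae4d3324f
permission = allow-write

[accounts/30548ad7-0090-4c44-82d2-cfcc1c4b7351]
name = bob
type = application
group = b904e6a6-d29f-4ccf-8abd-edcae4d3324f
permission = Inherit
"""


def load(text):
    """Split the INI text into {uuid: section} dicts for groups and accounts."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    groups, accounts = {}, {}
    for section in parser.sections():
        kind, _, uuid = section.partition("/")
        if kind == "groups":
            groups[uuid] = dict(parser[section])
        elif kind == "accounts":
            accounts[uuid] = dict(parser[section])
    return groups, accounts


def effective_permission(account, groups):
    """Return the permission that applies to one account.

    An explicit value on the account wins; `Inherit` (the assumed default when
    the key is absent) falls back to the referenced group's `permissions`.
    """
    own = account.get("permission", "Inherit")
    if own.lower() != "inherit":
        return own
    group = groups.get(account.get("group", ""))
    if group is None:
        raise ValueError(
            "account %r inherits from unknown group %r"
            % (account.get("name"), account.get("group"))
        )
    return group["permissions"]


def resolve_all(text):
    """Map every account name to its effective permission."""
    groups, accounts = load(text)
    return {acc["name"]: effective_permission(acc, groups) for acc in accounts.values()}


def inheriting_members(groups, accounts, group_uuid):
    """Names of accounts whose effective permission would change if the
    group's `permissions` value were edited (those set to Inherit)."""
    return [
        acc["name"]
        for acc in accounts.values()
        if acc.get("group") == group_uuid
        and acc.get("permission", "Inherit").lower() == "inherit"
    ]


if __name__ == "__main__":
    for name, perm in resolve_all(SAMPLE_CONFIG).items():
        print("%-8s -> %s" % (name, perm))
    g, a = load(SAMPLE_CONFIG)
    print("inherit from group:", inheriting_members(g, a, "b904e6a6-d29f-4ccf-8abd-edcae4d3324f"))
```

Running it on the sample prints alice as allow-read, charlie as allow-write and bob as allow-full-control, and reports bob as the only member whose access would change if the group's `permissions` line were edited, which is exactly why the guide recommends a per-account override rather than changing the group. Remember that this only models the application layer; the OS-level permissions still apply on top of whatever this resolves to.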
You can read more about the configuration options in the group configurations page.
You can use SFTPPlus to implement AAA (Authentication, Authorization and Accounting) systems in order to track user activities and to control their access to resources on the network.
This guide focused on the Authorization component. For information on covering the Authentication process, check the authentication section, and for the Accounting process, see the account documentation.