Documentation

server-side security since-version:3.28.0

13.14. Group inheritance for permissions

We created this short guide as the starting resource for those interested in using SFTPPlus groups to allocate account permissions.

Permissions can be set on the operating system level (for example, via changing the Windows file and folder permissions setting) but they can also be set on the application level via the SFTPPlus groups configuration. Please note that the OS permissions is overrides the application-level permissions set in SFTPPlus.

Let's say you need better control to allocate permissions based on groups of users.

To give you an example of how the group permissions configuration option work, bob, charlie and alice are three accounts with permissions set to upload FTP files. They belong in a group called Education_Group_A:

[groups/b904e6a6-d29f-4ccf-8abd-edcae4d3324f]
name = Education_Group_A
enabled = Yes
permissions = read

We set the Education_Group_A group to only have allow-read permissions, meaning that the accounts in this group can only upload files, download existing files or obtain the attributes of files.

If one of the users, alice, requires additional permissions to create a folder while maintaining the permissions for bob and charlie, the user alice will need to be allocated into another group that has allow-full-control permission.

You cannot change the settings for Education_Group_A, in order to fix the alice account since the changes will also affect the other users in that group, in this case bob and charlie.

For example, even when account is configured with full-control permissions in SFTPPlus, if the OS does not permit the account to read, write, delete and create files or folders, it will still fail with a permission error.

13.14.1. Managing user-level permissions and group inheritance

Administrators can set user-level permissions that will override a group permissions.

Let's say alice can only have read permissions:

[accounts/4b535c97-c15a-4632-8b29-9aca6cff5ce8]
name = alice
type = application
group = b904e6a6-d29f-4ccf-8abd-edcae4d3324f
permission = allow-read

The charlie account can only have write permissions:

[accounts/dc90e2c7-1149-4b8b-9e7e-91f96c4c607a]
name = charlie
type = application
group = b904e6a6-d29f-4ccf-8abd-edcae4d3324f
permission = allow-write

And the rest of the users (in this case, one of them is bob) in the Education_Group_A group need allow-full-control permissions:

[accounts/30548ad7-0090-4c44-82d2-cfcc1c4b7351]
name = bob
type = application
group = b904e6a6-d29f-4ccf-8abd-edcae4d3324f
permission = Inherit

[groups/b904e6a6-d29f-4ccf-8abd-edcae4d3324f]
name = Education_Group_A
enabled = Yes
permissions = allow-full-control

On the user configuration sections for alice and charlie you can set their own permissions, while bob will inherit permissions set by Education_Group_A. Once set, SFTPPlus will respect the user-level permissions set for alice and charlie even though the Education_Group_A group has full-control permission.

13.14.2. More information

You can read more about the configuration options in the group configurations page.

You can use SFTPPlus to implement AAA (Authentication, Authorization and Accounting) systems in order to track user activities and to control their access to resources on the network.

This guide focused on the Authorization component. For information on covering the Authentication process, check the authentication section, and for the Accounting process, see the account documentation.