Documentation forServ-U MFT & Serv-U FTP Server

Serv-U domain groups

Groups provide a method of sharing common configuration options with multiple user accounts. Configuring a group is similar to configuring a user account. Groups can be created at the server or domain level.

Virtually every configuration option available for a user account can be set at the group level. For a user to inherit a group's settings, it must be a member of the group. Permissions and attributes inherited by a user through group membership can still be overridden at the user level. A user can be a member of multiple groups in order to acquire multiple collections of permissions, such as directory or IP access rules.

However, groups are only available to user accounts that are defined at the same level. In other words, a global user (a user defined at the server level) can only be a member of a global group. Likewise, a user defined for a specific domain can only be a member of a group also created for that domain. This restriction also applies to groups created in a database in that only users created within a database at the same level can be members of those groups.

Add a group

  1. From the Groups page, click the Add button.

    The Group Properties window is displayed.

  2. Enter or navigate to the home directory for users in this group. This is where the users are placed immediately after logging in to the file server. This must be specified using a full path including the drive letter or the UNC share name.

    When you specify the home directory, you can use the %USER% macro to insert the login ID in to the path. This is used mostly to configure a default home directory at the group level or within the new user template to ensure that all new users have a unique home directory. When it is combined with a directory access rule for %HOME%, a new user can be configured with a unique home directory and the appropriate access rights to that location with a minimal amount of effort.

    You can also use the %DOMAIN_HOME% macro to identify the user's home directory. For example, to place a user's home directory into a common location, use %DOMAIN_HOME%\%USER%.

    The home directory can be specified as "\" (root) in order to grant system-level access to a user, allowing them the ability to access all system drives. In order for this to work properly, the user must not be locked in their home directory.

  3. Select the Administration Privilege for this users in this group. This can be:

    No Privilege A regular user account that can only transfer files to and from the File Server. The Serv-U Management Console is not available.
    Group Administrator A Group Administrator can only perform administrative duties relating to their primary group (the group that is listed first in their Groups memberships list). They can add, edit, and delete users which are members of their primary group, and they can also assign permissions at or below the level of the Group Administrator. They may not make any other changes.
    Domain Administrator

    A Domain Administrator can only perform administrative duties for the domain to which their account belong, and is also restricted from performing domain-related activities that may affect other domains. The domain-related activities that may not be performed by Domain Administrators are:

    • configuring their domain listeners
    • configuring or administering LDAP groups
    • configuring ODBC database access for the domain
    System Administrator A System Administrator can perform any file server administration activity including creating and deleting domains, user accounts, and even updating the license of the file server. A user account with System Administrator privileges logged in through HTTP remote administration can administer the server as if they had physical access to the server.
    Read-only Group/Domain/Server Administrator Read-only administrator accounts can allow administrators to log in and view configuration options at the group, domain or server level, greatly aiding remote problem diagnosis when working with outside parties. Read-only administrator privileges are identical to their full-access equivalents, except that they cannot change any settings, and cannot create, delete or edit user accounts.
  4. If you have the MFT edition of Serv-U, you can specify a SSH public key to be used to authenticate users in this group when logging in to the the Serv-U File Server. The public key path should point to the key file in a secured directory on the server. This path can include the following macros:

    %HOME%

    The home directory of the user account.

    %USER%

    The login ID, used if the public key will have the login ID as part of the file name.

    %DOMAIN_HOME%

    The home directory of the domain, set in Domain Details > Settings, used if the keys are in a central folder relative to the domain home directory.

    Examples:

      %HOME%\SSHpublic.pub

      %HOME%\%USER%.pub

      %DOMAIN_HOME%\SSHKeys\%USER%.pub

    For information on SSH public key authentication, adding a SSH key pair, and creating an key pair for testing, see New SSH Key Pair Creation.

  5. Select the default web client to be displayed when a user in this group logs in.

    If your Serv-U license enables the use of FTP Voyager JV, then users connecting to the file server through HTTP can choose which client they want to use after logging in. Instead of asking users which client they want to use, you can also specify a default client. If you change this option, it overrides the option specified at the server or domain level. It can also be inherited by a user through group membership. Use the Inherit default value option to reset it to the appropriate default value.

  6. Check or uncheck the following checkboxes:

    Always allow login

    Enabling this option means that users in this group are always permitted to log in, regardless of restrictions placed upon the file server, such as maximum number of sessions. It is useful as a fail-safe in order to ensure that critical system administrator accounts can always remotely access the file server. As with any option that allows bypassing access rules, care should be taken in granting this ability.

    Enabling the Always Allow Login option does not override IP access rules. If both options are defined, the IP access rules prevail.

    Enable account

    Deselect this option to disable user accounts in this group. Disabled accounts remain on the file server but cannot be used to log in. To re-enable accounts in this group, select the Enable account option again.

    Lock user in home directory

    Users locked in their home directory may not access paths above their home directory. In addition, the actual physical location of their home directory is masked because Serv-U always reports it as "/" (root).

    Apply group directory access rules first

    Deselect this option to place the directory access rules of the group below the user access rules.

    The order in which directory access rules are listed has significance in determining the resources that are available to a user account. By default, directory access rules specified at the group level take precedence over directory access rules specified at the user level. However, there are certain instances where you may want the user level rules to take precedence.

  7. Enter an optional description for this group account.
  8. Click Availability if you want to place limits on when users in this group can log in.
    1. Check Apply limit and select the start and end time to specify the period users in this group may log in.
    2. Tick the checkboxes for the days of the week on which users in this group may log in.
  9. Click Welcome Message if you want to sent a welcome message to the users in this group when they log in.

    The welcome message is a message traditionally sent to FTP clients during a successful user login. Serv-U extends this ability to HTTP so that users accessing the file server through the Web Client or FTP Voyager JV also receive the welcome message. This feature is not available to users logging in through SFTP over SSH2, because SSH2 does not define a method for sending general text information to users.

    1. Check Include if you want to include the response code in the welcome message test when an FTP connection is made.
    2. Either:
      • Select or navigate to a message file if you have already created a text file containing a welcome message.

      or:

      • Check the Override box, and enter a message specific to this user in the text box above it.
    3. Click Save.

Advanced settings

Once you have added the Group information you can use the following tabs on this window to complete setup.

Directory Access Directory access rules define the files and directories that users in this group have permission to access. At the group level, these rules are inherited from the domain and server level.
Virtual Paths Virtual paths are used to link a physical path that is outside the directory structure of the home directory of users in this group into the directory listings received by that user.
Logging This tab provides checkboxes to configure what information you want to be logged.
Members Displays the list of users in this group. This tab is display only - you need to use the Groups tab in the individual User Properties to select the groups to which that user belongs.
Events MFT only: Events let you automatically run programs, send email and show messages when triggered by Serv-U activities.
IP Access Set up and maintain Server IP access rules so that specific IP address can be allowed or denied access to all your file server domains for users in this group. These are checked when a physical connection is established with the file server, but before a welcome message is sent.
Limits & Settings There are various options that can be applied at the group level. You can specify on which days and at which time these limits apply.

Edit a group

Select a group and click Edit to open the Group Properties window, allowing you to edit that information for users in this group.

The group template

You can configure a template for creating new groups by clicking Template. The template group can be configured just like any other group, with the exception of giving it a name. After the settings are saved to the template, all new groups are created with their default settings set to those found within this template. This way you can configure the basic settings that you want all of your groups to use by default.