Web Interface - Users - Permissions

There are seven different levels of access a user may possess in the MOVEit DMZ system. The seven levels in order of increasing privilege are Anonymous, Temporary User/Guest, User, GroupAdmin, FileAdmin, Admin and SysAdmin.

The following table summarizes what each class of user permission can and cannot do. ("Y" = yes, "*" = if allowed/configured) Anonymous users (i.e., users who have not signed on) may only submit Webposts and attempt to sign on to the system as an authenticated user.

Activity SysAdmin Admin FileAdmin GroupAdmin User TempUser
Manage Organizations Y - - - - -
Manage Schemes Y - - - - -
Set/Download Debug Logs Y - - - - -
Set IP Lockout Policy Y - - - - -
Set User Lockout Policy Y Y - - - -
Manage Organization-Wide Settings (e.g., Branding) Y Y - - - -
Configure and Run Reports Y Y - - - -
View Audit/Transfer Logs Y Y Y * * *
Manage Users and Groups Y Y - * - -
Manage Address Books Y Y - * - -
Create/Delete Folders Y Y Y * * -
Grant Permissions to Folders Y Y Y * - -
Manage Other Folder Settings Y Y Y * * -
Delete Files Y Y Y * * -
Upload/Download/Move/Copy Files - Y Y * * -
Send/Read Packages - Y * * * Y
See a Restricted View Because of Display Profiles - - - * * *

Hint: Permission to download or upload files from specific folders is controlled in the "Permissions and Settings" section of those folders. Permission to send packages to specific users is controlled by "Address Books." Users can also inherit various rights from the groups of which they are members.

Anonymous

By definition anyone who has not signed onto the system is an anonymous user. Anyone who has signed onto the system becomes an authenticated user. As expected, an anonymous user enjoys the narrowest set of rights on the MOVEit DMZ system.

File Rights: An anonymous user may submit web forms into specific MOVEit DMZ "webpost" folders. Anonymous users may not upload/download files or send/receive packages.

Administrative Rights: An anonymous user may view the login screen of any particular Organization. If the user provides a valid username and password on the sign on screen, the user will be granted additional rights. Anonymous users are also barred from seeing the current version number of product. (Authenticated users may see the version number.)

Example(s):

Temporary User/Guest User

Temporary Users are an optional class of user that can be enabled and disabled per organization. They are only available in organizations where Ad Hoc Transfer is enabled. Temporary Users are user accounts that can be created by selected users on the DMZ system, and provide a minimal level of access to DMZ resources. Temporary Users are only allowed to participate in Ad Hoc Transfer; they do not have access to folders on the DMZ system and cannot upload and download files, except when those files are associated with packages. They are only allowed to sign in to DMZ through the web and API interfaces, not the FTP or SSH interfaces. Temporary users (like other users) can be configured to expire after a certain amount of time has passed. (See the Expiration Policy Feature Focus page for more information about expiration policies)

File Rights: A temporary user may view packages sent to them, download files from the package, and may send packages to users who they are authorized to send to. Temporary users may not participate in any other form of file transfer, and have no rights to any folders on the DMZ system.

Administrative Rights: A temporary user may change his or her password.

If the organization administrator configures Ad Hoc Transfer to create 'Temporary Users', when a registered user sends a package, the temporary-user recipients will receive a password for that package only. The temporary-user recipients will log on with that password, and can view a package, download files in it, and reply to the package. The Temporary User will have an account on the MOVEit DMZ system; the Temporary User suits limited-time use scenarios.

If the administrator enables Unregistered Senders along with 'Temporary Users', an unregistered user can self-register as a temporary-user sender. The temporary-user senders will either be automatically logged on after self-registering with a "Captcha" or they will manually log on with password using either a password or "password link" sent by email after they self-register. Then they can create a package, upload files to it, and send it.

Example(s):

A Guest User has capabilities similar to a Temporary User, except that the Guest User is further restricted to viewing or sending a single package. If the administrator configures Ad Hoc Transfer to use 'Package Passwords', when a registered user sends a package, the guest-user recipients will receive a password for that package only. The guest user recipients will log on with that password, and can view a package, download files in it, and reply to the package. The Guest User will not have an account on the MOVEit DMZ system; the Guest User suits one-time use scenarios.

If the administrator enables Unregistered Senders along with 'Package Passwords', an unregistered user can self-register as a guest-user sender. The guest-user senders will either be automatically logged on after self-registering with a "Captcha" or they will manually log on with password using a password sent by email after they self-register. Then they can create a package, upload files to it, and send it.

User

User accounts provide a basic level of access to the clients, customers and partners of a particular organization. Every user account comes with a home directory into which users can upload files for the organization and into which the organization will copy files for the user. Through the use of secure sockets, an encrypted channel is used to transport sensitive files safely between a user's home folder and the user's local computer across the Internet.

Frequently users are granted additional privileges to read files from organizational distribution folder.

A user lacks the power to view the files or activities of other users, but a user does have online access to an extensive audit of every activity which took place against their files or account. In any active organization most MOVEit DMZ accounts will be user accounts.

File Rights: A user may transfer files between his or her local computer and his or her home folder. A user also frequently has the ability to read files from one or more distribution folders.

Administrative Rights: A user may track his or her files and may see when changes were made to his or her account details. A user may change his or her own password, contact information and email address.

Example(s):

GroupAdmin

GroupAdmin permission is granted to Users on specific Groups. This class of permission will NOT appear in the "Permission" field of a user's record, but it will be indicated in the list of groups this user belongs to. GroupAdmin permission can mean different things depending on the specific group settings, but it generally means that a GroupAdmin has a limited ability to add/remove/modify other users in the GroupAdmin's group.

GroupAdmins are typically promoted to their position to allow remote administrators access control over a group of related users. For example, an insurance company may delegate GroupAdmin control to an IT staffer at a partner provider with twenty separate users on the insurance company's MOVEit DMZ. This would allow the IT staffer to control access by employees (or ex-employees!) of his own company. (This is particularly useful when dealing with companies with high turnover.)

See the "Web Interface - Groups - GroupAdmins" documentation for more information.

Hint: Add all users to an "All Users" group and make help desk Users GroupAdmins of the "All Users" group to allow your help desk to change passwords but not access the MOVEit filesystem.

FileAdmin

FileAdmin accounts allow selected people in the offices of a single MOVEit DMZ Organization to work with ALL files received from multiple Users and multiple anonymous web form submissions. Because of its relative power, the FileAdmin access level is an optional access level designed as a convenience for small organizations who wish to give a small group of trusted people complete access to any file which passes through their organization. (Larger organizations will find it useful to divide sections of file authority by assigning privileges to user groups.) One exception to this rule are accounts set up to allow MOVEit Central to connect; Central accounts are commonly FileAdmin accounts.

Hint: Use a FileAdmin account to connect MOVEit Central to MOVEit DMZ.

File Rights: A FileAdmin may view, edit, move, delete and download files from any folder in his or her Organization. A FileAdmin may create new folders or delete old folders. A FileAdmin may also upload files from his or her local computer into the MOVEit DMZ system.

Administrative Rights: A FileAdmin may track any files in his or her Organization including all files uploaded by his or her Organization's Users. A FileAdmin may see when changes were made to his or her account details. A FileAdmin may change his or her own password, contact information and email address.

Example(s):

Admin

The most powerful account in any Organization is an Admin account. These accounts allow people in the office of a MOVEit DMZ Organization to control the appearance, users, groups and security settings of their particular Organization. An Administrator has the power to add and delete other users, change colors and specify who users should contact with problems or questions. There will normally be only one or two Administrators for each MOVEit DMZ organization.

File Rights: (same as FileAdmin) An Administrator may view, edit, move, delete and download files from any folder in his or her Organization. An Administrator may create new folders or delete old folders. An Administrator may also upload files from his or her local computer into the MOVEit DMZ system.

Administrative Rights: An Administrator may track any files in his or her Organization including all files uploaded by his or her Organization's Users. An Administrator may see when changes were made to any account in his or her Organization. An Administrator may add or delete Users, FileAdmins and Administrators and may change the password, contact information and email address of any user in his or her Organization. An Administrator may change Organizational settings such as colors, corporate logo, contact information and the "Message of the Day" displayed to everyone who signs onto his or her Organization.

Example(s):

SysAdmin

The most powerful accounts on any MOVEit DMZ server are SysAdmin accounts. SysAdmin accounts allow people from the organization(s) hosting and/or sponsoring the MOVEit DMZ server itself to create, configure and remove Organizations. A SysAdmin also has the power to act as an Administrator of any particular Organization on the MOVEit DMZ system with one important exception: SysAdmins are not allowed to read or write files to or from any particular organization. This restriction not only enforces the privacy and confidentially of each organization, but also ensures that the administrators of each system remain in control over those users who may work with the local filesystem.

Because of their great power, SysAdmin accounts should be protected carefully and used only to establish, configure or remove organizations or to change global settings which no other account can. (By default SysAdmins are allowed onto the system only if they are actually seated at the MOVEit DMZ console.)

Hint: Unless you run a data center with multiple MOVEit DMZ organizations, it is generally easier to do most of your administrative tasks (e.g., add/delete users) as an Admin in your default organization instead of as a SysAdmin.

File Rights: A SysAdmin may view, download and delete system-wide audit files. SysAdmins may NOT view, upload or download files to or from institutions, although SysAdmins certainly do have this power within their own restricted "Org #0".

Administrative Rights: A SysAdmin may track any significant errors which occurred on the system as well as any activities he or she or any other SysAdmin performed. A SysAdmin may enable or disable any file processing service and may add, modify or delete entire Organizations. (More power is available after assuming the role of Administrator for a particular Organization.)

Special Abilities: A SysAdmin may assume the role of an Administrator for any Organization. When a SysAdmin "drills down" into an Organization, a SysAdmin temporarily loses the abilities of a SysAdmin and gains those of that Organization's Administrator, minus the ability to work with files. A SysAdmin may "pop up" into full SysAdmin mode by leaving that Organization.

Example(s):

Navigation Links

The navigation links displayed on the left side of the screen are determined by the current user's permission.

mainlinks1.png (5978 bytes)

The following table summarizes the relationship between permission and visible links. ("Y" = yes; "*" = if licensed and org-level option enabled)

Link GuestUser TempUser User GroupAdmin FileAdmin Admin SysAdmin
Home - Y Y Y Y Y Y
Users - - - Y - Y Y
Groups - - - - - Y Y
Folders - - Y Y Y Y Y
Packages Y * * * * * -
Logs - - Y Y Y Y Y
Reports - - - - - Y Y
Settings - - - - - Y Y
Orgs - - - - - - Y
Schemes - - - - - - Y