Permissions

A user can be assigned one of the following permission levels (listed in order of increasing privilege): Anonymous, Temporary User/Guest, User, GroupAdmin, FileAdmin, Admin, SysAdmin.

The following table lists the tasks allowed by each permission level. Y = always allowed; asterisk (*) = allowed if permitted/configured.

Anonymous users (that is, users who have not signed on) can only submit Webposts and attempt to sign on to the system as an authenticated user.

| Activity | SysAdmin | Admin | FileAdmin | GroupAdmin | User | TempUser |
|---|---|---|---|---|---|---|
| Manage Organizations | Y | - | - | - | - | - |
| Manage Schemes | Y | - | - | - | - | - |
| Set/Download Debug Logs | Y | - | - | - | - | - |
| Set IP Lockout Policy | Y | - | - | - | - | - |
| Set User Lockout Policy | Y | Y | - | - | - | - |
| Manage Organization-Wide Settings (e.g., Branding) | Y | Y | - | - | - | - |
| Configure and Run Reports | Y | Y | - | - | - | - |
| View Audit/Transfer Logs | Y | Y | Y | * | * | * |
| Manage Users and Groups | Y | Y | - | * | - | - |
| Manage Address Books | Y | Y | - | * | - | - |
| Create/Delete Folders | Y | Y | Y | * | * | - |
| Grant Permissions to Folders | Y | Y | Y | * | - | - |
| Manage Other Folder Settings | Y | Y | Y | * | * | - |
| Delete Files | Y | Y | Y | * | * | - |
| Upload/Download/Move/Copy Files | - | Y | Y | * | * | - |
| Send/Read Packages | - | Y | * | * | * | Y |
| See a Restricted View Because of Display Profiles | - | - | - | * | * | * |

Tip: Permission to download or upload files from specific folders is controlled in the Permissions and Settings section of those folders.
Permission to send packages to specific users is controlled by "Address Books." Users can also inherit various rights from the groups of which they are members.

Anonymous

Anyone who has not signed onto the system is an anonymous user. A user who has signed onto the system becomes an authenticated user.

File Rights: An anonymous user can submit web forms into specific MOVEit Transfer "webpost" folders. Anonymous users cannot upload/download files or send/receive packages.

Administrative Rights: An anonymous user can view the login screen of any Organization. Users who sign in with a valid username and password are granted additional rights. Anonymous users are prohibited from viewing the current version number of the product.

Example(s):

Temporary User/Guest User

Temporary Users are an optional class of user that can be enabled and disabled per organization. They are only available in organizations where Ad Hoc Transfer is enabled. Temporary Users are user accounts that can be created by selected users on the MOVEit Transfer system, and provide a minimal level of access to MOVEit Transfer resources. Temporary Users are only allowed to participate in Ad Hoc Transfer; they do not have access to folders on the MOVEit Transfer system and cannot upload and download files, except when those files are associated with packages. They are only allowed to sign in to MOVEit Transfer through the web and API interfaces, not the FTP or SSH interfaces. Temporary users (like other users) can be configured to expire after a certain amount of time has passed. (See the Expiration Policy Feature Focus page for more information about expiration policies.)

File Rights: A temporary user may view packages sent to them, download files from the package, and may send packages to users who they are authorized to send to. Temporary users may not participate in any other form of file transfer, and have no rights to any folders on the MOVEit Transfer system.

Administrative Rights: A temporary user can change their password.

If the organization administrator configures Ad Hoc Transfer to create 'Temporary Users', when a registered user sends a package, the temporary-user recipients will receive a password for that package only. The temporary-user recipients will log on with that password, and can view a package, download files in it, and reply to the package. The Temporary User will have an account on the MOVEit Transfer system; the Temporary User suits limited-time use scenarios.

If the administrator enables Unregistered Senders along with 'Temporary Users', an unregistered user can self-register as a temporary-user sender. The temporary-user senders will either be automatically logged on after self-registering with a "Captcha", or they will manually log on using either a password or "password link" sent by email after they self-register. Then they can create a package, upload files to it, and send it.

Example(s):

A Guest User has capabilities similar to a Temporary User, except that the Guest User is further restricted to viewing or sending a single package. If the administrator configures Ad Hoc Transfer to use 'Package Passwords', when a registered user sends a package, the guest-user recipients receive a password for that package only. The guest user recipients log on with that password, and can view a package, download files in it, and reply to the package. The Guest User does not have an account on the MOVEit Transfer system. The Guest User suits one-time use scenarios.

If the administrator enables Unregistered Senders along with 'Package Passwords', an unregistered user can self-register as a guest-user sender. The guest-user senders are either automatically logged on after self-registering with a "Captcha", or they manually log on using a password sent by email after they self-register. Then they can create a package, upload files to it, and send it.

User

User accounts provide a basic level of access to the clients, customers and partners of an organization. Each user account has a home directory into which users can upload files for the organization and into which the organization copies files for the user. Through the use of secure sockets, an encrypted channel is used to transport files between a user's home folder and the user's local computer across the Internet.

Users can be granted additional privileges to read files from organizational distribution folders.

A user cannot view the files or activities of other users.

Each user has online access to an audit of every activity that took place against their files or account. In any active organization most MOVEit Transfer accounts are user accounts.

File Rights: Users can transfer files between their local computer and their home folder. If granted permission, a user can read files from one or more distribution folders.

Administrative Rights: Users can track their own files and see when changes were made to their account details. Users can change their own password, contact information, and email address.

Examples:

GroupAdmin

GroupAdmin permission is granted to Users on specific Groups. This class of permission does not appear in the "Permission" field of a user's record, but is indicated in the list of groups this user belongs to. Specific permissions of GroupAdmin depend on the specific group settings, but typically a GroupAdmin has a limited ability to add/remove/modify other users in the GroupAdmin's group.

GroupAdmins are typically promoted to their position to allow remote administrators access control over a group of related users. For example, an insurance company might delegate GroupAdmin control to an IT staffer at a partner provider with twenty separate users on the insurance company's MOVEit Transfer. This would allow the IT staffer to control access by employees of his own company.

See Web Interface - Groups - GroupAdmins for more information.

Tip: To allow your help desk to change passwords, but not access the MOVEit file system, add all users to an "All Users" group and make the help desk Users GroupAdmins of the "All Users" group.

FileAdmin

FileAdmin accounts allow selected people in the offices of a single MOVEit Transfer Organization to work with ALL files received from multiple Users and multiple anonymous web form submissions. Because of its relative power, FileAdmin is an optional access level designed as a convenience for small organizations that want to give a small number of individuals access to any file that passes through their organization. Larger organizations will find it useful to divide sections of file authority by assigning privileges to user groups. One exception to this rule is accounts set up to allow MOVEit Automation to connect; Central accounts are commonly FileAdmin accounts.

Tip: Use a FileAdmin account to connect MOVEit Automation to MOVEit Transfer.

File Rights: A FileAdmin can view, edit, move, delete and download files from any folder in their Organization, create new folders, delete folders, and upload files from their local computer into the MOVEit Transfer system.

Administrative Rights: A FileAdmin can track any files in his or her Organization, including all files uploaded by the Organization's Users. FileAdmins can see when changes were made to their own account details, and change their own password, contact information, or email address.

Examples:

Admin

Admin users control the appearance, users, groups and security settings of their Organization. An Administrator can add and delete other users, change colors and specify who users should contact with problems or questions. There will normally be only one or two Administrators for each MOVEit Transfer organization.

File Rights: (same as FileAdmin) An Administrator can view, edit, move, delete and download files from any folder in the Organization. Administrators can create and delete folders, and upload files from their local computer into the MOVEit Transfer system.

Administrative Rights: An Administrator can track any files in the Organization, including all files uploaded by the Organization's Users. An Administrator can see when changes were made to any account in the Organization, add or delete Users, FileAdmins, and Administrators, and can change the password, contact information and email address of any user in the Organization. Administrators can change Organizational settings such as colors, corporate logo, contact information and the "Message of the Day" displayed to everyone who signs in to the Organization.

Example(s):

SysAdmin

SysAdmin accounts have the highest access level. SysAdmin accounts allow people from the organization(s) hosting and/or sponsoring the MOVEit Transfer server to create, configure and remove Organizations. A SysAdmin can also act as an Administrator of any Organization on the MOVEit Transfer system with one important exception: SysAdmins cannot read or write files to or from any particular organization. This restriction enforces the privacy and confidentiality of each organization and ensures that the administrators of each system remain in control over those users who work with the local filesystem.

SysAdmin accounts must be protected carefully and used only to establish, configure, or remove organizations, or to change global settings that cannot be changed by any other account. (By default SysAdmins are allowed onto the system only if they are seated at the MOVEit Transfer console.)

Tip: Unless you run a data center with multiple MOVEit Transfer organizations, it is generally easier to do most of your administrative tasks (such as add/delete users) as an Admin in your default organization instead of as a SysAdmin.

File Rights: A SysAdmin can view, download and delete system-wide audit files. SysAdmins cannot view, upload or download files to or from institutions, although SysAdmins can perform these tasks within their own restricted "Org #0".

Administrative Rights: A SysAdmin can track any significant errors which occurred on the system as well as any activities he or she or any other SysAdmin performed. A SysAdmin may enable or disable any file processing service and may add, modify or delete entire Organizations. (More power is available after assuming the role of Administrator for a particular Organization.)

Special Abilities: A SysAdmin can assume the role of an Administrator for any Organization. When a SysAdmin "drills down" into an Organization, a SysAdmin temporarily loses the abilities of a SysAdmin and gains those of that Organization's Administrator, minus the ability to work with files. A SysAdmin can return to full SysAdmin mode by leaving that Organization.
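The per-level guidance above (one or two Administrators per Organization, FileAdmin as an optional level that reaches all files, Temporary Users that can be configured to expire, carefully protected SysAdmin accounts) can be checked against an account inventory. The script below is an added example, not part of the product documentation: the CSV layout, its column names, and the review rules for FileAdmin and TempUser accounts are assumptions for illustration, not a MOVEit Transfer export format or product policy.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory; the column names are hypothetical, not a product export.
SAMPLE = """org,username,permission,expires,note
Acme,alice,Admin,,
Acme,bob,Admin,,
Acme,carol,Admin,,
Acme,svc-automation,FileAdmin,,MOVEit Automation
Acme,dave,FileAdmin,,
Acme,guest1,TempUser,2030-01-01,
Acme,guest2,TempUser,,
Acme,erin,User,,
Beta,frank,Admin,,
System,root1,SysAdmin,,
"""

MAX_ADMINS_PER_ORG = 2  # page: "normally ... only one or two Administrators"


def audit(text):
    """Return sorted (org, username, finding) tuples for accounts to review."""
    rows = list(csv.DictReader(io.StringIO(text)))
    findings = []
    admins = defaultdict(list)
    for r in rows:
        level = r["permission"]
        if level == "Admin":
            admins[r["org"]].append(r["username"])
        elif level == "FileAdmin" and "automation" not in r["note"].lower():
            # Assumed site rule: FileAdmin reaches every file in the org, so
            # any holder other than the automation connector gets reviewed.
            findings.append((r["org"], r["username"], "FileAdmin not tied to automation"))
        elif level == "TempUser" and not r["expires"]:
            # Assumed site rule: temporary accounts should carry an expiration.
            findings.append((r["org"], r["username"], "TempUser without expiration"))
        elif level == "SysAdmin":
            findings.append((r["org"], r["username"], "SysAdmin: confirm console-only use"))
    for org, names in admins.items():
        if len(names) > MAX_ADMINS_PER_ORG:
            for n in names:
                findings.append((org, n, f"{len(names)} Admins in org (expected <= {MAX_ADMINS_PER_ORG})"))
    return sorted(findings)


if __name__ == "__main__":
    for org, user, finding in audit(SAMPLE):
        print(f"{org:8} {user:16} {finding}")
```
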

Example(s):

Navigation Links

The navigation links that appear on the left side of the screen are determined by the current user's permission.

The table lists the links that are visible, based on the user's permission level. Y = always visible; asterisk (*) = visible if licensed and org-level option enabled.

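| Link | GuestUser | TempUser | User | GroupAdmin | FileAdmin | Admin | SysAdmin |
|---|---|---|---|---|---|---|---|
| Home | - | Y | Y | Y | Y | Y | Y |
| Users | - | - | - | Y | - | Y | Y |
| Groups | - | - | - | - | - | Y | Y |
| Folders | - | - | Y | Y | Y | Y | Y |
| Packages | Y | * | * | * | * | * | - |
| Logs | - | - | Y | Y | Y | Y | Y |
| Reports | - | - | - | - | - | Y | Y |
| Settings | - | - | - | - | - | Y | Y |
| Orgs | - | - | - | - | - | - | Y |
| Schemes | - | - | - | - | - | - | Y |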