Using Groups

An advanced feature of Ability FTP Server comes from the ability to assign a user to a particular group. This capability allows much easier and quicker management of the users and also helps ensure the FTP server remains secure. The relationship between a user and its group is that all associated users inherit all settings and limits from the group. However, this concept can often be a little confusing and so to ease understanding this page clarifies a few important details.

The Concept #

The best way of understanding the relationship between a user and a group is to understand the purpose of groups. Groups exist for only two reasons:

  • To allow sharing of similar settings amongst multiple users which will help speed up administration.
  • To help protect against human error and keep the FTP server secure.

If a user is part of a group, the user can then only behave within the limitations set by the group. This idea ensures that if a group disallows a particular feature (i.e. file writing), then all associated users will also disallow it. This idea also extends to parameter type limits (e.g. maximum upload speed), which ensures that a limit set by a group will also be placed on associated users. This means that a user is always limited to the group settings, or if required, can set further limitation but cannot remove / reduce the group limits. If a user defines a reduced limit, then this is capped to the group limit. The list below defines the behavior of each available setting for users:

  • General Access Rights - Users can only enable the rights which are also enabled by the group. For a user to be allowed certain access rights, both the user and group must enable the access right.
  • Password Changing - Both the user, group and overall settings must have this enabled for it to be allowed.
  • Root Folder - If a group does not define a root folder, the user is allowed to define any folder of its choice. If a group sets a root folder, then all associated users will share this same root folder. It is also permitted to include the marco ####USER#### in the file path. This results in each user's folder being dynamically generated. If the folder path does not exist, the FTP server will attempt to create the folder when the user logs in.
  • Virtual Folders - A user can define any virtual folder of its choice. Any group defined virtual folder is inherited into all associated users. Should the user and group define the same named virtual folder, the group's virtual folder will hide the user's virtual folder. It is also permitted to include the marco ####USER#### in the file path. This results in each user's folder being dynamically generated. If the folder path does not exist, the FTP server will attempt to create the folder when the user logs in.
  • Start in Folder - This behaves exactly the same as the 'root folder' setting.
  • Limits and Credits - If a group does not define a limit, then the user setting is used. If a group defines a limit, then all the associated users can either obey the limit or set a lower limit.
  • IP Control - If a group does not define any IP controls, then just the user settings are used. If a group defines any, then the group list is executed first and if no match is found, the users list will be processed next. This ensures groups can take priority over which IPs are allowed, but if a group does not define a 'Deny/Allow All' type entry, then the user can add to the list.
A group's purpose is to define any commonly shared settings and also define the upper limits to which all associated users are allowed.

Nested Groups #

Another benefit of Ability FTP Server is that not only can users be part of a group, groups can also be part of another group. This functionality allows commonly shared settings amongst groups to be placed into a higher group to further speed and help management. The relationship between two groups is exactly the same as a user and a group (the parent group takes precedence).

See Also: Users and Groups.