Users and Groups

Ability FTP Server has been designed to offer a large amount of control over users while avoiding unnecessary complexity. This control is made quicker, easier and safer by the use of groups (which help to manipulate multiple users at the same time). The relationship between a user and a group is documented in detail in Using Groups. Users and groups have almost identical control options and therefore once you understand how to set up a user, all you need to learn for groups is how they affect users belonging to them.

Users / Groups #

  • Add - This allows you to add a user / group.
  • Edit - Once created, this allows you to edit an existing user / group.
  • Copy - This allows you to easily mimic the settings of an existing user / group to help save time creating additional users / groups with similar settings.
  • Delete - This allows you to delete a user / group. You will be warned of deletions to prevent unnecessary removals.

User / Group #

  • Enable User / Group - If you uncheck this option, the user (or in a group all the users associated with the group) will become disabled. This can be used to temporarily disable a user without having to delete the user.
  • User / Group Name - For a user, this is the login name and also the user name. For a group, this is simply the group name.
  • Password - This allows you to control the password of the user (not available in group controls).
  • Part of Group - This allows you to set the user / group to be part of a group. The effect of this is documented in Using Groups. It is possible for groups to be part of other groups. This opens up the possibility of nested groups and complex tree like structures. However, the most common use is just to assign a user to a group.
  • Only Allow Login With SSL - With this enabled, only users who are connecting via SSL or TLS will be allowed access. This is useful if you want to protect important files by forcing users to login securely.
  • Allow Users to Change the Password - With this enabled, any logged in user can send the 'SITE CPWD (newpassword)' command to change the user password. If this option is disabled in a group, then none of the associated users would be allowed to change the password. Please note that this option is also controlled via the overall FTP settings security option which also has to be enabled for password changing to work.
  • Allow Users to Execute (Run/Open) Files - With this enabled, any logged in user can send the 'SITE EXEC (filepath) (parameters)' command to execute a file on the server. If this option is disabled in a group, then none of the associated users would be allowed this access right. It is recommended that any user which has this enabled should have a strong password that is known only by trusted users.
  • Always Allow Login (Ignore Login Limits) - If you set a restriction on the number of users, this will ensure that those limits are ignored. This option is not available for groups and is usually only applied to a special user (such as the account owned by you).
  • Log User Activities Separately - If required, you can set a user to log a copy of all its activities into a separate log file (for easier analysis).

Access Rights #

  • Access Rights - This allows you to control the overall access permissions the user has. These settings not only affect the root folder but also any virtual folders in the user. So by disabling 'File Read', all virtual folders will also disallow file reading (even if they are set to allow it). If 'File Read' was enabled here but not in a virtual folder, then that virtual folder would still disallow file reading. If a group did not enable 'File Read' then all the associated users and their virtual folders would not be granted file read access. By enabling 'File Read' in a group, all associated users do not automatically get 'File Read' access, but instead are just allowed to enable 'File Read'. Please note that 'File Append' requires the 'File Write' permission to also be set. Additionally, 'File Delete' will also allow files to be renamed.

Folders #

  • Root Folder - If a user requires a root folder this is where it is set. If a user is not given a root folder then the users will only be able to access and write to the assigned virtual folders. If this option is set in a group then all associated users will share this same root folder. Groups are also permitted to include the marco ####USER#### in the file path. This results in each user's folder being dynamically generated. If the entered folder does not exist, the FTP server will attempt to create the folder when the user logs in.
  • Start in Folder - When a user first logs in, by default they are placed in the root folder. However, if you want them to be placed in a certain sub-folder (i.e."latest news", to ensure users have a chance to read your latest news updates) you can set the start folder.
  • Virtual Folders - This is the list of virtual folders which will appear and be accessible as though they were real folders in the user's root folder. When setting the name of a virtual folder you can set it to be a sub-folder (i.e."/uploads/special files"). This would cause a logged in user to see an "uploads" folder in the root folder and then a "special files" folder would appear in the "uploads" folder. However, in most cases a simple name like "/uploads" is used. If a group defines a virtual folder, all associated users will inherit the virtual folder. Should the group define a virtual folder which has the same name as a virtual folder in an associated user, the user's virtual folder is ignored and only the group's virtual folder will be accessible. Groups are also permitted to include the marco ####USER#### in the file path. This results in each user's folder being dynamically generated. If the entered folder does not exist, the FTP server will attempt to create the folder when the user logs in.

Virtual Folder #

  • Name - This is the name and also the remote path description of the virtual folder. When setting the name of the virtual folder you can set it to be a sub-folder (i.e."/uploads/special files"). This would cause a logged in user to see an "uploads" folder in the root folder and then a "special files" folder appear in the "uploads" folder. However, in most cases a simple name like "/uploads" is used.
  • Path - This is the physical location of the virtual folder on the computer or network.
  • Max Size (MiB) - If a virtual folder should require a maximum limit of the amount of storage space it can use then you can set this value here. Once a virtual folder reaches this limit then no more files can be written into the virtual folder until some space is freed.
  • Visible in Folder View - If you disable this option, the virtual folder will become 'invisible'. This is useful if you want a particular folder and its contents to remain secret. Although the virtual folder is not visible, it is still accessible.
  • Counts Towards Current Account Size - If the user has a limitation on its hard drive space use (Max Size on the Limits page), then the virtual folder will be taken into account when calculating the current disk space used. For shared virtual folders this is often disabled but if a virtual folder is private to particular user then it is often enabled.
  • Exempt From Credit Rules (Free Files) - If you use the credits system, this allows you to create a 'free' access folder. This folder will operate independently of the credit rules and will allow users (subject to access rights) to upload and download without restriction.
  • Access Rights - These controls allow you to restrict the access permissions for the virtual folder. However, these access rights are still limited by the user's overall access rights (i.e. if the user's overall 'File Read' permission is disabled, then the virtual folder will not be allowed 'File Read' access regardless). Please note that 'File Append' requires the 'File Write' permission to also be set. Additionally, 'File Delete' will also allow files to be renamed.

Limits #

  • Max Size (MiB) - This restricts the user to a fixed amount of disk usage (disk quota control). Once the user contains or exceeds the amount of data specified here, no more file writing will be permitted until space is freed.
  • Max Upload Speed (KiB/s) - This option allows you to restrict the bandwidth allowance for the uploading of files. This value is shared amongst all the sessions of this user, so if the limit was set to 10 KiB/s, the result would be that 2 simultaneous uploads on the same user be limited to 5 KiB/s each.
  • Max Download Speed (KiB/s) - This option allows you to restrict the bandwidth allowance for the downloading of files. This value is shared amongst all the sessions of this user, so if the limit was set to 10 KiB/s, the result would be that 2 simultaneous downloads on the same user be limited to 5 KiB/s each.
  • Max Users - This option allows a restriction to be placed on the maximum allowed number of sessions logged in at the same time.
  • Enable Credits - This enables or disables the credit system for this user. For more information on credits you can look at Using Credits. If a group enabled credits then all associated users would also have credits enabled.
  • Credits Per Uploaded KiB - This allows you to specify how many credits are given or taken on uploads. This value can be either positive or negative.
  • Credits Per Downloaded KiB - This allows you to specify how many credits are given or taken on downloads. This value can be either positive or negative.
  • Current Credits - This allows you to adjust the current number of credits or preset the credits on a new user. This option is not available to groups because the current credits are only relevant to a particular user.

IP Control #

  • Enable IP Control - If enabled, the entries within the list box will be enforced.
  • IP Control - This is the list of allowed/denied IPs, in order of execution from top to bottom. If an entry matches the client IP, then the provided 'Allow' or 'Deny' option will be enforced.

IP Control Entry #

  • Allow - If selected, and the provided IP or range matches the connection's IP, then the connection will be allowed access.
  • Deny - If selected, and the provided IP or range matches the connection's IP, then the connection will be denied access and disconnected.
  • IP Address - Will evaluate true if the connection's IP exactly matches this IP address.
  • IP Address and Subnet Mask - Will evaluate true if the connection's IP matches this IP address. Both IPs will be filtered by the provided subnet mask before comparison.
  • IP Address Range - Will evaluate true if the connection's IP falls between the provided IP addresses.
  • IP of Host or Domain - Will evaluate true if the connection's IP matches one of the IPs of the provided host/domain.
  • Reverse IP Lookup Matches - Will evaluate true if the connection's reverse IP lookup matches the provided host/domain. This match permits the use of *'s (eg. *.codecrafters.com).
  • Any Locally Assigned IP - Will evaluate true if the connection is local (i.e. the client and server processes are running on the same computer).