Show Contents / Index / Search

Customize Directory Access for File Transfers

Use the SFTP Directories pane to customize directory access for file transfer. By default, when a client user starts an SFTP session, the user has access to files and directories located within the configured Login directory (the Windows profile folder by default). You can configure SFTP directories to:

  • Provide users with access to additional local or network resources using their own credentials.
  • Provide users with access to network resources based on the rights associated with an alternate user.



  • Customized directory settings affect all SFTP and SCP2 connections.
  • By default, customized directories do not affect SCP1 connections. This means that users executing scp transfers from older OpenSSH clients have access to all files and folders allowed to them by the operating system, regardless of the current SFTP Directories settings. To apply customized directory settings to SCP1 transfers, go to the Permissions tab and select Use SFTP accessible directory settings for SCP1.

To customize directory access

  1. Start the server console, and then click Configuration.
  2. Click Permissions and clear Allow SCP1 to disable access using this protocol.
  3. Click SFTP Directories.
  4. Click Add.

    The Accessible Directory Settings dialog box opens.

  5. Specify virtual and physical directory values:


    Do This

    Virtual directory

    Enter the directory name that you want your users to see; for example, Downloads.

    Physical directory

    Enter the actual directory path; for example, C:\Users\Downloads

    Use UNC paths to specify directories on remote servers; mapped drives are not supported.

    The following options are available for specifying user directories:



    The user's User profile folder.



    The user's Home folder.



    The user’s login name.



    The user's domain name and login in the format domain.username.


    Note: Do not use %u or %U to point to a location within a user's Windows profile folder. Neither of these options works correctly for this purpose. Use these options to create your own user-specific locations in some other location, for example on a shared network file server. For details, see Pattern Strings in Directory Paths.

  6. (Optional) Modify the options under Accessible directory permissions. You can use this feature to limit user file access to one or more of the following: browse, download, upload, delete, and rename.
  7. (Optional) By default Use the credential of the client user is selected. With this default option, the drive you specify is available to the client user only if he or she has access rights to that network location. To grant access rights based on the rights associated with an alternate user, select Use a specific credential. (This option is available only if the Physical directory specifies a UNC path.) The user you select must be joined to the same domain as the server or to a domain that is trusted by the server's domain.

    Caution: Be careful when configuring access with any credential other than the client user's own credential. When you configure an alternate credential to provide access to any folder on a server, Windows will allow access to other folders on the same server that are accessible to the alternate credential. For more information about this risk and how to handle it securely, see Best Practices for Using Cached Credentials.

  8. Click OK.
  9. Save your settings (File > Save Settings).

Related Topics

Control Upload and Download Access

Specify the User Login Directory

Virtual Root Directory in Reflection for Secure IT

Access Control Settings

Understanding How Credentials Affect User Access to Resources

Configure Mapped Drives for Terminal Sessions

Working with Subconfigurations