SFTP Directories Pane

Use the SFTP Directories pane to customize directory access for file transfer. By default, when a client user starts an SFTP session, the user has access to files and directories located within the configured Login directory (the Windows profile folder by default). You can configure SFTP directories to:

  • Provide users with access to additional local or network resources using their own credentials.
  • Provide users with access to network resources based on the rights associated with an alternate user.

Note: Items on this pane can be configured globally or as part of a subconfiguration.

SFTP accessible directories


Inherit directories

This option is available only if you are creating or editing a subconfiguration. When Inherit directories is checked, the client user inherits directory settings from any applicable configuration higher in the following order of inheritance:

client host

For example, if you enable Inherit directories for a user and disable it for a group to which that user belongs, the user inherits directories configured for the group, but does not inherit client host and global directories.

Note: Inherited global directories show up in the directory list as read-only entries. Applicable group directories may also be visible as read-only entries. Inherited client host directories are applied when the user connects, and are not visible in this list.


Allow all

Use Allow all to select or clear the allow box for all listed directories.

Note: This option is not inherited by user or group subconfigurations.



Determines whether a listed directory is accessible to users. This option is selected by default when you create a new list item. Clear to leave an item on the list without providing access to the specified directory.


Virtual directory

The directory name that users see and access.


Physical directory

The actual directory path on the Reflection for Secure IT server or in the Windows domain.



The user whose rights determine what access is granted.

[Client user] indicates that the user has access to directories based on the access rights of his or her own Windows account. If any other credential is specified, the user is granted the rights associated with the specified credential.
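The inheritance, allow and access-rights rules above can be modelled to review what a given user can actually reach. This is an added example, not Reflection for Secure IT code or its configuration format. The order user, group, client host, global is an assumption drawn from the example on this page, and the class names, function names, paths and account names are hypothetical.

```python
from dataclasses import dataclass, field

# Assumed inheritance order, lowest level first (the page's own list is incomplete).
ORDER = ["user", "group", "client host", "global"]
CLIENT_USER = "[Client user]"   # the page's label for the user's own Windows account

@dataclass
class Entry:
    virtual: str                 # name the user sees
    physical: str                # real path on the server or in the domain
    allow: bool = True           # cleared: listed but not accessible
    run_as: str = CLIENT_USER    # whose rights decide access

@dataclass
class Level:
    inherit: bool = True         # "Inherit directories" checkbox
    entries: list = field(default_factory=list)

def effective_directories(levels):
    """levels maps a level name to the Level that applies to one user.
    Walks upward and stops after the first level with Inherit directories
    cleared. Returns the allowed entries as (source level, Entry) pairs."""
    result = []
    for name in ORDER:
        level = levels.get(name)
        if level is None:        # no configuration of this kind applies
            continue
        result += [(name, e) for e in level.entries if e.allow]
        if name != "global" and not level.inherit:
            break                # nothing higher is inherited
    return result

def alternate_credential_entries(effective):
    """Entries where access is granted with another account's rights."""
    return [(src, e) for src, e in effective if e.run_as != CLIENT_USER]

# Constructed sample matching the page's example: the user inherits, the group does not.
SAMPLE = {
    "user": Level(True, [Entry("/home", r"C:\Users\alice")]),
    "group": Level(False, [Entry("/reports", r"\\fs01\reports", run_as="svc_reports"),
                           Entry("/old", r"D:\archive", allow=False)]),
    "client host": Level(True, [Entry("/drop", r"D:\drop")]),
    "global": Level(True, [Entry("/pub", r"D:\pub")]),
}

if __name__ == "__main__":
    for src, e in effective_directories(SAMPLE):
        print(f"{src:12} {e.virtual:10} -> {e.physical}  as {e.run_as}")
```

Entries returned by alternate_credential_entries are the ones to review first, since the connecting user's own Windows rights do not limit access to them.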

User login directory


User login directory specifies which directory a user sees after connecting to the server using SFTP or SCP2. The default is %D, which specifies the Windows user profile folder.

The list of available directories consists of <virtual root directory> and all currently configured and allowed directories.

  • The value <virtual root directory> sets the login directory to be a virtual directory that contains all user-accessible directories.
  • If you have configured a chrooted environment (Virtual directory = /), the user login directory is set automatically and can't be edited.

    For additional information on virtual root and chroot directories, see Virtual Root Directories in Reflection for Secure IT.



  • The customized directory settings you configure from the SFTP Directories pane affect all SFTP and SCP2 connections.
  • By default, customized directories do not affect SCP1 connections. This means that users executing scp transfers from older OpenSSH clients have access to all files and folders allowed to them by the operating system, regardless of the current SFTP Directories settings. To apply customized directory settings to SCP1 transfers, go to the Permissions tab and select Use SFTP accessible directory settings for SCP1.
  • The directory settings you configure from the SFTP Directories pane do not affect which directories are accessible from a terminal session. To ensure that users cannot access files using a terminal session, clear Allow terminal shell from the Permissions pane.
  • You can disallow all SFTP and SCP2 access by clearing Allow SFTP/SCP2 from the Permissions pane. The Permissions pane setting overrides all SFTP Directories pane settings.

Related Topics

Customize Directory Access for File Transfers

Pattern Strings in Directory Paths

Virtual Root Directory in Reflection for Secure IT

Cached Credentials

Mapped Drives