Customize Directory Access for File Transfers

Use the SFTP Directories pane to customize directory access for file transfer. By default, when a client user starts an SFTP session, the user has access to files and directories located within the configured Login directory (the Windows profile folder by default). You can configure SFTP directories to:

  • Provide users with access to additional local or network resources using their own credentials.
  • Provide users with access to network resources based on the rights associated with an alternate user.
  • Provide users with access to resources on a remote SFTP server.

Notes:

  • Customized directory settings affect all SFTP and SCP2 connections.
  • By default, customized directories do not affect SCP1 connections. This means that users executing scp transfers from older OpenSSH clients have access to all files and folders allowed to them by the operating system, regardless of the current SFTP Directories settings. To apply customized directory settings to SCP1 transfers, go to the Permissions tab and select "Use SFTP accessible directory settings for SCP1".

To customize directory access

  1. Start the server console, and then click Configuration.
  2. Click SFTP Directories.
  3. Click Add.

    The Accessible Directory Settings dialog box opens.

  4. Specify virtual and physical directory values:

    Virtual directory: Enter the directory name that you want your users to see; for example, Downloads.

    Local or UNC directory: Enter the actual directory path; for example, C:\Users\Downloads. UNC paths must include a server name and share. For example: \\server\share\public. Mapped drives are not supported.

    The following options are available for specifying user directories:

      • %D: The user's User profile folder.
      • %H: The user's Home folder.
      • %u: The user's login name.
      • %U: The user's domain name and login in the format domain.username.

    Note: Do not use %u or %U to point to a location within a user's Windows profile folder. Neither of these options works correctly for this purpose. Use these options to create your own user-specific locations in some other location, for example on a shared network file server. For details, see Pattern Strings in Directory Paths.

  5. (Optional) Modify the options under Permissions. You can use this feature to limit user file access to one or more of the following: browse, download, upload, delete, and rename.
  6. (Optional) By default, "Use the client user account to connect to this directory" is selected. With this default option, the drive you specify is available to the client user only if he or she has access rights to that network location. To grant access rights based on the rights associated with an alternate user, select "Use a specified account to connect to this directory". (This option is available only if Local or UNC directory specifies a UNC path.) The user you select must be joined to the same domain as the server or to a domain that is trusted by the server's domain.

    Caution: Be careful when configuring access with any credential other than the client user's own credential. When you configure an alternate credential to provide access to any folder on a server, Windows will allow access to other folders on the same server that are accessible to the alternate credential. For more information about this risk and how to handle it securely, see Best Practices for Using Cached Credentials.

  7. Click OK.
  8. Save your settings (File > Save Settings).
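
The path rules in steps 4 and 6 can be checked before entries are typed into the dialog box. The following is an added example, not part of the product or its documentation: the entry dictionary layout, the mapped_drives list, and the C:\Users\ profile root are assumptions supplied by the operator, and the sample entries are constructed.

```python
import re

# \\server\share[\subdir...]: both a server name and a share are required.
UNC_RE = re.compile(r'^\\\\[^\\/]+\\[^\\/]+(\\.*)?$')
DRIVE_RE = re.compile(r'^[A-Za-z]:\\')

def review_entry(entry, mapped_drives=frozenset(), profile_root="C:\\Users\\"):
    """Return findings for one planned SFTP directory entry.

    entry is a hypothetical dict: virtual, physical, optional alternate_account.
    mapped_drives (drive letters) and profile_root are operator-supplied assumptions.
    """
    path, findings = entry["physical"], []
    is_unc = path.startswith("\\\\")
    if is_unc and not UNC_RE.match(path):
        findings.append("UNC path must include a server name and share")
    if DRIVE_RE.match(path) and path[0].upper() in mapped_drives:
        findings.append("mapped drives are not supported")
    in_profile = path.startswith("%D") or path.lower().startswith(profile_root.lower())
    if in_profile and ("%u" in path or "%U" in path):
        findings.append("%u/%U must not point inside a Windows profile folder")
    if entry.get("alternate_account"):
        if is_unc:
            findings.append("review: alternate credential also reaches other "
                            "folders on this server that it can access")
        else:
            findings.append("a specified account requires a UNC path")
    return findings

def review_all(entries, **kw):
    """Map each virtual directory name to its list of findings."""
    return {e["virtual"]: review_entry(e, **kw) for e in entries}

# Constructed sample entries (not taken from any real configuration).
SAMPLE = [
    {"virtual": "Downloads", "physical": r"C:\Users\Downloads"},
    {"virtual": "Public", "physical": r"\\server\share\public"},
    {"virtual": "NoShare", "physical": r"\\server"},
    {"virtual": "Mine", "physical": r"%D\%u"},
    {"virtual": "Team", "physical": r"\\files\teams\%U",
     "alternate_account": r"CORP\svc_sftp"},
    {"virtual": "Archive", "physical": r"Z:\archive"},
]

if __name__ == "__main__":
    for name, found in review_all(SAMPLE, mapped_drives={"Z"}).items():
        print(name, "->", found or "ok")
```

Every entry that uses a specified account on a UNC path is returned with a "review:" finding so that the account's rights on that file server are checked against the Caution in step 6.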

Related Topics

Configure Access to Directories on a Remote Server

Control Upload and Download Access

Specify the User Login Directory

Virtual Root Directories and Chrooted Environments

Access Control Settings

Understanding How Credentials Affect User Access to Resources

Configure Mapped Drives for Terminal Sessions

Working with Subconfigurations