Understanding How Credentials Affect User Access to Resources
For both file transfer and terminal sessions, access to remote directories (any location specified using a UNC path) can be affected by the user authentication method and the credential used for accessing that drive. This is summarized in the table below.
Caution: Be careful when configuring access with any credential other than the client user's own credential. When you configure an alternate credential to provide access to any folder on a server, Windows will allow access to other folders on the same server that are accessible to the alternate credential. For more information about this risk and how to handle it securely, see Best Practices for Using Cached Credentials.
Notes:
- User access to directories for file transfers (sftp connections) is configured from SFTP Directories. (SFTP Directories settings also apply to scp connections made using . Depending on your configuration these directories may also apply to connections.)
- User access to remote directories for ssh terminal sessions is configured using Mapped Drives.
- Access described here for password authentication also applies to sessions configured to use GSSAPI authentication. Access described here for public key authentication also applies to other authentication methods (certificate, SecurID, RADIUS) for which the user doesn't provide Windows credentials during login.
- Reflection for Secure IT Web Edition supports access by Web Edition users. When this feature is enabled, access is determined by the account name you have specified for Web Edition users to run under. Terminal access is disabled by default for these users, and leaving it disabled is recommended, so that users see only those directories configured from SFTP Directories.
| Authentication method | Credential | Mapped drive or directory access |
|---|---|---|
| Password (default) | [Client user] (default) | The user sees both local and remote drives and directories that are allowed to that user's Windows account. |
| Public key | [Client user] (default) | If no credential cache is configured (the default), the user sees only local directories. If a drive or virtual directory is mapped to a remote network location, the user won't see that path, even if it is allowed for the user's account. If the Credential Cache is configured to record and use credentials, the user sees both local and remote paths that are allowed for the user's account. |
| Password and Public key | Specific cached credential, for example: mydomain\Joe | The user has access to a directory if Joe's account has access to this location. |