User Management for your SaaS-based applications does not have to be a difficult chore. Generally, it requires a lot of experience and hard work to build a secure authorization system for the applications you deploy. You need to be aware of recent upgrades and be up to date all the time. At some point, you think that you have finished everything and you’re done, but don’t be surprised when your management or security teams task you with managing yet another solution. With each new solution comes managing access and permissions for different types of users and groups. Fortunately, Citrix Content Collaboration (formerly known as ShareFile) allows your IT organization to choose from several options to manage the creation and account permissions of licensed users, making your life easier.
Need for User Management
Why care about user management? Well of course, you could just manually create users either one by one or by uploading their email addresses, first and last names in an Excel Spreadsheet to the web application. However, applying these methods still requires some planning to organize permissions and specify who is allowed to do what. In addition, you must take into account the features of Citrix Content Collaboration you may be using, such as single sign-on, multiple storage zones, file retention, and expiration policies.
So, is there a more scalable way? Yes! More on that soon, but in order to plan for user management, let’s first consider three basic roles for users in Citrix Content Collaboration:
- Clients: Client user types include external customers, partners, and vendors. These users do not require licenses to download, upload or share data; however, they cannot hold ownership in folders. Account administrators can also restrict their ability to access certain folders and the option to share data with third parties. Unfortunately, creating clients is still a manual process; but luckily, clients are automatically created when an employee user shares files with or requests files from their email address.
- Employees: Account administrators are able to apply a wide range of permissions to employee users to grant full functionality to the Content Collaboration platform. Each employee has full ownership of his or her own Personal Folder, and administrators control which Shared Folders employees can access. A large percentage of employees will only need uniform permissions that perhaps would allow them to manage clients, change their password, and access a temporary file box that enables them to share and request files.
- Administrators: Users that need full account access to create folders in multiple zones, create and run reports, manage other employee users and global settings, and troubleshoot technical issues are best suited to receive the permissions that typical employees would not need. These Administrator roles typically include:
  - Billing Admin: Administrators that can access account billing data but do not need to modify users or other account settings.
  - Reporting Admins: Administrators that access reporting and audit features, but are unlikely to need to modify users or other account settings.
  - Super User Group Admins: Administrators that belong to the Super User group have complete access to all Shared Folders and are able to manage access permissions in those folders. You can add members to the Super User group after the user is created. Super User Group Admins can be excluded from making other user or account setting changes.
  - Folder Owner Admin: Administrators that have the permission to “create root level Shared Folders” will be able to manage the Shared Folders structure but do not necessarily need full Super User Group access or the ability to manage other employee users.
  - Master Admin or Full Admin: The Master Admin has all available account permissions and is the account owner. When new features are added to the account, the Master Admin usually receives access first. He or she would need to grant that new feature permission to another user. The Master Admin can assign account ownership to another user at any time in the Account Admin Settings. A Full Admin has all the available account permissions too but cannot delete the Master Admin until account ownership is reassigned.
A Scalable Solution for User Management
So, what is the best way to create a scalable solution that creates users based on their role type and assigns them the proper permissions accordingly? You may already be aware that Citrix Content Collaboration has a lightweight tool called the User Management Tool (UMT). The User Management Tool is installed on domain-joined machines and allows IT organizations to create security groups specifically designated for Content Collaboration membership. For instance, you can create groups based on department or work group type that will scale when more users need access to Citrix Content Collaboration. The tool can be configured to provision new users and synchronize any changes (i.e. name changes and whether or not a user is disabled in Active Directory) to your account.
In addition, when you use the User Management Tool in conjunction with Policy Based Administration (please contact support to enable on your account), administrators possess the ability to create policies based on the user role types they have identified.
Policy Considerations
Content Collaboration Policy Based Administration (PBA) includes three policy categories: User Access, File and Folder Management, and Storage Location. Let’s take a moment to consider which policies are best to use based on user roles.
User Access
The below chart illustrates three example user roles and which User Access permissions might be appropriate for their access to your organization’s Content Collaboration solution.
Typically, employee users only need to be able to log in to their account with their email address and Content Collaboration password. Allowing them to change their password gives them a self-service tool to reset the password if they forget it. If your company integrates with a single sign-on provider, I suggest limiting the “Can change password” permission to administrator users only. Additional permissions allow them to share and request files (“Can use personal file box”), access personal settings, and create client users.
Some administrative duties can be delegated to other groups in your IT organization. For instance, a help desk user can create a new Shared folder (“Create root-level folder in Shared Folders”) by request from an employee user. They can also troubleshoot or correct some minor user or access issues (“Manage client and employee users,” “access reporting,” and “view notification history”).
Be sure to review all the behaviors of each User Access permission so you limit any consequential account changes that can be made after Citrix Content Collaboration is in full production.
File and Folder Management
A File and Folder Management Policy will let you control the Advanced Folder settings users can access in the root-level folders they create. Keep in mind, each employee user will have access to their own root-level personal folder. It may be necessary to control the following in their folders:
- Storage Quotas
- Folder expiration
- File retention
- File versioning
Storage Locations
An account managing multiple zones will need to define a default storage location for every employee. Each employee user’s personal folder and file box will be stored in that storage location. It is important to create and register any zones that will be used as a default storage location before provisioning users. Create a Storage Location policy for each zone and assign users accordingly.
Data Access Control
Unfortunately, Policy Based Administration will not allow you to set permissions on data. Fortunately, you are half-way there with the creation of distribution groups based on role. Your folder structure in Citrix Content Collaboration can be mirrored to accommodate several work groups in your organization. By giving a distribution group access in a root-level folder, their permissions are inherited when additional sub-folders are created. If a new employee needs access to Citrix Content Collaboration, they can be added to an existing AD security group and the User Management Tool (which has been configured to schedule synchronization of changes) will create their account. The user also inherits any access to folders the existing distribution group already has. This concept also applies if a user no longer needs access to Citrix Content Collaboration. If a user is removed from the AD security group or their AD account has been disabled, the user is disabled and loses login access to their account.
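The provisioning and deprovisioning rules described above can be checked offline against two exports. The following is an added example, not part of the original article and not the User Management Tool's own code: it calls no Citrix or Active Directory API, the record fields and sample rows are constructed, and the `review` bucket for accounts with no AD record is an assumption about what an auditor would want flagged.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AdUser:              # one row of a constructed AD export
    email: str
    name: str
    enabled: bool          # AD account is enabled
    in_group: bool         # member of the security group designated for Content Collaboration

@dataclass(frozen=True)
class Employee:            # one row of a constructed employee-user export
    email: str
    name: str
    enabled: bool

def plan_sync(ad_users, employees):
    """Changes a sync would need to make, plus accounts AD cannot explain."""
    ad = {u.email.lower(): u for u in ad_users}
    plan = {"create": [], "rename": [], "disable": [], "review": []}
    seen = set()
    for e in employees:
        key = e.email.lower()
        seen.add(key)
        u = ad.get(key)
        if u is None:
            if e.enabled:                      # no AD record: needs a human decision
                plan["review"].append(key)
        elif not (u.enabled and u.in_group):
            if e.enabled:                      # removed from group or disabled in AD
                plan["disable"].append(key)
        elif u.name != e.name:                 # name change in AD not yet synchronized
            plan["rename"].append(key)
    for key, u in ad.items():
        if key not in seen and u.enabled and u.in_group:
            plan["create"].append(key)         # newly added to the security group
    return {action: sorted(keys) for action, keys in plan.items()}

# Constructed sample data, not taken from any real directory or account.
AD_USERS = [AdUser("alice@example.com", "Alice Nguyen", True, True),
            AdUser("bob@example.com", "Bob Ortiz", True, True),
            AdUser("carol@example.com", "Carol Smith-Lee", True, True),
            AdUser("dave@example.com", "Dave Kim", False, True),
            AdUser("erin@example.com", "Erin Walsh", True, False)]
EMPLOYEES = [Employee("alice@example.com", "Alice Nguyen", True),
             Employee("Carol@example.com", "Carol Smith", True),
             Employee("dave@example.com", "Dave Kim", True),
             Employee("erin@example.com", "Erin Walsh", True),
             Employee("frank@example.com", "Frank Osei", True)]

if __name__ == "__main__":
    for action, emails in plan_sync(AD_USERS, EMPLOYEES).items():
        print(f"{action:8} {emails}")
```

A non-empty `disable` list after a scheduled synchronization has run means a user who lost AD entitlement can still log in, which is the gap worth alerting on.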
Validate and Test
As you become more familiar with the features of Content Collaboration and how they work, you will likely decide on a baseline functionality that every user can do, and where you should place limitations. A lot of my customers decide to roll out their solution in phases so they can validate it before the full deployment continues. In the early phases, I believe work groups and role types that have a critical business need to store and share files are best to use for pilot groups. They will most likely use these tools regularly and find any gaps in permissions you may have missed. Of course, only test with these groups after all technical and security components have been validated by your IT organization.
So while I’m sure protecting company data is a big reason why you are introducing Content Collaboration, with a little bit of planning and design (and the use of UMT and PBA!) you can easily implement policy-based controls that take you several steps forward in meeting regulations, safeguarding confidential information, and better securing key business processes.
Vanessa Hiett
Cloud Success Engineer