LiquidFiles features a flexible group-based configuration. Most user-configurable settings are in fact set up on a per-group basis.
You can reach the groups configuration in Admin → Groups in the web interface. The basic overview screen will look something like this:
A couple of things to note about Groups in LiquidFiles:
- You can add as many groups as you need.
- You cannot delete any of the default groups, but you don't have to use them if you don't want to.
- All users need to belong to a group.
- Users will be assigned to groups automatically if they don't already belong to a group.
- The group assignment works from top to bottom as the groups are listed in this page.
- The easiest way to see what group a user will/would belong to is to use the test user function at the bottom of this page (not covered in this screenshot).
Users can only belong to one group!
Every so often we get asked whether it's possible to add users to multiple groups, and it isn't. Suppose, for instance, that we have a Group A with User Filedrops enabled and a Group B with User Filedrops disabled. If a user belonged to both Group A and Group B, should User Filedrops be enabled for this user or not?
If we supported users in multiple groups, it could easily lead to situations with non-obvious results. If you have a situation where a user needs configuration that doesn't match either Group A or Group B, you will have to create a new group that matches this requirement.
The following groups are available as default in LiquidFiles:
|The Sysadmins group is for System Administrators. System Administrators can administer all aspects of the LiquidFiles system.
|Domain Admins are only available if you add domains, and only for domains other than the default domain. It's the highest level administrator for a domain, who can change anything except things that affect the system itself (IP addresses, ...).
|The Admins group is for Administrators who should be able to administer normal user activity in the LiquidFiles system, but do not have access to system administration functions like changing IP addresses, hostname, certificates and other system administrator functions.
|The User Admins group is for Administrators who should be able to administer only users' accounts, but do not have access to any other LiquidFiles settings or system administration functions like changing IP addresses, hostname, certificates and other system administrator functions.
|The Pool Admins group is for Administrators who should be able to administer pool files, but do not have access to the User Admin function, or any other LiquidFiles settings or system administration functions.
|The Local Users group is the default group for your local users. Local Users can send and receive files to and from anyone.
|Local Users Receive Only
|The Local Users Receive Only group is a group for Local Users that you don't want to send any files, only receive files. Receiving files includes access to Filedrops and File Requests, and these users can be the recipient of Emaildrops and FTPdrops if you want.
|The External Users group is for external users that should be able to send files back to your local users.
|External Users Receive Only
|The External Users Receive Only group is for users that will only download files, i.e. users who only have the capability to log in and download files sent to them.
|External Users Share Write Access
|This group is for External Users you wish to give Write Access to Shares.
The default use case with LiquidFiles is that all your local users are able to send files to any external user, like an extension to your email system. And as with email, there are very seldom any restrictions on who can email whom.
Using groups, LiquidFiles is capable of far more granular control than that, though.
The settings available in each group include:
|Max File Size
|The max combined file size in each message (possibly more accurately called max message size).
|Default Message Expiration
|All messages in LiquidFiles have an expiration date. This is the default value for users in this group. This value must be equal to or lower than the max message expiration.
|Max Message Expiration
|The longest message expiration the user in this group can set. The maximum max expiration date you can set is 10 years (3650 days).
|Users can change expiration
|If set to false, all messages sent from users in this group will have the default expiration date set. The option to set expiration date will also be removed on the compose page.
|User can change expires after
|In addition to the expiration date, it is also possible to limit downloads to a certain number of times. If set to false, users in this group won't be able to set the expires after limit.
|Max Expires After
|If set, this is the maximum expires after value that users in this group can set.
|Delete inactive Users after
|If set, inactive users will be deleted if they haven't logged in for this many days. Please note that when users are deleted, all messages they have sent, all attachments, message and download log, user dropbox configuration and API keys, ... for that user will be deleted as well.
|If set, users can only log in from these specified IP addresses or networks.
|Users can change message permission
|If disabled, all messages sent for users in this group will be sent using the default message permission and the option to set message permission will not be visible in the compose page.
|Default Message Permission
|Only Specified Recipients
|The default permission for messages for users in this group.
|If any permission setting is unselected, users in this group will not be able to select this permission setting in the compose page.
|Default copy to myself
|If unselected, users will not automatically be copied on messages they send.
|Users can change copy to myself
|If unselected, users will not be able to change the setting, and all messages will use the default setting for whether they receive a copy of each message.
|Limit Recipient Domains
|If set, users in this group can only send messages to users in these listed email domains.
|Can send to local users
|By default, all users can send to users that are, or would be, in the local users group. (Please see the section on automatic group assignment for more information on users that would be in the local users group)
|If set, users in this group can only send files with these listed file extensions (like: doc, xls, png, zip). Please note that you can only set either limit extensions or blocked extensions in each group.
|exe, vbs, pif, scr, bat, cmd, com, cpl
|Users in this group cannot send files with these file extensions. Please note that you can only set either limit extensions or blocked extensions in each group.
|Match LDAP Groups
|If a user belongs to any of these LDAP groups, assign the user to this group. Please see the section on automatic group assignment for more information on how users are assigned to groups.
|If a user has an email address in any of these listed email domains, assign the user to this group. Please see the section on automatic group assignment for more information on how users are assigned to groups.
|Users have access to the API
|True for local users
|If enabled, users in this group can use the API when sending files. This includes any plugins available with LiquidFiles or any custom API integrations.
|This is a hint sent to the Outlook plugin (other functions can use this as well as needed) as to the size above which attachments should automatically be sent using LiquidFiles instead of the standard channel.
|Users are permitted to change Size Override
|If disabled, users will not be able to change this setting in the Outlook plugin.
|Enable Send Folders in the Outlook plugin
|If disabled, the function to send folders in the Outlook plugin will be disabled.
|Enable Secure Send in the Outlook plugin
|If disabled, users in this group will not be able to use the Secure Send feature in the Outlook plugin.
|If you build your own API integration and wish to have different settings for different groups, you can set those settings here. The easiest is probably to use a simple key/value pair like: enable_feature=true, or max_something=20, but anything you enter here will be added to the API response message.
|Users in this group have access to User Filedrops with Random URLs
|If enabled, users in this group will be able to use the User Filedrop function with randomized URLs.
|Users in this group have access to User Filedrops with email URLs
|If enabled, users in this group will be able to use the User Filedrop function with email URLs.
|Only Specified Recipient
|Files sent with User Filedrops for users in this group will have this permission setting.
|When messages expire after they have been sent using the User Filedrop for users in this group.
|Filedrop Max Size
|The maximum combined file size when someone sends files using the User Filedrop for users in this group.
|Users in this group have access to File Requests
|If enabled, users in this group can send File Requests. If disabled, this function will be removed from the compose page.
|File Request Permission
|Only Specified Recipients
|When a File Request is responded to, who has permission to download the files.
|File Request Expiration
|The time the File Request recipient has to respond to a File Request.
|File Request Expire Download
|The time when files sent using a File Request will expire from the system.
|If selected, users in this group will have Sysadmin privileges.
|If selected, users in this group will have Admin privileges. Sysadmins are automatically admins.
|Whether users in this group should be treated as External users or not. External users are not counted towards your license users but have restrictions. Please see the license section for information on External Users and restrictions.
|Whether users in this group should be able to send files or not.
|Users in this group can invite other users
|If disabled, the function to invite users will be disabled for users in this group and the button will be removed from the compose page.
As you can see, there are many options available to set for users in the group configuration. The defaults are sensible, so you should not have to change too many settings to get started, but they allow for great flexibility if your requirements dictate that.
Enabling Filedrop and File Requests
In order to enable Filedrops and File Requests, neither "External" nor "Sending Disabled" can be ticked for users in that group.
On the surface, it may seem that Sending Disabled would just disable sending and that a Filedrop would be a "receive" function that would still be possible to enable. But with a Filedrop, the external user sending the file is actually sending the file "on behalf of" the owner of the Filedrop. By disabling the sending of files, it is therefore not possible to send "on behalf of" that user.
The exact same logic applies to File Requests. The files are sent "on behalf of" the sender of the File Request so this user needs to be permitted to send files.
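The constraints this page states for group settings (default expiration no higher than max expiration, the 3650 day ceiling, only one of limit or blocked extensions, and the "on behalf of" rule above) can be checked mechanically before a change is applied. The following is an added example, not LiquidFiles code; the field names and the sample groups are hypothetical and constructed for illustration.

```python
# Added example; field names are hypothetical, not LiquidFiles API or database names.
from dataclasses import dataclass, field

MAX_EXPIRATION_DAYS = 3650  # page: the maximum max expiration is 10 years (3650 days)

@dataclass
class Group:
    name: str
    default_expiration: int  # days
    max_expiration: int      # days
    limit_extensions: list = field(default_factory=list)
    blocked_extensions: list = field(default_factory=list)
    external: bool = False
    sending_disabled: bool = False
    user_filedrops: bool = False
    file_requests: bool = False

def lint_group(g):
    """Return findings for one group; an empty list means no conflict found."""
    findings = []
    if g.max_expiration > MAX_EXPIRATION_DAYS:
        findings.append("max expiration above 3650 days")
    if g.default_expiration > g.max_expiration:
        findings.append("default expiration above max expiration")
    if g.limit_extensions and g.blocked_extensions:
        findings.append("limit and blocked extensions both set")
    # Filedrops and File Requests are sent "on behalf of" the group member,
    # so the member must be a non-external user who is allowed to send.
    blockers = [flag for flag, on in
                (("External", g.external), ("Sending Disabled", g.sending_disabled)) if on]
    for feature, on in (("User Filedrops", g.user_filedrops),
                        ("File Requests", g.file_requests)):
        if on and blockers:
            findings.append(f"{feature} enabled but {' and '.join(blockers)} ticked")
    return findings

# Constructed sample groups, not taken from a real installation.
GROUPS = [
    Group("Local Users", 14, 30, blocked_extensions=["exe", "vbs"],
          user_filedrops=True, file_requests=True),
    Group("Local Users Receive Only", 14, 30, sending_disabled=True,
          user_filedrops=True),
    Group("Contractors", 60, 30, limit_extensions=["pdf"],
          blocked_extensions=["exe"], external=True, file_requests=True),
]

if __name__ == "__main__":
    print({g.name: lint_group(g) for g in GROUPS})
```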
Automatic Assignment of Users
LiquidFiles is built to be self-administering as far as possible, and you can configure LiquidFiles to automatically assign users to groups by matching LDAP/AD groups, SSO/SAML groups or email addresses. Please see the Automatic Group Assignment documentation for more information.
Please see the License Overview section for license considerations and how it relates to user and group configurations.
Common Use Cases
Here are some of the more common use cases, and how you would configure them in LiquidFiles.
All external users should be able to send files to ourcompany.com
To make sure that all external users can send files to specified domains, regardless of whether there are users configured or not:
- In the External Users group, add ourcompany.com (and any other internal domain) to the limit recipient domains.
Some internal users should only be allowed to send to other internal users
The easiest way to set this up is to:
- Add a new internal group: Restricted Local Users
- Set the limit domains to your internal domains: company.com, sistercompany.com
- Optionally set the Limit Networks to your internal network(s): 10.0.0.0/8
- Create an LDAP group: Restricted LiquidFiles Users
- Configure the LiquidFiles LDAP group match to: Restricted LiquidFiles Users
Local users authenticated with LDAP should only be able to log in from internal addresses
The easiest way to set this up is to:
- Change the Local Users group to limit internal networks to your network(s): 10.0.0.0/8
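The restricted-user and internal-network use cases above depend on the top-to-bottom group order, which the sketch below makes explicit. It is an added example, not LiquidFiles code: the dictionary keys, the user ann@company.com, and the rule that a group matches on either its LDAP groups or its email domains are assumptions for illustration.

```python
# Added example; keys and the match-on-either-criterion rule are assumptions.
import ipaddress

GROUPS = [  # constructed; listed in the same order as on the Groups admin page
    {"name": "Restricted Local Users",
     "ldap_groups": {"Restricted LiquidFiles Users"}, "email_domains": set(),
     "limit_networks": ["10.0.0.0/8"],
     "limit_recipient_domains": {"company.com", "sistercompany.com"}},
    {"name": "Local Users",
     "ldap_groups": set(), "email_domains": {"company.com"},
     "limit_networks": ["10.0.0.0/8"], "limit_recipient_domains": set()},
]

def domain_of(email):
    return email.rsplit("@", 1)[-1].lower()

def resolve_group(groups, email, ldap_groups):
    """First group, top to bottom, whose LDAP group or email domain matches."""
    for g in groups:
        if g["ldap_groups"] & set(ldap_groups) or domain_of(email) in g["email_domains"]:
            return g
    return None  # the product's handling of unmatched users is not modelled here

def login_allowed(group, source_ip):
    """An empty Limit Networks list means no restriction."""
    nets = group["limit_networks"]
    ip = ipaddress.ip_address(source_ip)
    return not nets or any(ip in ipaddress.ip_network(n) for n in nets)

def may_send_to(group, recipient):
    """An empty Limit Recipient Domains set means no restriction."""
    allowed = group["limit_recipient_domains"]
    return not allowed or domain_of(recipient) in allowed

if __name__ == "__main__":
    ldap = ["Restricted LiquidFiles Users"]
    g = resolve_group(GROUPS, "ann@company.com", ldap)
    print(g["name"], login_allowed(g, "10.1.2.3"), may_send_to(g, "bob@example.org"))
    # Listing Local Users first would shadow the restricted group for the same user.
    print(resolve_group(GROUPS[::-1], "ann@company.com", ldap)["name"])
```

With the order reversed, the same user resolves to Local Users and the recipient-domain restriction no longer applies, which is why the restricted group has to be listed above the broader one.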