Cerberus Group Accounts
Using groups simplifies the administration of multiple accounts by letting you assign permissions once to a group, instead of multiple times to each individual user. You can add Virtual Directories and basic user settings to a group and have users inherit those permissions. By default, when a user is assigned a group, that user inherits all of the group’s settings. However, those settings can still be overridden for the user account.
When a user is a member of a group, the user’s settings on the Users page will be grayed out, and the actual value displayed for each grayed setting is the value of the group that the user belongs to.
Virtual directories for the user account are a combination of the group’s virtual directories, and any virtual directories you assign specifically to the user account.
Overriding Group settings for a User
You can always override the group settings for a user by clicking on that user in the User Manager and then selecting toggling the group icon to the right of the setting to the user icon. Once you have toggled to the user setting, select your setting different from the group value and click ‘Update User’. You can revert back to the group setting by clicking on the user icon and toggling it back to the group icon.
Adding a new group
A group can be added and modified in Cerberus by opening up the User Manager and selecting the Groups tab. To add a group, select the New button. A new group will appear under the group list box. All group names must be unique and are case insensitive.
Once you have entered the new group name, press "Update Group" to commit the change. The group can then be configured by clicking on the group name in the group list box. A list of configurable properties for that group will appear below the Cerberus Group list.
Those properties are:
ProfileGroup Name The unique name for the group.
Description A brief summary or way to identify the group.
MembersGroup Member List This list displays native Cerberus members of the group as well as any LDAP and AD user and group mappings.
Anonymous If checked, the password for any user that is part of this group is ignored and the user can be logged in using any password.
Disabled Determines whether the account can log in or not. A disabled account cannot log in to the server.
User Can Change Password Controls, whether a user's that, belong to the group can change their password through the HTTP/S web client or through SSH SFTP or FTP commands.
Max Logins The maximum number of connections this user can make to the server at the same time.
Disable Date If a date is set here then the group will become disabled after the date specified. All users that are members of this group will also become disabled.
Note: The granularity of the timer is 30 minutes. The account will be disabled within 30 minutes of the time set.
Maximum Upload File Size This field can be used to limit the maximum size of an uploaded file. This value defaults to unlimited. The file size is specified in bytes. Specify 0 or any non-positive value to reset the maximum file size to unlimited.
Allowed IP Addresses A comma-separated list of IP addresses that members of this group can log in from. If no IP addresses are specified then no per-group IP address filtering is enforced. IP addresses can be specified as a single IP, a range of IP addresses separated by a dash, e.g. 192.168.0.100 - 192.168.0.150, or a CIDR-formatted IP address range. Multiple formats can be combined, with each single IP or range separated by a comma. Note, global IP address deny lists or allow ists are always enforced first, regardless of this setting.
SSH Authentication Method Determines the SSH authentication requirements for users that are members of this group. Valid options are:
Password Only: Require only a password for authentication.
Public Key Only: Require only a valid public key for authentication
Public Key and Password: Require both a valid public key and a valid password for authenticating a user.
Password or Public Key Either a valid password or a valid public key can authenticate a user.
Permitted Login Protocols
Allow FTP Both FTP and FTPES connections will be allowed to attempt to login over an FTP listener
Require Secure Control (Applies to FTP only) If enabled, members of this group can only log in to the server using a secure TLS/SSL encrypted connection.
Require Secure Data (Applies to FTP only) If enabled, members of this group can only initiate file transfers over secure TLS/SSL encrypted connections.
Allow Protocols to Login Controls which protocols a member of this group is allowed to log in with. If a protocol is not checked then the user will not be allowed to log in using that protocol.