Document is not restricted to the admin/user paradigm. Members are free to create their own accounts provided they have been granted access to do so. However, in many contexts, having an “official” group or responsible party for account administration is expected.
Four types of access restrictions are available for an account: Private, Workspace, Member Only, and Security Group. The type of restriction set for a user is editable at any time from the account form.
Access the account form to edit:
Note: Depending on the selected access restriction, there will be different options for assigning which members or security groups are allowed access.
The member who creates the account is assigned as the owner by default. However, Document accounts are designed to support multiple owners. This feature is helpful when a team of people is responsible for managing account access or when there is member turnover. Adding and removing owners is similar to adding and removing access permissions.
To add owners:
Because only owners have the ability to view and edit an account, account administration is set up with two levels:
Note: The list of accounts to manage will show a member only the accounts to which they are assigned as an account owner.
Document enables the backup of any account on a nightly basis. This feature permits backup across different cloud storage providers and on local systems. Essentially, any account is a valid target for the backup of another account.
Note: You cannot back up to the same account.
The backup process is not limited to a single backup destination. It is possible to have multiple redundant backup locations specified if this is a desired approach. For example, the backup of an internal server to another server may be one location with a second backup sent to Amazon S3 for off-site storage.
By using the prefix feature, it’s possible to have a single backup account contain the backups from multiple other accounts. Each account's backup set begins its top-level folder(s) with a different prefix, which makes the originating location easy to identify and simplifies the restoration process. For example, if you have three different Document accounts but want to set their backup destination to the same location, using a prefix allows all three accounts to back up properly without the risk of a name collision.
To reach the backup set table:
To create a new backup set:
The backup process is now scheduled to run nightly (US Time).
To update a backup set:
To delete a backup set:
Note: The backup sets already present will not be deleted but the backup process will no longer run. You can remove the existing backups using Document file and directory management processes.
Accounts grant access to various cloud-based storage services, including Amazon S3, Wasabi, Dropbox, Google Drive, Azure Blob Storage, Swift, Ceph, and SFTP. To connect an account to a service, access credentials must be provided. How those credentials are generated and supplied depends on the service. Please refer to the individual service to understand how to generate the required credentials.
The account management form allows the configuration of the storage connection information and a start path. A start path allows those who use the account to begin browsing the directory structure further down the directory tree. This particular option is useful when you have multiple teams that need segregated file storage, but you only want one underlying storage service account.
For example, you could set a start path of teams/team_1/ for team 1 and teams/team_2 for team 2. When a member opens the Team 1 Document account, they will begin file navigation inside teams/team_1. They will not be able to move up the tree and see anything above teams/team_1.
The below screenshot illustrates the directory structure as seen by the administrator with no start path applied.
Using the same storage account credentials as the account above but assigning a start path for the Team 1 Document Account reveals this directory structure to the members using the account:
Controlling individual access is normally onerous and usually requires each member to have an individual account with the storage provider. In addition, most cloud storage providers only restrict access at a top level, so controlling access at various levels is not possible. Managing access with PlaidCloud, and using Document for cloud storage, simplifies access management for Amazon S3 and various other storage services.
To manage accounts, first:
To create a document account:
To update a document account:
To delete a document account:
Note: This will not delete files stored in the account, only the account that provides access. Please delete all files and directories prior to deleting the account, or you may continue to incur storage charges.
To control ownership of an account:
Access to accounts is controlled through three different approaches:
To control access to an account:
Note: The current owner will be added automatically to the Member list if a member-based security model is selected, and the current owner’s security groups will be added automatically to the Security Group list if a security-group-based security model is selected.
Since PlaidLink agents operate on remote systems, it is desirable to have explicit access control that can be revoked if those external systems are compromised, or simply to understand which external systems have access to documents.
Note: Members never have knowledge of, or access to, the storage account credentials. This is a vast improvement over other applications or browser plugins that require sharing of these credentials.