Managing Accounts

Home/Managing Accounts

Managing Accounts

Document is not restricted to the admin/user paradigm. Members are free to create their own accounts provided they have been granted access to do so. However, in many contexts, having an “official” group or responsible party for account administration is expected.

Managing Access Control #

Four types of access restrictions are available for an account: Private, Workspace, Member Only, and Security Group. The type of restriction set for a user is editable at any time from the account form.

Access the account form to edit:

  1. Open Document
  2. Select “Manage Accounts” along the top of the page
  3. Click the edit icon 
  4. Select the desired restriction located under “Security Model”

Note: Depending on the selected access restriction, there will be different options for assigning which members or security groups are allowed access.

Restriction Options:

  • All Workspace Members: This access is the simplest since it provides access to all members of the workspace and does not require any additional assignment of members.
  • Specific Members Only: This access setting requires assignment of each member to an account. This option is particularly useful when combined with the single sign-on option of assigning members based on a list of groups sent with the authentication. However, for workspaces with large numbers of members, this approach can often require more effort than desired, which is where security groups become useful. To choose specific members only:
    1. Click the members icon
    2. Drag the desired members from the “Unassigned Members” column on the left, to the “Assigned Members” column on the right
    3. To remove members, do the opposite
  • Specific Security Groups Only: With this option, permission to access an account can be granted to specific security groups rather than just individuals. With access restrictions relying on association with a security group or groups, the administration of accounts with much larger groups becomes much simpler. To edit assigned groups:
    1. Click the groups icon
    2. Drag the desired groups from the “Unassigned Groups” column on the left, to the “Assigned Groups” column on the right
    3. To remove groups, do the opposite
  • Remote agents: They will often use Document accounts to store files or move files among systems. To allow remote agents access to Document accounts, agents MUST have permission granted. This is a security feature to limit unwanted access to potentially sensitive information. To add agents:
    1. Click the agent icon
    2. Drag desired agents from the “Unassigned Agents” column on the left, to the “Assigned Agents” column on the right
    3. To remove agents, do the opposite

Managing Ownership #

The member who creates the account is assigned as the owner by default. However, Document accounts are designed to support multiple owners. This feature is helpful when a team of people is responsible for managing account access or when there is member turnover. Adding and removing owners is similar to adding and removing access permissions.

To add owners:

  1. Click the owners icon (located under “Manage Accounts” tab under the Document page)
  2. Drag new owners from the “Unassigned Members” column on the left to the “Assigned Members” column on the right
  3. To remove owners, do the opposite

Because only owners have the ability to view and edit an account, account administration is set up with two levels:

  • The member needs security access to view and manage accounts in general, and
  • The member must be an owner of the account to view, manage, and change settings of accounts

Note: The list of accounts to manage will show a member only the accounts to which they are assigned as an account owner.

Managing Backup Sets #

Document enables the backup of any account on a nightly basis. This feature permits backup across different cloud storage providers and on local systems. Essentially, any account is a valid target for the backup of another account.

Note: You cannot backup to the same account.

The backup process is not limited to a single backup destination. It is possible to have multiple redundant backup locations specified if this is a desired approach. For example, the backup of an internal server to another server may be one location with a second backup sent to Amazon S3 for off-site storage.

By using the prefix feature, it’s possible to have a single backup account contain the backups from multiple other accounts. Each account backup set begins its top level folder(s) with a different prefix, making it easy to distinguish the originating location and the restoration process. For example, if you have three different Document accounts but want to set their backup destination to the same location, using a prefix would allow all three accounts to properly backup without the fear of a name collision.

To reach the backup set table:

  1. Open Document
  2. Select “Manage Accounts”
  3. Click the backup icon

Creating a Backup Set #

To create a new backup set:

  1. Open Document
  2. Select “Manage Accounts”
  3. Click the backup icon
  4. Click the “New Backup Set” button
  5. Complete the required fields
  6. Click “Create”

The backup process is now scheduled to run nightly (US Time).

Updating a Backup Set #

To update a backup set:

  1. Open Document
  2. Select “Manage Accounts”
  3. Click the backup icon
  4. Click the edit icon of the desired backup set
  5. Adjust the desired information
  6. Click “Update”

Deleting a Backup Set #

To delete a backup set:

  1. Open Document
  2. Select “Manage Accounts”
  3. Click the backup icon
  4. Click the delete icon of the desired backup set 
  5. Click “delete” again

Note: The backup sets already present will not be deleted but the backup process will no longer run. You can remove the existing backups using Document file and directory management processes.

Managing Accounts #

Accounts access grants various cloud-based storage services, including Amazon S3, Wasabi, Dropbox, Google Drive, Azure Blob Storage Swift, Ceph, and SFTP. To access the accounts, access credentials must be provided. Depending on the service, providing access credentials occurs via various methods. Please refer to the individual service to understand how to generate the required credentials.

The account management form allows the configuration of the storage connection information and a start path. A start path allows those who use the account to begin browsing the directory structure further down the directory tree. This particular option is useful when you have multiple teams that need segregated file storage, but you only want one underlying storage service account.

For example, you could set a start path of teams/team_1/ for team 1 and teams/team_2 for team 2. When a member opens the Team 1 Document account they will begin file navigation inside team/team_1. They will not be able to move up the tree and see anything above teams/team_1.

The below screenshot illustrates the directory structure as seen by the administrator with no start path applied.

Using the same storage account credentials as the account above but assigning a start path for the Team 1 Document Account reveals this directory structure to the members using the account:

Controlling individual access is normally onerous and usually requires each member to have an individual account with the storage provider. In addition, most cloud storage providers only restrict access at a top level, so controlling access at various levels is not possible. Managing access with PlaidCloud, and using Document for cloud storage, simplifies access management for Amazon S3 and various other storage services.

To manage accounts, first:

  1. Open Document
  2. Select “Manage Accounts”

Creating a Document Account #

To create a document account:

  1. Open Document
  2. Select “Manage Accounts”
  3. Click the “New Account” button
  4. Complete the required fields
  5. Click “Create”

Updating a Document Account #

To update a document account:

  1. Open Document
  2. Select “Manage Accounts”
  3. Click the edit icon of the desired account 
  4. Update the account form as desired
  5. Click “Update”

Deleting a Document Account #

To delete a document account:

  1. Open Document
  2. Select “Manage Accounts”
  3. Click the delete icon of the desired account 
  4. Click “Delete” again

Note: This will not delete files stored in the account, only the account that provides access. Please delete all files and directories prior to deleting the account, or you may continue to incur storage charges.

Controlling Ownership of a Document Account #

To control ownership of an account:

  1. Open Document
  2. Select “Manage Accounts”
  3. Click the owners icon of the desired account 
    • You must be an owner to do this.
  4. In the management form, add or remove owners as needed by dragging them between lists
  5. Click “Update Access Control List”

Controlling Access to a Document Account #

Access to accounts is controlled through three different approaches:

  • Workspace wide access
  • Member specific list
  • Security group specific list

To control access to an account:

  1. Open Document
  2. Select “Manage Accounts”
  3. Either create a new account or edit an existing one
    • Steps for how to do this are listed above
  4. In the account form, select the desired Security Model
  5. Click “Create” or “Update” depending on the current operation

Note: The current owner will be added automatically to the Member list if a member based security model is selected and the current owner’s security groups will be added automatically to the Security Group list if security group based security model is selected

Controlling Access by PlaidLink Agents #

Since PlaidLink agents operate on remote systems, it is desirable to have explicit access to control that can be revoked if those external systems are compromised or simply to understand which external systems have access to documents.

Note: Members never have knowledge of, or access to, the storage account credentials. This is a vast improvement over other applications or browsers plugins that require sharing of these credentials.

Go to Top