Creating user groups within SpiderOak Enterprise


Creating groups within the Management Console allows you to segment users and customize settings within each user group.

Local Groups


A default group is automatically created using your company name. (For example, if your company is named "Burbank", your default user group will also be named "Burbank".)

Create a Local Group:

To set up a local user group, follow the steps below:

  • Select Manage Groups. Here you can see the default group and any other groups that have already been created.
  • Select Add Group to create a new group.

When the pop-up box appears, you will have the option of customizing access and settings.

  • Name the group.
  • Choose a storage limit for users assigned to it or assign them Unlimited storage.
  • Unchecking Webapi Enable allows you to restrict members of a group from logging in through SpiderOak.com or their mobile devices.

    NOTE: In order to fully retain Zero Knowledge privacy, SpiderOak recommends users only access their data via the desktop application, which downloads the data before decrypting it locally. When accessing data via SpiderOak.com or on a mobile device, a user must enter their password. The password will then exist in the server memory for the duration of the browsing session. For this amount of time, the password is stored in encrypted memory and never written to an unencrypted disk. The moment the browsing session ends, the password is destroyed and no further trace is left. This represents the only situation where data could potentially be readable to someone else with access to the SpiderOak servers.

  • Check "Admin group" if you would like a group to have administrative privileges. A list of selectable permissions will appear when Admin Group is checked. Any user in an admin group will be able to log into the Management Console using the same credentials they use in their desktop client and will be given the access permissions selected for the group.

Once you have made the appropriate selections, select the Create Group button.

LDAP Groups

In addition to the options available for local groups, when an Enterprise customer creates a group synced with LDAP, additional settings will need to be addressed:

  • The LDAP DN field should contain the full DN of the group or organizational unit that will be synced with the Management Console.
  • If Check Domain is selected, the desktop application will ensure that the computer it is installed on is within the domain configured in the Restrict Client Installs to Domain field on the Account page. If it is not, an error will be displayed and the user will not be allowed to authenticate.
  • In the case of a group synced with LDAP, the User Source drop-down should be set to LDAP.
  • Priority determines which SpiderOak group a user will be sorted into if that user is a member of multiple LDAP groups that are being synced with the Management Console. These users will be put into the group with the highest priority number. For example, if there is a user in a group called Finance (priority 2) and a group called Accounting (priority 5), the user will be sorted into the Accounting group in SpiderOak.
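
The priority rule above decides which group's settings a user in several synced LDAP groups ends up with, so it is worth checking before a sync. The following Python is an added example, not SpiderOak code: the `Group` fields, the function names and the sample groups and users are assumptions, and only the Finance (priority 2) and Accounting (priority 5) values come from this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    priority: int                 # Priority field: highest number wins
    webapi_enabled: bool = True   # "Webapi Enable" checkbox
    admin: bool = False           # "Admin group" checkbox

def resolve(user_groups, groups):
    """Return (effective group name or None, findings) for one user."""
    candidates = [groups[g] for g in set(user_groups) if g in groups]
    if not candidates:
        return None, ["not in any synced group"]
    top = max(g.priority for g in candidates)
    winners = sorted(g.name for g in candidates if g.priority == top)
    if len(winners) > 1:
        # The page does not say how equal priorities are resolved: flag it.
        return None, ["priority tie: " + ", ".join(winners)]
    winner = groups[winners[0]]
    losers = [g for g in candidates if g.priority < top]
    findings = []
    if winner.webapi_enabled and any(not g.webapi_enabled for g in losers):
        findings.append("web/mobile login restriction overridden by " + winner.name)
    if winner.admin and any(not g.admin for g in losers):
        findings.append("admin rights gained through " + winner.name)
    return winner.name, findings

def audit(memberships, groups):
    """Map each user to (effective group, findings)."""
    return {u: resolve(gs, groups) for u, gs in memberships.items()}

# Constructed sample data. Only the Finance (2) / Accounting (5) priorities
# come from the page; flags, other groups and users are made up.
GROUPS = {g.name: g for g in [
    Group("Finance", 2, webapi_enabled=False),
    Group("Accounting", 5),
    Group("Audit", 5, webapi_enabled=False),
    Group("Helpdesk", 9, admin=True),
]}
MEMBERSHIPS = {
    "alice": ["Finance", "Accounting"],
    "bob": ["Finance"],
    "carol": ["Accounting", "Helpdesk"],
    "dave": ["Accounting", "Audit"],
}

if __name__ == "__main__":
    for user, (group, findings) in audit(MEMBERSHIPS, GROUPS).items():
        print(user, group, findings)
```

A finding means the user's effective settings are looser than those of another group they belong to; adjust the priorities or the group flags so the more restrictive group wins where that is the intent.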

LDAP groups automatically sync every hour. This process will create any new users, alter any user information that has changed, and disable any users who have been deactivated or removed since the last sync. An administrator can manually sync the Management Console with LDAP by navigating to the Account page and selecting Sync Virtual Appliance.

Edit Group Settings


To edit settings for a user group, navigate to the Manage Groups page and select Details in the right-hand column of that group's row. Here you can edit all the same selections as were available during group creation.

Delete a Group


In the Group Details view, select the red Delete Group button on the bottom left. You will need to select which existing group you wish to migrate users to. For example, if you want to delete group Default that contains users a, b, and c, you will need to select another group to move those users into. This ensures that your users do not get accidentally removed in a group deletion. In the case of a group synced with LDAP, if it is deleted and the users it contains are not members of another LDAP group, they will be moved to the selected group and disabled.