Shared User Access Server Setup Guide
Please note, this feature will be retired after version 6.0.1 of MyWorkDrive. It has been superseded by External B2B File Sharing of Windows file shares with MyWorkDrive and Azure Active Directory Guest Accounts.
A video of these instructions is available on our YouTube channel as part of our 5.3 preview webinar.
MyWorkDrive version 5.3 includes a new feature titled Shared User Access, which allows you to define an Active Directory user account that has limited access to the share and permits multiple simultaneous logins.
This feature is not available for server versions prior to 5.3.
Use this in situations where you need to provide limited access to a wide number of people without creating Active Directory accounts for all of them.
For each share in MyWorkDrive, you can assign a single Active Directory user as the Shared User Access user. You’ll then distribute that username and password to the appropriate parties, along with the logon URL for your MyWorkDrive server. Anyone with the username and password will have access via the web client to view the files and folders in the MyWorkDrive online viewer. You may also choose to allow them upload/download access.
Some possible use cases include:
- Schools, providing students access to course materials or a repository to turn in assignments
- Working with Vendors/Suppliers to distribute and collect information
- Distribution of information via a secure channel to employees who are not Active Directory members
- Distribution of information to customers
Unlike regular users with full access, the limited access Shared User Access account permits multiple concurrent logins to the MyWorkDrive web client.
- Allows a user account to login multiple times concurrently via the web client.
- Uses a standard NTFS user with specific permissions and group membership.
- Does not permit login from the map drive or mobile install clients (mobile web is OK).
- Once used as a Shared User Access account, the user can only be used as a Shared User Access account on other shares.
- Can be used as Shared User Access on multiple shares – all will show on login.
- Limited functionality to view/upload/download files. No Sharing, Online Editing, etc.
- Upload/download can be enabled/disabled per share
- DLP features override – blocking downloads, watermarking
- Supports ADFS/SSO Login
To create a Shared User Access, you must first create and correctly define a user in Active Directory.
We strongly recommend you configure a new user with limited permissions and membership in a group which does not have any other access to any other shares than the ones it is used on for Shared User Access.
We strongly advise that you do not use a regular user account for the Shared User Access feature; create a new dedicated one for the purpose. Once assigned as a Shared User Access account in MyWorkDrive, the user account is restricted to only being available as a Shared User Access account and will not have regular user access to any other shares.
That process may look something like:
- Create a new user in Active Directory
- Add the user to Domain Guests
- Change the user’s default group for Domain Users to Domain Guests
- Remove the user from Domain Users
- Assign them as a user to the Share with appropriate permissions
This ensures the user account is locked down in NTFS and you are not dependent on MyWorkDrive or configuration mistakes to ensure limited access.
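The five steps above can be scripted with the ActiveDirectory PowerShell module. This is an added example, not a MyWorkDrive script; the account name, share path and rights level are hypothetical placeholders, and it assumes it is run by a domain administrator on a machine with RSAT installed and local access to the share folder.

```powershell
# Added example: hypothetical names and paths, adjust for your domain.
Import-Module ActiveDirectory

$Sam       = 'mwd-shared-sales'   # hypothetical dedicated account name
$SharePath = 'D:\Shares\Sales'    # hypothetical folder behind the share
$Rights    = 'ReadAndExecute'     # use 'Modify' only if Upload will be enabled

# 1. Create a new user in Active Directory
$Password = Read-Host -AsSecureString -Prompt "Password for $Sam"
New-ADUser -Name $Sam -SamAccountName $Sam -AccountPassword $Password `
    -Enabled $true -Description 'MyWorkDrive Shared User Access account'

# 2. Add the user to Domain Guests
$Guests = Get-ADGroup -Identity 'Domain Guests'
Add-ADGroupMember -Identity $Guests -Members $Sam

# 3. Change the primary group from Domain Users to Domain Guests.
#    primaryGroupID stores the group's RID, the last component of its SID.
$GuestsRid = [int](($Guests.SID.Value -split '-')[-1])
Set-ADUser -Identity $Sam -Replace @{ primaryGroupID = $GuestsRid }

# 4. Remove the user from Domain Users (only possible after step 3)
Remove-ADGroupMember -Identity 'Domain Users' -Members $Sam -Confirm:$false

# 5. Grant the account NTFS rights on the share folder
$Domain = (Get-ADDomain).NetBIOSName
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$Domain\$Sam", $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl = Get-Acl -Path $SharePath
$Acl.AddAccessRule($Rule)
Set-Acl -Path $SharePath -AclObject $Acl

# Check: the account should belong to Domain Guests and nothing else
$Extra = Get-ADPrincipalGroupMembership -Identity $Sam |
    Where-Object { $_.SID.Value -ne $Guests.SID.Value }
if ($Extra) {
    Write-Warning "$Sam is still a member of: $($Extra.Name -join ', ')"
} else {
    Write-Output "$Sam is a member of Domain Guests only."
}
```

The final membership check can be re-run later to confirm the account has not been added to other groups since it was created.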
You can read more about best practices for user and share creation in our File Sharing Best Practices article.
With the user created and assigned to the share, edit the share in MyWorkDrive Admin and scroll to the bottom to enable Shared User Access. Toggle the slider on and select the appropriate settings for download and upload.
Turning on Download means that anyone logging in with the Shared User Access account can pull down the files which are on the share. Leaving download off means the user can only view them in the online viewer.
Turning on Upload means that anyone logged in with the Shared User Access account can upload files and create folders in the share, if they have been granted write permissions in NTFS.
The user can now log in to the Web Client and will only have access to the assigned shares. The Shared User Access account cannot log in to the mobile install or desktop clients.
The functions they see in the Menu will be governed by the permissions you granted them with regard to download, upload or view.
In this example, the Shared User Access account has Upload and Download enabled.
To ensure security, features such as Sharing, Office 365 integration and Zip Downloads are disabled for the Shared User Access account.
Once a domain user is assigned as the Shared User Access account on any share, they are ALWAYS restricted to being used for Shared User Access ONLY on any other share. If you attempt to add a user who is defined for Shared User Access as a regular user to another share, you will be warned and prohibited from saving.
You can use the same Shared User Access account on multiple shares if, for example, you wanted one share with files for download and a second, upload-only share for them to return completed forms. They would see both shares on login to the web client.
In this example, the Shared User Access account is assigned on both the Sales and Support shares.
Data Leak Prevention (DLP)
If you have DLP Enabled, your watermark will show in the online viewer for the Shared User Access account.
Globally preventing downloads will block downloading regardless of share settings, as it does for regular users.
Shared User Access fully supports SSO logins. If you are using ADFS, AzureAD or another SSO provider, MyWorkDrive will redirect through the SSO provider as it would for normal users. Please be sure to configure your Shared User Access account in your SSO provider.
A reminder that if you have MFA configured either through Duo in MyWorkDrive or your SSO provider, put in an exclusion for your Shared User Access account.