Understanding How Credentials Affect User Access to Resources
For both file transfer and terminal sessions, access to remote directories (any location specified using a UNC path) can be affected by the user authentication method and by the credential used to access those directories. This is summarized in the table below.
Caution
Be careful when configuring access with any credential other than the client user's own credential. When you configure an alternate credential to provide access to any folder on a server, Windows will allow access to other folders on the same server that are accessible to the alternate credential. For more information about this risk and how to handle it securely, see Best Practices for Using Cached Credentials.
Note
- User access to directories for file transfers (sftp connections) is configured from SFTP Directories. (SFTP Directories settings also apply to scp connections made using SCP2. Depending on your configuration, these directories may also apply to SCP1 connections.)
- User access to remote directories for ssh terminal sessions is configured using Mapped Drives.
- Access described here for password authentication also applies to sessions configured to use GSSAPI authentication. Access described here for public key authentication also applies to other authentication methods (certificate, SecurID, RADIUS) for which the user doesn't provide Windows credentials during login.
- Reflection Gateway supports access by Reflection Gateway users. When this feature is enabled, access is determined by the configured Reflection Gateway user access account. Terminal access is disabled by default for these users, and this is the recommended setting, so users will see only those directories configured from SFTP Directories.
Authentication method | Credential | Mapped drive or directory access |
---|---|---|
Password (default) | [Client user] (default) | The user sees both local and remote drives and directories that are allowed to that user's Windows account. |
Public key | [Client user] (default) | If no credential cache is configured (the default), the user sees only local directories. If a drive or virtual directory is mapped to a remote network location, the user won't see that path, even if it is allowed for the user's account. If the Credential Cache is configured to record and use credentials, the user sees both local and remote paths that are allowed for the user's account. |
Password and Public key | Specific cached credential, for example: mydomain\Joe | The user has access to a directory if Joe's account has access to this location. |