https://man.liquidfiles.com
LiquidFiles Documentation

LiquidFiles is built to be self administrating as far as possible. When it comes to user management, the easiest way to deal with users is to divide users into groups and use automatic group assignments to assign users into different groups.

When assigning users, users are matched in the following order:

  1. If the user is found in LDAP and has a group that match any of the listed LDAP groups, assign the user to that group. If the user belongs to several groups, the user will be assigned to the first listed group.
  2. If the user is found in LDAP but does not belong to any of the listed LDAP groups, assign the user to the default group for LDAP users.
  3. If the user is not found in LDAP and has an email address that match any of the listed matched email domains, assign the user to that group. If the user has an email address that match several domains, assign the user to the first listed group.
  4. If the user is not found in LDAP and does not have an email address that match any of the listed email domains, assign the user to the default group for non-ldap users.
Please note that in LiquidFiles v2.x group assignment would only happen when the user is created (typically with they authenticate for the first time), in LiquidFiles v3.x, group assignment happens each time a user logs in (so if you change group assignment you don't have to manually move users to different groups). But that means that if you don't properly match users to groups, all users will be moved to the default LDAP group next time they login.

If we look at an example system (https://liquidfiles.springfield.com), we can see the following Admin → Groups configuration:

images/configuration/groups/groups_05.png
Please note that you can add as many groups as you need, and you can rearrange the order of the groups by dragging and dropping in this interface.

The configuration in this example would be:

  • There's no automatic assignment of Sysadmins.
  • Users in the LDAP/AD group "LiquidFiles Admins" will be automatically assigned to the Admins Group.
  • Next is the "Partners" group, which is quite interesting. Users in the LDAP/AD Group "Accounting" will be automatically assigned to this group, together with users with an email domain @auditors.com. Also, since it's listed above the Local Users Group, LDAP/AD Users in both the Accounting and LiqudiFiles Users LDAP/AD group will be assigned to the Partners group.
  • Local Users are automatically assigned from the LDAP/AD Group LiquidFiles users.
  • External Users can only send to the email domains @powerplant.com and @springfield.com.
  • Nothing really to note about the Receive Only group.
  • The Default Group for LDAP and SSO Users is "Receive Only". This means that users who login with LDAP or SSO and belong to the LDAP Groups Accounting, LiquidFiles Admins and LiquidFiles Users will be assigned to their respective group, anyone else who logs in with LDAP or SSO will be assigned to the Receive Only Group.
  • Anyone else who logs in will be assigned to the "External Users" Group.

If you have a lot of groups with lots of matching going on, it can quickly become difficult to get a complete overview exactly what will happen. In order to make testing this easier, there's a User Test function at the bottom of the Admin → Groups page.

By entering whatever the user would type on the login page, you can test what would happen.

Here are a couple of examples:

images/configuration/groups/groups_03.png

If anyone with an email address in the domain: @auditors.com, they would be assigned to the "Partners" group.

images/configuration/groups/groups_04.png

In this case the email address does not match any existing user and does not match any existing email domain, they would be assigned to the default group for non-ldap users: External Users.

And so on. Please make sure that you test thoroughly so that all users are assigned to the correct groups.