Best Practices - Managing Users

One of your indispensable administrative tools is your ability to add, edit or delete users in your account: both internal (managed) users and external ones. This guide covers the best practices for user management. Our goal is to help you share content as simply and effectively as possible – while keeping that content completely secure.



Managed Users v. External Users

Managed users are created by account admins in the Users and Groups tab. You can access this tab by clicking Admin Console at the left of your page

In the menu bar, click the users icon: First off, it’s important that you understand the difference between managed and external users.


Quick Tip: Employees and close partners should be managed users since they require a greater amount of control and oversight.


Managed users often share your email domain, such as “” Below, you’ll see some of the settings you can apply to these users:

  • Specify their storage allocation
  • Place them in a group to manage their access permissions
  • Instantly log in to their account to oversee activity (Business Plus and Enterprise accounts only)
  • Control which apps they can work with
  • Be notified if the user attempts to reset their password or accesses Box through an unauthorized browser (Enterprise accounts, or through SSO integration)
  • Temporarily suspend or completely revoke a user’s access if they ever leave the company, while preserving their content


External users are contacts who’ve been invited to collaborate on one or more of your – or your users’ – folders. Prospects, clients or partners that only need access to specific information in your account should be invited as external users. Plus, you always have the option to invite external users to join as managed users if the nature of your work or partnership changes.


Take a look at this handy chart to see some arrangements that have worked well for other Box admins:


Managed Users

External Users

Team members

Short-term Contractors

Long-term contractors

Customers and clients


SMEs or consultants

Users that need to abide by your Box account’s security policies

Short-term partners

Long-term partners



Adding Managed Users

A managed user is a Box account that you directly control through your Admin Console. As an admin, you will have the ability to edit, delete, enforce security settings, and run activity reports on these users. Any files that these users upload into folders they own will count against your total storage allocation.


To add a managed user, follow these steps:

  1. Log in to your account and navigate to the Admin Console
  2. Click on the Users icon
  3. Click the "+ Users" button 

bestpractices - 1

  1. The interface will slide down and reveal new user entry fields. Enter the user's name, e-mail address, and storage quota.
  2. In the section marked Access Permissions, you can pre-populate the user’s account with folders you own, add the user to groups, and configure their access to the rest of the account (e.g. enable/disable Box Sync or restrict external collaboration).
  3. Click Add User to confirm the user’s addition

Once you complete this process, the newly added user will receive an email containing a confirmation link to create a password and log in to their account.



  • If you select "Shared Contacts" this user will see all other managed users in their Contacts and Collaborators tab. If you uncheck this box, the user will only see the people they are actively collaborating with, and will need to manually fill their own Contacts list.
  • In the Groups section, you can assign the user to a group you have created. 


Assigning Roles to Managed Users

Not all managed users are created equal: Below, you’ll see the different roles users can play in your account, and points to consider when you’re assigning these roles in the Users and Groups menu.


AdminAs the top dogs in their Box accounts, Admins can:

  • Log in to any user’s account (Enterprise only)
  • Configure account-wide settings for sharing, apps, notifications, security and more
  • Run reports to monitor account activity
  • Run reports to audit changes in security settings (Enterprise only)

Your ideal Admin candidate? You, or someone else who needs full control over your Box account and its administration. (Tip: You may want to share your admin duties with another person, particularly if you have a large number of users.)


To change the admin in Box, follow these steps:

  1. Open the Admin Console in your account and choose the Users and Groups tab
  2. Locate your account in the list of users and click your name
  3. In the Edit user Access Permissions section, select Change Account Admin

Co-adminThese users can perform the same duties as the Admin, but they can’t make changes to the Admin’s permissions.  The default setting for your co-admins will allow for all admin tools except:

  • Co-admins do not have access to billing information
  • Cannot log in to the Admin’s (or another co-admin’s) account
  • Do not have access to the Silent Mode tool
  • Cannot edit the primary admin's settings or reset the primary admin's password
  • If "Restrict Invites" is selected with the Enterprise Settings, they cannot invite collaborators into folders

As the primary admin, you can also decide to turn off certain capabilities on a co-admin by co-admin basis to customize the role to fit each individual on your admin team.


You can choose from any of the following abilities for your co-admins:

  • Manage Users: Add new users or edit existing user information and access levels
  • Manage Groups: Create new groups, assign Group Managers, or edit existing groups
  • View Managed User’s Files and Folders: Access any user’s content (read—only access)
  • Edit Managed User’s Files and Folders: Modify any user’s content
  • Instant Login: Log in to any managed user’s account
  • View Enterprise Settings: Read-only access to your organization’s settings
  • Edit Enterprise Settings: Ability to modify your organization’s settings
  • Run and View Reports: Access existing reports and create new reports

The ideal co-admin candidate: an IT professional or partner who has the time and security clearance required to administer your account. (Note: Co-admins and non-Enterprise admins are not able to see all the folders and content in the account; to do so, you’ll need to log in to users’ accounts as an Enterprise Admin.)


Group Admin - This is a good role to assign if there’s someone on your team who needs to manage only a subset of your users. Group Admins can:

  • Pull reports on usage, file and user statistics on their specific group
  • Add managed users into the account under their specific group
  • Manage the members and folder permissions in their specific group

Regular usersThese people don’t get any of the permissions above, but they do have the ability to take actions that you specifically allow, depending on your account-wide settings. By default, regular users can also invite collaborators and groups to folders, although account permissions can be configured such that only folder owners and admins can send invitations to shared folders. Permissions for individual groups can be modified under the groups tab in the Admin Console as well.


User Access and Permissions

What content will users be able to access in Box? The short answer: whatever content you want them to.

Users will never be able to see the entire folder structure of your Box account, unless you have given them access to all content. You can give users access at both the root and subfolder levels, or invite them only to particular folders in Box. You can also control which users have the ability to invite other users or specific groups into shared folders. Plus, you can always determine what permissions they have in individual folders. 


In fact, users won’t even be aware of folders they aren’t invited to, nor will they be aware of folders above that which they’ve been given access to if their access is granted at the subfolder level.


Quick Tip:

While you can’t delete an external user’s account, you can determine what access they have to your content. You can also remove them from your network or invite them as a managed user.


The default access level for folder collaborators is Editor, a good starting point for most managed users. An editor can upload, download, preview, share, edit and delete files, but does not have access to the folder’s security settings. The access level allows them to work in a folder and create subfolders inside it.


The other access levels are useful when you want to invite an external user, as they allow you to closely tailor the user’s permissions to suit your needs. For example, the Uploader role only allows the user to upload content. 


If you’re creating a Virtual Deal Room, consider assigning the Viewer role to collaborators in the deal room folder.


Here’s a handy chart that describes the various roles and their permissions:


Subfolders inherit permissions from parent folders via a waterfall permission model

All permissions – from Owner all the way down to Uploader – will always “waterfall” down to the folder’s subfolders.


This means that users who are granted access at a certain level – whether in a root folder or subfolder – will have that same access for all files in that folder, as well as every subfolder beneath it. This ensures that the owner of a root folder also owns all subfolders and content below, regardless of whether or not the owner created the lower-level content.


So when you’re inviting collaborators to a folder, be sure to invite them at the lowest possible folder level, to avoid granting access to content those collaborators shouldn’t be seeing.


Deleting Users

You may need to delete a managed user in Box if they have left the company or no longer need access to your content. (For more detailed information about terminating employees, see our Best Practices for Terminating Employees guide.


If you’re deleting a user who does not own any files in Box, you can simply open their user profile, look to the Edit User Account Details section, then click Delete this user. A dialog box will open, asking you to confirm:


If the employee has left your company and does own content in Box, click the Transfer content to another user option in the dialog box and designate a different user:


Any content the user had in trash will not be transferred. If you’re an Enterprise Admin, you can also reassign content with a bit more granularity by logging in to the terminated employee’s account. Once you’re there, reassign any of their folders to another user by opening it, then promoting one of the collaborators to Folder Owner.


Quick Tip:

A less permanent action you can take to lock a user out of Box and freeze their content is to set them to Inactive in the Edit User Access Permissions section of their user profile.


However, if you have already made a user inactive, you will see the same view as the user, which will indicate that the account is inactive. At that point, to access the user's content, use the Content Manager.


Version history
Revision #:
19 of 19
Last update:
‎11-01-2017 01:23 PM
Updated by:
Tags (1)