Best Practices - Managing Users

Box is designed to help you share content as simply and effectively as possible – while keeping that content completely secure.  To that end, one of your indispensable administrative tools is your ability to add, edit, and delete both internal (managed) users and external users in your account.  This guide covers the best practices for user management. 



    Managed Users and External Users


    First off, it’s important that you understand the difference between managed and external users.


    Managed users are Box accounts that you directly control through your Admin Console.   Employees and close partners should be managed users since they require a greater amount of control and oversight.


    Managed users often share your email domain, such as “”  With managed users, you can:

    • Specify their storage allocation
    • Place them in a group to manage their access permissions
    • Instantly log in to their account to oversee activity (Business Plus and Enterprise accounts only)
    • Control which apps they can work with
    • Be notified if the user attempts to reset their password or accesses Box through an unauthorized browser (Enterprise accounts, or through SSO integration)
    • Temporarily suspend or completely revoke a user’s access if they ever leave the company, while preserving their content

    External users are contacts who’ve been invited to collaborate on one or more of your – or your users’ – folders. Prospects, clients, or partners who only need access to specific information in your account should be invited as external users. You can always invite external users to join as managed users if the nature of your work or partnership changes.


    Take a look at this handy chart to see some arrangements that have worked well for other Box admins:


    Managed Users

    External Users

    Team members

    Short-term Contractors

    Long-term contractors

    Customers and clients


    SMEs or consultants

    Users that need to abide by your Box account’s security policies

    Short-term partners

    Long-term partners



    Adding Managed Users

    As an admin, you will have the ability to add managed users; edit, delete, and enforce their security settings; and run activity reports on these users. Any files these users upload into folders they own will count against your total storage allocation.


    To add a managed user:

    1. Click Admin Console.
    2. In the left-hand navigation click Users and Groups.
    3. Ensure the Managed Users tab (toward the top) displays.  If it does not, click it.
    4. Click + Users

    bestpractices - 1

      1. The New User Account sections display.  Enter the user's name, e-mail address, storage quota, and language.Best Practices, Managing Users - New User Account Details.png


      2. In the Access Permissions section, you can pre-populate the user’s account with folders you own; add the user to groups; and configure the user's access to the rest of the account -- that is, enable/disable Box Sync or restrict external collaboration.
      3. Click Add User.  You've just added a new managed user.

    When you complete this process, the new user will receive an email containing a confirmation link, prompting them to create a password and log in to their account.


    • If you select "Shared Contacts" this user will see all other managed users in their Contacts and Collaborators tab. If you clear this box, the user will only see the people they are actively collaborating with, and will need to manually fill their own Contacts list.
    • In the Groups section, you can assign the user to a group you have created. 

    Assigning Roles to Managed Users

    Not all managed users are created equal: Below, you’ll see the different roles users can play in your account, and points to consider when you’re assigning these roles in the Users and Groups menu.


    AdminAs the top authorities in their Box accounts, Admins can:

        • Log in to any user’s account (Enterprise only)
        • Configure account-wide settings for sharing, apps, notifications, security and more
        • Run reports to monitor account activity
        • Run reports to audit changes in security settings (Enterprise only)

    Your ideal Admin candidate? You, or someone else who needs full control over your Box account and its administration.

    Tip   You may want to share your admin duties with another person, particularly if you have a large number of users.


    To change the admin:

        1. Open the Admin Console in your account, and in the left-hand navigation click Users and Groups.
        2. Locate your account in the list of users and click your name.
        3. In the Edit user Access Permissions section, click Change Account Admin.

    Co-admins:  These users can perform the same duties as the Admin, but they cannot make changes to the Admin’s own permissions.  The default setting for your co-admins will allow for all admin tools and functions, except that co-admins:

        • do not have access to billing information
        • cannot log in to the Admin’s (or another co-admin’s) account
        • do not have access to the Silent Mode tool
        • cannot edit the primary admin's settings or reset the primary admin's password
        • cannot invite collaborators into folders (if Restrict Invites is selected with the Enterprise Settings) 

    As the primary admin, you can also decide to turn off certain co-admin capabilities on a case-by-case basis.  This enables you to customize the role to fit each individual on your admin team.


    You can choose from any of the following abilities for your co-admins:

        • Manage Users: Add new users or edit existing user information and access levels
        • Manage Groups: Create new groups, assign Group Managers, or edit existing groups
        • View Managed User’s Files and Folders: Access any user’s content (read—only access)
        • Edit Managed User’s Files and Folders: Modify any user’s content
        • Instant Login: Log in to any managed user’s account
        • View Enterprise Settings: Read-only access to your organization’s settings
        • Edit Enterprise Settings: Ability to modify your organization’s settings
        • Run and View Reports: Access existing reports and create new reports
        • View policies set up for your company: Read-only access to existing policies for your organization
        • Create, edit, and delete policies for your company: Change, add to, or modify your organization policies
        • View automations set up for your company: Read-only access to existing automation processes  for your organization
        • Create, edit, and delete automations for your company: Change, add to, or modify your organization's automation processes.
        • Create and edit metadata templates for your company: Create and modify metadata templates used throughout your organization.

    The ideal co-admin candidate: an IT professional or partner who has the time and security clearance required to administer your account.


    Note   Co-admins and non-Enterprise admins are not able to see all the folders and content in the account; to do so, they must log in to users’ accounts as an Enterprise Admin.)


    Group Admin - This is a good role to assign if there’s someone on your team who needs to manage only a subset of your users. Group Admins can:

        • Pull reports on usage, file and user statistics on their specific group
        • Add managed users into the account under their specific group
        • Manage the members and folder permissions in their specific group

    Regular usersThese people don’t get any of the permissions above, but they do have the ability to take actions that you specifically allow, depending on your account-wide settings. By default, regular users can also invite collaborators and groups to folders, although account permissions can be configured such that only folder owners and admins can send invitations to shared folders. Permissions for individual groups can be modified under the groups tab in the Admin Console as well.



    Sorting and Filtering the List of Managed Users

    To sort and filter your list of Managed Users:
    1. In the top right corner of the Managed Users window, click the Up-Down icon.  Box displays the filter menu.
    2. In the filter menu, you can select a Sort by category, a Filter by category, or a Role category.


    When you select one of these categories, Box displays the list of Managed Users, filtered and sorted as you've selected.

    Sort by

    You can sort your list of Managed Users by selecting one of the following:

    • Login,
    • Name,
    • Date Added,
    • Space Used,
    • Last Login.

    Filter by

    You can filter your list of Managed Users by selecting one of the following:

    • All Groups, or
    • whether they are Exempt From Device Limits.


    You can filter by Roles by selecting select one of the following:

    • All Roles,
    • Admins and Non-admins,
    • Admins — including main admin, co-admins, and group admins,
    • Non-Admins,
    • App Users.
    When filtering Managed Users by Role, Box selects Admins and Non-Admins by default. To filter by any other role, you need to select the role.

    User Access and Permissions

    What content will users be able to access in Box? The short answer: whatever content you want them to.

    Users will never be able to see the entire folder structure of your Box account, unless you have given them access to all content. You can give users access at both the root and subfolder levels, or invite them only to particular folders in Box. You can also control which users have the ability to invite other users or specific groups into shared folders. Plus, you can always determine what permissions they have in individual folders. 


    In fact, users won’t even be aware of folders they aren’t invited to, nor will they be aware of folders above that which they’ve been given access to if their access is granted at the subfolder level.


    Quick Tip:

    While you can’t delete an external user’s account, you can determine what access they have to your content. You can also remove them from your network or invite them as a managed user.


    The default access level for folder collaborators is Editor, a good starting point for most managed users. An editor can upload, download, preview, share, edit and delete files, but does not have access to the folder’s security settings. The access level allows them to work in a folder and create subfolders inside it.


    The other access levels are useful when you want to invite an external user, as they allow you to closely tailor the user’s permissions to suit your needs. For example, the Uploader role only allows the user to upload content. 


    If you’re creating a Virtual Deal Room, consider assigning the Viewer role to collaborators in the deal room folder.


    Here’s a handy chart that describes the various roles and their permissions:


    Subfolders inherit permissions from parent folders via a waterfall permission model <&mdash> that is, all permissions – from Owner all the way down to Uploader – will always “waterfall” down to the folder’s subfolders.  This means that users who are granted access at a certain level – whether in a root folder or subfolder – will have that same access for all files in that folder, as well as every subfolder beneath it. This ensures that the owner of a root folder also owns all subfolders and content below, regardless of whether or not the owner created the lower-level content.


    IMPORTANT   When inviting collaborators to a folder, be sure to invite them at the lowest possible folder level, to avoid granting access to content those collaborators shouldn’t be seeing.


    Deleting Users

    You may need to delete a managed user in Box if they have left the company or no longer need access to your content. (For more detailed information about terminating employees, see our Best Practices for Terminating Employees guide.


    If you’re deleting a user who does not own any files in Box, you can simply open their user profile, look to the Edit User Account Details section, then click Delete this user. A dialog box will open, asking you to confirm:


    If the employee has left your company and does own content in Box, click the Transfer content to another user option in the dialog box and designate a different user:



    Note   Any content in the user's trash will not be transferred.


    If you’re an Enterprise Admin, you can also reassign content with a bit more granularity by logging in to the terminated employee’s account. Once you’re there, reassign any of their folders to another user by opening it, then promoting one of the collaborators to Folder Owner.

    Quick Tip:

    A less permanent action you can take to lock a user out of Box and freeze their content is to set them to Inactive in the Edit User Access Permissions section of their user profile.

    However, if you have already made a user inactive, you will see the same view as the user, which will indicate that the account is inactive. At that point, to access the user's content, use the Content Manager.



    Managed Users Report

    The Managed Users report provides an overview of user account details, permissions, and groups for all your managed users in Box. 

    To export the Managed Users report:

    1. In Admin Console, click Users & Groups.
    2. In the Managed Users tab, click Export Users.
    3. Box exports the report as an Excel file to your Box folder. When Box finishes, a message notifies you.
    4. To see the report, click Go to folder.







    Information Available in the Managed Users Report

    Name Name of the managed user


    Primary email address of the managed user

    Secondary Emails

    List of secondary email addresses for the managed user
    Groups List of the groups the managed user belongs to
    Storage Storage allocation for the managed user
    Restrict external collaboration Enabled or disabled

    Status of the managed user's Box account.  Possible values are

    • Active,
    • Inactive,
    • Cannot delete and edit,
    • Cannot delete, edit and upload
    Storage Used Storage used by the managed user's account

    Last Password Change


    Date when the managed user most recently changed his or her password

    Storage Policy

    Data residency zone of the managed user

    Last Login

    Date when the managed user most recently logged in and started a new session in the web application, Sync, Drive, or mobile.  Last Login is not an indicator of latest user activity, which can be found in the User Activity Report.


    The role of this managed user in your company.  A managed user can be an admin, co-admin, or member.

    Managed User Permissions

    List of access permissions assigned to this managed user, such as Shared Contacts, or Restrict External Collaboration.  You can change these settings when viewing user details in the Edit Access User Permissions section.

    Co-admin Permissions

    List of access permissions assigned to a co-admin, such as Manage Users or Manage Groups.  You can change these settings when viewing co-admin details in the Edit Access User Permissions section.





    Version history
    Revision #:
    33 of 33
    Last update:
    ‎04-04-2019 09:06 AM
    Updated by:
    Tags (1)