Box is designed to help you share content as simply and effectively as possible – while keeping that content completely secure. To that end, one of your indispensable administrative tools is your ability to add, edit, and delete both internal (managed) users and external users in your account. This guide covers the best practices for user management.
Managed Users and External Users
First off, it’s important that you understand the difference between managed and external users.
Managed users are Box accounts that you directly control through your Admin Console. Employees and close partners should be managed users since they require a greater amount of control and oversight.
Managed users often share your email domain, such as “@box.com.” With managed users, you can:
Specify their storage allocation
Place them in a group to manage their access permissions
Instantly log in to their account to oversee activity (Business Plus and Enterprise accounts only)
Control which apps they can work with
Be notified if the user attempts to reset their password or accesses Box through an unauthorized browser (Enterprise accounts, or through SSO integration)
Temporarily suspend or completely revoke a user’s access if they ever leave the company, while preserving their content
External users are contacts who’ve been invited to collaborate on one or more of your – or your users’ – folders. Prospects, clients, or partners who only need access to specific information in your account should be invited as external users. You can always invite external users to join as managed users if the nature of your work or partnership changes.
Take a look at this handy chart to see some arrangements that have worked well for other Box admins:
Customers and clients
SMEs or consultants
Users that need to abide by your Box account’s security policies
Adding Managed Users
As an admin, you will have the ability to add managed users; edit, delete, and enforce their security settings; and run activity reports on these users. Any files these users upload into folders they own will count against your total storage allocation.
To add a managed user:
Click Admin Console.
In the lefthand navigation click Users and Groups.
Ensure the Managed Users tab (toward the top) displays. If it does not, click it.
Click + Users.
The New User Account sections display. Enter the user's name, e-mail address, storage quota, and language.
In the Access Permissions section, you can pre-populate the user’s account with folders you own; add the user to groups; and configure the user's access to the rest of the account -- that is, enable/disable Box Sync or restrict external collaboration.
Click Add User. You've just added a new managed user.
When you complete this process, the new user will receive an email containing a confirmation link, prompting them to create a password and log in to their account.
If you select "Shared Contacts" this user will see all other managed users in their Contacts and Collaborators tab. If you uncheck this box, the user will only see the people they are actively collaborating with, and will need to manually fill their own Contacts list.
In the Groups section, you can assign the user to a group you have created.
Assigning Roles to Managed Users
Not all managed users are created equal: Below, you’ll see the different roles users can play in your account, and points to consider when you’re assigning these roles in the Users and Groups menu.
Admin - As the top authorities in their Box accounts, Admins can:
Log in to any user’s account (Enterprise only)
Configure account-wide settings for sharing, apps, notifications, security and more
Run reports to monitor account activity
Run reports to audit changes in security settings (Enterprise only)
Your ideal Admin candidate? You, or someone else who needs full control over your Box account and its administration.
Tip You may want to share your admin duties with another person, particularly if you have a large number of users.
To change the admin:
Open the Admin Console in your account, and in the lefthand navigation click Users and Groups.
Locate your account in the list of users and click your name.
In the Edit user Access Permissions section, click Change Account Admin.
Co-admins: These users can perform the same duties as the Admin, but they cannot make changes to the Admin’s own permissions. The default setting for your co-admins will allow for all admin tools and functions, except that co-admins:
do not have access to billing information
cannot log in to the Admin’s (or another co-admin’s) account
do not have access to the Silent Mode tool
cannot edit the primary admin's settings or reset the primary admin's password
cannot invite collaborators into folders (if Restrict Invites is selected with the Enterprise Settings)
As the primary admin, you can also decide to turn off certain co-admin capabilities on a case-by-case basis. This enables you to customize the role to fit each individual on your admin team.
You can choose from any of the following abilities for your co-admins:
Manage Users: Add new users or edit existing user information and access levels
Manage Groups: Create new groups, assign Group Managers, or edit existing groups
View Managed User’s Files and Folders: Access any user’s content (read—only access)
Edit Managed User’s Files and Folders: Modify any user’s content
Instant Login: Log in to any managed user’s account
View Enterprise Settings: Read-only access to your organization’s settings
Edit Enterprise Settings: Ability to modify your organization’s settings
Run and View Reports: Access existing reports and create new reports
View policies set up for your company:Read-only access to existing policies for your organization
Create, edit, and delete policies for your company:Change, add to, or modify your organization policies
View automations set up for your company:Read-only access to existing automation processes for your organization
Create, edit, and delete automations for your company:Change, add to, or modify your organization's automation processes.
Create and edit metadata templates for your company: Create and modify metadata templates used throughout your organization.
The ideal co-admin candidate: an IT professional or partner who has the time and security clearance required to administer your account.
Note Co-admins and non-Enterprise admins are not able to see all the folders and content in the account; to do so, they must log in to users’ accounts as an Enterprise Admin.)
Group Admin - This is a good role to assign if there’s someone on your team who needs to manage only a subset of your users. Group Admins can:
Pull reports on usage, file and user statistics on their specific group
Add managed users into the account under their specific group
Manage the members and folder permissions in their specific group
Regular users - These people don’t get any of the permissions above, but they do have the ability to take actions that you specifically allow, depending on your account-wide settings. By default, regular users can also invite collaborators and groups to folders, although account permissions can be configured such that only folder owners and admins can send invitations to shared folders. Permissions for individual groups can be modified under the groups tab in the Admin Console as well.
User Access and Permissions
What content will users be able to access in Box? The short answer: whatever content you want them to.
Users will never be able to see the entire folder structure of your Box account, unless you have given them access to all content. You can give users access at both the root and subfolder levels, or invite them only to particular folders in Box. You can also control which users have the ability to invite other users or specific groups into shared folders. Plus, you can always determine what permissions they have in individual folders.
In fact, users won’t even be aware of folders they aren’t invited to, nor will they be aware of folders above that which they’ve been given access to if their access is granted at the subfolder level.
While you can’t delete an external user’s account, you can determine what access they have to your content. You can also remove them from your network or invite them as a managed user.
The default access level for folder collaborators is Editor, a good starting point for most managed users. An editor can upload, download, preview, share, edit and delete files, but does not have access to the folder’s security settings. The access level allows them to work in a folder and create subfolders inside it.
The other access levels are useful when you want to invite an external user, as they allow you to closely tailor the user’s permissions to suit your needs. For example, the Uploader role only allows the user to upload content.
If you’re creating a Virtual Deal Room, consider assigning the Viewer role to collaborators in the deal room folder.
Here’s a handy chart that describes the various roles and their permissions:
Subfolders inherit permissions from parent folders via a waterfall permission model <&mdash> that is, all permissions – from Owner all the way down to Uploader – will always “waterfall” down to the folder’s subfolders. This means that users who are granted access at a certain level – whether in a root folder or subfolder – will have that same access for all files in that folder, as well as every subfolder beneath it. This ensures that the owner of a root folder also owns all subfolders and content below, regardless of whether or not the owner created the lower-level content.
IMPORTANT When inviting collaborators to a folder, be sure to invite them at the lowest possible folder level, to avoid granting access to content those collaborators shouldn’t be seeing.
You may need to delete a managed user in Box if they have left the company or no longer need access to your content. (For more detailed information about terminating employees, see our Best Practices for Terminating Employees guide.
If you’re deleting a user who does not own any files in Box, you can simply open their user profile, look to the Edit User Account Details section, then click Delete this user. A dialog box will open, asking you to confirm:
If the employee has left your company and does own content in Box, click the Transfer content to another user option in the dialog box and designate a different user:
Note Any content in the user's trash will not be transferred.
If you’re an Enterprise Admin, you can also reassign content with a bit more granularity by logging in to the terminated employee’s account. Once you’re there, reassign any of their folders to another user by opening it, then promoting one of the collaborators to Folder Owner.
A less permanent action you can take to lock a user out of Box and freeze their content is to set them to Inactive in the Edit User Access Permissions section of their user profile.
However, if you have already made a user inactive, you will see the same view as the user, which will indicate that the account is inactive. At that point, to access the user's content, use the Content Manager.