Box helps you manage and share your enterprise content as simply and effectively as possible while keeping that content secure. User management is your administrative tool to add, edit, and delete both internal (managed) users and external users in your account and is where you define when, where, and how users access your enterprise content. In addition, you can identify any unmanaged users in your organization, and convert them to managed users.
User management also includes user groups. Group are collections of users and allow you to share folders and assign folder permissions to all members of a group at once. For more information about groups, see Creating and Managing Groups.
In Box, there are three types of users, also known as user accounts:
Understand the differences and limitations of what a managed user can do, what an external user can do and what an unmanaged user is.
Managed Users
Managed users are Box accounts that you directly control through your Admin Console. As an admin or co-admin, you can edit, delete, enforce security settings, and run activity reports on these users. Any files these users upload into folders they own will count against your total storage allocation.
More information on creating and editing Managed Users:
Employees and close partners should be managed users because they require a greater amount of control and oversight. Managed users often share your email domain, such as [yourcompany].com . With managed users, you can:
- Specify their storage allocation
- Place them in a group to manage their access permissions
- Log in to their account to oversee activity (Business Plus and Enterprise accounts only)
- Control which apps they can work with
- Be notified if the user attempts to reset their password or accesses Box through an unauthorized browser (Enterprise accounts, or through SSO integration)
- Temporarily suspend or completely revoke a user’s access if they ever leave the company, while preserving their content
Unmanaged Users
Unmanaged users are unpaid personal Box accounts used to collaborate on your company-owned content and are within your organization’s managed domain, such as harrypotter@[yourcomapny].com. Unmanaged users do not belong to your Box enterprise and their Box accounts are unlicensed. Most importantly, unmanaged users increase your security and compliance risk because their accounts are not constrained by your enterprise's Box security policies. You can:
- Identify your unmanaged users by running the User Details report.
- Close this security gap by converting unmanaged users to managed users.
Unmanaged users may or may not also be external users.
External Users
External users are Box users with accounts that were not created directly from within your own Box Admin Console, typically contacts who have been invited to collaborate on one or more of your enterprise folders. While you can share and collaborate with external users, your management capabilities over external user accounts are limited to the folders to which you have invited them.
Prospects, clients, or partners who only need access to specific information in your account should be invited as external users.
With certain paid accounts, both external users and managed users contribute towards your overall purchased user seat count. Business Plus, Enterprise, and Elite accounts have unlimited external collaboration, so only managed users contribute to your seat count.
External users may or may not also be unmanaged. You can always invite external users to join as managed users if the nature of your work or partnership changes.
The table below is an example of user categorization that have worked well for other Box admins:
|
Managed Users |
External Users |
|
Team members |
Vendors |
|
Long-term contractors |
Customers and clients |
|
Co-workers |
SMEs or consultants |
|
Users that need to abide by your Box account’s security policies |
Short-term partners |
|
Long-term partners |
Bidders |
User Roles
User roles define what managed users can do in Box. Any of the following roles can be assigned to a managed user:
- Admin
- Co-admin
- Group admin
- Member
Admin Role
The Admin role has the highest level of authority and access within your enterprise. Only one managed user can be assigned the Admin role, although one or more managed users can be assigned co-admin roles. Admins can:
- Log in to any user’s account (Enterprise only)
- Configure account-wide settings for sharing, apps, notifications, security and more
- Run reports to monitor account activity
- Run reports to audit changes in security settings (Enterprise only)
As the Box admin, you can change the Admin role to another managed user account.
Co-admin Role
If your Box organization is large, you may want to share administrator duties with one or more co-admins. Co-admins have the same access as the Admin, except they
- Cannot make changes to the Admin’s own permissions
- Do not have access to billing information
- Cannot log in to the Admin’s (or another co-admin’s) account
- Do not have access to the Silent Mode tool
- Cannot edit the primary admin's settings or reset the primary admin's password
- Cannot invite collaborators into folders (if Restrict Invites is selected with the Enterprise Settings)
You can otherwise customize access for co-admins. See the User Access Permissions section in Users & Groups Settings for details of each permission you can assign to a co-admin.
Group Admin Role
This is a good role to assign if there’s someone on your team who needs to manage only a subset of your users. Group Admins can:
- Pull reports on usage, file and user statistics on their specific group
- Add managed users into the account under their specific group
- Manage the members and folder permissions in their specific group
Member Role
These users don’t get any of the permissions above, but they do have the ability to take actions that you specifically allow, depending on your account-wide settings. By default, regular users can also invite collaborators and groups to folders, although account permissions can be configured such that only folder owners and admins can send invitations to shared folders. Permissions for individual groups can be modified under the groups tab in the Admin Console as well.
See Also