Box helps you manage and share your enterprise content as simply and effectively as possible while keeping that content secure. User management is your administrative tool to add, edit, and delete both internal (managed) users and external users in your account and is where you define when, where, and how users access your enterprise content.
User management also includes user groups. Groups are collections of users and allow you to share folders and assign folder permissions to all members of a group at once. For more information about groups, see Creating and Managing Groups.
In Box, there are three types of users, also known as user accounts:
Note
User accounts may be defined using different terminology in your service agreement with Box but the principles outlined in this article apply to all Box customers.
The following sections will help you understand the differences and limitations of what a managed user can do, what an external user can do, and what an unmanaged user is.
Managed Users
Managed users are Box accounts that you directly control through your Admin Console. As an Admin or Co-admin, you can edit, delete, enforce security settings, and run activity reports on these users. Any files these users upload into folders they own will count against your total storage allocation.
More information on creating and editing Managed Users:
With managed users, an Admin or Co-admin can:
- Specify their storage allocation
- Place them in a group to manage their access permissions
- Log in to their account to oversee activity (Business Plus and Enterprise accounts only)
- Control which apps they can work with
- Be notified if the user attempts to reset their password or accesses Box through an unauthorized browser (Enterprise accounts, or through SSO integration)
- Temporarily suspend or completely revoke a user’s access if they ever leave the company, while preserving their content
Unmanaged Users
Unmanaged users are Box users who:
- Have Box service accounts that are acquired independently of an Admin or Co-admin,
- Possess email addresses from your domain or verified domains (domains owned or controlled by your organization), and
- Collaborate on your enterprise content
Unmanaged users are not controlled or monitored by your Admin, Co-admin or your organization's security policies, meaning that they represent a potential security and compliance risk. When these accounts are deleted, all content owned by these users is deleted and not retained by your organization. To gain full visibility into External Company users and mitigate potential risk from intentional or unintentional threats or data leakage, Box Administrators can:
- Identify and regularly monitor your unmanaged users by running the User Details report.
- Close this security gap by converting unmanaged users to managed users.
- Enable Auto Enrollment for your Box Service instance to prevent the creation of unmanaged users.
All unmanaged users require a paid account license.
There is a subset of users that have Box service accounts that are acquired independently of an Admin or Co-admin and possess email addresses from your domain or verified domains but do not collaborate on your organization's content. While these are not Unmanaged Users (sometimes referred to as Freemium Users), they are still uncontrolled members of your organization, and Box encourages you to convert these users to Managed Users and enable Auto Enrollment to gain visibility into their activity and avoid security and compliance risks.
External Users
External users are Box users with accounts that were not created directly from within your own Box Admin Console and do not use email addresses that are associated with your email domain(s). These are typically contacts who have been invited to collaborate on one or more of your enterprise folders. While you can share and collaborate with external users, your management capabilities over external user accounts are limited to the folders to which you have invited them.
An Admin or Co-admin may at any time invite an external user to join your instance of Box and
become a managed user controlled by your organization.
External users do not require you to purchase Box Service account licenses. However, for
account plans that do not have unlimited collaborators (e.g. Starter and Business plans), External
user accounts in excess of your permitted number of collaborators will contribute to your
purchased user seat count.
The table below is an example of user categorization that has worked well for other Box Admins:
| Managed Users | External Users |
| --- | --- |
| Team members | Vendors |
| Long-term contractors | Customers and clients |
| Co-workers | SMEs or consultants |
| Users that need to abide by your Box account’s security policies | Short-term partners |
| Long-term partners | Bidders |
User Roles
User roles define what managed users can do in Box. Any of the following roles can be assigned to a managed user:
- Admin
- Co-admin
- Group admin
- Member
Admin Role
The Admin role has the highest level of authority and access within your enterprise. Only one managed user can be assigned the Admin role, although one or more managed users can be assigned co-admin roles. Admins can:
- Access the entire Box Admin Console (Business Plans and above)
- Assign Co-admins and group admins, and define Co-admin access permissions
- Log in to any user’s account (Business Plus and above plans only)
- Configure account-wide settings for sharing, apps, notifications, security and more
- Run reports to monitor account activity
- Run reports to audit changes in security settings (Enterprise only)
As the Box Admin, you can change the Admin role to another managed user account.
Co-admin Role
If your Box organization is large, you may want to share administrator duties with one or more co-admins. Co-admins have the same access as the Admin, except they:
- Cannot make changes to the Admin’s own permissions
- Do not have access to billing information
- Cannot log in to the Admin’s (or another co-admin’s) account
- Do not have access to the Silent Mode tool
- Cannot edit the primary admin's settings or reset the primary admin's password
- Cannot invite collaborators into folders (if Restrict Invites is selected in the Enterprise Settings)
You can otherwise customize access for Co-admins. See the User Access Permissions section in Users & Groups Settings for details about each permission you can assign.
Group Admin Role
This is a good role to assign if there’s someone on your team who needs to manage only a subset of your users. Group Admins can:
- Pull reports on usage, file and user statistics on their specific group
- Add managed users into the account under their specific group
- Manage the members and folder permissions in their specific group
Member Role
These users don’t get any of the permissions above, but they do have the ability to take actions that you specifically allow, depending on your account-wide settings. By default, regular users can also invite collaborators and groups to folders, although account permissions can be configured such that only folder owners and admins can send invitations to shared folders. Permissions for individual groups can be modified under the groups tab in the Admin Console as well.