Settings for the SFTP-users Group

Create a dedicated user group for secure file transfer users. An existing operating-system-related user group is attached to the Tectia SFTP group, and its members are allowed access only to their user-specific home folders.

  1. Under the Services page, click Add to create a group for SFTP users.

    Figure 5.10. Start creating the SFTP user group


  2. On the Basic tab, name the group SFTP-users and choose Deny or Deny all for all the listed services: Terminal, Commands, Local Tunnels, and Remote Tunnels. For more information on restricting terminal access, see Settings for the Rest of Users.

    Figure 5.11. Name the group 'SFTP-users' and deny all services


  3. On the Selectors tab, click Add Selector, choose the selector type User Group, and click OK.

    Figure 5.12. Define the group selector as user group


  4. When the User Group Selector view opens, attach the relevant existing operating-system-related user group (named staff in this example) to the group.

    Figure 5.13. Attach user group 'staff'


    Data on the newly created group selectors appears on the Selectors tab.

  5. On the SFTP tab, allow the SFTP service for the SFTP-users and define the User Home Directory for the user group. This is the SFTP starting directory. Use the default %USERPROFILES%, as shown in the following figure.

    Figure 5.14. Allow SFTP service for group SFTP-users


  6. To define Virtual Folders for the user group, first clear the Use defaults check box on the SFTP tab. Then select C: from the Virtual Folder list and click the Edit button. When the SFTP Virtual Folder dialog opens, define the virtual folder as C:, and its destination as the user-specific subdirectory under the SFTP directory on the C: drive (when users change directory to C:, they are actually directed to their user-specific SFTP directory). The session starts in the user's home directory. No other directory can be accessed via SFTP.

    Figure 5.15. Define virtual folders for group SFTP-users


    By default, file access by the user using the SFTP subsystem is restricted by the file system access controls. You can define more restrictions by defining virtual folders on Windows.

    By default, if no virtual folders are explicitly defined in the configuration, the user can access all drives via SFTP and SCP operations, the user's SFTP session starts in the C:\SFTP\%username% directory, and that is the target directory for SCP operations.

    When any virtual folders are defined, user access is limited to the specified folders only. Note that the user's home directory must be under one of the defined virtual folders.

    Note: The virtual SFTP root directory is not an actual directory on disk and no files can be written there.

    The value of a virtual folder can contain the same special strings as the value of home (%username%, %username-without-domain%, %homedir%, and %hostname%).
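
The following Python sketch is an added example, not Tectia code: it models the virtual folder rules described above so that a planned home and virtual folder setting can be checked before it is entered in the GUI. The client-visible path form /C:/..., the user alice, the host name sftp01 and all function names are assumptions; the C:\SFTP\%username% destination is the one used on this page.

```python
import ntpath  # Windows path rules, usable on any OS

def expand(value, user, homedir, hostname):
    """Substitute the special strings the page lists (a model, not Tectia code)."""
    subs = {"%username-without-domain%": user.split("\\")[-1],
            "%username%": user, "%homedir%": homedir, "%hostname%": hostname}
    for token, repl in subs.items():
        value = value.replace(token, repl)
    return value

def is_under(path, root):
    """True if path is root or below it; case-insensitive, '..' collapsed."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    return p == r or p.startswith(r + "\\")

def home_is_reachable(home, folders):
    """The page's rule: the home directory must be under a defined virtual folder."""
    return any(is_under(home, dest) for dest in folders.values())

def resolve(client_path, folders):
    """Map '/<virtual folder>/<rest>' to a real path; None means access denied."""
    # Assumed client path form: forward slashes, virtual folder name first.
    name, _, rest = client_path.replace("\\", "/").strip("/").partition("/")
    for vname, dest in folders.items():
        if vname.lower() == name.lower():
            real = ntpath.normpath(ntpath.join(dest, rest))
            return real if is_under(real, dest) else None
    return None  # virtual root or an undefined folder: nothing on disk

# Constructed sample values: one virtual folder, as in step 6.
USER, HOMEDIR, HOST = "alice", "C:\\Users\\alice", "sftp01"
FOLDERS = {"C:": expand("C:\\SFTP\\%username%", USER, HOMEDIR, HOST)}
HOME = expand("C:\\SFTP\\%username%", USER, HOMEDIR, HOST)

if __name__ == "__main__":
    print("home reachable:", home_is_reachable(HOME, FOLDERS))
    for p in ["/C:/inbox/a.txt", "/C:/../bob/secret.txt", "/D:/data", "/"]:
        print(p, "->", resolve(p, FOLDERS))
```

A home value that expands outside every virtual folder destination (for example %homedir% pointing at C:\Users\alice in this sample) makes home_is_reachable return False, which is the misconfiguration the page warns about.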