User Accounts Provisioned by Just-In-Time (JIT) Provisioning

Group Permissions

A SAML user belonging to multiple groups is given the permissions and settings of all groups it belongs to with permissions overriding restrictions. For example, if Group A disallows sending to external users but Group B does not, users who belong to both groups are allowed to send to external users. Settings that require specific handling are as follows:

• Account expiration is only enabled if all groups to which a user belongs specify account expiration. If account expiration is enabled, the expiration date is set to the latest expiration date from among all groups.
• For any settings that use Server Default, Yes or Allow, and No or Deny, the setting is set to Yes if any group specifies Yes, and it is set to No if all groups are set to No. Otherwise, it is set to use the server default.
• For package deletion policy, override is enabled if all groups specify override, or if the least restrictive group setting is less restrictive than the server-wide setting. If override is enabled, the least restrictive group setting is used. Do nothing is less restrictive than Delete files after all recipients download all files, which in turn is less restrictive than Delete files after any recipient downloads all files.
• For advanced transfer settings, override is enabled if all groups specify override or if any group specifies any transfer rate that is higher than the server default. If override is enabled, each transfer rate is set to the higher of the highest value from among the groups and the server default. The minimum rate policy is locked only if all groups specify the setting.