Admin Guide
Managing tenants, clients, users, and platform settings.
Roles Overview
TrustMFT has three roles with different levels of access:
| Role | Description |
|---|---|
| SuperAdmin | Platform-level access. Can manage all tenants, see all data, and configure platform-wide settings. |
| TenantAdmin | Manages one tenant. Can create and manage clients, users, and view audit logs within their tenant. |
| ClientUser | End-user access. Can upload and download files within the clients they have been granted access to. |
Managing Tenants (SuperAdmin only)
Tenants are top-level organisations on the platform. Each tenant is isolated — its data, users, and clients are not visible to other tenants.
- Go to Tenants in the sidebar to view all tenants.
- Click New Tenant to onboard a new organisation. You will be prompted for the tenant name and the initial administrator's email. A verification email is sent to that address — the administrator must click the confirmation link before they can log in for the first time.
- You can Suspend a tenant to temporarily disable all access, or Cancel to mark it as inactive.
- Clicking a tenant row opens its detail page where you can manage its clients and users directly.
Managing Clients
Clients represent a group of files and users within a tenant — for example, a customer or a project. Each client has its own storage container, quota, and file size limit.
- Go to Clients in the sidebar.
- Click New Client and provide a name, storage quota, and maximum file size.
- Edit a client to change its quota or file size limit.
- Delete a client to permanently remove it and all associated files and users. This action is irreversible.
Plan limits: Free plan tenants can create up to 2 clients with 50 MB storage and 5 MB max file size each. Pro plan supports up to 20 clients with 100 MB storage and 100 MB max file size each. Upgrade from Plan & Billing in the Organization menu.
IP Allowlists (Pro)
You can restrict which IP addresses may access a client's files by adding CIDR ranges to the client's IP allowlist. When at least one entry is configured, only requests from those ranges will be permitted. Entries accept both IPv4 and IPv6 CIDR notation (e.g., 203.0.113.0/24).
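A pre-check an administrator can run before saving an allowlist, given here as an added example that is not part of TrustMFT. It models the rule described above (no entries means no restriction, otherwise the address must fall in a listed range); the function names and sample addresses are constructed for illustration.

```python
import ipaddress

def parse_allowlist(entries):
    """Return (networks, problems) for a list of CIDR strings."""
    networks, problems = [], []
    for raw in entries:
        text = raw.strip()
        try:
            # strict=True rejects host bits, e.g. 198.51.100.9/24 instead of 198.51.100.0/24
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            problems.append(f"{text}: {exc}")
            continue
        if net.prefixlen == 0:
            problems.append(f"{text}: covers every IPv{net.version} address")
        networks.append(net)
    return networks, problems

def is_permitted(client_ip, networks):
    """Rule as described in the guide: an empty allowlist restricts nothing;
    otherwise the address must fall inside a listed range."""
    if not networks:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)  # an IPv4/IPv6 mismatch is simply False

def locked_out(known_clients, networks):
    """Addresses that connect today but would be refused once the list is saved."""
    return [ip for ip in known_clients if not is_permitted(ip, networks)]

# Constructed sample data (documentation address ranges only).
PROPOSED = ["203.0.113.0/24", "2001:db8:40::/48", "198.51.100.9/24", "not-a-range"]
KNOWN_CLIENTS = ["203.0.113.77", "2001:db8:40:1::5", "192.0.2.10", "2001:db8:41::1"]

if __name__ == "__main__":
    nets, problems = parse_allowlist(PROPOSED)
    print("problems:", problems)
    print("would be refused:", locked_out(KNOWN_CLIENTS, nets))
```

Run it with the addresses your partners and automation actually connect from, so that saving the first entry does not cut off a client you meant to keep.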
Storage Quotas
Each client has an individual storage quota. When a client's usage approaches its quota, upload attempts will be rejected. The dashboard shows current usage as a percentage of the quota. Adjust the quota in the client's edit page.
Managing Users
Users belong to a tenant and can be assigned to one or more clients.
- Go to Users in the sidebar to see all users in your tenant.
- Click New User to create a user. A welcome email with a temporary password is sent to their email address.
- Edit a user to update their name, role, or client assignments.
- Delete a user to remove their access immediately.
SFTP Credentials
Each user has a separate SFTP username and password, independent of their portal login. To manage them, open the user's detail page and click SFTP Credentials.
Password
Set or change the user's SFTP username and password from the SFTP Password card. Share the new password with the user through a secure channel — it is stored hashed and cannot be retrieved after saving.
SSH Public Keys (Pro)
SSH key authentication is the recommended method for automated workflows and scripts. No password is transmitted or stored in plaintext on the connecting machine. SSH key auth is available on the Pro and Business plans.
There are two ways to register a key for a user:
Option A — Generate a key pair in the portal (recommended)
- Open the user's SFTP Credentials page.
- In the SSH Public Keys card, click Generate Key Pair.
- The portal generates an Ed25519 key pair. The private key downloads as a .pem file immediately — this is the only time it is shown.
- Send the .pem file to the user through a secure channel (encrypted email, password manager share, etc.).
- Instruct the user to run chmod 600 on the file before using it.
One-time download: The private key is generated server-side and immediately discarded — it is never stored. If the user loses the file, generate a new key pair and revoke the old one.
Option B — Register a key the user provides
- Ask the user to generate a key pair on their machine (ssh-keygen -t ed25519) and send you the contents of their id_ed25519.pub file.
- Paste that line into the Add Public Key field, add a Label (e.g., "Work laptop"), and click Add Key.
Multiple keys can be registered for the same user — useful when a user connects from several machines or when a CI pipeline needs its own dedicated key. Each key is listed with its fingerprint and can be revoked individually.
Require Key Authentication
Once a user has at least one SSH key registered, you can enforce key-only access by enabling the Require key auth toggle in the SSH Public Keys card header. When enabled:
- Password login is completely disabled for that user — any SFTP password attempt is rejected immediately.
- A warning banner is displayed on the SFTP Credentials page as a reminder that the password card has no effect.
- The toggle cannot be enabled unless at least one key is already registered, preventing accidental lockout.
- To re-enable password login, flip the toggle off. The existing SFTP password remains set and works again immediately.
Recommended for automation: Enable key-only auth for service accounts and CI/CD users so that a leaked or guessed password can never be used to connect via SFTP.
MFA Enforcement
TenantAdmins can require all users in their tenant to set up MFA. Go to Organization in the sidebar and toggle Require MFA for all users. Once enabled, users who have not set up MFA will be redirected to the MFA setup page on next login.
Folder Permissions
By default, a ClientUser can access all folders in a client. You can restrict this by assigning folder-level permissions:
- Open the user's detail page and go to Client Permissions.
- Select the client and the folders the user is allowed to access.
- Supported permission types: Upload, Download, Delete, Create Folders.
Audit Logs
TrustMFT records an audit trail of all significant actions including logins, file uploads/downloads, and administrative changes.
- Go to Audit Logs (available to TenantAdmins and SuperAdmins).
- Filter by action type, protocol, or outcome (success / failed).
- Click Export CSV to download the filtered log as a spreadsheet for compliance or incident review.
What is logged
| Category | Events recorded | Protocol |
|---|---|---|
| Portal logins | Successful login, failed login, logout | Portal |
| SFTP logins | Successful login (password or key), failed attempts (wrong password, key not registered, IP blocked, key auth required) | SFTP |
| File transfers | Upload, download, delete — both via the web portal and via SFTP | Portal, SFTP |
| Folder operations | Create folder, delete folder | Portal, SFTP |
| Administration | User created/updated/deleted, SFTP credentials set, permissions granted/revoked, IP allowlist changes, MFA events | Portal |
Filtering by protocol
Use the Protocol dropdown to narrow the log to SFTP events only — useful for investigating file transfer activity or reviewing connection attempts from automated systems. Combine with the Action filter (e.g., SftpLoginFailed) to quickly surface repeated failed attempts that may indicate a misconfigured client or a brute-force attempt.
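One way to triage an exported CSV of SftpLoginFailed events offline, given here as an added example that is not part of TrustMFT. The column names, timestamp format, window and threshold are assumptions; match them to the header of your own export. It separates a single account failing repeatedly from several accounts failing from one address.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an export filtered to Protocol = SFTP, Action = SftpLoginFailed.
# Column names and timestamp format are assumptions; adjust to the real CSV header.
SAMPLE_CSV = """timestamp,action,protocol,outcome,username,source_ip
2024-05-01T02:00:01Z,SftpLoginFailed,SFTP,failed,ci-deploy,198.51.100.20
2024-05-01T02:01:01Z,SftpLoginFailed,SFTP,failed,ci-deploy,198.51.100.20
2024-05-01T02:02:01Z,SftpLoginFailed,SFTP,failed,ci-deploy,198.51.100.20
2024-05-01T02:03:01Z,SftpLoginFailed,SFTP,failed,ci-deploy,198.51.100.20
2024-05-01T04:10:05Z,SftpLoginFailed,SFTP,failed,alice,203.0.113.50
2024-05-01T04:10:09Z,SftpLoginFailed,SFTP,failed,bob,203.0.113.50
2024-05-01T04:10:14Z,SftpLoginFailed,SFTP,failed,carol,203.0.113.50
2024-05-01T01:00:00Z,SftpLoginFailed,SFTP,failed,dave,192.0.2.7
2024-05-01T03:00:00Z,SftpLoginFailed,SFTP,failed,dave,192.0.2.7
2024-05-01T05:00:00Z,SftpLoginFailed,SFTP,failed,dave,192.0.2.7
"""

def triage_failed_sftp(csv_text, window=timedelta(minutes=5), threshold=3):
    """Return {source_ip: summary} for IPs with >= threshold failures inside one window."""
    by_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["action"] != "SftpLoginFailed":
            continue  # tolerate an unfiltered export
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        by_ip[row["source_ip"]].append((ts, row["username"]))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        burst, start = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst < threshold:
            continue
        users = sorted({name for _, name in events})
        # One account failing repeatedly suggests a stale credential in a script;
        # several accounts from one address suggests password guessing.
        pattern = "single-account" if len(users) == 1 else "multi-account"
        findings[ip] = {"burst": burst, "users": users, "pattern": pattern}
    return findings

if __name__ == "__main__":
    for ip, info in triage_failed_sftp(SAMPLE_CSV).items():
        print(ip, info)
```

Failures spread over hours (the 192.0.2.7 rows) stay below the burst threshold and are not reported.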
Compliance tip: Export audit logs regularly and store them in a separate secure location for compliance requirements such as ISO 27001 or SOC 2.