CT-Ops

SFTP Security Settings

Global CT-Ops settings for SFTP availability and path policy enforcement.

The SFTP settings page controls the Host Editor/SFTP feature across the instance. Open it from Settings -> Security -> SFTP at /settings/security/sftp.

These settings decide whether CT-Ops applies its own path allowlist and denylist before file operations, and which hosts can launch SFTP at all. Remote operating system permissions always still apply because CT-Ops connects over SSH/SFTP as the supplied target-host user.

Access and scope

Only instance administrators can open and change this page. The settings apply to every host in the current CT-Ops instance.

Non-admin users do not manage these settings. SFTP use still requires an eligible CT-Ops role, a host allowed by the global SFTP availability rule, a valid SSH username and password for the target host, and SSH host-key trust.

Path policy

Field or controlDefaultWhat it does
SFTP path policy modeRequire CT-Ops allowlists and denylistsChooses whether CT-Ops checks the host-level path policy before remote file operations.
Require CT-Ops allowlists and denylistsSelected by defaultPreserves the existing governed mode. The host must enable Host Editor/SFTP and define matching allowed paths before files can be opened, saved, uploaded, downloaded, deleted, or rolled back. Denied paths override allowed paths.
Use host permissions onlyOff by defaultDisables the extra CT-Ops path policy layer. CT-Ops still validates absolute paths, role access, host availability, SSH host-key trust, file size limits, and the supplied SSH credentials, but file read/write success is decided by the remote host permissions for that SSH user.

Use Require CT-Ops allowlists and denylists when CT-Ops should enforce a separate administrative boundary for browser-based file maintenance. Use Use host permissions only only when the SSH account model on the managed hosts is already the intended security boundary.

Host availability

Field or controlDefaultWhat it does
Availability modeAvailable for all hosts except selectedControls whether the host list is a deny list or an allow list.
Available for all hosts except selectedSelected by defaultSFTP can launch for every host except those checked in the host list. Use this when SFTP is generally allowed but a small number of sensitive hosts must opt out.
Unavailable for all hosts except selectedOff by defaultSFTP is denied for every host except those checked in the host list. Use this when SFTP should be opt-in for a controlled set of hosts.
Filter hostsEmptyNarrows the host checkbox list by display name or hostname.
Host checkbox listEmptySelects the hosts affected by the current availability mode. The list label changes to show whether selected hosts are disabled or enabled by the list.
SaveDisabled until local changes existPersists the instance SFTP security settings and records an audit event.

Host-level effects

AreaEffect
Host Tools -> SFTPShows a denial state when the global availability rule blocks the host. When path policy is disabled globally, the launcher no longer requires host-level allowed paths.
Host Management -> Host Editor AccessStill defines the CT-Ops path policy used when global path policy mode requires allowlists and denylists. When global path policy mode uses host permissions only, these path rules are not applied to SFTP file operations.
File browserDirectory browsing starts at / and follows the SSH user’s Linux permissions. With CT-Ops path policy enabled, opening or changing a file still requires a matching host policy rule.
AuditingGlobal SFTP setting changes and file operations remain audited. The audit records the policy decision and target host context without storing plaintext SSH credentials.

Operator guidance

For most governed operations deployments, keep CT-Ops path policy enabled and use host-level allowed paths for the directories engineers are expected to maintain. This gives CT-Ops a narrow browser-file-maintenance boundary even when the SSH account has broader Linux permissions.

Use host-permissions-only mode for environments where SSH accounts are already scoped tightly on each host, or where operators need CT-Ops SFTP to behave like a normal SFTP client. Pair that mode with the host availability allow list if only a small set of hosts should expose browser-based SFTP.