In my organization, users have the right to transfer files to and from servers using the SSH File Transfer Protocol for a variety of reasons, e.g. application troubleshooting, BAU, etc.
Although our servers are configured with logging to keep track of what users have done, we would still like to control the file transfer operations done by the users, in the sense that we would like to make file transfer a privileged operation that is allowed when a user has raised a valid request, not as and when they please.
The most effective way that I could think of is manually enabling/disabling the SFTP service whenever there is a request and having the user perform the file transfer operation on a dedicated workstation. But it does sound a bit strenuous.
For FSI institutions, how do they control such operations?