Depends on what you want them to have FTP/SSH access to.
If you want to create additional users to manage website content, you want to use the "Add a website FTP access user." link to create your user–this creates a user that has FTP (and optionally ssh) access to the website data.
If you want mailbox users to be able to upload/download files from their home directory via FTP/SSH you’d set their access to “Mail and FTP” in the “Login permissions” field in the Other User Permissions section of the create user page.
To allow virtual server administrative users to create FTP users (which I think is the default, but maybe not), you’d set the option labeled “Can create FTP users?” in the Module Configuration “Server administrator permissions” section.
Note that all “administrative” class users–the kind that edit web pages or manage Virtualmin–are different and separate from Mailbox users…by design. It’s kinda like the differentiation of “root” from non-privileged users on a UNIX/Linux system. The goal being to make sure people know they’re doing something that effects the website.
Note also that some types of access are not entirely intuitive, as they are based on the shell that the user has (normally the system default shell for SSH users, nologin or false for FTP users, and /dev/null for mailbox users), though we do now include a page specifically for managing shells–it’s in the System Customization menu.
FTP access is determined by the shell of the user, and optionally inclusion in various access files. Virtualmin can manage both the shells and the access files, but the shells aspect is the easiest/simplest. Basically, when you enable FTP Virtualmin chooses the shell you’ve configured (or the default) in the Custom Shells page. Likewise for other types of access.
One more thing to be aware of is that when using suexec for applications, the executable files in cgi-bin and public_html cannot be group writable, as suexec will refuse to run them. Thus, a user that doesn’t share UID with the administrative user cannot possibly edit anything executable. And, of course, we don’t advise creating mailbox users with the same UID as the administrative user (actually that’d be kinda crazy).
Anyway, this is why the model works the way it does, and why you don’t create mailbox users to manage website content within the domain. There is a special account type just for that purpose. Giving up suexec to avoid that limitation isn’t worth the significant loss of security.
Confused yet? I know it’s intimidating. It’s one more area where Virtualmin’s flexibility gets in the way of “easy”. The Custom Shells page is pretty new, and doesn’t have as much documentation as it should. I’ll see about getting that corrected soon.