Manage Local Groups¶
Groups manage sets of user privileges so they do not need to be maintained individually on every user account. For example, one group could hold IPsec xauth users, another could grant access to the firewall dashboard, another could hold full firewall administrators, and so on, using any combination of privileges.
Groups are managed under System > User Manager on the Groups tab.
Note
The all and admins groups cannot be deleted.
Groups and Remote Authentication¶
When working with group privileges while authenticating against LDAP or RADIUS (Authentication Servers), local groups must exist with names that exactly match the group names on the server. For example, if an LDAP group named firewall_admins exists, the firewall must also contain an identically named group, firewall_admins, with the desired privileges.
If a user authenticates against a remote authentication server and none of the groups returned by the server match a local group, the user receives no privileges from groups and cannot access resources that require privileges.
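The following is an added example, not pfSense code, that models the matching rule above: a user's effective privileges are the union of the privileges of every local group whose name exactly matches a group name returned by the RADIUS or LDAP server. The local group table, the user's remote groups and the privilege identifiers are constructed for illustration. It also includes a small troubleshooting helper that reports remote groups with no local match and points out near-misses that differ only in case or surrounding whitespace, the usual cause of a user logging in with no privileges.

```python
# Added example (not pfSense code): how effective privileges follow from
# exact group-name matches between a remote authentication server and the
# local group table. Group names and privilege identifiers are constructed.
from dataclasses import dataclass, field


@dataclass
class LocalGroup:
    name: str
    scope: str                      # "local" or "remote"
    privileges: set = field(default_factory=set)


# Constructed local group table, as it might appear under
# System > User Manager > Groups.
LOCAL_GROUPS = {
    "admins": LocalGroup("admins", "local", {"page-all"}),
    "firewall_admins": LocalGroup("firewall_admins", "remote", {"page-all"}),
    "dashboard_viewers": LocalGroup("dashboard_viewers", "remote",
                                    {"page-dashboard-all"}),
    "VPN Users": LocalGroup("VPN Users", "remote",
                            {"user-ipsec-xauth-dialin"}),
}


def effective_privileges(remote_groups, local_groups=LOCAL_GROUPS):
    """Union of privileges from every local group whose name exactly matches
    a group name returned by the RADIUS/LDAP server. Matching is exact and
    case-sensitive; a remote group with no local counterpart contributes
    nothing, so a user whose groups all miss ends up with an empty set."""
    privs = set()
    for name in remote_groups:
        group = local_groups.get(name)
        if group is not None:
            privs |= group.privileges
    return privs


def unmatched_groups(remote_groups, local_groups=LOCAL_GROUPS):
    """Troubleshooting helper: remote groups with no exact local match, each
    paired with a near-miss local group name if one differs only by case or
    surrounding whitespace, otherwise None."""
    normalized = {n.strip().lower(): n for n in local_groups}
    report = {}
    for name in remote_groups:
        if name in local_groups:
            continue
        report[name] = normalized.get(name.strip().lower())
    return report


if __name__ == "__main__":
    # Constructed group lists as an LDAP server might return them.
    good = ["firewall_admins", "posix-users"]
    bad = ["Firewall_Admins", "posix-users"]      # case differs: no match
    print("good:", sorted(effective_privileges(good)))
    print("bad: ", sorted(effective_privileges(bad)))
    print("unmatched:", unmatched_groups(bad))
```

Running the block shows the first user receiving page-all while the second, whose only difference is capitalisation, receives nothing; the unmatched report names the local group it was probably meant to match.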
Creating and Editing Groups¶
As with users, the first step is to add the group and save it. Privileges can only be assigned to an existing group; they cannot be added while creating a new group.
To add a new group:
Navigate to System > User Manager, Groups tab
Click Add
To edit an existing group:
Navigate to System > User Manager, Groups tab
Click on the row containing the group
Group Settings¶
- Group name:
The name of the group.
For groups in the Local scope, this setting has the same restrictions as a username: It must be 16 characters or less and may only contain letters, numbers, and a period, hyphen, or underscore.
Groups in the Remote scope do not have strict name restrictions, for example they may have longer names.
- Scope:
The scope in which this group is available for use.
Note
LDAP and RADIUS groups can match names in both local and remote scopes.
- Local:
Groups on the firewall itself, such as those for use in the shell, filesystem, and other local uses. These groups are added to the operating system, so they are subject to naming restrictions imposed there.
- Remote:
Groups from remote sources, such as authentication servers (RADIUS or LDAP). These groups are not exposed to the operating system, and thus are only available for use in the GUI and other similar uses not involving the operating system layer. This scope has relaxed name restrictions, for example, group names may be longer and may contain spaces.
- Description:
Optional free-form text for reference and to better identify the purpose of the group in case the Group name is not sufficient.
- Group Memberships:
This set of controls defines which existing users are members of this group. Firewall users are listed in the Not Members column by default.
To add a user to this group:
Click the user name in the Not Members column
Click to move it to the Members column
To remove a user from this group:
Click the user name in the Members column
Click to move it to the Not Members column
- Assigned Privileges:
A list of privileges assigned to this group. Appears only when editing an existing group.
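The naming rules under Group name and Scope, as an added example that is not part of pfSense: a validator that applies the Local-scope rule stated above (16 characters or fewer; only letters, digits, period, hyphen and underscore) and lets Remote-scope names through as long as they are not blank. The page states no upper bound for Remote names, so that leniency is an assumption of this example. A second helper answers the practical question of which scope can hold a given name that the authentication server returns.

```python
# Added example (not pfSense code): checks a group name against the naming
# rules for each scope. The Local rule (max 16 characters; letters, digits,
# period, hyphen, underscore) follows the page; Remote names are only checked
# for being non-blank, since the page states no hard limit (assumption).
import re

LOCAL_NAME_MAX = 16
LOCAL_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def validate_group_name(name, scope):
    """Return (ok, reason). scope is "local" or "remote"."""
    if scope not in ("local", "remote"):
        return False, f"unknown scope {scope!r}"
    if not name or not name.strip():
        return False, "group name must not be blank"
    if scope == "remote":
        # Not exposed to the operating system, so spaces and long names
        # are acceptable here.
        return True, "ok"
    if len(name) > LOCAL_NAME_MAX:
        return False, f"local group name longer than {LOCAL_NAME_MAX} characters"
    if not LOCAL_NAME_RE.match(name):
        bad = sorted({c for c in name if not LOCAL_NAME_RE.match(c)})
        return False, ("local group name contains disallowed characters: "
                       + ", ".join(repr(c) for c in bad))
    return True, "ok"


def suggest_scope(name):
    """Which scope can hold this name: "local" if it satisfies the operating
    system rules, otherwise "remote" (usable for GUI privileges only)."""
    return "local" if validate_group_name(name, "local")[0] else "remote"


if __name__ == "__main__":
    # Constructed group names, e.g. as returned by an LDAP server.
    for candidate in ["firewall_admins", "VPN Users", "Firewall Admins Group"]:
        print(f"{candidate!r}: local -> {validate_group_name(candidate, 'local')},"
              f" suggested scope {suggest_scope(candidate)}")
```

A name such as VPN Users fails the Local check on the space and is therefore only usable as a Remote group, which is fine for matching an LDAP or RADIUS group to GUI privileges but means the group never exists at the operating-system layer.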
See also
See the Privileges section for information on managing privileges.