Netgate is offering COVID-19 aid for pfSense software users, learn more.

Manage Local Groups

Groups are a great way to manage sets of permissions to give users so that they do not need to be maintained individually on every user account. For example, a group could be used for IPsec xauth users, or a group that can access the firewall’s dashboard, a group of firewall administrators, or many other possible scenarios using any combination of privileges.

As with users, a group must first be created before privileges can be added. After saving the group, edit the group to add privileges.

Groups are managed under System > User Manager on the Groups tab. To add a new group from this screen, click fa-plus Add. To edit an existing group, click fa-pencil next to its entry in the list.


When working with LDAP and RADIUS, local groups must exist to match the groups the users are members of on the server. For example, if an LDAP group named “firewall_admins” exists then pfSense must also contain a group named identically, “firewall_admins”, with the desired privileges. Remote groups with long names or names containing spaces or other special characters must be configured for a Remote Scope.

Start the process of adding a group by clicking fa-plus Add and the screen to add a new group will appear.

Group name

This setting has the same restrictions as a username: It must be 16 characters or less and may only contain letters, numbers, and a period, hyphen, or underscore. This can feel somewhat limited when working with groups from LDAP, for example, but usually it’s easier to create or rename an appropriately-named group on the authentication server instead of attempting to make the firewall group match.


Can be set Local for groups on the firewall itself (such as those for use in the shell), or Remote to relax the group name restrictions and to prevent the group name from being exposed to the base operating system. For example, Remote scope group names may be longer, and may contain spaces.


Optional free-form text for reference and to better identify the purpose of the group in case the Group name is not sufficient.

Group Memberships

This set of controls defies which existing users will be members of the new group. Firewall users are listed in the Not Members column by default. To add a user to this group, find it in the Not Members column, select it, and click fa-angle-double-right to move it to the Members column. To remove a user from the group, select it from the Members column and click fa-angle-double-left to move it to the Not Members column.

Assigned Privileges

Appears only when editing an existing group. This section allows adding privileges to the group. See Privileges earlier in this for information on managing privileges.