
Managing privileges for users and groups is done similarly, so both will be covered here rather than duplicating the effort. Whether a user or group is managed, the entry must be created and saved first before privileges can be added to the account or group. To add privileges, when editing the existing user or group, click Add in the Assigned Privileges or Effective Privileges section.

A list of all available privileges is presented. Privileges may be added one at a time by selecting a single entry, or by multi-select using Ctrl-click. If other privileges are already present on the user or group, they are hidden from this list so they cannot be added twice. To search for a specific privilege by name, enter the search term in the Filter box and click Filter.

Selecting a privilege will show a short description of its purpose in the information block area under the permission list and action buttons. Most of the privileges are self-explanatory based on their names, but a few notable permissions are:

WebCfg - All Pages

Lets the user access any page in the GUI

WebCfg - Dashboard (all)

Lets the user access the dashboard page and all of its associated functions (widgets, graphs, etc.)

WebCfg - System: User Password Manager Page

If the user has access to only this page, they can log in to the GUI to set their own password but do nothing else.

User - VPN - IPsec xauth Dialin

Allows the user to connect and authenticate for IPsec xauth

User - Config - Deny Config Write

Does not allow the user to make changes to the firewall config (config.xml). Note that this does not prevent the user from taking other actions that do not involve writing to the config.

User - System - Shell account access

Gives the user the ability to log in over SSH, though the user will not have root-level access so functionality is limited. A package for sudo is available to enhance this feature.

After login, the firewall will attempt to display the dashboard. If the user does not have access to the dashboard, they will be forwarded to the first page in their privilege list which they have permission to access.

Menus on the firewall only contain entries for which privileges exist on a user account. For example, if the only Diagnostics page that a user has access to is Diagnostics > Ping then no other items will be displayed in the Diagnostics menu.
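The following is an added example, not part of the original documentation or of pfSense itself: a short audit that computes each user's effective privileges (directly assigned plus inherited from groups) from a config.xml backup and flags the notable privileges described above. The XML element names and internal privilege identifiers used here are assumptions about how the configuration stores them, and the sample data is constructed; compare them with an actual config.xml before relying on the output.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a config.xml <system> section.
# Element names and privilege IDs are assumptions; check them against your own backup.
SAMPLE_CONFIG = """<pfsense><system>
  <group><name>admins</name><member>0</member><priv>page-all</priv></group>
  <group><name>helpdesk</name><member>2001</member><member>2002</member>
    <priv>page-diagnostics-ping</priv><priv>user-shell-access</priv></group>
  <user><name>admin</name><uid>0</uid></user>
  <user><name>alice</name><uid>2001</uid><priv>user-config-readonly</priv></user>
  <user><name>bob</name><uid>2002</uid><priv>page-system-usermanager-passwordmg</priv></user>
  <user><name>carol</name><uid>2003</uid><priv>page-dashboard-all</priv></user>
</system></pfsense>"""

ALL_PAGES, SHELL, DENY_WRITE = "page-all", "user-shell-access", "user-config-readonly"

def effective_privileges(config_xml):
    """Return {username: set of privileges assigned directly or via groups}."""
    system = ET.fromstring(config_xml).find("system")
    group_privs = {}  # uid -> privileges inherited from every group listing that uid
    for group in system.findall("group"):
        privs = {p.text for p in group.findall("priv")}
        for member in group.findall("member"):
            group_privs.setdefault(member.text, set()).update(privs)
    result = {}
    for user in system.findall("user"):
        direct = {p.text for p in user.findall("priv")}
        result[user.findtext("name")] = direct | group_privs.get(user.findtext("uid"), set())
    return result

def audit(config_xml):
    """Return {username: [findings]} for accounts worth a second look."""
    findings = {}
    for name, privs in effective_privileges(config_xml).items():
        notes = []
        if ALL_PAGES in privs:
            notes.append("full GUI access")
        if SHELL in privs:
            notes.append("ssh shell access")
        if DENY_WRITE in privs and SHELL in privs:
            notes.append("config write denied but shell login still granted")
        if notes:
            findings[name] = notes
    return findings

if __name__ == "__main__":
    for user, notes in audit(SAMPLE_CONFIG).items():
        print(user, "->", "; ".join(notes))
```

In the sample, alice is flagged twice because her shell access arrives through the helpdesk group rather than her own account, which is the case a review of directly assigned privileges alone would miss.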