Managing privileges for users and groups is done similarly, so both will be covered here rather than duplicating the effort. Whether a user or group is managed, the entry must be created and saved first before privileges can be added to the account or group. To add privileges, when editing the existing user or group, click Add in the Assigned Privileges or Effective Privileges section.
A list of all available privileges is presented. Privileges may be added one at a time by selecting a single entry, or by multi-select using ctrl-click. If other privileges are already present on the user or group, they are hidden from this list so they cannot be added twice. To search for a specific privilege by name, enter the search term in the Filter box and click Filter.
Selecting a privilege will show a short description of its purpose in the information block area under the permission list and action buttons. Most of the privileges are self-explanatory based on their names, but a few notable permissions are:
- WebCfg - All Pages
  Lets the user access any page in the GUI.
- WebCfg - Dashboard (all)
  Lets the user access the dashboard page and all of its associated functions (widgets, graphs, etc.).
- WebCfg - System: User Password Manager Page
  If the user has access to only this page, they can log in to the GUI to set their own password but do nothing else.
- User - VPN - IPsec xauth Dialin
  Allows the user to connect and authenticate for IPsec xauth.
- User - Config - Deny Config Write
  Does not allow the user to make changes to the firewall configuration (config.xml). Note that this does not prevent the user from taking other actions that do not involve writing to the configuration.
- User - System - Shell account access
  Gives the user the ability to log in over SSH, though the user will not have root-level access, so functionality is limited. A package for sudo is available to extend this feature.
After login, the firewall will attempt to display the dashboard. If the user does not have access to the dashboard, they will be forwarded to the first page in their privilege list to which they have permission.
Menus on the firewall only contain entries for which the user account holds a privilege. For example, if the only Diagnostics page a user has access to is Diagnostics > Ping, then no other items will be displayed in the Diagnostics menu.
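The following is an added example, not pfSense code, that models the privilege behaviour described above so the rules can be checked against concrete accounts: effective privileges combine direct and group assignments without duplicates, the Add list hides privileges already held and can be filtered by name, the post-login landing page falls back from the dashboard to the first page in the privilege list, menus are pruned to permitted entries, and Deny Config Write blocks only configuration writes. The privilege names are the ones named on this page; the `.php` page paths, the menu layout and all function names are assumptions made for the illustration.

```python
from typing import Dict, List, Optional

# Constructed catalogue: privilege name -> GUI page it unlocks.
# Privilege names are from the page; the page paths are assumed for
# illustration. "*" stands for every page, None for a non-page privilege.
PRIVILEGE_PAGES: Dict[str, Optional[str]] = {
    "WebCfg - All Pages": "*",
    "WebCfg - Dashboard (all)": "/index.php",
    "WebCfg - System: User Password Manager Page": "/system_usermanager_passwordmg.php",
    "WebCfg - Diagnostics: Ping": "/diag_ping.php",
    "WebCfg - Diagnostics: Traceroute": "/diag_traceroute.php",
    "User - Config - Deny Config Write": None,
    "User - System - Shell account access": None,
}

DASHBOARD = "/index.php"  # assumed path of the dashboard page

# Constructed menu layout (page paths assumed).
MENU: Dict[str, List[str]] = {
    "System": ["/system_usermanager_passwordmg.php"],
    "Diagnostics": ["/diag_ping.php", "/diag_traceroute.php"],
}


def effective_privileges(user_privs: List[str], group_privs: List[str]) -> List[str]:
    """Direct privileges followed by group-inherited ones, in order, without duplicates."""
    combined: List[str] = []
    for name in user_privs + group_privs:
        if name not in combined:
            combined.append(name)
    return combined


def addable_privileges(current: List[str], search: str = "") -> List[str]:
    """The Add dialog's list: every known privilege not already held,
    narrowed by a case-insensitive name filter when one is given."""
    term = search.lower()
    return [name for name in PRIVILEGE_PAGES
            if name not in current and term in name.lower()]


def may_access(effective: List[str], page: str) -> bool:
    """True if any held privilege unlocks the page (All Pages unlocks everything)."""
    for name in effective:
        target = PRIVILEGE_PAGES.get(name)
        if target == "*" or target == page:
            return True
    return False


def landing_page(effective: List[str]) -> Optional[str]:
    """Dashboard if permitted, otherwise the first page in privilege order;
    None when the account holds no page privilege at all."""
    if may_access(effective, DASHBOARD):
        return DASHBOARD
    for name in effective:
        target = PRIVILEGE_PAGES.get(name)
        if target and target != "*":
            return target
    return None


def visible_menu(effective: List[str]) -> Dict[str, List[str]]:
    """Menus pruned to the entries the account may open; empty menus disappear."""
    pruned: Dict[str, List[str]] = {}
    for menu, pages in MENU.items():
        allowed = [page for page in pages if may_access(effective, page)]
        if allowed:
            pruned[menu] = allowed
    return pruned


def may_write_config(effective: List[str]) -> bool:
    """Deny Config Write blocks changes to config.xml but nothing else."""
    return "User - Config - Deny Config Write" not in effective


if __name__ == "__main__":
    # Constructed account: Ping directly, Deny Config Write via a group.
    ops = effective_privileges(["WebCfg - Diagnostics: Ping"],
                               ["User - Config - Deny Config Write"])
    print("landing page:", landing_page(ops))
    print("visible menu:", visible_menu(ops))
    print("may write config:", may_write_config(ops))
    print("addable (filter 'dashboard'):", addable_privileges(ops, "dashboard"))
```

Running the sample account lands on the Ping page, shows a Diagnostics menu with only Ping in it, and reports that configuration writes are denied, which is exactly the behaviour the text above describes for a restricted account.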