User Management: Group Permissions

About the Page

User Management: Group Permissions allows you to configure group settings for Access Server clients. Settings resolve from the most specific to the least specific: a setting defined for an individual user takes precedence over the group setting, and the group setting takes precedence over the global setting. If no user setting is defined, the group configuration applies; if no group setting is defined either, the global setting applies.

Group Permissions

Group Permissions provides you with a table to configure group permissions for authentication options. To finalize any changes, click Save Settings and Update Running Server.

Group

To enter a new group, enter the name into the New Group text field on the last row in the table. Whenever you add a new group, click Save Settings and Update Running Server.

Admin

Check Admin to grant every user in the group login access to the Admin Web UI. An Admin Web UI login can change any server setting, including the permissions on this page, so grant it only to groups that genuinely administer Access Server.

Allow Auto-login

Check Allow Auto-login to enable auto-login profiles for the entire group. An auto-login profile lets a client connect to the VPN using only the certificate and key embedded in the profile, without entering a user password. This is useful for Gateway Clients or machines that should always have a VPN connection. Because possession of the profile alone is enough to connect, protect the profile like a credential and revoke the user's certificate if the machine that holds it is lost or decommissioned.

Deny Access

Check Deny Access to deny VPN access to every user in the group.

Delete

Check Delete to delete a group record. This won't delete the individual users in that group.

More Settings

You can configure additional settings by clicking More Settings. These settings are group specific: they take precedence over the global settings, and are themselves overridden by individual user settings where those are defined.

Configure user authentication method

You can assign users and groups to different authentication methods. To select LDAP, RADIUS, SAML, or PAS-only as a group's authentication method, that method must first be configured and enabled on the server; methods that aren't configured and enabled can't be selected here and aren't used for the group's users.

For more information, refer to OpenVPN Access Server’s User Authentication System.

TOTP-based Multi-Factor Authentication

You can control TOTP-based MFA at the group level by enabling or disabling it here.

For more information, refer to TOTP Multi-factor Authentication.

Local Password Settings

You can manage password options for each group set to local authentication. You can choose to allow password changes and enable password strength checking in the Client Web Server (CWS).

Allow password change from CWS:

  • Default = Inherit the global setting (defined in CWS settings).
  • Yes = Users within the group can change their password after signing in to the CWS.
  • No = Users within the group can’t change their passwords, and an administrator must manage passwords.

Enable password strength checking in CWS:

  • Default = Inherit the global setting (defined in CWS settings).
  • Yes = Passwords for users within the group must meet these rules: must be at least eight characters and must contain a digit, an uppercase letter, and a symbol from !@#$%&'()+,-/[\]^_{|}~<>.
  • No = Users within the group can create any password of any length that they choose.
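The following checker implements the password rules exactly as the page states them, so an administrator can test candidate passwords (for example, ones generated by a provisioning script) before users hit the CWS. It is an added example, not Access Server's own code, and it assumes the rules are applied to plain ASCII characters and that the apostrophe in the symbol list is the ASCII quote character.

```python
import string

# Symbol set copied from the page's "Enable password strength checking in CWS" rule.
# Assumption: the apostrophe in that list is the ASCII quote character.
ALLOWED_SYMBOLS = "!@#$%&'()+,-/[\\]^_{|}~<>"
MIN_LENGTH = 8


def check_password_strength(password: str) -> list[str]:
    """Return the list of rule violations for a candidate password.

    An empty list means the password satisfies every documented rule.
    Digits and uppercase letters are checked as ASCII only (assumption),
    so a Unicode digit or a non-Latin capital does not satisfy those rules.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.digits for c in password):
        problems.append("no digit")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase letter")
    if not any(c in ALLOWED_SYMBOLS for c in password):
        problems.append("no symbol from the allowed set")
    return problems


def is_strong(password: str) -> bool:
    """True when the password would pass the group's strength check."""
    return not check_password_strength(password)


if __name__ == "__main__":
    # Constructed sample inputs; note that '*' is not in the documented symbol set,
    # so "Passw0rd*" is rejected even though most policies would accept it.
    for candidate in ["Passw0rd!", "Passw0rd*", "passw0rd!", "Ab1!"]:
        print(f"{candidate!r}: {check_password_strength(candidate) or 'ok'}")
```

The only surprising case is the symbol set: characters such as `*`, `"`, `.` and `?` are absent from the documented list, so a password that relies on one of them fails the check even though it contains a symbol.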

VPN IP Addresses

VPN IP Addresses allows you to define a subnet from which Access Server assigns VPN addresses to every user in the group. You can also restrict assignment to a narrower range within that subnet.

Note: If you assign a user a static IP and assign that user to a group with the VPN IP addresses defined, then that IP address must be within the range of the group subnet. Refer to Notes about groups for more information regarding this configuration.

Access Control

If you enable group access control, you can permit group access to specific subnets and services.

  • Allow Access To networks and services: You can define the subnets and services to permit group access:
    • List subnets as network/nbits, for example 10.60.25.0/24.
    • List services as network/nbits:services, for example 10.60.25.0/24:tcp/80,icmp-echo-request.
    • List subnets with a port range as network/nbits:protocol/startport-endport, for example 10.60.25.0/24:udp/60000-61000.
  • Allow Access To groups: Grant access for users in the selected group to communicate with users in another group by selecting them here. To select more than one group, hold down Ctrl on Windows or Command ⌘ on macOS and click on all desired groups. Access Server, by default, isolates groups if you use separated subnets for each, which means that users from group A can communicate only with users in the same group.
  • Allow Access To users: Grant access for users in the selected group to communicate with a particular user or selected users. To select more than one user, hold down Ctrl on Windows or Command ⌘ on macOS and click on all desired users.

Note: The functionality for Allow Access To group and Allow Access To users only works when you use separated subnets for each group on Access Server.
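Two of the settings above take free-form network notation: the VPN IP Addresses subnet (with the requirement that any static user IP fall inside it) and the Allow Access To rules in network/nbits, network/nbits:services and network/nbits:protocol/startport-endport form. The following script, an added example that is not part of Access Server, validates such entries before they are pasted into the Admin Web UI and evaluates whether a given destination would be permitted. The grammar beyond the three documented forms (a bare service name such as icmp-echo-request, tcp and udp as the only port-based protocols) is an assumption, and the parse_rule, rule_allows and static_ip_fits_group functions are hypothetical helpers, not an Access Server API.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Rule forms documented on the page:
#   network/nbits                              whole subnet
#   network/nbits:services                     comma-separated services
#   network/nbits:protocol/startport-endport   port range
# Assumption: a service is "tcp/<port>", "udp/<port>", "tcp|udp/<start>-<end>",
# or a bare lowercase name such as icmp-echo-request.
PORT_SERVICE = re.compile(r"^(tcp|udp)/(\d{1,5})(?:-(\d{1,5}))?$")
NAMED_SERVICE = re.compile(r"^[a-z][a-z0-9-]*$")


@dataclass
class AccessRule:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    services: list[tuple[str, int, int]] = field(default_factory=list)  # (proto, first, last)
    names: list[str] = field(default_factory=list)  # bare names, e.g. icmp-echo-request


def parse_rule(text: str) -> AccessRule:
    """Parse one Allow Access To entry; raise ValueError on anything malformed."""
    net_part, _, svc_part = text.strip().partition(":")
    # strict=True rejects entries with host bits set, such as 10.60.25.5/24,
    # which are almost always a typo for 10.60.25.0/24 or 10.60.25.5/32.
    network = ipaddress.ip_network(net_part, strict=True)
    rule = AccessRule(network)
    if svc_part:
        for item in svc_part.split(","):
            item = item.strip()
            m = PORT_SERVICE.match(item)
            if m:
                lo = int(m.group(2))
                hi = int(m.group(3)) if m.group(3) else lo
                if not 0 < lo <= hi <= 65535:
                    raise ValueError(f"bad port range {item!r} in {text!r}")
                rule.services.append((m.group(1), lo, hi))
            elif NAMED_SERVICE.match(item):
                rule.names.append(item)
            else:
                raise ValueError(f"unrecognised service {item!r} in {text!r}")
    return rule


def rule_allows(rule: AccessRule, ip: str, proto: str | None = None,
                port: int | None = None) -> bool:
    """Would this rule permit traffic to ip (and proto/port, if the rule lists services)?"""
    if ipaddress.ip_address(ip) not in rule.network:
        return False
    if not rule.services and not rule.names:
        return True  # whole-subnet rule: every protocol and port
    if proto is None or port is None:
        return False  # named services like icmp-echo-request are not port-based
    return any(p == proto and lo <= port <= hi for p, lo, hi in rule.services)


def static_ip_fits_group(static_ip: str, group_subnet: str) -> bool:
    """Check the page's note: a user's static IP must lie inside the group's VPN subnet."""
    return ipaddress.ip_address(static_ip) in ipaddress.ip_network(group_subnet, strict=True)


if __name__ == "__main__":
    # Constructed sample entries taken from the forms shown on this page.
    for entry in ["10.60.25.0/24", "10.60.25.0/24:tcp/80,icmp-echo-request",
                  "10.60.25.0/24:udp/60000-61000", "10.60.25.5/24"]:
        try:
            print(entry, "->", parse_rule(entry))
        except ValueError as err:
            print(entry, "-> rejected:", err)
    print(static_ip_fits_group("172.27.232.5", "172.27.232.0/24"))
```

Run it against the exact strings you intend to enter; a rejected entry here would either be refused by Access Server or, worse, silently grant a different subnet than intended.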

Client Scripting

You have the option to allow Client Scripting, which pushes scripts to VPN clients.

Click Yes and the options to push scripts for Windows, macOS, and Linux display. Scripts run when the client connects and when it disconnects, and for each of those events a script can run either with the user's privileges or with administrative privileges, so each operating system has four script slots.

Click one of the options and more settings appear. You can push scripts executed by the client, and you can define the environment variables that any of these scripts depend on. Pushed scripts run on every client in the group, with the privileges you selected, so treat the ability to edit them as equivalent to administrative access to those machines. For more information about client scripting, refer to Explanation of client-side scripting.

Default Group

You can assign a default group for users not assigned to specific groups. Users inherit the group permissions from the defined group set as the default. You can also leave this set to No Group Selected.

Summary

User Management: Group Permissions allows you to configure group-specific settings easily. It gives you control of group authentication methods, local password settings, group subnets and ranges, access control, and client scripting. You can also define default group permissions for any users not specifically assigned to a group.