Assignment of a User to multiple User Groups
A User can belong to multiple User Groups. One of these User Groups will be the primary for the User, while the other assigned User Groups will be secondary.
The Primary User Group (PUG) defines the group configuration settings inherited by the user assigned to it. Each user can be assigned to only one PUG.
Note
With the introduction of the ability to assign a user to multiple user groups, the sole User Group that a User has been assigned to will automatically be used as the Primary User Group.
The PUG governs the following user settings:
Allocated WPC Subnet(s)
Regions
Internet Access
Connect Authentication
Maximum Devices per User
Location Context Policies
Device Posture Policies
In addition to the required Primary User Group (PUG), a User can be optionally added to a maximum of twenty other User Groups, referred to as Secondary User Groups (SUG).
Once added to one or more SUGs, the User's inherited settings from the PUG do not change, but the access granted to the User through Access Groups does. Secondary User Groups provide additive access to resources: the User has access to all the resources granted to all the User Groups that the User belongs to.
User access to a resource is granted if any of the User’s assigned User Groups (either PUG or any SUG) is listed as a Source in an Access Group that allows access to the desired Destination. When a User Group is used as a Destination in an Access Group, access is granted to all users and devices within that group, regardless of whether the group is assigned as PUG or SUG.
Assignment of PUG and SUG with LDAP or SAML Authentication
The User Group Mapping feature allows automatic assignment of CloudConnexa User Groups based on identity attributes received from an external Identity Provider (IdP) through SAML or LDAP authentication. Group Mapping has been revised to support Primary and Secondary User Groups through IdP-based mapping.
The User Groups Mapping Rules have a Processing Order to reflect the sequential nature of rule evaluation. Lower numbers (e.g., "1") mean higher priority. The first matching rule defines the User's Primary User Group. All subsequent matching rules define Secondary User Groups (max 20) for the User.
Note
User Group Mapping Rules that existed before the introduction of this enhancement will continue to assign the User to a single User Group based on the first matched rule.
To activate Multiple User Group Mapping, click the Enable button in the info message.
Caution
Before enabling Multiple User Group mapping, it is critical to review the mapping rules and evaluate the access rights granted by each CloudConnexa User Group. If multiple IdP User Groups are received, all the received groups will be mapped, assigning users to multiple CloudConnexa User Groups and expanding their access. This may result in broader permissions than originally intended, introducing potential security risks.
New mapping logic will apply only when new users log in or existing users reauthenticate.
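One way to carry out the review the Caution above asks for, as an added example that is not CloudConnexa's own code: it models the documented rule evaluation and lists the destinations a user would gain once Multiple User Group Mapping is enabled. The rules, group names and access table are constructed; dropping matches beyond 20 SUGs and returning no group when nothing matches are assumptions.

```python
# Added example: models the rule evaluation described on this page.
# All rule, group and destination names below are constructed.
MAX_SUGS = 20  # documented limit on Secondary User Groups

# (processing order, IdP group, CloudConnexa User Group); lower order = higher priority
RULES = [
    (1, "idp-contractors", "Contractors"),
    (2, "idp-engineering", "Engineering"),
    (3, "idp-db-admins", "DB-Admins"),
]

# Access Groups reduced to: source User Group -> allowed destinations
ACCESS = {
    "Contractors": {"wiki"},
    "Engineering": {"wiki", "git"},
    "DB-Admins": {"prod-db"},
}

def map_groups(idp_groups, rules, multi):
    """Return (pug, sugs) for the IdP groups a user presents at login."""
    matches = []
    for _, idp_group, cc_group in sorted(rules):
        if idp_group in idp_groups and cc_group not in matches:
            matches.append(cc_group)
    if not matches:
        return None, []  # assumption: no matching rule means no mapped group
    pug = matches[0]  # the first matching rule defines the Primary User Group
    # assumption: matches beyond the 20-SUG limit are dropped
    sugs = matches[1:1 + MAX_SUGS] if multi else []
    return pug, sugs

def effective_access(pug, sugs, access):
    """Union of destinations over the PUG and every SUG (access is additive)."""
    allowed = set()
    for group in [pug, *sugs]:
        allowed |= access.get(group, set())
    return allowed

def access_gained(idp_groups, rules, access):
    """Destinations a user gains when multi-group mapping is enabled."""
    before = effective_access(*map_groups(idp_groups, rules, multi=False), access)
    after = effective_access(*map_groups(idp_groups, rules, multi=True), access)
    return after - before

if __name__ == "__main__":
    user = {"idp-contractors", "idp-db-admins"}  # constructed IdP group claims
    print(map_groups(user, RULES, multi=True))
    print(access_gained(user, RULES, ACCESS))
```

Running it over every user's IdP groups before clicking Enable gives a per-user list of newly reachable destinations to approve or to fix in the mapping rules.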