Enable User Portal components based on Groups?

Hi, I am not sure if this is the right section to post this. Looked like the best choice.

We hooked up our UTM to our LDAP server. All seems to work great.

Is there a way to control what users will see in the portal depending on their LDAP group memberships?

For example:

bob1 is a member of the "email" LDAP group, so he is only able to see SMTP related stuff

suzie2 is a member of the "remote" LDAP group, so when she logs in she can only see the "Remote access" tab

ronald3 is a member of the "email" and "remote" LDAP groups, so when he logs in, he sees both the SMTP stuff and the Remote access tab?

Is this possible? I could have sworn I saw the section for this a while back, but I might just be making it up in my mind. It would be pretty nice to have a feature like this if it's not already there.

Thanks for your help

This thread was automatically locked due to age.
  • Yes.   See my write-up on LDAP in the WIKI section of this forum.

  • Hi Mike and welcome to the UTM Community!

    The article that Douglas wrote is at Using LDAP with Active Directory, but you can't use that to restrict users in the User Portal. In fact, WebAdmin already restricts things based on the individual configuration...

    If the bob1 User object is not an allowed User in Remote Access, he won't see the 'Remote Access' tab. If the suzie2 object does not contain an email address in a domain handled by the SMTP Proxy, she won't see the SMTP tabs. See #6 in Rulz to understand a bit better.

    If you have further questions about using Backend Groups in the various sections of WebAdmin, please ask individual questions in the appropriate forums. If you're not sure of the forum to choose, a mod will eventually move your thread to the appropriate one.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Not often that I dare to correct you, Bob, but his configuration can all be accomplished using only groups (and I have).

    The hard part is getting the groups configured, which is why I pointed to my document. Once the groups exist, they behave like any other group. So you:

    Configure which groups are allowed to User Portal in Management... User Portal... Allowed Users

    Configure which groups require OTP in Definitions and Users... Authentication Services... One-Time Password... Authentication Settings

    Configure which groups are allowed to WAF using the groups on the Reverse Authentication object

    Configure which groups are allowed Remote Access on the SSL, HTML5 VPN, and other objects

    Configure which groups are allowed specific HTML5 VPN connections on the connection definition.

    Control which features are disabled for all users on User Portal... Advanced... Disabled Portal Items (They are only enabled if one of the above qualifying items is also enabled.)

    The first time that the user logs onto the User Portal, UTM creates a local account that is tied to the back-end account. The other services cannot be used until the local account has been created. I recommend requiring OTP for any remote access, which also ensures that User Portal is accessed to set up the QR code and create the linked local account.

  • I don't think we disagree, Doug. I was saying the same thing - that he can achieve what he wants, just not directly in the User Portal configuration alone.

    Rather than having the Remotely-Authenticated User object created automatically, I prefer to pre-fetch the desired User Group members using the configuration on the 'Advanced' tab of 'Authentication Services', where I also like to select 'Enable backend sync on login'. This has the advantage of keeping the User objects updated even if the User doesn't log in for a while.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA