12. Device groups

Device groups are a feature that restricts which firewall devices each user can access and manage.

12.1. Default group

Each DynFi instance can contain many device groups and always contains the default group named ALL. The ALL group cannot be deleted or renamed. Users assigned to the ALL group can manage every device attached to the given DynFi instance.

Users not assigned to the ALL group also cannot access some system-wide settings, including (but not limited to) log events not related to devices, alias update requests, scheduled action requests and OS upgrade requests.

12.2. Custom device group(s)

Custom device groups can be added in DynFi when needed. Creating a group requires the proper privilege, and each new group needs a unique name.

Each device group can have any number of devices assigned, from zero upwards (there is no limit). Each device must belong to exactly one device group (the default or a custom one): a device can never be assigned to several device groups at the same time, nor be left without a device group.

12.3. Assigning users to device groups

Each user in DynFi is assigned either to

  • the default ALL device group, which means the user can access/manage all devices attached to DynFi,
  • any number of custom groups, which means the user can access/manage only the devices attached to the assigned groups.

A user cannot have the default ALL group and custom device groups assigned at the same time. A user can, however, be assigned to no device group at all; such a user effectively cannot access or manage any firewall devices.

12.4. Device groups vs. user roles

Device groups and user roles (and thus user privileges) are independent concepts in DynFi: they do not depend on each other and neither replaces the other. User roles (and privileges) define WHAT users can do in the system, whereas device groups define the WHERE part, limiting the devices a user can reach. Users are therefore assigned to device groups and to roles independently.

Any role can be combined with any device group assignment.

E.g. user A can be assigned the role “device-admin”, which can do everything with devices, but be limited to a single custom device group. In that case user A can do everything with devices, but only with the devices in the group they are assigned to. Conversely, user B can be assigned the role “device-reader”, which does not allow updating devices or attaching new ones, together with the default ALL device group. In that case user B can read the details of all devices, but cannot add new ones to any device group.

Currently it is not possible to make user roles and device groups dependent on each other. E.g. it is not possible to grant a user two custom device groups so that the user can do everything with the devices in the first group while being limited to fewer actions on the devices in the second group.
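To make the two dimensions concrete, the following Python model implements the rules described in 12.2 through 12.4. It is an added illustration, not DynFi's own code or API: the names Inventory, User, can_perform, visible_devices, the action names and the sample devices are assumptions made for the example. A request is allowed only when the role permits the action (WHAT) and the device's single group lies within the user's scope (WHERE); the model also rejects the combinations the text forbids (ALL mixed with custom groups, deleting or duplicating group names) and shows that a user with no group sees nothing.

```python
"""Toy model of DynFi's device-group / role rules (added example, not DynFi code)."""
from __future__ import annotations

from dataclasses import dataclass

ALL = "ALL"  # the built-in default group: always present, never deleted or renamed

# The WHAT part. Role names follow the text; the action names are assumed.
ROLES: dict[str, frozenset[str]] = {
    "device-admin": frozenset({"read", "update", "attach"}),
    "device-reader": frozenset({"read"}),
}


class Inventory:
    """Device groups plus the one-group-per-device assignment (hypothetical class)."""

    def __init__(self) -> None:
        self.groups: set[str] = {ALL}
        self._group_of: dict[str, str] = {}  # device name -> its single group

    def add_group(self, name: str) -> None:
        if name in self.groups:  # group names must be unique
            raise ValueError(f"device group {name!r} already exists")
        self.groups.add(name)

    def delete_group(self, name: str) -> None:
        if name == ALL:
            raise ValueError("the default ALL group cannot be deleted")
        # Assumed policy: a device can never be left unassigned, so a group
        # that still holds devices is not deleted.
        if name in self._group_of.values():
            raise ValueError(f"device group {name!r} still has devices assigned")
        self.groups.remove(name)

    def assign_device(self, device: str, group: str) -> None:
        """Attach a device to a group, or move it; a device is never in two groups."""
        if group not in self.groups:
            raise ValueError(f"unknown device group {group!r}")
        self._group_of[device] = group

    def group_of(self, device: str) -> str:
        return self._group_of[device]

    def devices(self) -> list[str]:
        return sorted(self._group_of)


@dataclass(frozen=True)
class User:
    name: str
    role: str
    groups: frozenset[str]  # {ALL}, or any set of custom groups, or empty

    def __post_init__(self) -> None:
        if self.role not in ROLES:
            raise ValueError(f"unknown role {self.role!r}")
        if ALL in self.groups and len(self.groups) > 1:
            raise ValueError("ALL cannot be combined with custom device groups")


def can_access(user: User, inv: Inventory, device: str) -> bool:
    """The WHERE part: ALL reaches every device; otherwise only assigned groups."""
    if ALL in user.groups:
        return True
    return inv.group_of(device) in user.groups


def can_perform(user: User, inv: Inventory, action: str, device: str) -> bool:
    """Allowed only if both the role (WHAT) and the group scope (WHERE) permit it."""
    return action in ROLES[user.role] and can_access(user, inv, device)


def visible_devices(user: User, inv: Inventory) -> list[str]:
    return [d for d in inv.devices() if can_access(user, inv, d)]


def build_example() -> tuple[Inventory, dict[str, User]]:
    """Constructed sample data: users A and B from the text, plus C with no group."""
    inv = Inventory()
    inv.add_group("branch")
    inv.add_group("hq")
    inv.assign_device("fw-branch-1", "branch")
    inv.assign_device("fw-hq-1", "hq")
    inv.assign_device("fw-legacy", ALL)  # a device may also live in the default group
    users = {
        "A": User("A", "device-admin", frozenset({"branch"})),
        "B": User("B", "device-reader", frozenset({ALL})),
        "C": User("C", "device-admin", frozenset()),  # no group: sees nothing
    }
    return inv, users


if __name__ == "__main__":
    inventory, people = build_example()
    for name, person in people.items():
        print(name, person.role, sorted(person.groups), "->", visible_devices(person, inventory))
```

Note that user C holds the most powerful role yet can act on nothing: the group scope is evaluated independently of the role, exactly as the text describes, so an administrator who forgets to assign groups has granted capabilities without reach.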

12.5. Managing device groups

To manage device groups (which requires the proper privileges), select the “people” icon on the right side of the top menu and then the “Manage device groups” submenu item, as shown below:

_images/go-to-device-groups-management.png

Opening device groups management

12.6. Resetting user’s device groups in CLI

Please refer to Resetting user’s roles and device groups in CLI.