I am evaluating Pritunl and have signed up for Pritunl Premium.
The User Groups feature would appear to provide the ACL capability I would like to have, but I cannot find how to implement it.
Is it available on the Premium version?
Assuming it is available, where can I find detail on how to set it up?
If it is not available on Premium, is there another practical way to limit clients' access to some resources?
An enterprise subscription is required for the groups option. Organizations should be used as groups. If there are overlapping access control requirements the groups option can be used instead.
To use user groups all single sign-on users must be in one organization. The organization then needs to be attached to all servers. Then the groups option in each server can be configured to select which user groups will have access to that server.
To apply user groups the following commands will switch the single sign-on from matching organizations to copying the groups from the single sign-on provider to the Pritunl user. For SAML providers the groups SAML attribute can be used to set the user groups.
sudo pritunl set app.sso_azure_mode '"groups"'
sudo pritunl set app.sso_authzero_mode '"groups"'
sudo pritunl set app.sso_google_mode '"groups"'
It is also possible to manually set user groups in the user settings but this would be overwritten if the user is using single sign-on.
Thank you for your extremely prompt response (as always!).
The combination of US$ and the price per month makes the Enterprise option a “bridge too far” for our small organisation. With the rapidly changing rate between AU$ and US$, too hard to even budget!
Organizations are intended to function as groups. Users will only have access to the servers that the user's organization is attached to. Multiple servers can be created to handle different sets of routes. The user groups are only intended for configurations that can’t be handled by multiple organizations.
The Azure groups would be matched to an existing Pritunl organization by default. If the groups mode is used then the Azure groups would be copied to the Pritunl user groups. Assuming the server has groups configured then both the organization and at least one group must match. If the server has no groups configured, user groups are ignored and only the organization must match.
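To make the access rule in the answer above concrete, here is a small Python model of it. This is an added illustration and not Pritunl's own code; the `Server`, `User` and `can_access` names, and the organization, group and server names in the sample data, are assumptions made for the example. It encodes the two cases the answer describes: a server with groups configured requires both an organization match and at least one matching group, while a server with no groups configured ignores user groups entirely.

```python
from dataclasses import dataclass, field


@dataclass
class Server:
    """A Pritunl-style server (hypothetical model for this example)."""
    name: str
    organizations: set[str]                         # organizations attached to the server
    groups: set[str] = field(default_factory=set)   # empty set = no groups configured


@dataclass
class User:
    """A user in exactly one organization, with groups copied from the SSO provider."""
    name: str
    organization: str
    groups: set[str] = field(default_factory=set)


def can_access(user: User, server: Server) -> bool:
    """Access rule as described in the thread.

    1. The user's organization must be attached to the server.
    2. If the server has groups configured, the user must also be in
       at least one of them.  With no groups configured, user groups
       are ignored and the organization match alone decides.
    """
    if user.organization not in server.organizations:
        return False
    if not server.groups:
        return True
    return bool(user.groups & server.groups)


def accessible_servers(user: User, servers: list[Server]) -> list[str]:
    """Names of the servers the user may connect to, sorted for stable output."""
    return sorted(s.name for s in servers if can_access(user, s))


# Constructed sample data: all SSO users live in one organization ("sso-users"),
# which is attached to every server; per-server groups then narrow access.
SAMPLE_SERVERS = [
    Server("server1", {"sso-users"}, {"vpn-group1"}),
    Server("server2", {"sso-users"}, {"vpn-group2"}),
    Server("server3", {"sso-users"}),                # no groups configured
]

USER_GROUP1 = User("user1", "sso-users", {"vpn-group1"})
USER_BOTH = User("user2", "sso-users", {"vpn-group1", "vpn-group2"})
USER_NO_GROUPS = User("user3", "sso-users")
USER_OTHER_ORG = User("contractor", "contractors", {"vpn-group1", "vpn-group2"})


if __name__ == "__main__":
    for u in (USER_GROUP1, USER_BOTH, USER_NO_GROUPS, USER_OTHER_ORG):
        print(f"{u.name:10s} -> {accessible_servers(u, SAMPLE_SERVERS)}")
```

Note that `USER_OTHER_ORG` has every group but reaches nothing, because its organization is not attached to any server; conversely `USER_NO_GROUPS` still reaches `server3`, the server with no groups configured. Those two rows are the ones worth checking when validating a real deployment.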
How does the system behave when a user belongs to multiple Azure groups and each one of those groups is defined as an Organization in Pritunl? For example:
Let’s say user1 belongs to Azure groups, vpn-group1, vpn-group2 and vpn-group3. In Pritunl, there are three organizations also called vpn-group1, vpn-group2 and vpn-group3. Also, in Pritunl, there are three servers. Server1 is attached to vpn-group1, server2 is attached to vpn-group2, etc.
When user1 logs into the Pritunl web portal, which organization/server will the user be assigned to?
Regarding this User Azure Group mapping to Pritunl Organizations; is it only done on the initial user login to the Pritunl web portal?
For example, if the user initially logs in with Azure group “vpn-group1” and is mapped to organization “vpn-group1”; what happens if the user’s Azure group changes to “vpn-group2”? Will the user automatically get re-mapped to organization “vpn-group2” on the Pritunl side?