AuthPoint & Multiple Groups Per User

Something I find very frustrating is the fact that a user can only be a member of one group within AuthPoint. This is causing administrative complexity when it comes to (for example) accessing resources such as the Access Portal (and using AuthPoint to authenticate), where there are a number of applications, and different combinations of users using each app/set of apps:

App A
App B
App C
App D
App E

User 1
User 2
User 3
User 4
User 5
User 6

App A - All Users
App B - User 1,2,3
App C - User 4,5,6
App D - User 1,3,5
App E - User 1,2,5,6

In an ideal world (one where a certain well-known competitive product is available), I'd just sync the equivalent AD groups into AuthPoint, regardless that a number of users belong to more than one group, and assign those groups to the Access Portal as necessary.

From what I can make out, I'd need a separate AuthPoint group for every possible combination of access - not very scalable, and complicated.

If Access Policies were done at the Resource level instead of on Groups - the whole problem goes away, if I read it right?

Cheers, James

All XTM, T-Series, M-Series, FireboxV, Firebox Cloud, Authpoint, Secure WiFi, Dimension, WSC, WatchGuard Cloud etc. Manage a few hundred devices.
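
The group-count problem from the post above, worked through as an added example (not part of the original post and not WatchGuard code). It assumes only what the post states, that a user can be in exactly one group and access is granted per group; the function names are hypothetical, and the data is the post's own App A-E / User 1-6 matrix.

```python
from collections import defaultdict

# Access matrix copied from the post: app -> users who need it.
APP_USERS = {
    "App A": {1, 2, 3, 4, 5, 6},
    "App B": {1, 2, 3},
    "App C": {4, 5, 6},
    "App D": {1, 3, 5},
    "App E": {1, 2, 5, 6},
}

def single_membership_groups(app_users):
    """With one group per user, users can only share a group when their
    app sets are identical, so partition users by exact app set."""
    apps_by_user = defaultdict(set)
    for app, users in app_users.items():
        for user in users:
            apps_by_user[user].add(app)
    groups = defaultdict(set)
    for user, apps in apps_by_user.items():
        groups[frozenset(apps)].add(user)
    return dict(groups)

def over_grant(app_users, merged_users):
    """Apps each user would gain beyond the matrix if merged_users were
    collapsed into one group (the least-privilege cost of fewer groups)."""
    union = {app for app, users in app_users.items() if users & merged_users}
    return {
        user: sorted(app for app in union if user not in app_users[app])
        for user in sorted(merged_users)
    }

def report(app_users):
    """Human-readable summary: groups needed versus one group per app."""
    groups = single_membership_groups(app_users)
    lines = [f"multi-membership model: {len(app_users)} groups (one per app)",
             f"single-membership model: {len(groups)} groups"]
    for apps, users in sorted(groups.items(), key=lambda kv: sorted(kv[1])):
        lines.append(f"  users {sorted(users)} -> {sorted(apps)}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(APP_USERS))
    print("merging users 2 and 3 over-grants:", over_grant(APP_USERS, {2, 3}))
```

For this matrix every user ends up with a distinct app set, so the single-membership model needs one group per user, and merging any two of them grants at least one app the matrix does not allow.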

Comments

  • Daniele_Mammano WatchGuard Representative

    Hello James,

    thanks for writing in the WatchGuard community.

    Regarding your post, this is something that our AuthPoint team is already evaluating.
    We have an internal request open, tracked under:

    • AAAS-5330: Allow Assigning Users/Groups to Resources

    that could avoid the conflict of having one user in different groups at the same time.

    Have a great day.
    Regards,
    -Daniele M.

  • Hi Daniele

    Good news, thanks - that'll be useful.

    Cheers, James


  • This appears to still be a problem, or undelivered feature, over 18 months later. I just got locked out of my test server because I'm a member of both "domain admins" and "domain users". I guess the solution might be to create a new OU called Authpoint Groups to keep all of the AuthPoint-specific groups in? This is a pretty big gotcha and, so far, the only thing uncovered during my testing of the product which gives me serious pause.

  • James_Carson Moderator, WatchGuard Representative

    Hi @chagerhg

    I'm a bit confused why you wouldn't give your "admins" at least the same access as your "users" group. Ensuring that your admins have access to whatever required resources they need should allow you to access resources as needed.

    Most issues have been addressed via the AuthPoint authentication policies since that initial post:
    (About AuthPoint Authentication Policies)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/policies_about.html

    -James Carson
    WatchGuard Customer Support
