User groups vs application groups - best practice


#1

We’re beginning to get a Duo deployment for our IT department off the ground, with 2FA planned for our VPN and Citrix services first, with SSH and some web services coming shortly after.

Can anyone shed some light on best practices for user/group management? I’m struggling with the advantages/issues to setting up user groups that contain different areas or the IT department as a whole, or resource groups setup for each application to be protected. Or, maybe, a combination of both.


#2

Typical reasons to use groups with Duo are…

So, some use cases for multiple groups might be…

  • The default policy for an application lets unenrolled users bypass Duo, but you have a pilot group that you do want to enroll when accessing the application
  • To restrict access to a certain Duo application only to a group of IT admins
  • To temporarily disable Duo access for users on long-term leave by adding them to a group
  • To only show users applications to which they have access and hide others when using the Duo Access Gateway launcher

I hope that helps you plan your groups strategy. Thanks for trying Duo!


#3

Kristina,

Thanks for your reply. We will be using groups for several of the use-cases that you mention, including:

  • The default policy for an application lets unenrolled users bypass Duo, but you have a pilot group that you do want to enroll when accessing the application.
  • To restrict access to a certain Duo application only to a group of IT admins.

In these use cases, do you see organizations using user groups or resource groups? For example, if you wanted to protect Palo Alto GlobalProtect and Citrix Access Gateway, would you place every user in one group and assign that group to both of those applications, or would you create a group of each of these applications and add people to the appropriate groups?

Thanks!


#4

Typically we’ll see some of both, even in one organization. So, an org may have a large “Duo Users” group that contains everyone, and then have additional groups with smaller memberships to layer on top of that.

For your example of protecting both Palo Alto and Citrix, assuming the same users have access to those resources they could be assigned to just one group.

For the pilot group example, this could be done with a group policy with the “Allow access” or “Allow access without 2FA” user policy setting assigned to the large “Duo Users” group on an application, and then an additional policy assigned to a “Duo Pilot” group with the same user policy setting set to “Require enrollment”.

If you do plan to import users into Duo from Azure or Active Directory, keep in mind that synced users can’t be manually added to other Duo groups, so you’d need to create your groups structure and populate members in your directory and then sync all the groups you want to use for management into Duo when setting up your sync.
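As an added illustration (not Duo’s code or part of the original thread), the script below models the layered approach from post #4: a broad “Duo Users” group with “Allow access without 2FA” on an application, plus a “Duo Pilot” group with “Require enrollment” layered on top. It assumes that group policies attached to an application are checked in the order listed, with the first group containing the user winning, and that a user in none of those groups gets the application’s default; the users, group names and the ordering rule are constructed for the example. It also checks two things a practitioner would want to catch before rollout: a pilot policy listed after the broad group (so it is never reached), and a policy group that was not included in the directory sync.

```python
from dataclasses import dataclass, field

# User-policy values named in the thread.
ALLOW_WITHOUT_2FA = "Allow access without 2FA"
REQUIRE_ENROLLMENT = "Require enrollment"


@dataclass(frozen=True)
class GroupPolicy:
    group: str
    user_policy: str


@dataclass
class Application:
    name: str
    default_user_policy: str
    # Ordered list; first policy whose group contains the user wins (assumption).
    group_policies: list = field(default_factory=list)


def resolve_user_policy(app, user_groups):
    """Return (user_policy, source) for a user with the given group memberships."""
    for gp in app.group_policies:
        if gp.group in user_groups:
            return gp.user_policy, gp.group
    return app.default_user_policy, "application default"


def shadowed_group_policies(app, directory_groups):
    """Names of policy groups that no user can reach because every member is
    already matched by a group listed earlier (the ordering mistake)."""
    shadowed = []
    for i, gp in enumerate(app.group_policies):
        members = [u for u, gs in directory_groups.items() if gp.group in gs]
        earlier = app.group_policies[:i]
        if members and all(
            any(e.group in directory_groups[u] for e in earlier) for u in members
        ):
            shadowed.append(gp.group)
    return shadowed


def unsynced_policy_groups(apps, synced_groups):
    """Groups referenced by a policy but not included in the directory sync."""
    referenced = {gp.group for app in apps for gp in app.group_policies}
    return sorted(referenced - set(synced_groups))


# Constructed directory memberships: alice is a pilot user, bob is a regular
# user, carol is in no Duo group at all.
DIRECTORY_GROUPS = {
    "alice": {"Duo Users", "Duo Pilot"},
    "bob": {"Duo Users"},
    "carol": set(),
}

# Pilot policy listed first, broad policy second: the layering from post #4.
VPN = Application("GlobalProtect", ALLOW_WITHOUT_2FA, [
    GroupPolicy("Duo Pilot", REQUIRE_ENROLLMENT),
    GroupPolicy("Duo Users", ALLOW_WITHOUT_2FA),
])

# Same two policies in the wrong order: the pilot group is never reached.
VPN_MISORDERED = Application("GlobalProtect (misordered)", ALLOW_WITHOUT_2FA, [
    GroupPolicy("Duo Users", ALLOW_WITHOUT_2FA),
    GroupPolicy("Duo Pilot", REQUIRE_ENROLLMENT),
])


if __name__ == "__main__":
    for user, groups in DIRECTORY_GROUPS.items():
        policy, source = resolve_user_policy(VPN, groups)
        print(f"{user:6} -> {policy!r} (from {source})")
    print("shadowed in misordered app:",
          shadowed_group_policies(VPN_MISORDERED, DIRECTORY_GROUPS))
    print("policy groups missing from sync:",
          unsynced_policy_groups([VPN], ["Duo Users"]))
```

Running it shows alice landing on “Require enrollment” via “Duo Pilot” while bob stays on the broad policy; in the misordered application the pilot group is reported as shadowed, and “Duo Pilot” is flagged when only “Duo Users” was synced from the directory.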