User groups vs application groups - best practice

Plundstedt · ‎02-10-2017

We’re beginning to get a Duo deployment for our IT department off the ground, with 2FA planned for our VPN and Citrix services first, with SSH and some web services coming shortly after.

Can anyone shed some light on best practices for user/group management? I’m struggling with the advantages/issues to setting up user groups that contain different areas or the IT department as a whole, or resource groups setup for each application to be protected. Or, maybe, a combination of both.

DuoKristina · ‎02-13-2017

Typical reasons to use groups with Duo are…

To restrict which users can access which applications with the Permitted Groups setting.
To import sets of users via directory sync.
To change how multiple users authenticate to Duo (changing the group’s status to let members bypass Duo or disable the group to block Duo auth for members).
To apply different settings on an application to a certain group while users not in the group receive different settings.

So, some use cases for multiple groups might be…

The default policy for an application lets unenrolled users bypass Duo, but you have a pilot group that you do want to enroll when accessing the application
To restrict access to a certain Duo application only to a group of IT admins
To temporarily disable Duo access for users on long-term leave by adding them to a group
To only show users applications to which they have access and hide others when using the Duo Access Gateway launcher

I hope that helps you plan your groups strategy. Thanks for trying Duo!

Duo, not DUO.

Plundstedt · ‎02-13-2017

Kristina,

Thanks for your reply. We will be using groups for several of the use-cases that you mention, including:

The default policy for an application lets unenrolled users bypass Duo, but you have a pilot group that you do want to enroll when accessing the application.
To restrict access to a certain Duo application only to a group of IT admins.

In these use cases, do you see organizations using user groups or resource groups? For example, if you wanted to protect Palo Alto GlobalProtect and Citrix Access Gateway, would you place every user in one group and assign that group to both of those applications, or would you create a group of each of these applications and add people to the appropriate groups?

Thanks!

DuoKristina · ‎02-14-2017

Typically we’ll see some of both, even in one organization. So, an org may have a large “Duo Users” group that contains everyone, and then have additional groups with smaller memberships to layer on top of that.

For your example of protecting both Palo Alto and Citrix, assuming the same users have access to those resources they could be assigned to just one group.

For the pilot group example, this could be done with a group policy with the “Allow access” or “Allow access without 2FA” user policy setting assigned to the large “Duo Users” group on an application, and then an additional policy assigned to a “Duo Pilot” group with the same user policy setting set to “Require enrollment”.

If you do plan to import users into Duo from Azure or Active Directory keep in mind that synced users can’t be manually added to other Duo groups, so you’d need to create your groups structure and populate members in your directory and then sync all the groups you want to use for management into Duo when setting up your sync.

Duo, not DUO.