02-10-2017 12:38 PM
We’re beginning to get a Duo deployment for our IT department off the ground, with 2FA planned for our VPN and Citrix services first, with SSH and some web services coming shortly after.
Can anyone shed some light on best practices for user/group management? I’m struggling with the advantages/issues of setting up user groups that contain different areas or the IT department as a whole, or resource groups set up for each application to be protected. Or, maybe, a combination of both.
02-13-2017 01:08 PM
Typical reasons to use groups with Duo are…
So, some use cases for multiple groups might be…
I hope that helps you plan your groups strategy. Thanks for trying Duo!
02-13-2017 01:23 PM
Kristina,
Thanks for your reply. We will be using groups for several of the use-cases that you mention, including:
The default policy for an application lets unenrolled users bypass Duo, but you have a pilot group that you do want to enroll when accessing the application.
To restrict access to a certain Duo application only to a group of IT admins.
In these use cases, do you see organizations using user groups or resource groups? For example, if you wanted to protect Palo Alto GlobalProtect and Citrix Access Gateway, would you place every user in one group and assign that group to both of those applications, or would you create a group for each of these applications and add people to the appropriate groups?
Thanks!
02-14-2017 06:33 AM
Typically we’ll see some of both, even in one organization. So, an org may have a large “Duo Users” group that contains everyone, and then have additional groups with smaller memberships to layer on top of that.
For your example of protecting both Palo Alto and Citrix, assuming the same users have access to those resources they could be assigned to just one group.
For the pilot group example, this could be done with a group policy with the “Allow access” or “Allow access without 2FA” user policy setting assigned to the large “Duo Users” group on an application, and then an additional policy assigned to a “Duo Pilot” group with the same user policy setting set to “Require enrollment”.
If you do plan to import users into Duo from Azure or Active Directory, keep in mind that synced users can’t be manually added to other Duo groups, so you’d need to create your groups structure and populate members in your directory and then sync all the groups you want to use for management into Duo when setting up your sync.
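The group layering described in the reply above, modelled as a small Python script. This is an added illustration and is not Duo code or the Duo Admin API; the group names, policy names and memberships are made up for the example. It assumes one precedence rule, which you should confirm against Duo's current policy documentation before relying on it: for each policy section, the first group policy in the application's ordered list whose group contains the user wins, a section no group policy sets falls through to the application policy, and anything still unset comes from the global policy. The point it adds to the prose is the ordering pitfall: because every pilot member is also in the big "Duo Users" group, the "Require enrollment" policy only takes effect if the pilot group policy is listed ahead of the "Allow access without 2FA" policy.

```python
"""Toy model of how Duo layers group policies on top of an application's
policy, for the pilot-group layout described in the thread.

Added illustration, not Duo code or the Duo Admin API. Assumed (label):
per policy section, the first group policy in the application's ordered
list whose group contains the user wins; an unset section falls through
to the application policy, then to the global policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    # section -> value, listing only the sections this policy configures;
    # an unset section inherits from the next policy down the chain.
    settings: Dict[str, str]


@dataclass(frozen=True)
class Application:
    name: str
    app_policy: Optional[Policy]
    # (group name, policy) pairs in the order they appear on the application
    group_policies: List[Tuple[str, Policy]]


# Assumed global policy: unenrolled users must enroll, everyone gets 2FA.
GLOBAL_POLICY = Policy("Global", {"new_user": "Require enrollment",
                                  "auth": "Enforce 2FA"})

SECTIONS = ("new_user", "auth")


def effective_setting(app: Application, user_groups: Set[str], section: str,
                      global_policy: Policy = GLOBAL_POLICY) -> Tuple[Optional[str], str]:
    """Return (value, name of the policy that supplied it) for one section."""
    for group, policy in app.group_policies:          # highest precedence, in order
        if group in user_groups and section in policy.settings:
            return policy.settings[section], policy.name
    if app.app_policy and section in app.app_policy.settings:
        return app.app_policy.settings[section], app.app_policy.name
    return global_policy.settings.get(section), global_policy.name


def resolve_user_policy(app: Application, user_groups: Set[str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Resolve every section for a user with the given group memberships."""
    return {s: effective_setting(app, user_groups, s) for s in SECTIONS}


# The layout from the thread: a big "Duo Users" group allowed through without
# 2FA until enrolled, and a "Duo Pilot" group forced to enroll. Both policies
# configure the same new_user section, so order decides the outcome.
BYPASS_UNTIL_ENROLLED = Policy("Bypass until enrolled",
                               {"new_user": "Allow access without 2FA"})
PILOT_ENROLLMENT = Policy("Pilot enrollment", {"new_user": "Require enrollment"})

PILOT_APP = Application(
    name="Palo Alto GlobalProtect",
    app_policy=None,
    group_policies=[("Duo Pilot", PILOT_ENROLLMENT),        # listed first: wins
                    ("Duo Users", BYPASS_UNTIL_ENROLLED)],
)

# Same policies with the order reversed: pilot members are also in
# "Duo Users", so the bypass policy shadows the enrollment requirement.
MISORDERED_APP = Application(
    name="Palo Alto GlobalProtect (misordered)",
    app_policy=None,
    group_policies=[("Duo Users", BYPASS_UNTIL_ENROLLED),
                    ("Duo Pilot", PILOT_ENROLLMENT)],
)


def audit_pilot_coverage(app: Application, pilot_group: str,
                         memberships: Dict[str, Set[str]]) -> List[str]:
    """Names of pilot members who would NOT be forced to enroll on this app."""
    return sorted(user for user, groups in memberships.items()
                  if pilot_group in groups
                  and effective_setting(app, groups, "new_user")[0] != "Require enrollment")


if __name__ == "__main__":
    # Constructed sample memberships (in practice these come from directory sync).
    members = {"alice": {"Duo Users", "Duo Pilot"},
               "bob": {"Duo Users"},
               "carol": set()}
    for user, groups in members.items():
        print(user, resolve_user_policy(PILOT_APP, groups))
    print("pilot members not forced to enroll (correct order):",
          audit_pilot_coverage(PILOT_APP, "Duo Pilot", members))
    print("pilot members not forced to enroll (misordered):",
          audit_pilot_coverage(MISORDERED_APP, "Duo Pilot", members))
```

Running it shows alice (in both groups) forced to enroll only under PILOT_APP, bob (Duo Users only) allowed through without 2FA, and carol (no groups) falling back to the global policy; the audit function is the kind of check worth repeating after every group-policy reorder or directory-sync change, since synced membership changes in AD silently change who each policy applies to.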