26.4: Users, Groups, Privileges

Started by JohnDoe17, May 08, 2026, 04:49:41 PM

Greetings.

I am a licensed user of the 26.4 Business edition.

How do Privileges work for a User that is a member of multiple Groups - each with a different set of Privileges?

For example, suppose a User, FOOBAR, is in the "admins" Group with "All pages" Privileges and also a member of the "RemoteAccessVPN" Group that has no Privileges at all.  (Btw, I have NOT configured any Privileges at all in FOOBAR's User settings.  It is my understanding that one should use Group Privileges instead?)

1) What is their effective set of Privileges?  What determines those?

The end goal I'm trying to achieve is that when FOOBAR is connected to the RemoteAccess VPN, they have no Privileges, but when they are physically connected to the LAN network, they have full privileges.

I thought I might be able to achieve this by specifying "Enforce local group" on the RemoteAccess VPN (OpenVPN), but I'm also using external authentication (Active Directory) to do the authentication, so my understanding is that "Enforce local group" cannot be used in this scenario.

2) Should I use two different User accounts to achieve this?  FOOBAR-Admin with "All pages" Privileges and FOOBAR-VPN with no Privileges?

I'd appreciate it if someone could help answer questions 1) and 2).

Thank you.

Hello,

Essentially all privileges are additive. So FOOBAR would have all pages permissions.


You can use 2 users, trust encryption, or have a firewall rule that users from the VPN ip range cannot access opnsense itself.

You can also add IP ranges to groups so that e.g. one group is not accessible via the source IP of the VPN, but another is.
Hardware:
DEC740
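To make the reply's two points concrete, here is a small model of additive privileges combined with per-group source-IP restrictions. It is an added illustration written for this thread, not OPNsense code; the LAN and VPN ranges, the group layout and the use of "All pages" as a privilege string are constructed assumptions.

```python
"""Model of additive group privileges with per-group source-IP restrictions.

Illustrative only: this is not OPNsense's implementation. Effective
privileges are the union of the user's direct privileges and the
privileges of every group whose source-IP restriction (if any) matches
the address the user is coming from.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    privileges: frozenset          # e.g. {"All pages"}; empty = no privileges
    allowed_sources: tuple = ()    # CIDR strings; empty tuple = any source IP


@dataclass(frozen=True)
class User:
    name: str
    groups: tuple
    privileges: frozenset = frozenset()   # direct user privileges (none here)


def group_applies(group: Group, source_ip: str) -> bool:
    """A group contributes privileges only when the login source IP falls
    inside one of its allowed ranges (or it has no range restriction)."""
    if not group.allowed_sources:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(net) for net in group.allowed_sources)


def effective_privileges(user: User, source_ip: str) -> frozenset:
    """Privileges are additive: union over direct and applicable group privileges."""
    effective = set(user.privileges)
    for group in user.groups:
        if group_applies(group, source_ip):
            effective |= group.privileges
    return frozenset(effective)


# Constructed sample reproducing the question's scenario (assumed ranges).
LAN_NET = "192.168.1.0/24"
VPN_NET = "10.8.0.0/24"
ADMINS_UNRESTRICTED = Group("admins", frozenset({"All pages"}))
ADMINS_LAN_ONLY = Group("admins", frozenset({"All pages"}), (LAN_NET,))
VPN_USERS = Group("RemoteAccessVPN", frozenset())
FOOBAR_ADDITIVE = User("FOOBAR", (ADMINS_UNRESTRICTED, VPN_USERS))
FOOBAR_RESTRICTED = User("FOOBAR", (ADMINS_LAN_ONLY, VPN_USERS))

if __name__ == "__main__":
    print(effective_privileges(FOOBAR_ADDITIVE, "10.8.0.7"))       # still "All pages"
    print(effective_privileges(FOOBAR_RESTRICTED, "10.8.0.7"))     # nothing via VPN
    print(effective_privileges(FOOBAR_RESTRICTED, "192.168.1.50")) # "All pages" via LAN
```

The first case shows why an empty-privilege group cannot subtract anything from the admins group; the second and third show how restricting the admins group to the LAN range yields the asked-for behaviour.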