On the Definitions & Users > Users & Groups > Groups page you can add user groups to Sophos UTM on AWS. In its factory default configuration, Sophos UTM on AWS has one user group called SuperAdmins. If you want to assign administrative privileges to users, that is, granting access to WebAdmin, add them to the group of SuperAdmins; this group should not be deleted.
Tip – When you click on a group definition in the Groups list, you can see all configuration options in which the group definition is used.
To add a user group, proceed as follows:
On the Groups tab, click New Group.
The Add Group dialog box opens.
Make the following settings:
Group name: Enter a descriptive name for this group. Note that this name does not need to correspond to the names of your backend groups.
Group type: Select the type of the group. You can choose between a group of static members and two group types promoting dynamic membership.
- Static members: Select the local users who shall become member of this group.
- IPsec X509 DN mask: Users are dynamically added to an IPsec X509 DN group definition if they have successfully logged in to the gateway through an IPsec connection and if specific parameters of their distinguished names match the values specified in the DN Mask box.
Backend membership: Users are dynamically added to a group definition if they have been successfully authenticated by one of the supported authentication mechanisms. To proceed, select the appropriate backend authentication type:
- Active Directory: An Active Directory user group of Sophos UTM on AWS provides group memberships to members of Active Directory server user groups configured on a Windows network. For more information, see Definitions & Users > Authentication Services > Servers.
- eDirectory: An eDirectory user group of Sophos UTM on AWS provides group memberships to members of eDirectory user groups configured on an eDirectory network. For more information, see Definitions & Users > Authentication Services > Servers.
- RADIUS: Users are automatically added to a RADIUS backend group when they have been successfully authenticated using the RADIUS authentication method.
- TACACS+: Users are automatically added to a TACACS+ backend group when they have been successfully authenticated using the TACACS+ authentication method.
- LDAP: Users are automatically added to an LDAP backend group when they have been successfully authenticated using the LDAP authentication method.
Limit to backend group(s) membership (optional; only with backend groups Active Directory or eDirectory): For all X.500-based directory services you can restrict the membership to various groups present on your backend server if you do not want all users of the selected backend server to be included in this group definition. The group(s) you enter here once selected this option must match a Common Name as configured on your backend server. Note that if you select this option for an Active Directory backend, you can omit the CN= prefix. If you select this option for an eDirectory backend, you can use the eDirectory browser that lets you conveniently select the eDirectory groups that should be included in this group definition. However, if you do not use the eDirectory browser, make sure to include the CN= prefix when entering eDirectory containers.
Check an LDAP attribute (optional; only with backend group LDAP): If you do not want all users of the selected backend LDAP server to be included in this group definition, you can select this checkbox to restrict the membership to those users matching a certain LDAP attribute present on your backend server. This attribute is then used as an LDAP search filter. For example, you could enter groupMembership as attribute with CN=Sales,O=Example as its value. That way you could include all users belonging to the sales department of your company into the group definition.
Comment (optional): Add a description or other information.
The new user group appears on the Groups list.
To either edit or delete a group, click the corresponding buttons.