Set up a People Group

Set up a people group to make it easier to manage the people accessing your secure network.

Using a People Group, you can configure the User onboarding options, including the Profile name, the Conductor, and the Airwall Gateways and resources these people have access to.

Note: If you are combining people groups with a third party authentication service such as LDAP or OIDC, you manage permissions in that service with group membership.

What you can do with People groups:

  • Manage trust – You can assign trust dynamically to a people group using tags and a smart device group, or use the tag applied to Airwall Agents and Servers used by people in the group to easily find devices to add to a device group directly.
  • Onboard users – You can use the User onboarding tab to send Airwall Invitations to people in the group and as they are added to the group. (You can also send invitations from the Airwalls page to the people currently in the people group.)
  • Set Overlay network permissions – Use the people group to set overlay network editors and viewers.
  • Set groups to get alerts – Send event monitor alerts to a people group.
  • Manage groups coming in from a third-party OIDC authentication provider – Create people groups in the Conductor that exactly match the groups on your authentication provider to automatically add members of the group in the authentication provider to the group in the Conductor.
For more information on the types of users, see Understand People Roles and Permissions or Understand People Roles (v2.2.13 and earlier).
  1. In Conductor, go to People>People groups.
  2. Select New People Group.
  3. Set a name for this people group and add a description or tags, if desired.
    Setting up a group for Third-party authentication: If you are managing people groups with a third-party authentication service, make sure the people group name matches your group on that service. Then, when you add people on that service, they are included in the people group when they log in.
  4. Select Create.
  5. If you are using a Third-party Authentication service, skip the rest of this procedure. On the People groups page, open the People group you just created.
  6. Under People, select Add people and select the people you want to be members of this group.
  7. If you are using this group to onboard users, open the Airwall onboarding tab.
  8. Next to Configuration, select the pencil icon to edit.
  9. Check Provide an activation code for each member of <groupname>, and then set up how to onboard the users added to this group:
    1. Under Configuration:
      • Profile name – Set the name of the profile created on the Airwall Agent or Server for the user.
      • Conductor hostname or IP – Enter the Conductor hostname or IP.
      • Send onboarding email to users – Check to send new users of the group a notice that they have an activation code to connect.
    2. Under All Airwalls:
      • Generated Airwall name – Set the name to assign to the Airwall Agent or Server in the Conductor when the user activates it. The default value sets it to the Airwall Agent or Server type. See the help when you select this box to see other options for autogenerating names.
      • Use bypass gateway – Select the bypass gateway you want this group to use.
      • Airwall groups – Select the Airwall groups to add people's devices to. For example, you might assign this group to the Employee, Admin, or Vendor group.
      • People group permissions – Automatically add Airwall Agents and Servers to these people groups when activated. This option gives members of the group editor rights to the Airwall.
      • Tags – Create or assign tags to people’s devices as they connect. For example, if you’re using tags to create Smart Device Groups that add people’s devices to the right overlays, enter these tags now.

    3. Under Airwall agents:
      • Require authenticated Airwall session – Check to require an authenticated Airwall session to connect.
      • Overlay device IP network (CIDR) – (Optional) Select the network from which to assign IP addresses to devices as they connect.
        Note: If you use the same IP network in subsequent Invitations, IP addresses will keep incrementing. For instance, if you send out one Invitation starting at 192.168.1.15 with 10 emails and then another with the same IP with 10 emails, they all just get a free IP from the network as they come online.
      • Overlay device IP netmask – Netmask in the form 255.255.255.0. Only applied if the Airwall Agent or Server has an overlay device IP assigned.
      • Overlay networks – (Optional) The Overlay networks to add people's devices to.
      • Device groups – Select the Device groups to add people's devices to.
    4. Under Airwall Gateways, if you want to set the Airwall Edge Service's name using Airshell prior to provisioning, check Allow Airshell to set name.

  10. Control access – If you want to grant or block access for this group at particular times, go to the Airwall agent authentication tab and set up Access windows for the group. For more details, see Set Times Authenticated Users can Access the Secure Network.
  11. Manage trust with tags – If you want to manage trust for the people group using tags, go to the Airwall agent authentication tab and under Authentication tags, enter the tags you want to use to manage trust.
    Note: These tags are applied to the Airwall Agent or Server when people in this group log in to authenticate their session. Tags are removed when the remote session ends. Combined with smart device groups, you can use these tags to dynamically create trust.
  12. Manage Airwall permissions – If you want to set what Airwall Edge Services this group has access to, go to the Airwall permissions tab, and add any you want them to have edit permissions to.
  13. Manage Cloud permissions – If you want to give permissions to create cloud Airwall Gateways to this group, go to the Cloud providers tab, and add any cloud providers that you want them to have edit permissions to.
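
Step 3 requires the people group name to match the group name on the third-party authentication service. The following check is an added example, not part of the product or its documentation: it compares two name lists you have collected yourself and flags names that differ only by case, spacing, or Unicode form. It assumes "match" means an exact string comparison; the function names and sample group names are constructed for illustration.

```python
import unicodedata


def _fold(name):
    """Reduce a name to a form that ignores case, spacing and Unicode variants."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def audit_group_names(conductor_groups, idp_groups):
    """Compare Conductor people group names with authentication-provider names.

    matched        - identical on both sides (these map as intended)
    near_miss      - (idp_name, conductor_name) pairs that look alike to a
                     reviewer but are not the same string
    idp_only       - provider groups with no Conductor counterpart
    conductor_only - Conductor groups that no provider group maps to
    """
    conductor, idp = set(conductor_groups), set(idp_groups)
    matched = sorted(conductor & idp)

    # Index the unmatched Conductor names by their folded form.
    folded = {}
    for name in conductor - idp:
        folded.setdefault(_fold(name), []).append(name)

    near_miss, idp_only = [], []
    for name in sorted(idp - conductor):
        candidates = folded.get(_fold(name))
        if candidates:
            near_miss.extend((name, c) for c in sorted(candidates))
        else:
            idp_only.append(name)

    paired = {c for _, c in near_miss}
    conductor_only = sorted(conductor - idp - paired)
    return {"matched": matched, "near_miss": near_miss,
            "idp_only": idp_only, "conductor_only": conductor_only}


# Constructed sample data: names copied by hand from each system.
CONDUCTOR_GROUPS = ["Employees", "Vendors", "Network Admins", "Contractors"]
IDP_GROUPS = ["Employees", "vendors", "Network  Admins ", "Finance"]

if __name__ == "__main__":
    for key, value in audit_group_names(CONDUCTOR_GROUPS, IDP_GROUPS).items():
        print(f"{key}: {value}")
```

Entries under near_miss are the ones to fix first: the group exists on both sides, but its members will not be added to the people group when they log in, so the group's onboarding settings and permissions do not reach them.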