ºÚÁϺ£½Ç91Èë¿Ú

Connect New Users to Resources

All resources in ºÚÁϺ£½Ç91Èë¿Ú are implicitly denied: by default, new users don't have access to a resource endpoint until they are explicitly connected to it, either directly or through group membership. You can bind the user to any of the resources connected to ºÚÁϺ£½Ç91Èë¿Ú, from devices to applications, networks, and so on. If the user is created in a Staged user state, they won't gain access to their assigned resources until they're activated. See Manage User States for specific information about when a user is provisioned or assigned resources.

Prerequisites:

  • The ºÚÁϺ£½Ç91Èë¿Ú Agent must be installed and active on the system. 
  • The user must be connected to the system in the Admin Portal.
  • The user must not exist as a local user account on the Linux System.

User Bindings

Access to resources may be granted by connecting a user to any of the following:

  • User Groups
  • Devices
  • Directories

User Groups

Binding a user to a group of users is an organizational construct. No access is granted until that group has been bound to a resource. You can edit group membership in this view. 

Devices

Binding a user directly to a device is good practice if this will be a one-to-one relationship. For example, a single user is bound to their work device to which no one else can have access. A user bound via a (user) group can also be bound directly to the device to enable a custom permission to be set on only that device. UI behavior for group and direct connection is explained further in Get Started: Devices. When a user is bound to a device, it either creates a new local user account or takes over an existing account of the same username. See Take Over an Existing User Account with ºÚÁϺ£½Ç91Èë¿Ú.

You can also let new users provision their account to macOS and Windows devices directly from the login screen. See Provision New Users on Device Login.

Directories

This can include Google Workspace, Microsoft 365, and/or ºÚÁϺ£½Ç91Èë¿Ú LDAP. These resources are generally accessed by groups of people, so binding a user directly, while possible, isn't generally recommended. Rather, bind the user to a group that has already been granted access to the directory. A direct connection can't be made if the user is already bound to the resource via a group of users.

Note:

Activate Google Workspace or Microsoft 365 to make them available in the list of Directories. See:

User Group Bindings

Access to resources may be granted by connecting a User Group to any of the following:

  • Users
  • Device Groups
  • Applications
  • RADIUS
  • Directories

Users

Binding a user to a group of users is an organizational construct; no access is granted until that group has been bound to a resource. You can edit group membership via the User tab.

Device Groups

Binding via device group is recommended when there are one-to-many or many-to-many relationships. For example, a group of admins needs access to a production environment. All members of the User Group will be granted access to all devices in the Device Group. When a user is connected to a device, a new local user account will be created or an existing account of the same username will be taken over. See Take Over an Existing User Account with ºÚÁϺ£½Ç91Èë¿Ú. It's possible to be bound to the device both directly and via group membership. UI behavior for group and direct binding is explained further in Get Started: Devices.

Binding through groups is not only how admins connect users to resources; it is also the mechanism by which they assign permissions to those groups.

Warning:

Binding a user group to a device group will create a local user account for each user in the user group on each device in the device group. Adding a large number of user accounts to a device may prevent it from operating correctly. Proceed with caution.

Applications and RADIUS Servers

To grant access, a user must be a member of a group. You may create one or many groups of users to bind to one or many resource types. After the group is bound to the application, any member of that group will be allowed to log in.

Directories

This can include Google Workspace, Microsoft 365, or ºÚÁϺ£½Ç91Èë¿Ú LDAP to Create an LDAP Group. Binding a User Group to a directory is possible even if a user has already been granted direct access to that directory.

Note:

Activate Google Workspace or Microsoft 365 to make them available in the list of Directories. See:

Binding Matrix

The following table illustrates which ºÚÁϺ£½Ç91Èë¿Ú resources can be bound.

               | User | Device | User Group | Device Group
User           |      | ✓      | ✓          | X
Device         | ✓    |        | X          | ✓
User Group     | ✓    | X      |            | ✓
Device Group   | X    | ✓      | ✓          |

✓ - The resources can be bound.
X - The resources can't be bound.
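
The binding rules above, worked through as an added example (not the product's API, export format, or code): a small model that rejects pairs the matrix marks with X, resolves which devices a user reaches directly or through a User Group bound to a Device Group, and counts the local accounts each device would carry. The object names and sample tenant are constructed, and one local account per active bound user per device is assumed.

```python
# Added example: a constructed model of the bindings described on this page,
# not the product's API or data format. All names below are hypothetical.
from collections import defaultdict

# Bindable type pairs from the Binding Matrix; the blank diagonal is treated
# as not bindable (assumption).
ALLOWED = {frozenset(p) for p in [("user", "device"), ("user", "user_group"),
           ("device", "device_group"), ("user_group", "device_group")]}

# Constructed sample tenant.
KINDS = {"alice": "user", "bob": "user", "carol": "user", "dave": "user",
         "admins": "user_group", "prod": "device_group",
         "web1": "device", "web2": "device", "laptop1": "device"}
STAGED = {"carol"}                       # created in the Staged user state
PAIRS = [("alice", "admins"), ("bob", "admins"), ("carol", "admins"),
         ("admins", "prod"), ("prod", "web1"), ("prod", "web2"),
         ("alice", "laptop1")]

def build(pairs, kinds=KINDS):
    """Return an adjacency map, rejecting pairs the matrix marks with X."""
    edges = defaultdict(set)
    for a, b in pairs:
        if frozenset((kinds[a], kinds[b])) not in ALLOWED:
            raise ValueError(f"{kinds[a]} cannot be bound to {kinds[b]}")
        edges[a].add(b)
        edges[b].add(a)
    return edges

def devices_for(user, edges, kinds=KINDS, staged=STAGED):
    """Implicit deny: only devices reachable through a binding are returned."""
    if user in staged:                   # Staged users gain no access yet
        return set()
    def of(name, kind):
        return {n for n in edges.get(name, ()) if kinds[n] == kind}
    found = of(user, "device")           # direct binding
    for group in of(user, "user_group"): # access via group membership
        for dgroup in of(group, "device_group"):
            found |= of(dgroup, "device")
    return found

def accounts_per_device(edges, kinds=KINDS, staged=STAGED):
    """Local accounts each device would carry (see the Warning above)."""
    count = defaultdict(int)
    for user in (n for n, k in kinds.items() if k == "user"):
        for device in devices_for(user, edges, kinds, staged):
            count[device] += 1
    return dict(count)
```

Running `accounts_per_device(build(PAIRS))` before binding a large User Group to a Device Group shows how many accounts each device would end up with.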
