
Allow specifying the groups that are allowed/blocked from using the VPN #1194

Open
MohammedNoureldin opened this issue Oct 4, 2023 · 3 comments

Comments

@MohammedNoureldin

Hi,

It would be great if we could specify, at the IdP level, which users are allowed/blocked from using the VPN at all. I think that having a configuration to specify which group(s) are allowed to log in to the VPN is going to be the best solution for this. In this case, every user that is part of any of these allowed group(s) will be able to log in.

For example, we sync groups called VPN Users and Administrators from the IdP, and all users that are part of these two groups should be able to use the VPN; then it comes down to the access control judgment to see what this logged-in user is allowed to access.

A bit more detailed example, we add the following combo box / radio box:

  • Allow by default and block the members of the following groups.
  • Block by default and allow the members of the following groups.

Beneath that we have a text box to specify which groups will be allowed/blocked, depending on the radio box.

Of course, the user can be part of other groups, which may potentially change the behavior depending on access control rules, in case the user was able to use the VPN at all according to the VPN Allow/Block rules.
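The allow/block decision proposed above, written out as an added example (not netbird's code and not code from the issue author). `LoginPolicy`, `GroupsFromClaims` and the claim name `groups` are assumptions for illustration; the example reads the group list from a decoded OIDC claim map, tolerates a missing or malformed claim, compares group names case-insensitively, and fails closed on an unrecognised mode.

```go
package main

import (
	"fmt"
	"strings"
)

// Mode mirrors the two radio-box options from the proposal.
type Mode int

const (
	AllowByDefault Mode = iota // everyone may log in except members of the listed groups
	BlockByDefault             // nobody may log in except members of the listed groups
)

// LoginPolicy is a hypothetical configuration object: the selected mode plus the
// group names typed into the text box.
type LoginPolicy struct {
	Mode   Mode
	Groups []string
}

// normalize makes "VPN Users" and " vpn users " compare equal, since IdPs differ
// in how they emit group names.
func normalize(s string) string { return strings.ToLower(strings.TrimSpace(s)) }

// GroupsFromClaims extracts string entries from a JSON-decoded claim such as
// "groups". A missing claim, a non-array claim, or non-string entries are skipped
// rather than treated as an error, so the caller still gets a decision.
func GroupsFromClaims(claims map[string]interface{}, claimName string) []string {
	raw, ok := claims[claimName].([]interface{})
	if !ok {
		return nil
	}
	var groups []string
	for _, v := range raw {
		if s, ok := v.(string); ok {
			groups = append(groups, s)
		}
	}
	return groups
}

// Allowed decides whether a user carrying userGroups may log in to the VPN.
func (p LoginPolicy) Allowed(userGroups []string) bool {
	listed := make(map[string]struct{}, len(p.Groups))
	for _, g := range p.Groups {
		listed[normalize(g)] = struct{}{}
	}
	member := false
	for _, g := range userGroups {
		if _, ok := listed[normalize(g)]; ok {
			member = true
			break
		}
	}
	switch p.Mode {
	case AllowByDefault:
		return !member // listed groups are the blocklist
	case BlockByDefault:
		return member // listed groups are the allowlist
	default:
		return false // unknown mode: fail closed
	}
}

func main() {
	// Constructed sample claims, as an IdP might return them after JSON decoding.
	claims := map[string]interface{}{
		"sub":    "user-123",
		"groups": []interface{}{"Engineering", "vpn users", 42},
	}
	policy := LoginPolicy{Mode: BlockByDefault, Groups: []string{"VPN Users", "Administrators"}}
	fmt.Println("allowed:", policy.Allowed(GroupsFromClaims(claims, "groups")))
}
```

Note that with `BlockByDefault`, a token with no `groups` claim at all is rejected, which is the safer outcome when the IdP has not been configured to emit the claim.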

@horzadome

Suggestion: rename this ticket to "Allow mapping additional OIDC claims to netbird groups".

IMHO everything else that's needed to accomplish the OP's goals already exists in policies and is in use by direct user invitation flow (default groups).

I also need this mechanism in order to apply group-based policies to new users.
Looking at the code, this one is IMHO unlikely to be implemented any time soon, so my plan is to not wait for this feature and instead assign groups to users using some external mechanism. I'm guessing I'll need to constantly poll the API events endpoint to figure out whether a new user was created. Or maybe my IdP (Azure AD) can trigger some event notification; I'll need to figure it out.

@MohammedNoureldin
Author

MohammedNoureldin commented Oct 14, 2023

Hi, @horzadome

It's a good point, but let us say this issue is the entry point to start mapping between claims and other functionalities in this software. Renaming this issue to something bigger will probably extend its implementation time, which is why I prefer keeping it limited to a specific functionality. Or what would you say?

Do you have any suggestion or workaround for my use-case to block or enable specific users to use the VPN when they have a specific group in their group claim?

@MohammedNoureldin changed the title from "Allow specifying the groups that is allowed/blocked from using the VPN" to "Allow specifying the groups that are allowed/blocked from using the VPN" on Oct 14, 2023
@MohammedNoureldin
Author

Hey, @mlsmaycon @braginini!

I am just wondering if there are any plans to implement this soon or to prioritize it. Any official statement would be helpful for me to be able to prioritize my work. Thank you.
