Controlling Access by Group

From the Group Access Control pane, you control which domain or local groups have access to the server. You can allow or deny access, or use a combination of allow and deny. For information about how the server handles allow and deny rules, see Using Allow and Deny Rules for Access Control.

You can add groups to the list by specifying individual groups, or use regular expressions to match multiple groups. Group name matching is not case sensitive.

To ensure a greater degree of security, it is advisable to configure global settings that are more restrictive than group settings. With this model, you use group settings to increase, rather than decrease, access. Doing this helps to ensure settings that are more restrictive for a user whose group membership cannot be determined.

Notes:

• To specify a group that is a member of a Windows Active Directory domain, use either a single forward slash (/) or two backward slashes (\\) between the domain name and the group name.
• To specify a local group, either omit the domain name or use the local computer name as the domain name.
• To include a space in a group name, use [ ] (a space character enclosed in brackets). For example, to specify the Power Users group, use Power[ ]Users.

  If you use a period (Power.Users), the expression matches the group name successfully. However, the expression also matches other group names that use any other character in place of the space (for example, PowerXUsers).

Examples

The following configuration denies access to any user who is a member of the local group called Red. Users from any other group are allowed to connect unless they match a deny list item on another pane.

Note: Users in the Red group are always denied access, even if they match an allowed item listed on this pane or on the User Access Control pane.

The following configuration limits access to members of the Administrators group in the Acme domain. Other users are denied access unless they match an allowed user or client host rule.

The following configuration allows access to all members of local and domain groups called Test and Developer.

Note: This configuration also allows access to groups that the administrator might not want to allow; for example, in addition to allowing access from Acme\Test, this configuration also allows access from Acme\NotTest and NotAcme\Test.

By removing the wildcards, the following configuration ensures that access is provided only to the specific groups called Test and Developer on the local computer and in the Acme domain.