Granting Access to Your VPN

Overview

Now that you’ve set up your network, it’s time to invite users to begin using it. Netmaker’s User Management streamlines the process of inviting users, setting roles and permissions on the platform, and granting access to your VPN.

A user can be granted a role that gives them access to the platform itself, the ability to directly manage networks, or access to the VPN through particular points of entry.

In this section of the guide, we’ll cover how to invite users and grant them access to the VPN. For a full overview of inviting other platform administrators and configuring other kinds of users, see the full documentation.

Roles

Permissions on Netmaker are either server-wide or network-specific. For instance, you can make someone an Admin of the whole platform, or a Network Admin who manages a specific network.

Platform Roles (Server-wide access level)

Platform-level roles in Netmaker Professional are a mechanism to define user permissions across the entire platform, rather than on a per-network basis. They determine a user's overall access level and capabilities.

Here's a breakdown of platform roles and their associated capabilities.

Super Admin

  • Highest level of privilege. Considered the “platform owner”.

  • Complete control over the platform: Can manage all users, networks, configurations, and system settings.

Admin

  • A “platform manager” with most privileges.

  • Does not need to be assigned groups or network roles since they have full access.

Platform User

  • Limited access to the platform.

  • Can interact with assigned resources and perform specific tasks.

  • Must be added to a group or given network roles to have any platform or network access.

  • In the context of VPN access, can be used to grant the ability to deploy the netclient (typically should be a network administrator) or to deploy static config files.

Service User

  • Meant for “VPN Users”.

  • No platform access.

  • Primarily used for remote access via the RAC application.

  • Must be added to a group or given network roles to have any network access.

For the purposes of this guide we’re concerned with Platform Users and Service Users, and how to grant them access to deploy VPN endpoints.

Groups

A group is a collection of users and network roles. Groups make permissioning easier: rather than granting the same network roles to every new user, you can simply add the user to a group.

Here's how it works:

  1. Create a Group: Define a group based on criteria such as department, role, or project.

  2. Add Roles: Add roles to the group that define its permissions.

  3. Add Users: Add the relevant users, and they will inherit the permissions.

A user can be in multiple groups, and the inherited permissions are additive.

Default Groups

There are some pre-defined groups that you can assign to users, to simplify setup:

  • <network name>-network-admin-grp: Contains the network role <network id>-network-admin and grants admin privileges on the network.

  • <network name>-network-user-grp: Contains the network role <network id>-network-user and grants end user access to the network.
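The sections above describe how platform roles, directly assigned network roles, and group membership combine into a user's effective access. The following Python model (an added example, not Netmaker's own code) makes those rules explicit so an administrator can reason about them: Super Admin and Admin have full access without groups, Platform Users and Service Users only get what their roles and groups grant, and permissions inherited from several groups are additive. It also includes a small audit helper that lists users who end up with no network access at all, which is a common cause of “I was invited but see nothing” tickets. The role-name format `<network id>-network-admin` / `<network id>-network-user` and the group names are taken from the page; the user and group records are constructed for the example.

```python
"""Model of Netmaker's role/group permission resolution.

Added illustration, not Netmaker code. Assumptions: network roles are strings
of the form '<network id>-network-admin' or '<network id>-network-user', and
platform-level Super Admin / Admin bypass network roles, as the page describes.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PLATFORM_ROLES = {"super-admin", "admin", "platform-user", "service-user"}
# Roles that need no groups or network roles to manage every network.
FULL_ACCESS_ROLES = {"super-admin", "admin"}


@dataclass
class Group:
    name: str
    network_roles: set[str] = field(default_factory=set)


@dataclass
class User:
    name: str
    platform_role: str
    network_roles: set[str] = field(default_factory=set)  # directly assigned
    groups: set[str] = field(default_factory=set)         # group names


def default_groups(network_id: str) -> dict[str, Group]:
    """The two pre-defined groups the page lists for each network."""
    admin_grp = f"{network_id}-network-admin-grp"
    user_grp = f"{network_id}-network-user-grp"
    return {
        admin_grp: Group(admin_grp, {f"{network_id}-network-admin"}),
        user_grp: Group(user_grp, {f"{network_id}-network-user"}),
    }


def effective_network_roles(user: User, groups: dict[str, Group]) -> set[str]:
    """Union of directly assigned roles and roles inherited from every group.

    Membership in several groups is additive, so a plain set union models it.
    """
    if user.platform_role not in PLATFORM_ROLES:
        raise ValueError(f"unknown platform role {user.platform_role!r}")
    roles = set(user.network_roles)
    for group_name in user.groups:
        if group_name not in groups:
            raise KeyError(f"user {user.name} references unknown group {group_name}")
        roles |= groups[group_name].network_roles
    return roles


def network_access(user: User, groups: dict[str, Group], network_id: str) -> str:
    """Resolve a user's access to one network: 'admin', 'user', or 'none'."""
    if user.platform_role in FULL_ACCESS_ROLES:
        return "admin"
    roles = effective_network_roles(user, groups)
    if f"{network_id}-network-admin" in roles:
        return "admin"
    if f"{network_id}-network-user" in roles:
        return "user"
    return "none"


def can_use_dashboard(user: User) -> bool:
    """Service Users have no platform (dashboard) access; all other roles may log in."""
    return user.platform_role != "service-user"


def users_without_access(users: list[User], groups: dict[str, Group]) -> list[str]:
    """Audit helper: names of non-admin users who hold no network role at all."""
    return [
        u.name
        for u in users
        if u.platform_role not in FULL_ACCESS_ROLES
        and not effective_network_roles(u, groups)
    ]


if __name__ == "__main__":
    # Constructed sample data: two networks with their default groups.
    groups = {**default_groups("office"), **default_groups("lab")}
    users = [
        User("alice", "service-user", groups={"office-network-user-grp"}),
        User("bob", "admin"),
        User("carol", "platform-user"),  # invited but never placed in a group
        User("dave", "platform-user",
             groups={"office-network-user-grp", "lab-network-admin-grp"}),
    ]
    for u in users:
        print(u.name, {n: network_access(u, groups, n) for n in ("office", "lab")},
              "dashboard:", can_use_dashboard(u))
    print("no network access:", users_without_access(users, groups))
```

Running the script shows that `carol`, a Platform User with no group or role, resolves to `none` on every network, which is exactly the state the Roles section warns about; `dave` shows the additive behaviour, being a plain user on `office` and an admin on `lab` from two separate groups.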

Network Resource Access Control with ACL Policies

See also: New ACLs (Pro). Easily manage network access with the new Netmaker ACLs.

Authentication Options

Users can either be created with a username and password (Basic Auth) or invited, which lets them log in with an authentication provider such as Google, Microsoft, Okta, or others. Note that on SaaS you must use the provided options, and on On-Prem you must first set up the OAuth integration.

Basic Auth: Users are created with a password, and managed directly by admins within the Netmaker platform. This is not available on SaaS.

OAuth: Users are invited to the Netmaker server via email, and log in using the integrated authentication mechanism.

Note that users can also be invited via email and then set their own username and password, so the invitation flow can be used while still authenticating with basic auth.

Adding and Inviting Users

Setting up Email Notifications On-Prem

Netmaker On-Prem only sends email notifications to invited users if it is configured to do so. Check our documentation on how to configure email notifications.

Inviting Users via Email

  1. In the user management page, click on Add a User > Invite User

  2. Enter the email address(es) of the user(s) to invite and select “Platform User” or “Service User” as the Platform Access Level

    1. If users should only have access to the RAC (the usual option) they should be Service Users

    2. If they need access to the dashboard to, for instance, create and download their own config files, make them Platform Users

  3. Select the Group(s) to assign access

  4. Click on “Create User invite(s)”

    The user(s) will be notified through the entered email address(es)

Creating Users via Basic Auth

  1. In the user management page, click on Add a User > Add a User

  2. Provide a username and initial password for the user

  3. Select a Platform Access Level

  4. Specify permissions if necessary (same as the invite process above)

  5. Click on “Create User”

  6. Share the credentials with the intended user for them to log in

Updating User Permissions

  1. Click on a username

  2. Update the user’s permissions

  3. Click on “Update User” to save

Next Steps

Now that users have been added to the VPN, we will show you how they will access the VPN as end users.