Groups

additional resources

Help Center ↗

Changelog

FAQ

Twingate Trust Center

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

Groups are how users are authorized to access Resources. Groups have three aspects to them:

A set of Users that are members of the Group. Users may be part of multiple Groups.
A set of Resources that users in the Group are authorized to access. For each Resource, an expiration time can be set, at which point the Group will lose access.
A single Security Policy that determines which security controls apply to access any Resource in the Group.

In order for a user to be authorized to access a Resource, the user must:

Be a member of a Group that includes the Resource.
Be able to successfully authenticate against the configured Security Policy, which can require re-authentication with your IdP, or apply additional security controls including 2FA.

Built-in Groups

The Everyone group is a built-in group that automatically includes all users. Any Resources assigned to this group will be authorized for all users. Examples of Resources that might make sense for this Group are:

Any company-wide resources such as a metrics dashboard.
Domain controllers or other shared infrastructure components that authorized users require access to on a company network.

Custom Groups

Custom groups are manually created and managed in the Twingate Admin console. When you manually add a group in the Admin console, you are creating a custom group that will not be modified by any automated processes.

Custom groups may also be managed via the Twingate Admin API.

Synced Groups

Synced groups are automatically synchronized from your configured IdP. Both Resources and Access policies may be set on Synced groups, but user management is controlled from your IdP and reflected in Twingate.

Some differences apply depending on your IdP:

Entra ID, Okta, and OneLogin support scoping which users and groups are synced with Twingate via SCIM.
Google Workspace does not natively allow granular configuration of which users and groups are synchronized to Twingate. Group sync is disabled by default. If enabled, it will synchronize all Google Workspace groups.

Last updated 2 months ago

Home

Guides

Use Cases

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

How NAT Traversal Works

Understanding Encryption in Twingate

API

Getting Started with the API

Schema

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Best Practices

Updating Connectors

Advanced Connector Management

Resources

Remote Networks

Aliases

Team

Users

Groups

Identity Providers

Security Policies

Policy Guides

Two-Factor Authentication

Devices

Client Application

Managed Devices

Device Administration

Services

Headless Clients

CI/CD Configuration

Analytics

Network Overview

Audit Logs

Network Traffic

User Activity

Syncing Data to AWS S3

Internet Security

DNS Filtering

DNS-over-HTTPS (DoH)

Internet Security Client Configuration

Administration

Admin Console Security

Subscription Management

Managed Service Providers

Cancel Your Subscription

additional resources

Help Center ↗

Changelog

FAQ

Twingate Trust Center

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance