There are three built-in groups in the Smoothwall authentication system:
- Default users
- Banned users
- Unauthenticated IPs
These groups cannot be deleted or renamed. Each is used for a specific purpose by the authentication system.
- On-Premise Appliance: You can see these groups in Services > Authentication > Groups.
- Cloud Filter: You can’t see these groups in Admin Panel > Smoothwall Groups, but they exist in the background.
Default users
This group is used when a user has been authenticated but Smoothwall does not see a group membership for that user. After connecting to a directory, user groups from that directory are mapped to local Smoothwall groups, and this mapping is where the authentication system gets the user's group membership from. If a user exists in the directory but is not a member of any mapped group, their group membership is set to the Default users group.
Users whose group membership is set to the Default users group have a hyphen (-) listed as their group membership in the "Services - authentication - User activity" list. You can use this to see which users have not yet been mapped to a local Smoothwall group. See: Users aren't showing up in the right groups. There's a hyphen(-) in the user activity list next to their usernames.
Tip: This group will include users with an alias, where their User Principal Name has not been used.
Banned users
This group is used in conjunction with the user ban features on the admin UI and the user portal. When a user is banned, the authentication service overrides the user's group membership, if any, and places the user in the Banned users group.
For this feature to work correctly, a policy to block content for the Banned users group also needs to be configured.
Unauthenticated IPs
This group is assigned to any client IP which runs over a non-authenticating proxy by design, or to any normally authenticated client which makes a web request where the requested domain is identified as being part of a category listed in the Authentication Exceptions, found at Web proxy > Authentication > Exceptions. This is the default setting for unauthenticated requests. This group membership can be overridden in the proxy configuration itself by selecting a different group to use for unauthenticated access permissions. By default, the group applies to any request from a client device that has not authenticated, and to any request from an authenticated client for content that is in an Authentication Exception.