Best Practices for Migration of Device Permissions from a User to a Group

Written by Rohit Nayak on March 8, 2022

Share This Article

JumpCloud is the one-stop solution for centralizing access for users across devices, applications, directories, and endpoints. Customers can now manage privileged access and/or permissions across multiple devices to ensure sensitive, administrative rights are maintained by leveraging the power of User Groups.

JumpCloud enables administrators to manage permissions on devices requiring Administrator/Sudo or Passwordless Sudo permission (the latter is only available on Mac and Linux). This allows administrators to have better control and visibility over who has access to which devices. Recently, JumpCloud released two new features that allow administrators to control these permissions at the User Group level, as well as per User Group to Device Group bind for more granular control. As a result, any user that’s a member of the User Group automatically inherits permissions set at the group level.

This best practices blog:

  • Illustrates types of associations,
  • Shows you how to check what binds you have as a user,
  • Covers the two ways you can set permissions on users (globally on a user vs. individually on a device),
  • Recommends migration to groups by first using the No Elevated Permissions on a user, and
  • Shows you how to migrate a device to a Device Group and a user.

Types of Associations

There are four different ways a user can have Administrator/Sudo permissions applied for a given device. The following illustration is a visual representation of how these permissions can be applied and/or cascaded based on where the permission is configured.

The administrator can choose any of these methods based on the organization’s need to control individual devices and the roles the users will hold through the lifecycle of the identity.

Path 1: Global Administrator/Sudo Enabled on User Group

Result: The Administrator/Sudo permission is being applied to all bound Device Groups and their bound devices, which grants all users within the User Group Administrator/Sudo access to all bound devices.

Path 2: Administrator/Sudo Enabled on Select Device Group(s) Assigned to a User Group

Result: The Administrator/Sudo permission is being applied on the User Group’s bind to selected Device Groups. Devices that are bound to a Device Group with Administrator/Sudo enabled receive Administrator/Sudo access. As a result, bound users in the User Group will inherit Administrator/Sudo access on those select devices

Path 3: Global Administrator/Sudo Enabled on an Individual User

Result: This user has Administrator/Sudo permissions for all devices they are bound to, both indirectly and directly

Path 4: Administrator/Sudo Enabled on User’s Direct Bind to a Device

Result: The Administrator/Sudo permission is being applied to the user’s direct bind to a specific device.

Checking What Binds You Have

Direct Bind

Direct bind (indicated by the darker blue checkbox) indicates direct permissions that were applied on the association with selectable user inputs from the UI or the API (as illustrated below).

Indirect Bind

An indirect bind (indicated by the lighter blue checkbox) indicates that the device is indirectly bound to the user through a Device Group which is, in turn, bound to a User Group. (as illustrated below)

Why is this important?

These differences are crucial in determining if the device would be needed to get converted into a new type of association using groups.

Initially, we recommend administrators check the type of bind users may already have in the JumpCloud Admin Portal.

Complete the following steps to check what devices are bound to the user:

  1. Log in to the JumpCloud Admin Portal
  2. Go to USER MANAGEMENT > Users and select a user.
  3. Click the Device tab to check the status of the checkbox next to the applicable device(s). 

If the checkbox for devices (first column on the Devices tab) is checked and darker in color, this indicates a direct bind exists between the device and the user. If the checkbox for a device is checked and lighter in color, this indicates an indirect bind exists between the user and the device.

Setting Global Permissions on a User

You can also enable privileged access on all devices by checking Enable as Global Administrator/Sudo on all device associations on a user, which elevates permissions on all devices associated with that user.
Note: This setting takes the highest precedence for all the user’s devices and overrides all other settings that individual devices may have with the user.

Complete the following steps to enable global permission on a user

  1. Log in to the JumpCloud Admin Portal
  2. Go to USER MANAGEMENT > Users, and select a user.
  3. Click the Details tab, navigate to the User Security and Settings area, and check the Permission Settings.
  4. Click the Enable as Global Administrator/Sudo on all device associations checkbox and save user.

This will result in the user having Administrator/Sudo permissions on all devices associated with that user.

This illustrates that a global setting takes precedence over associations on all devices that the user is associated with. One can use this setting if the desire is to promote all devices for a user with global Administrative/Sudo or Passwordless Sudo with a direct or indirect bind of the devices with the user.

Removing this direct association on the user will result in a state where the user still shows a combination of direct and indirect binds for devices and the states of these devices. This is due to the group-based association newly introduced within JumpCloud that allows management of devices using User Groups and Device Groups. One can proceed to undo the above change if there is a preference to control individual devices or inherit and manage permissions using groups.

Complete the following steps to remove Global Administrator/Sudo permissions between users and devices:

  1. Log in to the JumpCloud Admin Portal
  2. Go to USER MANAGEMENT > Users, and select a user.
  3. Click the Details tab, navigate to User Security and Settings Section, and check the Permission Settings.
  4. Uncheck the Enable as Administrator/Sudo on all device associations checkbox, and click save user.
  5. Navigate to the Devices tab. You will see the permissions change to a combination of direct and indirect binds.

Setting Administrative Permissions on Individual Devices

Complete the following steps to manage individual devices:

  1. Log in to the JumpCloud Admin Portal
  2. Go to USER MANAGEMENT > Users > Devices.
  3. Select the applicable device by clicking on it.
  4. Click the dropdown arrow directly under the Permissions column, select the desired permission, and click save user. The Administrator/Sudo permission is now set for the user on that device.

To manage multiple individual devices, we suggest using Device Groups, to which individual devices can be bound. Permissions can then be applied to Device Groups when the Device Group is bound to a User Group. Group-level permissions can be set on a User Group to Device Group bind, or globally at the User Group level, applying to all Device Groups.

Elevated permissions that are set on an individual device bind or globally for the user should be removed for any group-level permission to take effect.

Complete the following steps to downgrade individual devices to having no elevated permissions:

  1. Log in to the JumpCloud Admin Portal
  2. Go to USER MANAGEMENT > Users, and select a user.
  3. Click the Devices tab.
  4. Click the dropdown for the applicable device under the Permissions column.
  5. Select No Elevated Permissions to remove the permission for the device on the user.

Note: The No Elevated Permissions option removes the Sudo permissions, but leaves the bind.

Important Considerations

  • A direct bind association can only be removed if a device is chosen to be disassociated with a user (unchecking the direct bind). The previous state associated with the user due to elevated User Group or User Group bind permissions can still exist, which is illustrated below.

After saving the user, the user will still have an indirect bind to that device.

  • Alternatively, when a device that has no permissions is selected and chosen to be directly unbound, the device will fall off the list of the bound devices as shown below. The device can be located by unchecking the filter show bound devices, which in this case will let you locate the unbound device.


Note: For API users, an easy way to identify a user’s direct and indirect permissions is to refer to List the Systems bound to a User.

Migrating Devices to Individual Groups

Armed with all the knowledge of the above points, the administrator needs to decide if the device can be migrated to the group-based association. A quick tip to decide when to migrate a device from direct user association to a User Group > Device Group association is to check if the device associated with the user is not part of any other User Group.

Note the direct association of the device takes the highest precedence over the devices that get inherited using groups.

You can have a user be directly bound or indirectly bound to a specific device, although it’s strongly recommended to always have users be indirectly bound to a specific device via migrating individual devices to Device Groups, connecting users to User Groups, and then connecting a User Group to a Device Group to control access centrally.

Here, we show you how to convert a user’s access to a specific device by making that user part of a specific User Group that not only is already connected to this device via a Device Group, but also automatically applies Administrator/Sudo permissions to that user via that User Group.

Complete the following steps to indirectly bind a user to a device:

  1. Log in to the JumpCloud Admin Portal 
  2. Go to USER MANAGEMENT > Users, and select a user by clicking anywhere on a user’s row.
  3. Click the Devices tab to see what devices that user is connected to and what permissions they have on each device. Note: In the following image, the user, Markus Ipsum, is directly bound (see dark blue checked box) to the device called “(GCE) Win2008-2” and has Administrator/Sudo permissions.
  1. Uncheck the box located on the same row as the device and next to the Status column and click save user.
  2. Click the User Groups tab, click the checkbox of the User Group that has this device connected to it (Admin – GCE), and click save user. The user is now part of this specific User Group.
  1. The user will still have the device, “(GCE) Win2008-2”, assigned to them but now as an indirect bind via the User Group they are now a part of called Admin – GCE. Notice the lighter blue checked box, indicating an indirect bind to the device. This illustrates how the device has been migrated to utilize User Groups for centralized administration and better governance.

Migrating Devices to Users

To migrate a device back to a user, you would need to first remove the association the user has to a User Group for the device where you would prefer direct control over it. This is typical in situations where you would prefer control over devices for the user, or provide temporary device access to certain users in the organization..

Complete the following steps to migrate a device to a user:

  1. Log in to the JumpCloud Admin Portal
  2. Go to Device Management > Device Groups.
  3. Select a device group by clicking anywhere on the device group’s row.
  4. Click on the Devices tab.
  5. Click the checkbox next to the device you want to remove.
  6. Click save.
  7. Ensure the device is not part of any other Device Group.
  8. Go to the User Management > Users.
  9. Select a user by clicking anywhere on a user’s row.
  10. Click the Devices tab and look for the specific device that should be directly bound to the user.
  11. Click the checkbox for that specific device, and select the applicable permission that the user should have to that device under the Permissions column.

Note: If the device is still part of any other groups, the direct bind of that device to the user won’t be permitted.

In conclusion, the direct binds are best used if the direct association on the device needs to be individually managed. Additionally, a group-based bind is best used if several devices need similar rules and properties that can be centrally managed, using the flexibility of the User Group to Device Group association. Both the users and the User Groups can also be used to leverage all devices and Device Groups collectively via a global administrator bind, which overrides the individual permissions that override all underlying permissions on the device and Device Groups respectively.

JumpCloud

Enable Secure Hybrid Work Anywhere, Anytime

Identity, access, and device management from a single cloud-based console

Rohit Nayak

Rohit Nayak is a Sr. Product Manager on Cloud Directories at JumpCloud. Rohit is responsible for the overall authorization product strategy and roadmap around group based access control for JumpCloud. Rohit brings 14 years of experience in building Identity Governance and Administration(IGA) products and Identity Management technologies with Directories, Access Management across multiple cloud platforms.

Continue Learning with our Newsletter