OpenVPN is excited to announce the release of Multiple Group Assignment for CloudConnexa®, a powerful new feature designed to meet the needs of today’s cross-functional workforce. In many organizations, employees don’t fit neatly into a single role or department. They may be part of multiple teams, contribute to several projects, or collaborate across business lines — all requiring different sets of applications and services.
With Multiple Group Assignment, administrators can easily ensure that each user — no matter how many teams they’re part of — has the right access to the right resources without sacrificing security or creating administrative headaches.
A single user can now belong to one Primary User Group (PUG) and up to 20 Secondary User Groups (SUGs), making it faster and more consistent to provision access in line with the real-world structure of your organization.
The challenge: managing access for cross-functional users
Collaboration between teams and departments is essential to business success, but it creates complex access needs. Without a flexible group structure, administrators often resort to workarounds — duplicating configurations, granting overly broad permissions, or manually adjusting access for each user. These approaches are time-consuming, error-prone, and can introduce security risks.
The solution: Multiple Group Assignment for streamlined, accurate provisioning
Multiple Group Assignment solves this challenge by enabling dynamic group membership. Users inherit baseline settings from their PUG’s group configuration and gain supplemental access through SUGs. The user group mapping can happen dynamically from your Identity Provider’s role, group, or department assignments on the user’s authentication. This model keeps core security policies consistent while allowing precise resource access for different projects, roles, or collaborations — perfect for cross-functional team members.
Primary User Group for core configuration
A user’s PUG defines their core configuration, including:
- Allocated WPC Subnet(s)
- Regions the user can connect to
- Internet access method — Split Tunnel on, Split Tunnel off, or Restricted
- Connection authentication policy — No, On prior authentication timeout, or Every time
- Maximum devices per User allowed
- Active Location Context policies
- Active Device Posture policies
These settings ensure that no matter how many teams a user belongs to, their security and connectivity remain consistent.
Secondary User Groups for additive resource access
On top of the PUG, a user can belong to multiple SUGs — up to 20 — each granting access to Applications, IP Services, and other Users and their Devices via Access Groups. This lets Admins give users only the resources they need for a specific project or role without reworking their primary configuration.
Enhanced User Group Mapping for automation
Multiple Group Assignment integrates seamlessly with User Group Mapping in CloudConnexa. Using custom mapping rules, Admins can assign User Groups through the Admin UI, API, or automatically via SAML/LDAP integration with your Identity Provider (IdP). This flexibility allows you to support both manual configuration and fully automated provisioning at scale.
For example, you could assign a user to a “Design Team” PUG while automatically placing them in SUGs for “Marketing,” “Sales,” and “Engineering” to reflect their cross-functional responsibilities.
The highest priority mapping rule that matches will continue to determine the user’s PUG, while all subsequent matching rules will determine the user’s SUGs (up to a maximum of 20).
New mapping logic will apply when existing users re-authenticate, so group membership is always up to date.
Multiple Group Assignment eliminates repetitive manual configuration, reduces errors, and ensures that cross-functional users always have the right access from day one.
Why this matters for cross-functional teams
For IT teams, Multiple Group Assignment directly addresses the challenges of managing complex access needs:
- Eliminates the need for user-specific groups — Users can now belong to multiple groups, reducing the need to create and maintain groups dedicated to individual users.
- Supports complex, real-world access needs — Users in cross-functional or hybrid roles can inherit access from multiple groups across departments, roles, or functions.
- More accurate access based on identity attributes — CloudConnexa now assigns both Primary and Secondary User Groups using IdP-provided attributes, ensuring users receive the right access automatically.
- Enhances the scalability of access management — Flexible group assignments reduce configuration sprawl and make it easier to manage large or growing user bases.
Whether you’re managing developers who work across multiple product lines, marketing staff who need access to different regional resources, or project teams spanning departments, Multiple Group Assignment ensures your users can collaborate effectively while staying secure.
Start using Multiple Group Assignment today
Multiple Group Assignment is available now in CloudConnexa. Learn more about configuring Primary and Secondary User Groups — and optimizing User Group Mapping — in our CloudConnexa documentation.
Learn more about Multiple Group Assignment:
Get step-by-step instructions for configuring Multiple Group Assignment for your team’s unique needs:
New here? Ready to take your business to the next level with CloudConnexa? Work from anywhere and from any device with confidence. Create an account today for three free connections.