Access Groups
Access groups control which users can reach which applications.
How access works
Access in Cetegra Connect – Private Access is always group-based:
User → Access Group → Application → Network Segments
A user can reach an application only if they are a member of an access group that is assigned to that application. There is no direct user-to-application assignment.
This means:
- Granting access = adding a user to an access group
- Revoking access = removing a user from an access group
- The same group can be assigned to multiple applications
Viewing access groups
Go to Access Groups in the sidebar. The list shows all access groups configured for your organisation. For each group you can see:
- Display name and description
- Number of members
- Applications the group is assigned to
- Membership type (assigned or dynamic)
- Creation date
Click any group to open its detail view.
Group detail view
The detail view shows:
- Applications assigned to this group — the connections users in this group can reach
- Membership type — whether members are manually assigned or automatically added via a rule
- Member count
Group membership itself (the list of individual users) is managed in Microsoft Entra, not in this console. To see a user’s group memberships, go to Users and open their detail view.
Checking a user’s access
To find out which applications a specific user can reach:
- Go to Users and search for the user.
- Open the user’s detail view and check their group memberships.
- Return to Access Groups and look up each of those groups to see which applications they are assigned to.
Alternatively, use the Access Report (in the sidebar) for a complete visual map of the access chain.
Dynamic membership groups
Some groups use a dynamic membership rule — for example, “all users in the Finance department”. These groups are managed automatically by Microsoft Entra based on user attributes. You can identify them by the Dynamic membership type indicator in the group list.