By default, Twingate is set up to use social logins (Google, Microsoft, GitHub, and LinkedIn) to control access. You are able to invite users through the Teams page in the Admin Console, as well as deactivate users that are no longer active. For more information on managing social logins, see the Social Logins page.

If you choose to connect a third party Identify Provider (IdP), then users are automatically synchronized from your Identity Provider and cannot be modified in the Twingate Admin Console. Any changes to users — for example, creation or deactivation — are received directly from your configured IdP via SCIM and will update Twingate immediately. For more information on managing Identity Providers, see the Identity Providers page.

When added to Twingate, all users only have access to the “Everyone” group, and unless Resource(s) are added either to the Everyone group, or users are specifically assigned to a Group, users will not have access to any Twingate Resources.

You can view which Resources a user can access via the user’s detail page, either in a list form or an Access Graph.

Viewing the Access Graph will allow you to see a mapping of the groups, Resources, and the paths and policies applied. You can also apply filters to limit the graph to specific Groups, Remote Networks, or Resources.

When a user no longer requires access to Twingate, you can disable or delete them. For more information see the Offboarding Users page.

Admin Users

Twingate supports three admin roles, each providing different levels of write capabilities across the Twingate Admin Console.

• Admin users have full read and write capabilities across the entire Admin Console.
• DevOps users have read and write capabilities in the Network tab of the Admin Console. Permissions are read-only on all other sections of the Admin Console.
• Support users have read-only access across the entire Admin Console.

For more information, see the Admins page, which describes the different admin roles in detail and how to assign roles to users.