The pfSense HEAD system uses an authentication layer which differs quite a bit from the auth layer found in a RELENG system. Basically it is possible to add users and groups as shown in the below figure.

http://www.pfsense.com/~dsh/diagrams/authlayer.png∞

A pfSense systems comes preconfigured with the user 'admin' and the group 'admins'. Each user that belongs to the 'admins' group is able to administer the system (i.e. full access to each pfSense web page). If you are going to add individual groups to the pfSense system, you would be able to assign a set of 'allowed pages' to a group. That way you are able to limit access to particular pages of the pfSense system per group.

At the time it is possible to assign permissions to a particular user. It is not possible to assign permissions to a group (!). For example you could assign the permission HasShellAccess to a particular user to allow SSH access. It is also possible to define custom permissions (atm the DSPAM package uses custom permisions).

Authentication takes place either by using traditional HTTP based authentication or using PHP's session based auth mechanism. It's possible using the PAM layer, the traditional passwd file, a htpasswd file or a radius backend for authentication purpose (the pfSense webGUI allows you to set which auth backend should be used).