For example, if the user connects from local network, he can connect to "Device-1, Device-2" but if connects from VPN he can connect to only "Device-1"
If the user connects from local , can connect to "Device-1" SSH and WEB, but if connects from VPN, can connect to only "Device-1" WEB UI
We created 2 user groups named "test-vpn" and "test-local" and limited IP ranges to source IPs. Then created 2 device groups named "test-vpn" amd test-local. Then we created two different policies for vpn and local user groups and devices.however, the user can see the devices or passwords he / she is authorized in both policies, regardless of the source IP it is connected to, whether it is connected from vpn or from the local network.