User Group Authorization rules are created to grant read access to the Live internal KB site.
Please note that adding these rules to your KB will not auto-populate the Active Users table in the KB Admin Tools. Should a member of your authorized group need to edit/publish documents, please follow the instructions in this document to add a new user to your KB site.
Creating an Authorized Group
To use this feature, go to the Users tab and click the Group Authorization link; this will lead you to the User Group Authorization screen. The image below shows the User Group Authorization screen.
From the User Group Authorization screen, enter an Attribute name, choose a Condition from the dropdown list (e.g. is equal to, starts with, contains), and enter the Attribute value.
Finally, click the Add button and a new line will appear for the Group Authorization entry you just created.
In addition to working with Manifest (aka Grouper), the KB can also act upon any attribute that Shibboleth is capable of delivering.
Rules can also be added allowing read-only access to the Live internal site for members of specific Grouper/Manifest groups that you (or someone in your department/team) personally manage. To use Manifest with the KB, you will need to release your Manifest group to the KB's Shibboleth Service Provider. To do so, please follow the steps outlined in Manifest - Manage SAML2 EntityIDs, entering https://kb.wisc.edu/shibboleth as the EntityID.
Read-only access can also be granted based on Unit Division Department Sub-department (UDDS) numbers, or on any other Shibboleth attribute. Shibboleth is best suited for institutional departments that want to authorize large groups of employees, even if those employees are not in a Manifest/Grouper group.
Note: For institutions outside of UW-Madison, additional work must be performed to map a specific Shibboleth attribute to the KB for use with Group Authorization. Please contact firstname.lastname@example.org to request a new attribute.
The examples below demonstrate different attributes used for Group Authorization.
The eppn (eduPersonPrincipalName) attribute grants authorization to the institution uchicago.edu.
The isMemberOf attribute grants members of the DoIT Help Desk KB authorization to the KB User's Guide (kbGuide).
The wiscEduUDDS attribute grants all members of
***Note: For those at the University of Wisconsin - Madison, here is a link to the UW-Madison Departmental Look-up tool: https://www.rsp.wisc.edu/services/udds.cfm. Enter your Department name in the field provided and you will see a table listing the UDDS/DeptID, Short Name and Long Name of the Department. You may select a UDDS/DeptID covering a range as wide or as narrow as you require.
Result of Applying Group Authorization Rules
There is no limit to the number of Group Authorization rules that can be created. Once they are applied, users to whom the rules apply may access Live Internal Site documents. Should a rule no longer apply to a user (e.g. the user takes another position or leaves your institution entirely), they will lose access to the documents in the Live Internal KB site.
Users who access the KB Internal Site via a Group Authorization rule:
- may not edit/publish KB documents
- may not be added to a User Access group
There is no conflict if a user who has been manually entered into the User's Tab of the KB Admin Tools is also a member of an Authorized Group. The KB first checks user permissions in the Users tab and then checks the KB site for Group Authorization rules.
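The following is an added example, not the KB's own code, modelling how Group Authorization rules are matched against a user's released Shibboleth attributes and the check order described above (Users tab first, then rules). The condition names and the three attribute names come from this page; the sample users, group names, UDDS values, role name and the ';' separator for multi-valued attributes are assumptions.

```python
# Added illustration (not KB Admin Tools code) of Group Authorization matching.
# Conditions and attribute names are from the page; sample data is constructed.
from typing import Optional

# Condition names as they appear in the Group Authorization dropdown.
CONDITIONS = {
    "is equal to": lambda actual, expected: actual == expected,
    "starts with": lambda actual, expected: actual.startswith(expected),
    "contains": lambda actual, expected: expected in actual,
}


def attribute_values(attributes: dict, name: str) -> list:
    """Split one released attribute into its values. Multi-valued attributes
    such as isMemberOf are assumed to arrive ';'-joined (Shibboleth SP default)."""
    return [v for v in attributes.get(name, "").split(";") if v]


def rule_matches(rule: dict, attributes: dict) -> bool:
    """A rule matches when any value of its attribute satisfies its condition."""
    check = CONDITIONS[rule["condition"]]
    return any(check(v, rule["value"])
               for v in attribute_values(attributes, rule["attribute"]))


def access_level(netid: str, attributes: dict, users_tab: dict, rules: list) -> Optional[str]:
    """Users tab is checked first and a manual entry keeps its own role.
    Otherwise any matching rule grants read-only access to the Live internal
    site; no match means no access (e.g. after the user's attributes change)."""
    if netid in users_tab:
        return users_tab[netid]
    if any(rule_matches(r, attributes) for r in rules):
        return "read-only"
    return None


# Constructed rules mirroring the page's three example attributes.
RULES = [
    {"attribute": "eppn", "condition": "contains", "value": "@uchicago.edu"},
    {"attribute": "isMemberOf", "condition": "is equal to", "value": "uw:doit:helpdesk"},  # assumed group
    {"attribute": "wiscEduUDDS", "condition": "starts with", "value": "A48"},  # assumed UDDS prefix
]
USERS_TAB = {"editor1": "publisher"}  # manually added user; role name assumed

if __name__ == "__main__":
    print(access_level("editor1", {}, USERS_TAB, RULES))
    print(access_level("guest", {"eppn": "someone@uchicago.edu"}, USERS_TAB, RULES))
    print(access_level("former", {"wiscEduUDDS": "B120000"}, USERS_TAB, RULES))
```

When writing a rule, choose the tightest condition that still covers the intended population: "is equal to" on a full value cannot match unintended attribute values the way "contains" can.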
Collaborating with Users who Access the KB via a Group Authorization
There may be occasion for a KB Admin to collaborate with a member of an Authorized Group who is a content expert. Such a user cannot review documents in the In Review or In Progress status. To remedy this, the KB Admin may create a privately shared link to share one or many unpublished documents with a member of an Authorized Group. Should it be more practical for the content expert to edit the document, the KB Admin need only add the user to the KB.