KB User's Guide - Using Manifest to Authorize Users for the KB

This document describes how you can use the UW-Madison Manifest service to provide access to your KB, either to automatically authorize a group of users for your internal KB, or to provision NetIDs for external collaborators that need access.

Granting Internal KB Access

  1. Create a new group in Manifest: Manifest - Create a Group. Please take care to only use lowercase characters and underscores in your group name, as spaces and other characters may prevent authorization from working as expected.

  2. Add the users you would like to authorize for your internal KB as group members. Users may be authorized as individuals, or authorized based on their membership in other groups. The latter is useful if your unit is already using Manifest and maintaining other groups, or if you would like to authorize users based on their university affiliation, such as their HR-designated affiliation (i.e. UDDS groups) or enrollment data (i.e. student groups).

    For more information on using UDDS groups or student groups in Manifest, please see Manifest - Data Driven Groups. If you are unsure of what UDDS code to refer to, it is best to check with your HR department, or try searching for the code.

  3. Release your Manifest group to the KB's Shibboleth Service Provider. To do so, please follow the steps outlined in Manifest - Manage SAML2 EntityIDs, entering https://kb.wisc.edu/shibboleth as the EntityID.

  4. Make note of your group's path. This will appear at the top of the group page in Manifest directly below your group's name, with colons as the path delimiters. All UW-Madison Manifest group paths will start with the "uw" folder and ultimately terminate in the group name. For example, the group depicted below has the path "uw:domain:kb.wisc.edu:demo_group".

    Image showing the group path below the group name in Manifest
  5. Follow the steps in KB User's Guide - Users Tab - Group Authorization to set up a Group Authorization rule in the KB Admin Tools, where the Attribute name is entered as "isMemberOf", the Condition is set to "is equal to", and the Attribute value is the group path you copied in the previous step.
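
The following pre-flight check for steps 1, 4 and 5 is an added example, not KB or Manifest code. The function names are hypothetical and the sample values are constructed. It assumes a strict reading of step 1 (letters a-z and underscores only), that isMemberOf is released as a multi-valued attribute, and that an "is equal to" rule matches when one released value equals the rule value exactly.

```python
import re

# Step 1: the group name (final path segment) uses lowercase letters and underscores only.
GROUP_NAME_RE = re.compile(r"[a-z_]+")


def check_group_path(path):
    """Return a list of problems with a copied Manifest group path (empty list = OK)."""
    problems = []
    if path != path.strip():
        problems.append("leading or trailing whitespace")
    segments = path.strip().split(":")
    if segments[0] != "uw":
        problems.append('path must start with the "uw" folder')
    if len(segments) < 2 or any(s == "" for s in segments):
        problems.append("path needs colon-delimited, non-empty segments")
    elif not GROUP_NAME_RE.fullmatch(segments[-1]):
        problems.append("group name must be lowercase letters and underscores only")
    return problems


def is_authorized(released_values, rule_value):
    """Assumed model of an "is equal to" rule: one released value must match exactly."""
    return rule_value in released_values


def substring_match(released_values, rule_value):
    """Looser comparison, shown only to contrast with the exact match above."""
    return any(rule_value in value for value in released_values)


if __name__ == "__main__":
    rule = "uw:domain:kb.wisc.edu:demo_group"  # example path from step 4
    # Constructed isMemberOf values for a user who is NOT in demo_group.
    other_user = [
        "uw:domain:kb.wisc.edu:demo_group_editors",
        "uw:domain:example.wisc.edu:staff",
    ]
    print(check_group_path(rule))                 # no problems
    print(check_group_path(rule + " "))           # stray space from copy and paste
    print(check_group_path("uw:domain:kb.wisc.edu:Demo Group"))
    print(is_authorized(other_user, rule))        # exact match: not authorized
    print(substring_match(other_user, rule))      # looser match would over-authorize
```

The last two lines show why the Condition in step 5 is "is equal to": a group whose path merely begins with the authorized path does not satisfy the rule.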

Provisioning NetIDs for KB Collaborators

If you work with someone who needs access to your internal KB, but they do not have a NetID, there are two ways to approach this:

  1. First, reach out to your HR department to find out if the user in question should be part of an Affiliate Population that would be eligible for a NetID.
  2. If HR does not believe they should be assigned a formal Affiliate Population, follow the instructions in Manifest - Using a Manifest Group to Invite People to Create Identities (NetIDs). When you reach the step where you request permission to invite external users, note that the group is being used to grant access to the KnowledgeBase service and describe the relevant user base as appropriate (e.g. visiting researchers who will be contributing to KB documentation).

Once those external users have gone through the NetID activation process, you will be able to add them to your users list like any other UW-Madison affiliate: KB User's Guide - Users Tab - Adding a User

Alternatively, you may also set up a Group Authorization rule for the new Manifest group as described in KB User's Guide - Users Tab - Group Authorization.



Doc ID:
110558
Owned by:
Leah S. in KB User's Guide
Created:
2021-04-28
Updated:
2024-06-18
Sites:
KB User's Guide