KB User's Guide - Users Tab - Group Authorization
This document describes how to create User Group Authorization rules in order to grant a select group automated read access to your Live internal KB site.
Note: Adding these rules to your KB will not auto-populate the Active Users table in the KB Admin Tools. Should a member of your Group Authorization want to edit/ publish documents, please follow the instructions in this document to add a new user to your KB site.
Creating an Authorized Group
In the KB Admin Tools, go to the Users tab > Group Authorization link. The image below shows the User Group Authorization screen.
From the User Group Authorization screen, enter an Attribute name.
Choose a Condition from the dropdown list (e.g. is equal to, starts with, contains)
Add the Attribute value.
The Active checkbox is enabled by default.
Finally, click on the Add button to save the Group Authorization entry you just created.
Read-only access based on Unit Division Department Sub-department (UDDS) numbers, or any other Shibboleth attribute, can be granted.
The Manifest service is recommended for UW-Madison KB groups who wish to provide access based on UDDS or student affiliation data. For information on setting up and configuring a Manifest group for use with the KB, please see KB User's Guide - Using Manifest to Authorize Users for the KB.
Shibboleth attributes may be used for some data that is not covered by Manifest, though uses are more limited.
Note: For institutions outside of UW-Madison, additional work must be performed to map a specific Shibboleth attribute to the KB for use with Group Authorization. Please contact email@example.com to request a new attribute.
The examples below demonstrate different attributes used for Group Authorization.
eppn(eduPersonPrincipalName) attribute grants authorization to the institution domain "uchicago.edu".
isMemberOfattribute grants members of the "uw:domain:kb.wisc.edu:help_desk_west" Manifest group authorization.
wiscEduUDDSattribute grants all members under the UDDS code
- Note: Manifest UDDS group membership is now recommended instead of the wiscEduUDDS attribute.
Result of Applying Group Authorization Rules
There is no limit to the number of Group Authorization rules that can be created. Once they are applied, users to whom the rules apply may access Internal Site Live documents. Should the rule no longer apply (e.g. the user gets another position or leaves your institution entirely) they will lose access to the documents in the Live Internal KB site.
Users who access the KB Internal Site via a Group Authorization rule:
- may not edit/publish KB documents
- may not be added to a User Access group
There is no conflict if a user who has been manually entered into the User's Tab of the KB Admin Tools is also a member of an Authorized Group. The KB first checks user permissions in the Users list before checking for Group Authorization rules, so permissions granted for an individual via the Users list will always take precedence.
Collaborating with Users who Access the KB via a Group Authorization
There may be occasion for a KB group admin or author to collaborate with a member of an Authorized Group who is a content expert. However, if that individual is not in the Users list, they will be unable to access the KB Admin Tools to view draft (In Progress or In Review) documents. To remedy this, you may create a privately shared link to share one or many unpublished documents with a member of an Authorized Group. Should it be more practical for the content expert to edit the document, the KB group admin need only add the user to the KB.