KB User's Guide - Users Tab - Group Authorization

This document describes how to create User Group Authorization rules that grant a select group automated read access to your Live internal KB site, or read and write access to specific KB documents.

Note: Adding these rules to your KB will not auto-populate the Active Users table in the KB Admin Tools. Should a member of your Group Authorization want to edit or publish documents, please follow the instructions in this document to add a new user to your KB site.

Creating an Authorized Group

  1. In the KB Admin Tools, go to the Users tab > Group Authorization link. The image below shows the User Group Authorization screen. 

    Group Authorization screen in the Users tab of the KB admin tools

  2. From the User Group Authorization screen, enter a Group authorization name.

  3. Specify the Scope from the dropdown list:

    Dropdown showing the options for group authorization scope

    • Internal site: Allows users that meet the rule criteria to log in to the Internal Live KB site. These users will have the same level of access as a user account that has the "Internal KB" ("iKB") permission under the Users tab.

    • Document specific: The group will appear as an option under the WriteAccess and ReadAccess sections of the document editor screen. Users to whom the rule applies will gain read and/or write access to the documents associated with the group.

      • Note: For group-authorized WriteAccess to work, the user will first need to have a user account in your space with basic author permissions.

        For group-authorized ReadAccess to work, the user will first need to have a user account in your space with Internal site access, or they need to meet the criteria for a separate "Internal site" scoped authorization rule.

  4. Enter an Attribute name. Please see the Rule Attributes section for guidance on what attributes can be used.

  5. Choose a Condition from the dropdown list (e.g. is equal to, starts with, contains).

    dropdown showing the condition options for a new group authorization

  6. Add the desired Attribute value.

  7. The Active checkbox is enabled by default.

  8. Finally, click on the Add button to save the Group Authorization entry you just created.

    Options and fields for specifying a new group authorization
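
The way scope, condition, and the two prerequisite notes under step 3 combine can be modelled as follows. This is an added illustration, not the KB's own code; the attribute name `udds`, the sample values, the permission label `author`, and the treatment of inactive rules as never matching are assumptions.

```python
from dataclasses import dataclass

# The three conditions the page names; the dropdown may offer others.
CONDITIONS = {
    "is equal to": lambda actual, wanted: actual == wanted,
    "starts with": lambda actual, wanted: actual.startswith(wanted),
    "contains": lambda actual, wanted: wanted in actual,
}

@dataclass
class Rule:
    name: str
    scope: str       # "Internal site" or "Document specific"
    attribute: str   # Shibboleth attribute name
    condition: str
    value: str
    active: bool = True

    def matches(self, attrs: dict) -> bool:
        actual = attrs.get(self.attribute)
        # Assumption: an inactive rule never matches.
        if not self.active or actual is None:
            return False
        return CONDITIONS[self.condition](actual, self.value)

def group_match(groups, attrs, rules):
    return any(r.scope == "Document specific" and r.name in groups
               and r.matches(attrs) for r in rules)

def has_internal_access(attrs, rules, perms):
    # Either the "Internal KB" account permission or an "Internal site" rule.
    return "Internal KB" in perms or any(
        r.scope == "Internal site" and r.matches(attrs) for r in rules)

def can_read(read_groups, attrs, rules, perms):
    # Group ReadAccess only works on top of Internal site access.
    return (has_internal_access(attrs, rules, perms)
            and group_match(read_groups, attrs, rules))

def can_write(write_groups, attrs, rules, perms):
    # Group WriteAccess needs an existing account with author permissions.
    return "author" in perms and group_match(write_groups, attrs, rules)

# Constructed sample rules and values (hypothetical attribute name "udds").
RULES = [
    Rule("Dept staff", "Internal site", "udds", "starts with", "A06"),
    Rule("Project team", "Document specific", "udds", "contains", "1234"),
]
```

In the sample, the `contains` rule also matches a value such as `B071234` that the narrower `starts with` rule does not, yet that user still cannot read the document without Internal site access.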

Rule Attributes

Read-only access based on Unit Division Department Sub-department (UDDS) numbers, or any other Shibboleth attribute, can be granted.

Note: For institutions outside of UW-Madison, additional work must be performed to map a specific Shibboleth attribute to the KB for use with Group Authorization. Please contact kb-team@doit.wisc.edu to request a new attribute.

The examples below demonstrate different attributes used for Group Authorization.

group authorization attribute examples with each attribute name circled in red

Updating Group Authorization Scope

Updating an existing Group Authorization rule and changing the Scope dropdown from Document specific to Internal site will result in the following alert:

Popup message confirming the scope change from document specific to internal site

Note that updating a Group Authorization rule's scope to Internal site will remove all document specific read and write access restrictions associated with that rule. If this is not the intended outcome, click OK to dismiss the popup and change the Scope dropdown back to Document specific.

If you wish to experiment with Group Authorization rules but do not wish to remove document specific restrictions, consider changing the attribute name, condition, and value instead, or create a new rule entirely.

Deleting Group Authorization Rules

To delete a Group Authorization rule, click the Delete button corresponding to the desired rule. A dialog window will pop up asking you to confirm that you would like to delete this rule. Note that deleting a Group Authorization rule will remove all read and write restrictions associated with it.

Dialog window shown when deleting a group authorization rule

Click OK to confirm the deletion.

Other Considerations
