Managing Intranet Access
Stanford Sites Intranet allows you to restrict your intranet site to a group or groups of people. This guide describes how to grant access to your intranet.
Access Eligibility
Stanford Sites Intranet access can be granted to anyone with a Basic or Full Service SUNet ID. At this time, we do not support other kinds of user accounts.
Access vs. user accounts
It is a common misconception that creating a user account will provide access to an intranet. Users can have an account on the intranet, and yet still not meet the access conditions, which are described below.
Access is evaluated each time a user logs in. If the user meets a condition, like being in the access workgroup, or having the proper affiliation, they will be let through. This will create a user account, but the account is not what grants them access.
Granting access to your Stanford Sites Intranet
There are several methods for controlling access to your intranet. Stanford Web Services will set up an initial set of access roles when your site is provisioned. However, you may decide to change access rules over time.
Access is controlled via SAML. You can reach the settings by going to Configuration > Users > SAML.
The top portion of the form is NOT used to control access. To control access, you need to go to Login Restrictions, on the lower part of the page.
Configuring Login Restrictions
The Login Restrictions settings allow you to determine who can access your intranet as a whole. These methods can be used alone or in combination. This is an allowed list, not a restricted list. The order of processing is:
- User ID: if the user has a matching SUNet ID, they will be allowed.
- Affiliations: if a user is a member of the chosen affiliations, they will be allowed.
- Workgroups: if a user is a member of the configured workgroups, they will be allowed. Workgroups must be public. Private workgroups can only be used with additional configuration of the workgroup.
If the user does not satisfy any of the three scenarios, they will be denied access. Be sure to configure the settings to allow yourself access in some form; otherwise, you will be denied access on your next login.
Stanford-only access
By default, if no settings exist on the Login Restrictions form, the intranet will be available to anyone with a valid SUNet ID.
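The following is an added example, not code from Stanford Sites: it models the evaluation order and the empty-form default described above, then checks a proposed configuration before it is saved. The class and function names, the sample SUNet IDs and workgroup names, and the email-alias heuristic are all assumptions.

```python
# Hypothetical model of the Login Restrictions form; not the site's own code.
from dataclasses import dataclass, field

@dataclass
class Restrictions:
    users: set = field(default_factory=set)          # Allowed Users (SUNet IDs)
    affiliations: set = field(default_factory=set)   # labels as listed on the form
    workgroups: set = field(default_factory=set)

@dataclass
class Login:
    sunet_id: str
    affiliations: set = field(default_factory=set)
    workgroups: set = field(default_factory=set)

def evaluate(r, login):
    """Return (allowed, reason), checking in the documented order."""
    if not (r.users or r.affiliations or r.workgroups):
        return True, "no restrictions: any valid SUNet ID"
    if login.sunet_id in r.users:
        return True, "user id"
    if r.affiliations & login.affiliations:
        return True, "affiliation"
    if r.workgroups & login.workgroups:
        return True, "workgroup"
    return False, "denied"

def presave_audit(r, admin, account_holders):
    """Findings to review before saving: self-lockout, odd entries, stale accounts."""
    findings = []
    if not evaluate(r, admin)[0]:
        findings.append(f"LOCKOUT: {admin.sunet_id} would be denied on next login")
    # Heuristic (assumption): '@' or '.' suggests an email alias, not a SUNet ID.
    for entry in sorted(r.users):
        if "@" in entry or "." in entry:
            findings.append(f"ALIAS?: '{entry}' does not look like a SUNet ID")
    # An existing account does not grant access; list holders who match no rule.
    for person in account_holders:
        if not evaluate(r, person)[0]:
            findings.append(f"NO ACCESS: {person.sunet_id} has an account but matches no rule")
    return findings

# Constructed sample data: IDs and workgroup names are placeholders.
ADMIN = Login("jdoe", {"Staff"}, {"example:intranet-admins"})
MOVED = Login("asmith", {"Staff"}, set())            # removed from the workgroup
STUDENT = Login("blee", {"Students"}, set())
RULES = Restrictions(users={"jane.doe@stanford.edu"}, workgroups={"example:intranet-users"})
if __name__ == "__main__":
    print("\n".join(presave_audit(RULES, ADMIN, [MOVED, STUDENT])))
```

With the sample rules, the audit reports that the administrator would lock themselves out, because their own workgroup is not on the list and the only Allowed Users entry is an email address.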
Access by affiliation
All SUNet ID holders also have a Stanford affiliation. This is provided via login. You can learn more about these roles here: SAML Affiliation Information.
Using this method for access control is great if you want to restrict access to a broad category of individuals. One common example is an administrative intranet that allows access to Faculty and Staff only.
The affiliations are as follows:
- Affiliate
- Staff
- Students
- Faculty
- Member. This is not currently used.
You can select one of these options, or cmd-click to select more than one. The allowed affiliations will be highlighted.
You can cmd-click a second time if you wish to remove an affiliation from the allowed list.
Access by workgroup
You can also use a workgroup to control access to your site. This is the preferred method for granting more narrow access to your intranet.
Workgroup access is great for organization-level intranets. The workgroup can also be used to control access to the Google Drive used to store documents and to a Google Group for mailing, which is a great way to keep all of your internal communication channels in sync.
The workgroup needs to be an organizational-level workgroup, not a personal workgroup.
To add a workgroup, enter its name in the list and save the form.
You may add as many workgroups as you'd like. If you need to remove one, you can erase it and resave the form.
Access by User ID
You can also add individual SUNet IDs by adding them to the Allowed Users list and then saving the form. You may add as many individual users as you'd like. If you need to remove one, you can erase it and resave the form.
This method is not recommended for adding large numbers of people, but can be helpful when you need to give someone outside of your main workgroup access to the site.
Please ensure that you are adding their actual SUNet ID. If in doubt, you can look it up in the Stanford-Only view for StanfordWho. Email aliases will not work and may interfere with the Login Restrictions as a whole.
Removing access
Individuals with deactivated SUNet IDs will not be able to access the site. However, sometimes someone will change jobs within the University. In these cases, you will need to either remove them from the workgroup via the Workgroup Manager, or delete their SUNet ID from the list of Allowed Users.
If the user had accessed the site previously, they will still show up on your list of user accounts for the site. This is fine. Having a user account, as mentioned above, does not grant access to the site.