Stanford
Stanford Sites User Guide

Workgroup Mapping and User Roles

Workgroup role mapping allows you to easily maintain site editing permissions by assigning a user role to an entire workgroup.

What’s a workgroup?

A Stanford workgroup is a list of members in a group, identified by their SUNet IDs, and given a name that uniquely identifies it. A workgroup may also contain subgroups — other workgroups identified by their name.

Note: For the purposes of mapping Workgroups to Drupal roles, Workgroup administrators will receive the role regardless of whether they are explicitly listed as members of the Workgroup.

Stanford workgroups come in two flavors: 

  1. Organization workgroups owned and managed groups of people in departments, divisions, or projects (e.g., its:directors, gsb:affiliates, helpdesk:consultants)
  2. Individual workgroups owned and managed by individuals (e.g., ~jdoe:book_exchange)

Learn more about Stanford workgroups.

Where do I go to create or manage workgroups?

All Stanford community members with active SUNet IDs are able to create personal workgroups with their ~sunetid stem. To add members to an existing workgroup, you must be an administrator of that workgroup. To create a group with an organizational stem, you must be a designated maintainer for that stem. Log in to Workgroup Manager.

Learn more about creating and managing workgroups.

How can I use workgroups?

You can use workgroups to assign editing rights for your website through role mapping. We recommend using organizational workgroups for continuity as staffing changes.

The editing roles for a new site include:

  • Contributor
  • Site Editor
  • Site Manager

Only Site Managers can assign roles. Stanford Sites has set permissions for each of these roles to support a consistent editing experience across websites. It is not possible to create new roles unique to your site or modify permission for these roles.

Learn more about managing user accounts.

Set up workgroup role mapping

  1. From the admin menu bar, navigate to Configuration > Users> SimpleSAML.
  2. Select the Role, enter the Workgroup, then click Add Mapping button:
Screenshot illustrating how workgroup mapping to set up user roles

Role(s) are assigned automatically to people who log in via Web Login with their SUNetID, based on their workgroup membership(s).

When adding a new workgroup group role mapping, logged-in users may need to log out and back in again to receive the new role.

Removing access

Workgroup mapping is only for adding a role. When a user logs in, it will add a role if they are in the workgroup. If they have been removed from the workgroup, you will still need to remove the role manually.

Roles for page access on intranets

In addition to the editing roles mentioned above, sites on the Stanford Sites Intranet platform can have custom roles used to control access to individual pages on the intranet.  The roles are added by Stanford Web Services when your site is built or can be created later. These roles can be assigned to individual users, or you can use the same role-mapping technique listed above with a workgroup.

If you have a Stanford Sites intranet and need help with roles, contact SWS for assistance.

Related Topics