Skip to main content Skip to secondary navigation

Workgroup Mapping and User Roles

Main content start

Workgroup role mapping allows you to easily maintain site editing permissions by assigning a user role to an entire workgroup.

These instructions also apply to custom Stanford Sites Intranet roles.

What’s a workgroup?

A Stanford workgroup is a list of members in a group, identified by their SUNet IDs, and given a name that uniquely identifies it. A workgroup may also contain subgroups — other workgroups identified by their name.

Note: For the purposes of mapping Workgroups to Drupal roles, Workgroup administrators will receive the role regardless of whether they are explicitly listed as members of the Workgroup.

Stanford workgroups come in two flavors: 

  1. Organization workgroups owned and managed groups of people in departments, divisions, or projects (e.g., its:directors, gsb:affiliates, helpdesk:consultants)
  2. Individual workgroups owned and managed by individuals (e.g., ~jdoe:book_exchange)

Learn more about Stanford workgroups.

Where do I go to create or manage workgroups?

All Stanford community members with active SUNet IDs are able to create personal workgroups with their ~sunetid stem. To add members to an existing workgroup, you must be an administrator of that workgroup. To create a group with an organizational stem, you must be a designated maintainer for that stem. Log in to Workgroup Manager.

Learn more about creating and managing workgroups.

How can I use workgroups?

You can use workgroups to assign editing rights for your website through role mapping. We recommend using organizational workgroups for continuity as staffing changes.

The editing roles for a new site include:

  • Contributor
  • Site Editor
  • Site Manager

Only Site Managers can assign roles. Stanford Sites has set permissions for each of these roles to support a consistent editing experience across websites. It is not possible to create new roles unique to your site or modify permission for these roles.

Learn more about managing user accounts.

Set up workgroup role mapping

  1. From the admin menu bar, navigate to Configuration > Users> SAML.
  2. Select the Role, enter the Workgroup, then click Add Mapping button:

Role(s) are assigned automatically to people who log in via Web Login with their SUNetID, based on their workgroup membership(s).

When adding a new workgroup group role mapping, logged-in users will need to log out and back in again to receive the new role.

Workgroup integration preferences

You have two options for determining how often the workgroup is checked

Grant new roles only

This option is good for site owners who want to have the convenience of a workgroup(s) for quickly granting roles, but who also may want to grant  a role to users who are not in the workgroup(s) manually. The user will be assigned the role when they first log in. If they are later removed from the workgroup, they will still continue to have the role. 

Re-evaluate all roles on every login

This option is good for site owners who want to rely on their workgroup(s) as the single place for granting roles. Workgroup membership is evaluated during each login. If a user is no longer in the workgroup, the role will be removed. 

This method is not compatible with manually granting roles. If this method is selected, any users not in the mapped workgroup(s) would have their roles removed at login.

Removing access

If you are using the Grant new roles only option, you will need to remove them from the workgroup AND remove the role from from their user account.

If you are using the Re-evaluate all roles on every login option, you only need to remove them from the workgroup. When they next try to log in, they will be denied access.

Roles for page access on intranets

In addition to the editing roles mentioned above, sites on the Stanford Sites Intranet platform can have custom roles used to control access to individual pages on the intranet.  The roles are added by Stanford Web Services when your site is built or can be created later. These roles can be assigned to individual users, or you can use the same role-mapping technique listed above with a workgroup.

If you have a Stanford Sites intranet and need help with roles, contact SWS for assistance.

Related Topics