Stanford
Stanford Sites User Guide

Grant or Remove Intranet Access

Stanford Sites Intranet allows you to protect your intranet site to a group or groups of people. This guide describes how to grant access to your intranet. 

This guide assumes you are on a Stanford Sites Intranet (not a public site) and that you are a Site Manager.

Set up access rules to grant access

Stanford Web Services will set up an initial set of access roles when your site is provisioned. You may change access rules at any time. 

There are several methods for controlling access to your intranet. 

Access is controlled via SAML. You can reach the settings by going to Configuration > Users > SAML

 

The top portion of the form is NOT used to control access. To control access, you need to go to Login Restrictions, on the lower part of the page.

Stanford-only access

By default, if no settings exist on the Login Restrictions form, the intranet will be available to anyone with a valid SUNet ID.

Configure Login Restrictions

If you wish to narrow access, you can use Login Restrictions settings allow you to determine who can access your intranet. These methods can be used alone or in combination.  This is an allowed list, not a restricted list. The order of process is:

  1. User ID: if the user has a matching SUNetID, they will be allowed.
  2. Affiliations: if a user is a member of the chosen affiliations, they will be allowed.
  3. Workgroups: If a user is a member of the configured workgroups, they will be allowed. Workgroups must be public. Private workgroups can only be used with additional configuration of the workgroup.

If the user does not satisfy any of the three scenarios, they will be denied access. Be sure to configure the settings to allow yourself access in some form, otherwise on your next login, you will be denied access.

Watch a quick video that demonstrates how to control access

Learn more about Login Restrictions

Access by affiliation

All SUNet ID holders also have a Stanford affiliation. This is provided via login. You can learn more about these roles here: SAML Affiliation Information.

Using this method for access control is great if you want to restrict access to a broad category of individuals. One common example is an administrative intranet that allows access to Faculty and Staff only.

The affiliations are as follows:

  • Affiliate
  • Staff
  • Students
  • Faculty
  • Member. This is not currently used.

You can select one of these options, or cmd-click to select more than one.  The allowed affiliations will be highlighted.

You can cmd-click/ctrl-click a second time if you wish to remove an affiliation from the allowed list.

Access by workgroup

You can also use a workgroup to control access to your site. This is the preferred method for granting more narrow access to your intranet.

Workgroup access is great for organization-level intranets. The workgroup can also be used to control access to the Google Drive to store documents and to a Google Group for mailing, which is a great way to keep all of your internal communication channels in synch.

The workgroup needs to be an organizational level workgroup, not a personal workgroup.

To add a workgroup to the list, simply enter the name of the workgroup to the list and save the form.

You may add as many workgroups as you'd like. If you need to remove one, you can erase it and resave the form.

Please note: Workgroup admins will also get access

Access by User ID

You can also add individual SUNet IDs by adding them to the Allowed Users list and then saving the form. You may add as many individual users as you'd like. If you need to remove one, you can erase it and resave the form.

This method is not recommended for adding large numbers of people, but can be helpful when you need to give someone outside of your main workgroup access to the site. 

Please ensure that you are adding their actual SUNet ID. If in doubt, you can look it up in the Stanford-Only view for StanfordWho. Email aliases will not work.

 

Remove access

Individuals with deactivated SUNet IDs will not be able to access the site. However, individuals who change jobs in the University will retain their SUNet IDs. In these cases, you will need to either remove them from the workgroup via the Workgroup Manager, or delete their SUNet from the list of Allowed Users. 

If the user had accessed the site previously, they will still show up on your list of user accounts for the site. This does not grant access to the site.