Access Restriction

On any site, section, or page you have the ability to require CAS sign-in and specify who can view the content. You can easily restrict pages to broad groups like students or employees, but you can also get more granular and use GRO groups or even specific Net IDs.

If you need to know how to add or remove access to edit pages, see the User Management article.

You can create variations of pages that appear for specific groups rather than just limiting access. This is found under Audiences in the administration menu.

Most of the setup options for access restriction are covered in the access restriction video training and instructions (click the button below to get there). It includes information on how to create a site authentication manager with the correct settings that connect to BYU CAS, as well as specific settings for who should be able to view content.

Access restriction setup instructions

Access options explained

When setting up authorization for a site, section, or page you'll need to specify who should be allowed to view the content.

Limit access by category (i.e. student or employee)

This is the broadest way to limit access.

• All (both authenticated and non-authenticated users can access) is the default setting, which is the same as having no access restrictions at all.
• All (users with valid login) requires that someone have a BYU Net ID and be signed in with CAS. This does not prevent former students and employees from having access—it essentially still allows access if they're willing to sign up for a BYU Net ID (which anyone can do).
• Student access includes only those students who are currently active and eligible to register for classes.
• Faculty access should more appropriately be labeled Employee, since it allows anyone who is a BYU employee to have access. It includes full-time, part-time, contract, on-call, special, and temporary employees. Note that it does not limit access to current employees by default. That can be added in the Advanced tab (outlined below).

One of these items should be chosen if GRO groups or other advanced settings are used. It will act as an initial filter, with the GRO group or other settings applied as an additional filter.

Further limits under the Advanced tab

The Access Category is a good start, but sites, sections, or pages may also need additional specifications for who can access them. The advanced tab gives Additional Access criteria that can be extremely helpful.

One important thing to note is that employee access in the Access Category on the main tab is not limited to active employees by default. You should use the Standing Codes section here to add that limit.

• Department IDs are 4-digit codes used by department controllers. They are also used in university APIs to identify departments. If you enter one or more department IDs there, only employees of those departments will be allowed access.
• Classification Codes are 3-letter codes used to define employee classifications (Faculty, Administrative, Staff, Student, etc). The Access Category on the main page does not make any limitations on that, so they can be added here if needed.
• Status Codes are 2-letter codes that define an employee's status (full-time, part-time, contract, on-call, special, temporary). The Access Category on the main page allows all valid status codes. They can be further restricted here.
• Standing Codes are 3-letter codes that define an employee's current standing (active, retired, etc). The Access Category on the main page allows all standing codes. If you want to limit to only active employees, add the code ACT to this section.

Limit access by GRO Group (SAML Access Group)

If you have the Access Category set, you can further limit access to users that are in a BYU GRO group. Brightspot calls these SAML access groups, but both terms refer to groups managed at gro.byu.edu. These groups can include anyone with a Net ID. Group members' access can be set to expire on a certain date, which can help you to automate security by removing members who no longer need access after a time.

When adding a new group to the list, Brightspot must be configured to recognize that group first. You can email websites@byu.edu to add a group to the list. Once it's added you should see it listed on the New BYU Provo SAML Access page.

Limit access by Net ID

You can specify that certain Net IDs always have access. This will override any other settings. It works well for allowing certain people access who would not otherwise be in an allowed group or category (developers, testers, secretaries, etc). This setting should be used carefully and regularly audited, since the people listed here will retain access even after they are no longer in a particular position.

Adding a Sign-In Button

To add a sign-in button to the top right of your site's header, follow these steps:

1. Go to "Sites and Settings".
2. Within the settings, locate and click on the "Page Defaults" tab.
3. Scroll down until you see the "Header" dropdown and open it.
4. In the dropdown, you will find an option called "Sign-in Enabled." By default, it is set to "Inherit".
5. To override this setting and enable the sign-in button specifically for the header, change the option from "Inherit" to "Override" by selecting it.
6. Once you have chosen "Override," a toggle switch should appear. Click on the toggle to activate it.
7. After making the changes, scroll to the bottom of the page.
8. At the bottom, you will find a "Save" button. Click on it to save the modifications you made to the header settings.

Setting up access restrictions before a site has launched

Brightspot is currently configured only to support access restriction on production websites. If you set up the access restrictions as outlined above or in the tutorial, the pages will no longer be viewable at the pre-launch test URL. If you need to set up access restriction upon site launch, you can work with the Brightspot support team (websites@byu.edu).