Access Restriction

On any site, section, or page you have the ability to require CAS sign-in and specify who can view the content. You can easily restrict pages to broad groups like students or employees, but you can also get more granular and use GRO groups or even specific Net IDs.

If you need to know how to add or remove access to edit pages, see the User Permissions article.

You can create variations of pages that appear for specific groups rather than just limiting access. This is found under Audiences in the administration menu. If you would like to use this feature, contact websites@byu.edu for assistance.

Most of the setup options for access restriction are covered in the access restriction video training and instructions below. They include how to create a site authentication manager with the correct settings to connect to BYU CAS, as well as the specific settings that control who can view content.

Access Restriction Video Training

Site Authentication

This will connect your Brightspot site with CAS and allow the site to receive data about who is signed in. This must be configured before more tailored access restriction settings can be enabled.

You can follow the below steps to set up site authentication for your website:

Image of the Brightspot Authentication settings page.

  1. Open the Sites and Settings tab in the Admin section of the hamburger menu in the top left corner. If you cannot access this menu, contact your website administrator.
  2. Click on the Front-End tab.
  3. At the top of the page, make sure the Site Group is set to BYU-Provo.
  4. Scroll down to the Authentication menu and open it.
  5. Change Authentication Settings to "Set:"
  6. Click the + button to add an Authentication Manager, then select the magnifying glass next to the resulting menu. The search window will appear, but there will likely be no authentication manager to choose.
  7. In the bottom left of that window, under Create, make sure the dropdown says BYU, then click the New button.
  8. In the resulting page, add a name for the authentication manager.
  9. Choose (or create) landing pages as desired.
    1. Authenticated Landing Page is where someone will be directed as soon as they sign in.
    2. Unauthenticated Landing Page is where someone will be directed as soon as they sign out. It will also be visible to anyone who visits the site.
  10. Click the link in the top left Back to Select Authentication Settings → Authentication Managers to close the page.
  11. Click the name of the Authentication Manager that you just created, and close the window.
  12. You should now see your Authentication Manager under Authentication Managers in the Edit Site page.
  13. Click Save.

Add a Login Button

After configuring site authentication, CAS login functionality can be enabled by following the below steps:

  1. Open the Sites and Settings tab in the Admin section of the hamburger menu in the top left corner.
  2. Select the Page Defaults tab and scroll until you find the Header option. You can also find this setting by searching Header in the search bar underneath the bell icon.
  3. Scroll until you find the setting labeled Sign In Enabled and select the Override option in the dropdown menu. By default, it is set to Inherit.
  4. Once Override has been selected, a toggle switch will appear. Click on the toggle to activate it.
  5. After making the changes, scroll to the bottom of the page.
  6. At the bottom, you will find a Save button. Click on it to save the modifications you made to the header settings.

Once this setting has been enabled, a new Sign In button will appear in your website header. Clicking this button will take you to a CAS login page, and after login the name of the current user will be displayed in place of the Sign In button.

Image of the website header with the Sign In button.

Authentication Before Launch

Note that enabling site authentication before launch will make your content accessible only from the Brightspot editor. You can disable this setting before site launch by following the below steps:

  1. Open the Page Defaults tab in the Sites and Settings menu.
  2. Open the Authorization section.
  3. Click the dropdown and choose Inherit.
  4. Click the Save button at the bottom of the page.

If you previously created an authentication manager, this will not be deleted when Authorization is set to Inherit. Once your site is live, you can follow the previous steps for creating an authentication manager to reenable login.

Site Authorization

Once site authentication has been configured, authorization settings define which signed-in users have permission to view content on your site. You can set up different access levels for different parts of your site.

Limit Access by Net ID

You can specify that certain Net IDs always have access. This will override any other settings. It works well for allowing certain people access who would not otherwise be in an allowed group or category (developers, testers, secretaries, etc). This setting should be used carefully and regularly audited, since the people listed here will retain access even after they are no longer in a particular position.

Image of Brightspot Authorization Settings page.

Limit Access by Access Category

Brightspot has default access categories that limit access to site or page content. These options are explored below:

  • All (both authenticated and non authenticated can access) allows any user to access your content, regardless of whether they are logged in.
  • All (users with valid login) requires only that someone have a Net ID and sign in. This includes all students, alumni, employees, former employees, and anyone else who has signed up for a Net ID. Note that anyone can create a Net ID for free, so this setting is functionally similar to the previous one.
  • Students Only (no access for Employees) includes all active, eligible-to-register students.
  • Employees Only (no access for Students) includes all university employees that are not students (faculty, staff, and admin).
  • Only Students or Employees (no access for other users) includes all current students and university employees.
  • Specified Users Only (no access unless listed under "Specified User NetIds") blocks access for all individuals not listed on the manual access list. If you only want certain users to have access, choose this option.

Limit Access by GRO Group (SAML Access Group)

If an Access Category has been set, you can further limit access to users who are in a BYU GRO group. Brightspot calls these SAML access groups, but both terms refer to groups managed at gro.byu.edu. These groups can include anyone with a Net ID. Group membership can be set to expire on a certain date, which helps automate the removal of members who no longer need access after a time.

Before a group can be added to the list, Brightspot must be configured to recognize that group. You can email websites@byu.edu to have a group added. Once the group has been added, you should see it listed on the New BYU Provo SAML Access page.

To configure SAML Access Groups, you can follow the below steps:

  1. Click the plus button under the SAML Access Groups heading.
  2. If there is already a defined group that meets your access criteria, select this group. Otherwise, select Create New in the dropdown menu.
  3. In the resulting group creation window, specify a Title for your group. This is useful for identifying which GRO groups are associated with a particular SAML Access Group.
  4. Below the list of GRO groups currently in Brightspot, click the plus button to specify which of the listed GRO groups should be granted access to your content. Note that only groups that are already in this list will be usable. If you would like a new GRO group added to the list, please contact websites@byu.edu.
  5. Once all relevant GRO groups have been added, click the Save button in the upper right corner and verify that your new SAML Access Group appears in the dropdown menu.

Create a New Authorization Manager

Authorization Managers are where Brightspot filters access by Net ID, access category, and SAML groups. If there are no Authorization Managers on your website, or if you would like to set up a new one, you can follow the below steps:

  1. Open the Sites and Settings tab in the Admin section of the hamburger menu in the top left corner.
  2. Select the Page Defaults tab and scroll until you find the Authorization option. You can also find this setting by searching Authorization in the search bar underneath the bell icon.
  3. In the dropdown menu, choose the Override option and click the magnifying glass option next to the AuthorizationSettings menu.
  4. In the search window that appears, under Create, click the dropdown and choose BYU Authorization Settings.
  5. Click New.
  6. Give your authorization settings a name. It is helpful to name it based on who will have access (e.g. "Faculty/Staff" or "Students").
  7. Choose or add an Access Denied page if you would like one. This is helpful to let people know they've come to a section they don't have permission to view.
  8. If only specific people should access the content, or if specific people should have access in addition to the other groups you specify here, add their Net IDs under Specified User NetIds.
  9. Select an Access Category for your website based on the needs of your users.
  10. If you have a GRO group where your users are defined, you can specify this group under SAML Access Groups. Note that only GRO groups that have been added to Brightspot are usable when creating a new SAML Access Group.
  11. When your Authorization Manager has been configured to your liking, click Save.
  12. Click the Back link at the top of the page.
  13. In the select window, click the name of the Authorization Settings you just created. The window will close.
  14. If you are editing site default settings, click Save. If you are editing page or section overrides, click Publish or Save.

Site Access Restriction

To configure access restriction settings for your entire website, follow the steps below:

  1. Open the Sites and Settings tab in the Admin section of the hamburger menu in the top left corner.
  2. Select the Page Defaults tab and scroll until you find the Authorization option. You can also find this setting by searching Authorization in the search bar underneath the bell icon.
  3. Under Authorization - If not set all users will have access, change the dropdown to say Override.
  4. Choose an Authorization Manager. If you don't have one set up already, see the previous steps under Create a New Authorization Manager. If you do have one or more authorization managers, they will be listed in the dropdown and can be used anywhere on the site.

Section or Page Access Restriction

Access to specific pages or sections of your site can be further configured using the below steps:

  1. Open the section or page in the editor interface.
  2. Open the Overrides tab.
  3. Open the Authorization section.
  4. Under Authorization - If not set all users will have access, change the dropdown to say Override.
  5. Choose an Authorization Manager. If you don't have one set up already, see the previous steps under Create a New Authorization Manager. If you do have one or more authorization managers, they will be listed in the dropdown and can be used anywhere on the site.

Access Hierarchy

When a user has successfully logged into a Brightspot site or page that has an Authorization Manager configured, Brightspot determines whether the user can access that content in the following order:

  • If the user's Net ID is included in the Specified User Net Ids list, they are granted access to the page even if they are not included in the access category or SAML group checked later.
  • If the user's Net ID has not been specified, Brightspot checks whether the user is included in the Access Category for the site.
  • If the user is included within the Access Category, Brightspot then checks whether the user is a member of any of the listed SAML Access Groups. Note that a user who is not included within the Access Category will not be able to access the page, regardless of whether they are included in a listed SAML access group.

Advanced Settings

Access categories and SAML groups allow for tailored access to site content, but sites, sections, or pages may also need further restrictions on who can access them. The Advanced tab provides Additional Access criteria for this purpose.

One important thing to note is that employee access in the Access Category on the main tab is not limited to active employees by default. You should use the Standing Codes section here to add that limit.

  • Department IDs are 4-digit codes used by department controllers. They are also used in university APIs to identify departments. If you enter one or more department IDs here, only employees of those departments will be allowed access.
  • Classification Codes are 3-letter codes that define employee classifications (Faculty, Administrative, Staff, Student, etc). The Access Category on the main tab does not restrict by classification, so restrictions can be added here if needed.
  • Status Codes are 2-letter codes that define an employee's status (full-time, part-time, contract, on-call, special, temporary). The Access Category on the main page allows all valid status codes. They can be further restricted here.
  • Standing Codes are 3-letter codes that define an employee's current standing (active, retired, etc). The Access Category on the main page allows all standing codes. If you want to limit to only active employees, add the code ACT to this section.
  • Retired employees are not included by default in employee categories, but they can be included by toggling the Retired Employee switch.
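The following Python model is an added example, not Brightspot's code: it walks through the three-step Access Hierarchy above together with the Advanced tab's Standing Codes limit, so a site owner can reason about what a given Authorization Manager configuration would allow. The class, field and category names, the sample codes, and the point at which the Advanced filter is applied are assumptions.

```python
from dataclasses import dataclass
# Constructed model of the access hierarchy this page describes. Category names,
# field names and sample codes are assumptions, not Brightspot's own identifiers.

@dataclass(frozen=True)
class User:
    net_id: str
    is_student: bool = False
    is_employee: bool = False
    standing_code: str = ""                  # Advanced tab: e.g. "ACT" = active
    gro_groups: frozenset = frozenset()      # GRO groups the user belongs to

@dataclass(frozen=True)
class AuthorizationManager:
    access_category: str                          # one of the six categories
    specified_net_ids: frozenset = frozenset()    # Specified User NetIds
    saml_access_groups: frozenset = frozenset()   # GRO groups granted access
    standing_codes: frozenset = frozenset()       # Advanced tab; empty = no limit

def in_access_category(user, category, standing_codes):
    # Employee status counts only if it passes the Standing Codes limit (if any).
    employee = user.is_employee and (not standing_codes or user.standing_code in standing_codes)
    return {
        "all": True,
        "valid_login": True,                           # any signed-in Net ID
        "students_only": user.is_student,
        "employees_only": employee and not user.is_student,
        "students_or_employees": user.is_student or employee,
        "specified_users_only": False,                 # only the Net ID list grants access
    }[category]

def can_access(user, mgr):
    # Unauthenticated visitors (user is None) only get through the "all" category.
    if user is None:
        return mgr.access_category == "all"
    # 1. A listed Net ID overrides every other setting.
    if user.net_id in mgr.specified_net_ids:
        return True
    # 2. Access Category, with the Standing Codes limit applied to employee status
    #    (the page does not say where the Advanced filters sit; this placement is an assumption).
    if not in_access_category(user, mgr.access_category, mgr.standing_codes):
        return False
    # 3. SAML Access Groups narrow access further only when at least one is listed.
    if mgr.saml_access_groups and not (user.gro_groups & mgr.saml_access_groups):
        return False
    return True

def audit(mgr, users):
    """Net IDs a manager grants access to, for the regular review the page recommends."""
    return sorted(u.net_id for u in users if can_access(u, mgr))
```

Running audit over the known user population is one way to carry out the periodic review of Specified User NetIds that the Limit Access by Net ID section calls for.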

A list of employee types and statuses can be found at this link.