Skip to content Skip to site navigation

How to Restrict Access to Webpages Using Workgroups

Protecting websites with Shibboleth (mod_shib)

If your web server uses Shibboleth (mod_shib) for authentication, you can restrict resources to individuals in specific workgroups by using a special file called .htaccess.

  1. Using a text editor, create a plain text file named .htaccess (note the dot before the name).
  2. Enter the following lines in the file:
    AuthType shibboleth
    ShibRequestSetting requireSession true
    Require shib-attr entitlement helpdesk:consultants helpdesk:managers
    List all the workgroup names you want to include on the same line, separated by a space.
    Enter the complete workgroup name (stem:id), including the tilde (~) for personal workgroups, and end with a blank line.

    Please Note: The configuration above does not work with websites hosted on web.stanford.edu. If you are hosting on web.stanford.edu, see below for instructions on how to protect your website with WebAuth.
     
  3. Transfer the file to the directory you want protected (using Fetch, Dreamweaver or any other file-transfer method).
  4. When anyone attempts to access the directory containing this .htaccess file, they'll be asked to login via Weblogin. Only members of the workgroup you have entered in the .htaccess file will be given access to the directory.

Protecting websites with WebAuth

If your web server uses WebAuth for authentication, you can restrict resources to individuals in specific workgroups by using a special file called .htaccess. Note: WebAuth is deprecated, but is currently the only supported way to restrict access on the central web servers (i.e. web.stanford.edu).

  1. Using a text editor, create a plain text file named .htaccess (note the dot before the name)
  2. Enter the following lines in the file:​

    AuthType WebAuth
    require privgroup helpdesk:consultants helpdesk:managers
    
    List all the workgroup names you want to include on the same line, separated by a space. Enter the complete workgroup name (stem:id), including the tilde (~) for personal workgroups, and end with a blank line.
  3. Transfer the file to the directory you want protected (using Fetch, Dreamweaver or any other file-transfer method).
  4. When anyone attempts to access the directory containing this .htaccess file, they'll be asked to login via Weblogin.
  5. Only members of the workgroup you have entered in the .htaccess file will be given access to the directory.

System-maintained groups

There is a set of system-maintained privgroups and workgroups.

These privgroups can be used in a .htaccess file:

stanford:faculty includes regular faculty, emeritus faculty, faculty on leave, incoming faculty, faculty affiliates, and other teaching faculty; 
does not include nonactive faculty
stanford:staff includes regular staff, academic staff, staff on leave, emeritus staff, and other teaching staff; 
does not include casual staff (less than 50% time), temporary staff (less than a 6-month appointment), affiliate staff, Medical Center staff (sumc), retired staff, student staff or nonactive staff
stanford:student includes regular students, students on leave, and MLA students;
does not include NDO (non-degree option) students, incoming students, contingent students, students not registered, recent students, or nonactive students
stanford:stanford union of faculty, staff, and student groups above
stanford:academic faculty and student groups above, plus NDO (non-degree option) students, retired faculty, and academic staff
stanford:administrative faculty and staff groups above, plus retired faculty, casual staff (less than 50% time), temporary staff (less than a 6-month appointment), and sponsored affiliates (anyone sponsored for a full or base SUNet ID)
Last modified April 26, 2021