In Winter Quarter, ITSS made a change to SUNet ID sponsorship policy that makes it easy for regular Stanford faculty or staff to sponsor a base SUNet ID for anyone with a legitimate business need for network identification credentials or basic SUNet services. (You can find out more about this at http://itss.stanford.edu/services/sponsorship.) The change does, however, spotlight the fact that SUNet IDs are not limited to faculty, staff and students, which may require web sites providing Stanford services to limit access to those services using a finer filter than the basic WebAuth requirement of a SUNet ID.
So, for instance, you may be providing an online web service licensed for use only by Stanford faculty, staff and students. If you restrict access to the web site using basic Stanford Web Authentication (or WebAuth as it's known casually), anyone with a SUNet ID can use your web site, meaning access to your service is available not just to faculty, staff and students, but also to hundreds of consultants, contractors, non-registered students, recent students, NDO (non-degree option) students, and others.
How to Change Access Limits
If this is an issue for your web site, there is an easy solution that works perfectly in many situations, again using WebAuth. With WebAuth, it's easy to be more restrictive, limiting web site access to broad subsets of the Stanford community, based on an individual's official status.
The 6 available subsets, called "system privilege groups" (privgroups), are
- stanford:students
- stanford:faculty
- stanford:staff
- stanford:stanford - a combination of #1, 2 & 3
- stanford:academic - more or less a combination of #1 and 2
- stanford:administrative - more or less a combination of #2 and 3.
With WebAuth, you restrict a web site to SUNet ID holders by creating an AFS file named ".htaccess", whose content looks like this:
AuthType WebAuth
To request the further limitation by a system privgroup, you simply add a line naming the desired privgroup:
AuthType WebAuth
require privgroup stanford:stanford
Under that example, the person surfing the web must not only be authenticated as a Stanford user (via SUNet ID and password, which the first line demands) but then must also be a member of the students, faculty or staff privgroups.
Create Your Own Privgroups
You can instantly create your own privgroups of specified SUNet ID holders to give the members of that group access to restricted portions of your personal Stanford web site. Departments can do the same for their web space, though they may face an initial step that requires some setup by ITSS.
For More Information
More information about privgroups, including detailed definitions of the six system privgroups, is available at:
http://itss.stanford.edu/services/workgroup/
And for details on creating an htaccess file for use with WebAuth, see:
