With group permissions, you can further restrict access to only certain groups of users. This works by defining an attribue for LibAuth to check and providing a list of allowed values. Here are some examples:
- Restrict to a specific type of user: for example, if you have an attribute called "type", you could tell LibAuth to only allow users with a type of "faculty"
- Restrict users in a specific department (such as the library): similar to the above, perhaps you have an attribute called "department". You could tell LibAuth to only allow users with a department of "library".
- Restrict to specific users by ID or email: if you want to allow access to a specific set of users, but they don't belong to a subgroup in your SSO, you can tell LibAuth to only allow users with a specific ID, email address, or similar identifier. This can be done when adding your group permission by:
- Uploading a CSV file of allowed values, or
- Providing a URL to a hosted CSV file (recommended if you update the list of users regularly)
You can currently create group permissions for the following authentication types:
Each group you create can check one or more attributes from your authentication system. If a user meets one of the allowed values, then authentication will be successful.
With the above configuration types, you can also use group permissions with the LibApps Login feature. This would allow you to let only certain groups to use LibAuth to log into their LibApps accounts.
Getting to your LibAuth settings
LibApps admin users can add & manage LibAuth configurations and group permissions within LibApps.
- From the LibApps Dashboard, go to Admin > LibAuth Authentication.
- Click on the Edit () icon in the Action column for the configuration you want to manage.
- Click on the Group Permissions tab.
- Click on the Add Group button.
- Give your group a descriptive name.
- Enter the name of the first attribute you want to check against. Your IT staff can provide you with the name of specific attributes in your authentication system.
- Enter one or more acceptable values for that attribute (one per line). Again, your IT staff can provide you with the names of allowed values for a particular attribute.
- Alternatively, click on the Select CSV button to upload a CSV file containing the allowed values. This CSV file should contain a single column, with one value per line.
- You can also specify the URL of a hosted CSV file, instead of uploading it.
- To add additional attributes to this rule, click the Add Attribute button and repeat Steps 3-4.
- An attribute only needs to have one of the listed Allowed Values to pass.
- IMPORTANT: if you assign multiple attributes to a rule, each one must contain an allowed value to pass.
- Save your changes.
Managing group permissions
- To verify that your group is working as expected, click on the Test Group button.
- You will then be prompted to sign in to your authentication system.
- Once you're signed in, you'll be presented with debug info confirming whether or not you met the group requirement.
- To modify your group's configuration, click on the Edit Group button.
- To permanently remove a group, click on the Delete Group button.
Group permissions & LibApps logins
If you'd like, you can allow users to log into their LibApps accounts using LibAuth, in addition to using their LibApps username & password. To set this up, edit your configuration and click on the LibApps Login tab.
When enabled, users will be given the option to use either their LibApps username & password or LibAuth to log into their LibApps accounts. For a login to be successful, keep in mind the following:
- The user must already have a LibApps user account (i.e. LibAuth will not create a new account if one does not exist).
- The email address returned by your authentication system to LibAuth must match the email address of the user's LibApps account.
You can also restrict the LibApps Login feature to a specific group of users. Simply select the group permission rule from the LibAuth Group dropdown.
For example, if you have a group permission rule that will only allow logins from specific library staff members, you could select that group here to restrict the LibApps Login feature to those users.