Carnegie Mellon University

CMU Web

A service provided by the University CMS Team

Restrict Access

Parts or all of a CMS site can have access restricted if it contains content that should be viewed by select website visitors only. This is accomplished using an .htaccess file which is placed within a specified folder; the folder becomes restricted to only those specified in the .htaccess file.

Site owners and managers are not exempt from .htaccess file restrictions. Be sure to include the site owners and managers so that they may access the protected pages.

This restriction method requires a website visitor to have an Andrew ID to gain access to a restricted area. Other services, such as CMU Box or G Suite, are available to provide restricted information to those without an Andrew ID.

Create the .htaccess File

  1. Select the folder in the asset tree you want to restrict
  2. Click Add Content > File
  3. For File Name enter .htaccess; leave all other settings at the default or leave blank
  4. Submit to save
  5. Click Edit to edit the .htaccess file
  6. Scroll to the text editor and copy and paste the appropriate snippet of code from below. There are three options (the third, restricting by Grouper group, is described under Using Grouper below):

To allow anyone with an Andrew ID:

AuthType Shibboleth
<limit POST GET OPTIONS>
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
ShibRequestSetting redirectToSSL 443
require shib-user ~ ^.+@andrew.cmu.edu$
</limit>

To allow specific individuals only:

AuthType Shibboleth
<limit POST GET OPTIONS>
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
ShibRequestSetting redirectToSSL 443
require shib-user ~ ^juser1@andrew.cmu.edu$
require shib-user ~ ^juser2@andrew.cmu.edu$
require shib-user ~ ^juser3@andrew.cmu.edu$
</limit>

When copying and pasting the example above, replace each juserN@andrew.cmu.edu placeholder with the individual's actual Andrew email address (all lowercase, with the full @andrew.cmu.edu domain).

Tip: You may add comments between entries. Begin each comment on a new line and start it with a hash sign (#). Comments are useful for recording the person's full name, as shown in the example below, or for dividing individuals into groups to keep your list organized.

# Joe User
require shib-user ~ ^juser1@andrew.cmu.edu$
# Jane User
require shib-user ~ ^juser2@andrew.cmu.edu$
# Jesse User
require shib-user ~ ^juser3@andrew.cmu.edu$

IMPORTANT: Other email variations such as @cmu.edu, @department.cmu.edu and external email addresses will not work; each entry must be formatted as juser@andrew.cmu.edu.

The .htaccess file should include the Andrew email addresses of the project sponsor and lead, as well as the site managers.
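The address rules above (all lowercase, the full @andrew.cmu.edu domain, one anchored ^...$ pattern per person, and the project sponsor, lead and site managers all present) are easy to get wrong when a long list is edited by hand. The checker below is an added example written for this page; it is not part of the CMS documentation or the CMS team's tooling. It reads an .htaccess file, collects the individuals and Grouper groups it grants access to, and reports every entry that breaks one of those rules. The sample file, the juserN names, jsponsor and the group-name group are constructed placeholders, and the assumption that an Andrew ID consists of lowercase letters and digits is mine, not the page's.

```python
import re

# Constructed sample .htaccess (not from the page). One entry is correct; three
# break a rule the page states: uppercase, a @cmu.edu address, a missing "$".
SAMPLE_HTACCESS = """\
AuthType Shibboleth
<limit POST GET OPTIONS>
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
ShibRequestSetting redirectToSSL 443
require shib-attr member cn=apps:web:cms:group-name:users,ou=groups,dc=cmu,dc=edu
# Joe User
require shib-user ~ ^juser1@andrew.cmu.edu$
# Jane User (mistake: uppercase letters)
require shib-user ~ ^JUser2@andrew.cmu.edu$
# Jesse User (mistake: @cmu.edu instead of @andrew.cmu.edu)
require shib-user ~ ^juser3@cmu.edu$
# Jordan User (mistake: no closing $ anchor)
require shib-user ~ ^juser4@andrew.cmu.edu
</limit>
"""

USER_RULE = re.compile(r"^require\s+shib-user\s+~\s+(\S+)$")
GROUP_RULE = re.compile(
    r"^require\s+shib-attr\s+member\s+(cn=apps:web:cms:[^,]+:users,ou=groups,dc=cmu,dc=edu)$"
)
# A correct individual entry: anchored, lowercase, full Andrew address.
# Assumption (mine, not the page's): an Andrew ID is lowercase letters and digits.
GOOD_USER = re.compile(r"^\^([a-z0-9]+)@andrew\.cmu\.edu\$$")
REQUIRED_DIRECTIVES = ("AuthType Shibboleth", "ShibRequireSession On", "<limit", "</limit>")


def lint_htaccess(text, required_ids=()):
    """Check a restriction file against the rules on this page.

    Returns (andrew_ids, groups, problems). andrew_ids holds the IDs of every
    correctly written individual entry, groups the Grouper DNs found, and
    problems one message per rule violation, missing directive, or required
    person (e.g. a site manager) who is not listed.
    """
    ids, groups, problems = [], [], []
    lowered = text.lower()
    for directive in REQUIRED_DIRECTIVES:
        if directive.lower() not in lowered:
            problems.append(f"missing directive: {directive}")
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment, both allowed by the page's tip
        g = GROUP_RULE.match(line)
        if g:
            groups.append(g.group(1))
            continue
        u = USER_RULE.match(line)
        if not u:
            continue  # the Shib* settings themselves are not validated here
        pattern = u.group(1)
        ok = GOOD_USER.match(pattern)
        if ok:
            ids.append(ok.group(1))
            continue
        if not (pattern.startswith("^") and pattern.endswith("$")):
            problems.append(f"line {n}: {pattern!r} is not anchored with ^ and $")
        if pattern != pattern.lower():
            problems.append(f"line {n}: {pattern!r} must be all lowercase")
        if not pattern.lower().rstrip("$").endswith("@andrew.cmu.edu"):
            problems.append(f"line {n}: {pattern!r} is not a full @andrew.cmu.edu address")
    if not ids and not groups:
        problems.append("no require shib-user or shib-attr lines found")
    for who in required_ids:
        if who not in ids:
            problems.append(f"required person {who} is not listed")
    return ids, groups, problems


if __name__ == "__main__":
    found, found_groups, issues = lint_htaccess(SAMPLE_HTACCESS, required_ids=("juser1", "jsponsor"))
    print("individuals:", found)
    print("groups:", found_groups)
    for issue in issues:
        print("PROBLEM:", issue)
```

Run it against the file you are about to publish with required_ids set to the Andrew IDs of the sponsor, lead and site managers; an empty problem list means every entry is in the form the page requires and nobody who must have access has been left out.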

Grouper is a role-based provisioning service in which university populations are defined by attributes such as affiliation, department, class level and school or college name. When Grouper is used in conjunction with an .htaccess file, privileges are applied automatically as individuals are added to or removed from the group.

Using Grouper

Submit a request to it-help@cmu.edu stating that you want to use Grouper to restrict access on your CMS site, and provide details on the group you wish to restrict access to (if you already have a Grouper group that can be used for this purpose, please say so). You will be provided with a group name; this is needed when creating the .htaccess file.

Follow the steps above for creating the .htaccess file and paste the following snippet of code for step 6; replace group-name with the group name provided to you.

AuthType Shibboleth
<limit POST GET OPTIONS>
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
ShibRequestSetting redirectToSSL 443
require shib-attr member cn=apps:web:cms:group-name:users,ou=groups,dc=cmu,dc=edu
</limit>

Continue with the steps below.

Note: You can specify both a Grouper group and a manual list of individuals in your .htaccess file; see Tips below.

  1. Submit to save the .htaccess file
  2. To prevent restricted content from appearing in the navigation, disable the settings as follows:
    1. To disable the entire restricted section from appearing in the navigation, edit the folder and for the setting Include in Navigation select No
    2. To keep the restricted section label in the navigation for ease of access but hide pages within it, use the following settings:
      1. For the folder setting Include in Navigation, select Yes; for the index page setting Hide From Navigation, select No
      2. For all other pages within the folder, the setting Hide From Navigation should be set to Yes
  3. Populate the restricted folder with pages and files as needed
  4. Publish the restricted folder and test it to ensure the restriction is properly in place; we recommend opening a new browser window in incognito mode and accessing the page. If the restriction is set properly, you will see the university's Web Login; log in to gain access.

Tips

Can I include both a Grouper group and a list of individuals?

Yes, you may include both a group and a list of individuals. Follow the example below.

AuthType Shibboleth
<limit POST GET OPTIONS>
ShibRequireSession On
ShibApplicationId default
ShibExportAssertion On
ShibRequestSetting redirectToSSL 443
require shib-attr member cn=apps:web:cms:group-name:users,ou=groups,dc=cmu,dc=edu
require shib-user ~ ^juser1@andrew.cmu.edu$
require shib-user ~ ^juser2@andrew.cmu.edu$
require shib-user ~ ^juser3@andrew.cmu.edu$
</limit>
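Building the combined file by hand means re-typing the same six directives and getting every address into the exact shape the page requires. The generator below is an added example written for this page, not code from the CMS team: it assembles the same layout as the snippet above from a Grouper group name and a list of (full name, Andrew ID or email) pairs, normalizes each address to the lowercase bare ID, rejects addresses at any domain other than @andrew.cmu.edu, emits a "# Full Name" comment per person as the page's tip suggests, and lists each person once. The group-name value and the people are constructed placeholders, and the assumption that an Andrew ID is lowercase letters and digits is mine.

```python
import re

ANDREW_DOMAIN = "andrew.cmu.edu"
# Assumption (mine, not the page's): an Andrew ID is lowercase letters and digits.
ANDREW_ID = re.compile(r"[a-z0-9]+")


def normalize_andrew_id(who):
    """Accept 'juser1' or 'JUser1@andrew.cmu.edu' and return the bare lowercase ID.

    Any other domain is rejected, because the page states that @cmu.edu,
    departmental and external addresses will not work.
    """
    w = who.strip().lower()
    if "@" in w:
        local, domain = w.rsplit("@", 1)
        if domain != ANDREW_DOMAIN:
            raise ValueError(f"{who!r}: only @{ANDREW_DOMAIN} addresses work")
        w = local
    if not ANDREW_ID.fullmatch(w):
        raise ValueError(f"{who!r}: not a valid Andrew ID")
    return w


def build_htaccess(group_name=None, people=()):
    """Return the restriction file text in the layout this page uses.

    group_name is the Grouper group name supplied by Computing Services (or
    None to list individuals only); people is an iterable of
    (full_name, andrew_id_or_email) pairs. Each person gets a "# Full Name"
    comment line and duplicates are listed once.
    """
    lines = [
        "AuthType Shibboleth",
        "<limit POST GET OPTIONS>",
        "ShibRequireSession On",
        "ShibApplicationId default",
        "ShibExportAssertion On",
        "ShibRequestSetting redirectToSSL 443",
    ]
    if group_name:
        lines.append(
            f"require shib-attr member cn=apps:web:cms:{group_name}:users,ou=groups,dc=cmu,dc=edu"
        )
    seen = set()
    for full_name, who in people:
        andrew_id = normalize_andrew_id(who)
        if andrew_id in seen:
            continue  # same person listed twice; keep the first entry
        seen.add(andrew_id)
        lines.append(f"# {full_name}")
        # Same pattern shape as the page's snippets (dots left unescaped).
        lines.append(f"require shib-user ~ ^{andrew_id}@{ANDREW_DOMAIN}$")
    if not group_name and not seen:
        raise ValueError("nothing to grant: supply a group name, people, or both")
    lines.append("</limit>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed placeholders: the group name and the people are not real.
    print(build_htaccess("group-name", [
        ("Joe User", "juser1"),
        ("Jane User", "JUser2@andrew.cmu.edu"),
        ("Joe User", "juser1"),
    ]), end="")
```

Paste the printed text into the .htaccess file at step 6; keep the site managers, sponsor and lead in the people list even when a group is supplied, since the page notes that owners and managers are not exempt from the restriction.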

Can a group be created for a population that is not defined by official university attributes?

Yes. While a group can be defined based on official university attributes (e.g., affiliation, student class level, school or college name), custom groups can be created for unique circumstances (e.g., the staff members in your office). When you request a group, Computing Services will work with you to determine the appropriate type of group and what level of management is expected from you.

See How to Use Grouper.