
Identity and Access Management

UW Authorization Module (mod_uwa)

Overview

The UW Authorization module is a resource manager for Apache HTTP servers running on Unix systems. Authorizations are defined using standard Apache configuration directives which work in tandem with authentication provided by Pubcookie and Shibboleth. The module makes access control decisions to allow or deny access based on data obtained from the UW Groups Directory.

System Requirements

Getting Started

  1. Sign up - UW Groups Directory Registration
  2. Download - mod_uwa-3.2.1.tar.gz
  3. Installation - see doc/install.html in the tarball
  4. Configuration - see doc/mod_uwa.html in the tarball

Authorization Syntax

The UW Authorization module extends the capabilities of Apache's require directive when Pubcookie or Shibboleth is used for user authentication. It supports the following syntax for its authorization conditions:

| Condition | Argument Type | Authorization Description |
|---|---|---|
| valid-user | (none) | User must have authenticated somewhere somehow. |
| user | UW NetID | User must have authenticated using one of the specified UW NetIDs (via Pubcookie), e.g.: require user rford bobm sue23 |
| user | EPPN | User must have authenticated using an Identity Provider capable of asserting one of the specified EduPersonPrincipalName attributes (via Shibboleth), e.g.: require user netid@washington.edu netid@examplest.edu netid@uofexample.edu |
| type | affiliation type | User must have the specified type of UW affiliation, e.g.: require type student or type employee. Current affiliation types are described below. |
| group | group name | User must be a member of the specified UW Group, e.g.: require group u:cac:all. Note: tools for creating and managing UW Groups are under development. |
| course | course identifier | User must be in the specified UW Course membership, e.g.: require course WIN2005.1234. Note: Course groups are identified by the quarter, year and SLN, e.g., SPR2005.2345. Quarter prefixes are WIN, SPR, SUM and AUT. |

Note: Course authorizations are only available on servers registered and approved for use of UW Course data.

Note: authorization conditions can be combined with the logical operators and, or, and not (abbreviated &, |, and ~, respectively). Expressions can also be grouped with parentheses. Where conditions of the same kind are repeated, shorthand notation is acceptable; the omitted operation is assumed to be or.
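
The operator and shorthand rules above, worked through as an added Python sketch for checking a require expression against a test identity; it is not mod_uwa's code. The precedence (not, then and, then or), the rejection of anything it cannot parse, and the subject dictionary are assumptions of this example, and only the argument-list form of the shorthand (as in the user example) is handled.

```python
import re

KINDS = {"user", "type", "group", "course"}
WORDS = {"and": "&", "or": "|", "not": "~"}   # word forms of the operators
STOP = KINDS | set("()&|~") | {"valid-user", None}   # None marks end of input
# Constructed sample subject: a staff member signed in with a UW NetID.
SAMPLE = {"user": {"rford"}, "type": {"staff", "employee"}, "group": {"u:cac:all"}}

def allowed(expr, subject):
    """Evaluate expr for subject (dict: kind -> set of values). Assumed
    precedence: not, then and, then or. Raises ValueError on bad syntax."""
    toks = [WORDS.get(t, t) for t in re.findall(r"[()&|~]|[^\s()&|~]+", expr)] + [None]

    def condition():
        kind = toks.pop(0)
        if kind == "valid-user":
            return bool(subject.get("user"))
        args = []
        while kind in KINDS and toks[0] not in STOP:
            args.append(toks.pop(0))
        if not args:
            raise ValueError(f"bad condition at {kind!r}")
        # Shorthand: several arguments of one kind are joined by "or".
        return any(a in subject.get(kind, ()) for a in args)

    def factor():
        if toks[0] == "~":
            toks.pop(0)
            return not factor()
        if toks[0] == "(":
            toks.pop(0)
            value = chain("|")
            if toks.pop(0) != ")":
                raise ValueError("missing )")
            return value
        return condition()

    def chain(op):
        operand = factor if op == "&" else (lambda: chain("&"))
        value = operand()
        while toks[0] == op:
            toks.pop(0)
            rhs = operand()   # always parse the right side
            value = (value and rhs) if op == "&" else (value or rhs)
        return value

    result = chain("|")
    if toks != [None]:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return result
```

Pass the text that follows the require keyword, for example allowed("group u:cac:all & ~type student", SAMPLE).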

UW Affiliation Type Reference

The following table identifies and describes each UW affiliation type supported by the module.

| Affiliation Type | Description |
|---|---|
| student | UW undergraduate and graduate students who are enrolled for the current quarter, the previous quarter, or a future quarter; also includes on-leave graduate students and UW Extension students. |
| staff | UW staff members, including undergraduate and graduate student employees, who are currently employed. |
| faculty | UW faculty members who are currently employed. |
| employee | UW faculty and staff members. (See definitions above.) |
| member | UW faculty, staff, and students. (See definitions above.) Plus, retired faculty and staff. |
| alum | People who have graduated from the UW. |
| affiliate | People who work on campus but are not working for the UW. |
| | People who have applied for undergraduate or graduate school, i.e. student applicants. |
| | People affiliated through the UW Development Office, who have not graduated from the UW. |
| | People identified with UW Medicine, e.g. clinicians and patients. |
| | Digital Learning Commons students and educators. |
| | Other people who have a UW NetID. |
| | MyUW.net paid subscribers. |