Creating Automated Roles with MyAccess

Once you have enabled MyAccess sign-on, you can create roles based on the information MyAccess provides about the user.

The simplest way to create roles is with the person's email address.

Create the Role

    1. Create the role you want to assign at http://mysite.ucsf.edu/admin/people/permissions/roles
    2. Note the role number. You can see the role number in the URL when you edit the role.

Where to add rules

    1. Go to http://mysite.ucsf.edu/admin/config/people/simplesamlphp_auth
    2. Go to the Add Automatic role population from simpleSAMLphp attributes field

Assigning a role to one person

Let's say you want to assign Jane Doe (email jane.doe@ucsf.edu) the admin role (role number 16) when she logs in with MyAccess. Add the following rule to the Add Automatic role population from simpleSAMLphp attributes field:

16:mail,=,jane.doe@ucsf.edu

Assigning the UCSF role (26) to everyone with a similar email

If you want to add everyone whose email ends with ucsf.edu to the UCSF role, add the following rule:

26:mail,@=,ucsf.edu 

The above rule grants the UCSF role to everyone with a ucsf.edu email address.

To add all ucsf and medical center emails to the UCSF role (26) use the following rule:

26:mail,@=,ucsf.edu|26:mail,@=,ucsfmedctr.org

Note that the role numbers used in the examples above might not match the role numbers on your site.

Syntax Tips

Function   What it does
|          inserts an "or" between two rules
=          exact match
@=         like match (matches the domain part of the email address, e.g. ucsf.edu)

Basic Syntax

role#:attribute,evaluator,condition

Code Example:

26:mail,@=,ucsf.edu

English Translation:

Assign role 26 if the mail attribute is like ucsf.edu.
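To make the rule syntax above concrete, here is an added illustration (not the Drupal simplesamlphp_auth module's own code and not part of the original page) that parses a rule string and evaluates it against a user's SAML attributes. It assumes that comparisons are case-insensitive and that the `@=` evaluator compares the whole domain of the email address, so that an address at notucsf.edu does not qualify for a ucsf.edu rule; it also covers the single-person and multi-domain rules from the sections above.

```python
# Added illustration of the rule syntax on this page; it is NOT the Drupal
# simplesamlphp_auth module's own code. Assumed: comparisons are
# case-insensitive and '@=' compares the whole domain part of an e-mail.
from typing import Dict, List, Set, Tuple

Rule = Tuple[int, str, str, str]  # (role id, attribute, evaluator, value)


def parse_rules(rulemap: str) -> List[Rule]:
    """Split 'role:attr,op,value|role:attr,op,value' into rule tuples."""
    rules = []
    for rule in rulemap.split("|"):          # '|' separates alternative rules
        rule = rule.strip()
        if not rule:
            continue
        role_id, rest = rule.split(":", 1)    # role number before the colon
        attr, op, value = rest.split(",", 2)  # attribute, evaluator, condition
        rules.append((int(role_id), attr.strip(), op.strip(), value.strip()))
    return rules


def attribute_matches(values: List[str], op: str, wanted: str) -> bool:
    """True if any value of the SAML attribute satisfies the condition."""
    wanted = wanted.lower()
    for item in (v.lower() for v in values):
        if op == "=":                          # exact match
            if item == wanted:
                return True
        elif op == "@=":                       # e-mail domain match
            # Compare the whole domain, not a suffix, so that
            # 'someone@notucsf.edu' does not qualify for a ucsf.edu rule.
            if "@" in item and item.rsplit("@", 1)[1] == wanted:
                return True
        else:
            raise ValueError(f"unknown evaluator {op!r}")
    return False


def roles_for(rulemap: str, attributes: Dict[str, List[str]]) -> Set[int]:
    """Role ids a user with the given SAML attributes would be granted."""
    granted = set()
    for role_id, attr, op, value in parse_rules(rulemap):
        if attribute_matches(attributes.get(attr, []), op, value):
            granted.add(role_id)
    return granted


# Constructed sample: the page's UCSF rules plus the single-person admin rule.
RULEMAP = "16:mail,=,jane.doe@ucsf.edu|26:mail,@=,ucsf.edu|26:mail,@=,ucsfmedctr.org"
```

Calling `roles_for(RULEMAP, {"mail": ["jane.doe@ucsf.edu"]})` yields both role 16 and role 26, while an address at notucsf.edu or ucsf.edu.example.com receives no role at all.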