Basic Groups Configuration in EZproxy
Symptom
- How to configure and test groups in EZproxy
Applies to
- EZproxy
Resolution
Groups can be used in EZproxy to restrict access to specific resources for specified users.
Refer to this page for documentation on Groups.
Before starting, it helps to make sure your Audit is set to show the group(s) the user is assigned to when they log in:
Audit Most Login.Success.Groups
Go here for more information on configuring the Audit.
When working with Groups in EZproxy, it helps to view the setup in two parts: assigning groups during user authentication, and then configuring which resources those groups can access.
- When users log in to EZproxy, it can be configured so users are assigned to a group based on some value returned by the authentication method used.
Most authentication methods would have this set in the user.txt. The configuration to add the group would normally be in the user.txt block for that method. Specifics for different authentication methods can be checked here:
https://help.oclc.org/Library_Manage...cation_methods
If using SAML, this would instead be set in the shibuser.txt file:
https://help.oclc.org/Library_Manage...n#shibuser.txt
There are also options to add the user only to the indicated group, add to the group while keeping an existing group membership (+), or add to a group and remove a group membership (-).
For these examples, the authentication method used is returning an attribute of 'Group' with the value 'Student', and the user will be set to the group GroupName1.
To set the user to only this group, use a line like:
If auth:Group eq Student; Group GroupName1
To add this group and keep the membership to a group already set, use:
If auth:Group eq Student; Group +GroupName1
To add to multiple groups, use:
If auth:Group eq Student; Group GroupName1+GroupName2
To add to a group AND remove from an already set group, use:
If auth:Group eq Student; Group GroupName1-GroupName2
Groups can also be set on other criteria, such as IP. A common case is a site that uses AutoLoginIP but has certain resources that require users to authenticate (and not use AutoLogin). This is explained in Selective AutoLoginIP.
To test that groups are set properly when users log in, the group still needs to be added to the config.txt to enable the group in EZproxy.
There are two ways to do this:
- Before the first stanza in the config.txt, add all the groups so they all access everything in EZproxy:
Group Default+GroupName1+GroupName2
- Or, add the new groups at the bottom of the config.txt after all the stanzas, just to activate the group:
Group GroupName1+GroupName2
Once these are set, along with the Audit settings mentioned earlier, you can test logging in and check that users are shown in the required group(s) in the Other column of the audit (found in the EZproxy admin page https://help.oclc.org/Library_Manage...Administration).
The second part of setting up groups is configuring which resources (in config.txt) these groups have access to.
For these examples, the groups used will be Default (which all users are normally added to unless configured otherwise), GroupName1, and GroupName2.
To set what group(s) can access a stanza, simply set it before the stanza. This will set EZproxy to only allow users in GroupName1 to access the stanza titled 'Resource Title':
Group GroupName1
T Resource Title
U stanza.url.com
...
This group configuration continues to apply to all stanzas that follow until a new Group directive is added. For example, this will change the groups that can access the resource 'Resource Title2' to Default and GroupName2, so GroupName1 would not have access to this resource:
Group Default+GroupName2
T Resource Title2
U stanza.url2.com
...
It is easiest to order the stanzas in config.txt by the groups that access them, but it is possible to set the groups as needed.
Once these are set and EZproxy has been restarted, then in the EZproxy admin page, go to 'View database group assignments' to check that the resources are assigned to the proper groups.
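Because a Group directive stays in effect until the next one, a stanza placed in the wrong position can end up open to Default without anyone noticing. The following Python script is an added example, not OCLC's code: it walks a config.txt and reports the groups in effect for each stanza. It assumes stanzas begin with a T or Title line, group lists are separated by +, lines starting with # are comments, and stanzas before any Group line belong to Default; the sample config is constructed.

```python
# Added example: effective group access per stanza in an EZproxy config.txt.
SAMPLE_CONFIG = """\
# constructed sample, reusing the group and stanza names from the page
T Open Resource
U open.example.com

Group GroupName1
T Resource Title
U stanza.url.com

Group Default+GroupName2
T Resource Title2
U stanza.url2.com

T Resource Title3
U stanza.url3.example

Group GroupName1+GroupName2
"""

def effective_groups(config_text):
    """Return {stanza title: set of groups in effect for that stanza}."""
    current = {"Default"}  # assumption: no Group line yet means Default
    access = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) == 2 else ""
        if keyword == "group" and value:
            # A new Group directive replaces the list for all later stanzas.
            current = {g for g in value.split("+") if g}
        elif keyword in ("t", "title") and value:
            # Each stanza inherits whatever Group directive came last.
            access[value] = set(current)
    return access

def stanzas_open_to(config_text, group="Default"):
    """Sorted titles of stanzas that members of `group` can reach."""
    found = effective_groups(config_text)
    return sorted(t for t, groups in found.items() if group in groups)

if __name__ == "__main__":
    for title, groups in effective_groups(SAMPLE_CONFIG).items():
        print(f"{title}: {'+'.join(sorted(groups))}")
```

In the sample, 'Resource Title3' has no Group line of its own and inherits Default+GroupName2 from the stanza above it, which is the kind of ordering slip to compare against 'View database group assignments'.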
For hosted EZproxy systems, support will configure this for you. Contact OCLC Support.
For stand-alone EZproxy systems that need additional help, contact OCLC Support.
