Starting February 18, 2020, CAS will begin enforcing a default authorization policy on applications (also known as CAS clients).
Check back here periodically as this information is subject to change.
February 11, 2019: Implemented in auth-test.berkeley.edu
February 18, 2020: Implement in auth.berkeley.edu
If your application is already registered, meaning you have provided the application URLs to the CalNet team, then you will not be impacted by this change. If, however, you are using CAS and you have not registered your application you will be subject to the new default authorization policy.
New applications will be subject to the default authorization policy. There will be an option to opt-out of default authorizations if your application provides its own authorization logic, or if you wish to have more specific authorizations provided by CAS. Find out more about the CAS registration process.
The intent of CAS authorizations is to ensure that every registered service applies some level of authorization, and to apply the CalNet default authorization to any service that does not.
All services should have a Default AuthZ or some combination of CAS Service AuthZ and application AuthZ.
The default policy is applied as a required attribute in the CAS service definition: before granting access to the service, CAS checks that the authenticating principal is a member of the Default AuthZ group.
The current makeup of the Default AuthZ CalGroups group is:
All SPA UIDs (an SPA is allowed only if both the SPA UID and the user UID are allowed)
CalNet Test Accounts and rSPAs with AFFILIATE-TYPE-TEST
CalNet Departmental Accounts
Active Employees, UCPath Affiliates, and Students
Employees, UCPath Affiliates, and Students in Grace Period
Note: Guests and Alumni are not allowed.
CAS Service AuthZ
Service AuthZ can be provided in several different ways, and these can typically be combined in the service registration to achieve the desired result.
CalGroups Access Group
CalGroups Official Groups: Add the CalGroups Official group to the service definition.
CalGroups Allow/Deny Groups
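The following is an added example of how a required-attribute check and an allow/deny group can look in an Apereo CAS JSON service definition; it is not a CalNet service definition and is not taken from this page. The service URL, the service id, the attribute name `berkeleyEduIsMemberOf` and the CalGroups group names are all assumed placeholders; the actual attribute and group names used by CalNet are whatever the CalNet team configures at registration.

```json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://myapp\\.example\\.berkeley\\.edu/.*",
  "name" : "MyApp",
  "id" : 10001,
  "description" : "Assumed example service: Default AuthZ group required, application deny group rejected",
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requireAllAttributes" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "berkeleyEduIsMemberOf" : [ "java.util.HashSet", [
        "edu:berkeley:app:calnet:defaultauthz"
      ] ]
    },
    "rejectedAttributes" : {
      "@class" : "java.util.HashMap",
      "berkeleyEduIsMemberOf" : [ "java.util.HashSet", [
        "edu:berkeley:app:myapp:deny"
      ] ]
    }
  }
}
```

Two points worth checking against any real registration: a principal whose membership attribute carries none of the listed values is denied access to this service even though authentication succeeded, and a principal matching any value under `rejectedAttributes` is denied regardless of the required match. Listing several groups under one attribute name in `requiredAttributes` means "any of these groups", not "all of them", so requiring the Default AuthZ group and an application allow group together is something to agree with the CalNet team at registration rather than to express by adding values to a single entry.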
If the application owner has opted out of both Default AuthZ and CAS Service AuthZ, authorization is enforced only at the application level.
The application may decide to mix CAS Service AuthZ and Application AuthZ as well.