localgovdrupal · dedavidson · Apr 8, 2026
diff --git a/docs/src/.vuepress/config.js b/docs/src/.vuepress/config.js
@@ -89,6 +89,10 @@ export default defineUserConfig({
       {
         text: 'Microsites',
         link: '/microsites/'
+      },
+            {
+        text: 'Intranets',
+        link: '/intranets/'
       },
       {
         text: 'Main site',
@@ -301,6 +305,11 @@ export default defineUserConfig({
           ]
         },
       ],
+      '/intranets/': [
+        '',
+        'access-control',
+      ],
+
       '/contributing/': [
         '',
         'development',

diff --git a/docs/src/intranets/access-control.md b/docs/src/intranets/access-control.md
@@ -0,0 +1,74 @@
+---
+title: Access control
+---
+
+# Access control
+
+LocalGov Drupal gives you several options for controlling who can access content on your intranet. These can be used independently or in combination depending on the needs of your organisation.
+
+The main approaches are:
+
+1. **Single sign-on (SSO)**: require all users to authenticate before accessing any part of the intranet, using the same credentials they use for other council systems.
+2. **Passwordless login**: staff authenticate by entering their email address and receiving a single-use login link, with no password required.
+3. **Selective content restriction**: keep most of the site publicly accessible but restrict specific content to logged-in users only.
+4. **Role-based paragraph visibility**: restrict specific sections of a page to users with particular roles, even once they are logged in.
+
+---
+
+## Single sign-on
+
+For a fully private intranet, the most common approach is to require authentication for the entire site using single sign-on (SSO). Staff log in with the same credentials they use for email, Microsoft 365, or other council systems, without needing a separate Drupal username and password.
+
+LocalGov Drupal supports SSO via OpenID Connect (OIDC), with specific support for Microsoft Azure Active Directory (the most common provider in UK councils) and Azure B2C. Configuration details, settings recommendations, and guidance on mapping identity provider groups to Drupal roles are covered in the developer documentation:
+
+[Single Sign-On — Developer docs](/devs/security/sso)
+
+---
+
+## Passwordless login
+
+Passwordless login is an alternative to SSO for councils without a central identity provider, or where a simpler setup is preferred. Staff enter their email address and receive a single-use login link by email, valid for 24 hours. No password is required.
+
+Access is controlled via an email domain whitelist: only addresses from approved domains (such as `@yourcouncil.gov.uk`) can register. User accounts are created automatically on first login if the email domain is whitelisted.
+
+This is implemented using three Drupal modules: `passwordless`, `domain_registration`, and `email_registration`, along with a small custom integration module. Full setup instructions are in the developer documentation:
+
+[Passwordless login — Developer docs](/devs/security/passwordless)
+
+---
+
+## Selective content restriction
+
+Not every intranet needs to be entirely private. You may want a site that is mostly public where only certain pages or content types require a login, for example a staff-facing section of your main council website.
+
+The [`localgov_restricted_content`](https://www.drupal.org/project/localgov_restricted_content) module provides this capability. Editors can mark individual pieces of content as restricted, so that anonymous visitors see a login prompt or are redirected, while authenticated users can access the content normally.
+
+This suits situations where:
+
+- Your intranet content lives alongside public council content on the same site.
+- You want staff-only pages discoverable in navigation but protected behind login.
+- You need a lightweight solution without requiring full site authentication.
+
+---
+
+## Role-based paragraph visibility
+
+For more granular control, you may want to restrict specific sections within a page to certain groups of staff, even once they are logged in. A page might have general content visible to all staff, but a section containing sensitive HR information visible only to managers.
+
+The [`paragraphs_role_visibility`](https://www.drupal.org/project/paragraphs_role_visibility) contrib module allows editors to set role-based visibility on individual paragraphs within layout builder. Each paragraph component can be configured to show only to users with one or more specified Drupal roles.
+
+Useful when:
+
+- You have mixed-sensitivity content that would otherwise need to live on separate pages.
+- You want to reduce the number of pages to maintain by combining content for different audiences.
+- Role-based access is already being managed in Drupal, whether manually or via SSO group mapping.
+
+---
+
+## Combining approaches
+
+These approaches can be used in combination. A typical setup for a fully private intranet might use:
+
+- SSO to authenticate all users and map them to Drupal roles based on Active Directory group membership.
+- `localgov_restricted_content` to keep a small number of pages public, such as a pre-login landing page.
+- `paragraphs_role_visibility` to restrict sensitive content within pages to specific staff roles.
diff --git a/docs/src/intranets/index.md b/docs/src/intranets/index.md
@@ -0,0 +1,28 @@
+---
+title: Intranets
+---
+
+<div class="banner">
+  <h1>LocalGov Drupal as an Intranet</h1>
+</div>
+
+<div class="alpha"><span>Beta</span> This documentation is a work in progress</div>
+
+--------------
+
+LocalGov Drupal can be used as the foundation for a council intranet, giving staff a central place to find information, manage documents, and collaborate. Because it is built on the same platform as the public-facing LocalGov Drupal website, councils already using LocalGov Drupal can benefit from shared infrastructure, familiar tooling, and a single codebase to maintain.
+
+Six UK councils are currently running intranets built on LocalGov Drupal: Blackburn and Darwen, Croydon, Cumberland, Essex County Council, Rutland, and Sheffield.
+
+## What LocalGov Drupal provides as an intranet
+
+- **Content management**: staff can create, edit, and publish content including documents, images, videos, and news articles using familiar Drupal editorial tools.
+- **Document management**: support for HTML publications, version control, document tagging, and search, so staff can find what they need quickly.
+- **Integrated forms**: councils can build forms to streamline internal processes such as leave requests, feedback submissions, and service requests.
+- **Employee directory**: staff can find and contact colleagues, supporting internal communication.
+- **Access control**: content can be restricted to authenticated users only, to specific roles, or left publicly accessible, giving councils fine-grained control over what staff and the public can see.
+- **Accessibility**: content meets or exceeds WCAG 2.1 Level AA standards, ensuring the intranet is usable by all staff.
+
+## In this section
+
+1. [Access control](access-control.md): approaches to restricting content to authenticated users, using single sign-on, or limiting visibility to specific roles.