Skip to content
Permalink
Browse files

gte and content updates for 401.4

  • Loading branch information
wgthom committed Jun 8, 2019
1 parent 2adc619 commit 01335e7aac7b2ad26eed3bb1bc439024142c4f30
@@ -316,4 +316,4 @@ The End

.. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program
.. _Grouper ESB Connector: https://spaces.at.internet2.edu/display/Grouper/Grouper+ESB+Connector
.. _COmanage: https://www.internet2.edu/products-services/trust-identity/comanage/
.. _COmanage: https://www.internet2.edu/products-services/trust-identity/comanage/
@@ -3,24 +3,24 @@
401.4 Untangling Legacy Access Policies - Example Solution
==========================================================

The follwing solution uses techniques demonstrated in the other 401 series
labs in order to create an independent policy for the LMS service.
The following solution uses techniques demonstrated in the 201 and 401 labs.
The general solution is to create an independent access policy for the LMS
service based on the legacy community members LDAP group and a new visiting
scholars reference group.

#. Use Grouper Loader to import existing LDAP cohort group into a "community
members" reference group-- `ref:legacy:community_members`
#. Add loader job to populate `communtiy_members` from
`cn=community_members,ou=groups,dc=example,dc=edu`.
#. Run loader job to import members into reference group.
#. Create a Grouper service folder for the LMS with a policy for LMS
authorization: `app:lms:lms_authorize|allow|deny`
#. Add the "institutional people" reference group, `ref:community_members`,
to the allow policy for the LMS, `app:lms:lms_allow`.
#. Create `app:lms:ref:visiting_scholars`. Import the NetIDs for the visiting
scholors into this reference group.
#. Add `visiting_scholars` to `lms_allow`.
#. Provision this policy to a new group in the LDAP DIT that the LMS group can
use to allow access to the service.
#. Create a new application folder `lms`
#. Create a new access policy group `lms_access`
#. Configure PSPNG attributes to `provision_to` `groupOfNames` on `lms_access`
#. Create a new institutional reference `ref:legacy:community_members`.
#. Configure `community_members` with an LDAP loader job.
#. Add `community_members` to `lms_access_allow`
#. Create an application-specific reference group for the visiting scholars
`app:lms:service:ref:visiting_scholars`
#. Import the NetID list into `visiting_scholars`
#. Add `visiting_scholars` to `lms_access_allow`
#. File a ticket with Vicky to switch the LMS LDAP access control group
#. Head to your happy place! :)

Congrats! You are now a certified Grouper Guru associate level 1!
And remember nothing gets'em going like chum!
.. figure:: ../figures/401-lms-solution.png

Congrats! You are now a certified Grouper Guru associate level 1!
@@ -14,54 +14,121 @@ Lab Components
--------------

* Grouper
* OpenLDAP
* `Grouper Deployment Guide`_


--------
Overview
--------

A baseline of core services services are enabled by default for a broad range of
community cohorts. The current approach uses a hodge-podge of scripts and
manual intervention to establish a group of "institutional people" that are
granted access to a wide range of services. The system can best be described as
fragile, brittle, and difficult, if not impossible, to evolve and maintain. In
other words-- state of the industry.
A baseline of core services services are enabled by default for a broad range
of community cohorts. The current approach uses a hodge-podge of scripts and
manual intervention to establish a group of "community members" that are
granted access to a wide range of services. The system can best be described
as fragile, brittle, and difficult, if not impossible, to evolve and maintain.
In other words-- state-of-the-industry!

Last year your CIO came back from Internet2 Summit and declared that your
institution is going to deploy TIER. You've just managed to get the Grouper
software up and running, when the head of your LMS group, Vicky, bursts into your
office space and tells you that there are 50 visiting scholars showing up on
campus tomorrow, and they all need access to the LMS for a campus-wide lecture
series.
Last year your CIO came back from Internet2 Summit, and declared that your
institution was going to deploy the InCommon Trusted Access Platform. You have
just managed to get Grouper up and running, when the head of your Learning
Management System group, Vicky, bursts into your office and tells you that
there are 50 visiting scholars showing up on campus tomorrow, and they all need
access to the LMS for a campus-wide lecture series.

Your co-worker had mentioned this to you before she left for her month long
vacation. She had told you she had taken care of creating the guest accounts,
and not to worry. You just need to grant access to the LMS when the time comes.
No problem.

But suddenly, you realize that access is controlled via the "institutional
people" group in your Enterprise Directory Information Tree! If you add the
scholars to that group, they'll have access to everything on campus!
vacation. She had told you she had taken care of creating the sponsored
accounts in `COmanage`_, and not to worry. You just need to grant access to the
LMS when the time comes. No problem.

Before panic sets in, you remember your Grouper training. You'll need a little
help from Vicky, but with Grouper, you've got this covered. "OK, Vicky," you say
in a calm, steady voice. "Here's what I'm going to need your team to do ..."
But suddenly, you realize that access to the LMS is controlled via the dreaded
"community members" group in your Enterprise LDAP! If you add the scholars
to that group, they'll have access to everything on campus!

----------------
Exercise 401.4.1
----------------
Before panic sets in, you remember your Grouper training. You will need a
little help from Vicky, but with Grouper, you've got this covered. "OK,
Vicky," you say in a calm, steady voice. "Here's what I'm going to need your
team to do ..."

*Untangling Policies from Cohorts*
--------------------------------------------------------
Exercise 401.4.1 Untangling policies from legacy cohorts
--------------------------------------------------------

The goal of this exercise is to grant access to the LMS for the 50 visiting
scholar guest accounts *without* granting additional access to those accounts.
Since access control does not happen in a vacuum, you'll need some minimal
assistance from the LMS team. Vicky's team can configure the LMS to point to a
new group in the LDAP DIT, but that's all the help you'll get.

The basic issue is that the legacy access control mechanisms are based on a
cohort of loosely defined "institutional people". All your institution's services
are using this cohort directly to determine who is supposed to have access.

You'll need to use your new Grouper skills to resolve this issue.


scholar sponsored accounts *without* granting any additional unnecessary
access. Since access control does not happen in a vacuum, you'll need some
minimal assistance from the LMS team. Vicky's team can configure the LMS to
point to a new authorization group in LDAP, but that's all the help you'll get.

The basic issue is that the legacy access control mechanisms are based on a
cohort of loosely defined "institutional people". All your institution's
services are using this cohort directly to determine who is supposed to have
access, so any changes or additions have far reaching impact.

The dreaded "community members" group that the LMS currenty uses for access
control is in LDAP at "cn=community_members,ou=groups,dc=internet2,dc=edu". You
can log in to https://localhost:8443/phpldapadmin/ to review the group.

Here are the 50 visiting scholar NetIDs:

.. code-block::

adoe852
agonazles804
alopez751
alopez802
anielson378
anielson51
athompson526
athompson713
athompson866
awalters247
awhite131
awhite631
bdavis150
bdavis999
bgasper2
bgonazles239
bgrady115
blee298
cjohnson933
clangenberg923
clee357
cthompson231
cthompson287
cwalters316
cwalters536
cwilliams606
danderson959
dbrown402
ddavis762
ddoe822
dwhite663
dwilliams299
eanderson919
escott173
gbutler381
ggrady118
ggrady649
glangenberg234
gwalters810
gwhite647
hpeterson10
jgrady499
jlee308
jnielson505
jsmith466
jvales111
jvales645
jwalters24
kdavis686
kjohnson872

You will need to use your new Grouper skills to resolve this issue. Your next
step is up to you!

If you get stuck or bored, check out the `401.4 example solution`_!

.. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program
.. _COmanage: https://www.internet2.edu/products-services/trust-identity/comanage/
.. _401.4 example solution: 401.4-example-solution.html
@@ -17,6 +17,5 @@ experience.
401.3
401.4
401.4-example-solution
appendix

.. _InCommon Trusted Access Platform: https://www.incommon.org/tap/
Binary file not shown.
@@ -1,2 +1,3 @@
gs = GrouperSession.startRootSession();

delStem("401.3.end")
addRootStem("401.4.1", "401.4.1")

0 comments on commit 01335e7

Please sign in to comment.
You can’t perform that action at this time.