diff --git a/TODO.md b/TODO.md
index f8c5d29..0f89178 100644
--- a/TODO.md
+++ b/TODO.md
@@ -5,5 +5,34 @@ TODO
202202
-------
-- Upgrade Shibboleth IDP to latest 4.1.4 (low priority)
+- (NO IT REQUIRES JAVA 11+) Upgrade Shibboleth IDP to latest 4.1.4 (low priority). But the configs have been modified to reduces
- Remove folders for unused images; in Sept. 2021 we were fine with 101.1, 201.end and 401.end
+- How to get rid of the LDAP warnings that come up the first time the page comes up?
+- The All Faculty/Staff group is missing the ref type
+- Fix this error
+
+ Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The driver is automatically registered via the SPI and manual loading of the driver class is generally unnecessary.
+- maturity0 container: "Your source IP address (192.168.16.1) is not allowed to access the Configuration UI (in grouper-ui configuration)"
+- Main wiki page doesn't have a link to container configure, install, etc.
+
+Slide updates:
+201.1.1
+- Years need to be +1. Then grace period graduate should be 9 months (end date 2022/03/01)
+201.1.2
+- The slide says exchange students are not in SIS. Are they a loaded basis group, ref group, what?
+- Should transfer students be a basis group? Is there such a thing as an ad hoc basis group?
+- slide 6, why is Create Digital Policy there twice?
+- should we do away with the All Staff being a rollup of 100's of groups? Hard to see visualization that way
+201.2
+- Add some visualization steps to easily understand the app structure
+- (DONE) Already has an All Faculty/Staff group, don't need to add faculty and staff separately
+201.3
+- We can either add the type to the policy folder, or autoassign types to the folder above, which will do the same
+- the ePA_full_sync daemon job has already been created
+201.5
+- (DONE) ref:role:financeManager needs to add the ref type
+- after adding Carrie Campbell, should go to the policy group to show it's there
+
+
+211.3
+- TEST: What privs do you need to add an assignment to an assignment
diff --git a/base/Dockerfile b/base/Dockerfile
index c9694ce..22cd95f 100644
--- a/base/Dockerfile
+++ b/base/Dockerfile
@@ -1,7 +1,7 @@
FROM tier/shib-idp:3.4.3_20190201 as idp
# Grouper version for the entire GTE
-FROM i2incommon/grouper:2.6.5
+FROM i2incommon/grouper:2.6.5.3
# Disable docker HEALTHCHECK inherited from tier/shib-sp
HEALTHCHECK NONE
diff --git a/base/container_files/conf/grouper-loader.properties b/base/container_files/conf/grouper-loader.properties
index 2d8cd56..aa21dfe 100644
--- a/base/container_files/conf/grouper-loader.properties
+++ b/base/container_files/conf/grouper-loader.properties
@@ -47,27 +47,39 @@ ldap.demo.pass = password
#optional, if you are using tls, set this to true. Generally you will not be using an SSL URL to use TLS...
ldap.demo.tls = false
-
+
+# When testing the connection in the UI...
+ldap.demo.uiTestSearchDn = dc=internet2,dc=edu
+ldap.demo.uiTestSearchScope = ONELEVEL_SCOPE
+ldap.demo.uiTestFilter = cn=admin
+ldap.demo.uiTestAttributeName = cn
+ldap.demo.uiTestExpectedValue = admin
+
#optional, if using sasl
#ldap.personLdap.saslAuthorizationId =
#ldap.personLdap.saslRealm =
-#optional (note, time limit is for search operations, timeout is for connection timeouts),
-#most of these default to vt-ldap defaults. times are in millis
-#validateOnCheckout defaults to true if all other validate methods are false
-#ldap.personLdap.batchSize =
-#ldap.personLdap.countLimit =
-#ldap.personLdap.timeLimit =
-#ldap.personLdap.timeout =
-#ldap.personLdap.minPoolSize =
-#ldap.personLdap.maxPoolSize =
-#ldap.personLdap.validateOnCheckIn =
-#ldap.personLdap.validateOnCheckOut =
-#ldap.personLdap.validatePeriodically =
-#ldap.personLdap.validateTimerPeriod =
-#ldap.personLdap.pruneTimerPeriod =
-#if connections expire after a certain amount of time, this is it, in millis, defaults to 300000 (5 minutes)
-#ldap.personLdap.expirationTime =
+#ldap.personLdap.batchSize =
+#ldap.personLdap.countLimit =
+#ldap.personLdap.timeLimit =
+#ldap.personLdap.timeout =
+#ldap.personLdap.pagedResultsSize =
+#ldap.personLdap.referral =
+#ldap.personLdap.searchResultHandlers=org.ldaptive.handler.DnAttributeEntryHandler,edu.internet2.middleware.grouper.ldap.ldaptive.GrouperRangeEntryHandler
+#ldap.personLdap.searchIgnoreResultCodes=
+#ldap.personLdap.enabled =
+#ldap.personLdap.customizePooling =
+#ldap.personLdap.minPoolSize =
+#ldap.personLdap.maxPoolSize =
+#ldap.personLdap.validateOnCheckIn =
+#ldap.personLdap.validateOnCheckOut =
+#ldap.personLdap.validatePeriodically =
+#ldap.personLdap.validateTimerPeriod =
+#ldap.personLdap.pruneTimerPeriod =
+#ldap.personLdap.validator =
+#ldap.personLdap.validatorCompareDn =
+#ldap.personLdap.validatorCompareAttribute =
+#ldap.personLdap.validatorCompareValue =
#make the paths fully qualified and not relative to the loader group.
loader.ldap.requireTopStemAsStemFromConfigGroup=false
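Review bot: The added comment `# When testing the connection in the UI...` trails off without saying what the five `ldap.demo.uiTest*` keys do, and the same hunk deletes the only explanation of the commented-out `ldap.personLdap.*` keys (times are in millis, timeLimit is for searches, timeout is for connections). I would spell the new comment out, presumably along the lines of `# UI "test connection": search uiTestSearchDn with uiTestFilter and expect uiTestAttributeName to equal uiTestExpectedValue`, and keep `# times are in millis; timeLimit is for search operations, timeout is for connection timeouts` above the personLdap block. The test runs against the `demo` connection, which the context shows with `ldap.demo.tls = false` and, in the hunk header, `ldap.demo.pass = password`. Unless the URL outside this hunk is ldaps, that bind is unencrypted, so a line such as `# training environment only: demo credentials, no TLS - do not copy into a real deployment` would be worth adding next to it.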
diff --git a/base/container_files/shibboleth-idp/conf/attribute-resolver.xml b/base/container_files/shibboleth-idp/conf/attribute-resolver.xml
index 33607fc..5ea8d79 100644
--- a/base/container_files/shibboleth-idp/conf/attribute-resolver.xml
+++ b/base/container_files/shibboleth-idp/conf/attribute-resolver.xml
@@ -1,244 +1,237 @@
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
@@ -247,47 +240,47 @@
-
-
+
-
+
-
+
-
\ No newline at end of file
+
diff --git a/docs/copy-paste-markdown/201.1.1.md b/docs/copy-paste-markdown/201.1.1.md
new file mode 100644
index 0000000..ce6736b
--- /dev/null
+++ b/docs/copy-paste-markdown/201.1.1.md
@@ -0,0 +1,71 @@
+# Grouper Training Environment - text to copy and paste - 201.1.1
+
+# Basis and Reference Groups (part 1)
+
+## Learning Objectives
+
+- Understand the difference between reference groups and basis groups
+- Create and manage reference and basis groups
+- Implement subject attribute lifecycle requirements
+
+## Exercise: All Students Reference Group
+
+Create an all students reference group to be used in access policy and the “all students” mailing list.
+
+### Create folder ref:student
+
+Create in this folder: `ref`
+
+Folder name: `student`
+
+### Create ref:student:students
+
+Group name: `students`
+
+Description:
+```
+This group contains contains all students for the purpose of access control. Members automatically get access to a broad selection of student services. You can view where this group is in use by selecting "This group's memberships in other groups" under the "More" tab
+```
+
+### Add ref type to group
+
+Find menu item _Types_
+
+Type name: `ref`
+
+Type: Yes, has direct type configuration
+
+Data owner: `Registrar`
+
+Member description: `All student subjects for the purpose of access control`
+
+
+### Add class years to ref:students
+
+Navigate to group `ref:student:students`
+
+Add the following groups to ref:students
+
+- `basis:sis:prog_status:year:ac:2022`
+- `basis:sis:prog_status:year:ac:2023`
+- `basis:sis:prog_status:year:ac:2024`
+- `basis:sis:prog_status:year:ac:2025`
+
+
+### Filter for Direct Membership
+
+Filter for: Has direct membership → Apply filter
+
+### Filter for Indirect Membership
+
+Filter for: Has indirect membership → Apply filter
+
+How many students are in the group (look near the bottom)?
+
+### Recently Graduated Students
+
+You suddenly remember that recently graduated students have a 9 month grace period where they retain full access to student services.
+
+Add `basis:sis:prog_status:year:cm:2021` to students
+
+Edit the membership and set the end date to `2021/12/31` (March 31, 2022)
diff --git a/docs/copy-paste-markdown/201.1.2.md b/docs/copy-paste-markdown/201.1.2.md
new file mode 100644
index 0000000..89c15a6
--- /dev/null
+++ b/docs/copy-paste-markdown/201.1.2.md
@@ -0,0 +1,73 @@
+# Grouper Training Environment - text to copy and paste - 201.1.2
+
+# Basis and Reference Groups (part 2)
+
+## Learning Objectives (continued)
+
+- Understand the difference between reference groups and basis groups
+- Create and manage reference and basis groups
+- Implement subject attribute lifecycle requirements
+
+## Exercise: All Students Reference Group (continued)
+
+### Include students with no class year
+
+Not all students have class years assigned. This includes part-time students, employees taking course, and non-matriculated students.
+
+Fortunately, data about these students is available in the SIS, and basis groups have already been created for us.
+
+* Add group _basis:sis:prog\_status:year:ac:no\_year_ (name Active No Year) to _ref:student:students_
+
+How many students are there now?
+
+### Include exchange students
+
+Exchange students from your sister school can take classes, but never have official records in the SIS. However, they do have a local NetID and a basis group is maintained or them.
+
+* Add group _basis:sis:prog\_status:all:es_ (name Exchange Student) to _ref:student:students_
+
+How many students are there now?
+
+### Include ad-hoc transfer students
+
+Students who transfer to your campus often need access well ahead of SIS data being fully updated.
+
+* In folder _ref:student_, create group:
+ - name: `Transfer Student`
+ - id: `transfer_student`
+ - description: `Students recently transfered but not yet in SIS`
+
+* Add the _manual_ object type to this group
+ - Type name: `manual`
+ - Type: Yes, has direct type configuration
+ - Data owner: `Registrar`
+ - Member description: `Ad-hoc recent transfer students not yet in SIS`
+
+* Add the following subjects to transfer_student
+ - whawkins
+ - hyoung
+ - jmejia
+
+
+* Add transfer_student to “students” group
+
+How many students are there now?
+
+The number of students did not go up by 3 as you might have expected. Why? One of the transfer students was already a member of students.
+
+* Trace the membership of each of the transfer students to determine which subject was already students and why.
+
+### Include Leave of Absence students
+
+Students take a leave of absence for a variety of reasons. These students may or may not return, but retain student access for an extend period of time. Basis groups for leave of absence students already exist.
+
+* Add _basis:sis:prog\_status:all:la_ (Leave of Absence) to students
+
+How many students are there now?
+
+
+### Visualization: What do you mean by “student”?
+
+Review the students reference group by using group visualization
+
+The students reference group is used in access policy for student services. Being a “student” means access to a broad array of student services. This institutionally meaningful cohort is well defined, easily understood, and capable of being extended in a rational way.
diff --git a/docs/copy-paste-markdown/201.2.md b/docs/copy-paste-markdown/201.2.md
new file mode 100644
index 0000000..181a965
--- /dev/null
+++ b/docs/copy-paste-markdown/201.2.md
@@ -0,0 +1,80 @@
+# Grouper Training Environment - text to copy and paste - 201.2
+
+# Access Policy Groups
+
+## Learning Objectives
+
+- Understand the difference between policy groups and reference groups
+- Translate natural language policy into digital policy using access policy groups
+
+## Introduction to Access Policy Groups
+
+NIST SP 800-162: natural language policy must be converted to digital policy.
+
+Digital policy is implemented with access policy groups in Grouper.
+
+Access policy group is ideally a composite group whose factors are an allow and a deny group.
+
+The access policy group can in practice contain whatever the policy specifies (e.g. this one ad hoc subject is the only subject with access).
+
+Subject membership in the allow and deny groups should be indirect (through reference groups).
+
+Exceptions to policy in most case should be handled by application scoped reference groups (e.g. ad hoc groups).
+
+Using reference groups in policy ensures that as subject attributes change, the effective membership is up to date and access control decisions are correct.
+
+## Hands on
+
+### Create a new application template
+
+* Navigate to the _app_ folder
+* create a new application (More actions -> New template -> Application)
+ - Key: `gitlab`
+ - Friendly name: `GitLab`
+ - Description: `Access policies for the ITS GitLab version control system`
+
+### Create a new policy template
+
+* Navigate to the _app:gitlab:service:policy_ folder
+* Create a new policy group (More actions -> New template -> Policy group)
+ - Key: `gitlab_access`
+ - Friendly name: `GitLab Access`
+ - Description: `Overall access policy for the ITS GitLab version control system`
+
+### Create digital policy
+
+The natural language policy is “all faculty and staff have access to GitLab, unless denied by the CISO, or the account is in a closure state. Reference groups are already available.
+
+* Add _ref:role:all_facstaff_ (All Faculty/Staff) to _gitlab\_access\_allow_:
+* Review _gitlab\_access\_deny_, it should already have _ref:iam:global\_deny_ as a member
+
+### Review the gitlab_access policy definition
+
+* Navigate to _gitlab\_access_
+* Edit visualization settings, change *Show number of sibling objects* from 50 to 5
+* Close the configuation
+* Click Generate
+* Click fullscreen
+
+### Update policy to include Research Computing contractors
+
+* Add basis group for "Research Computing affiliate" (_basis:hr:employee:dept:10901:affiliate_) to _gitlab\_access\_allow_
+* Trace membership for Johnny Gardner from gitlab_access (Filter for Johnny Gardner -> Choose action -> Actions -> Trace membership)
+* View the audit log on gitlab_access_allow (gitlab_access -> More actions -> View audit log)
+* Visualize the _gitlab\_access_ policy definition
+
+### Manage security
+
+Administrative access to the application template folders and groups is controlled by security groups in app:gitlab:security. Security groups are essentially policy groups for Grouper access.
+
+Review the default privileges on gitlab_access_allow.
+
+* Navigate to gitlab_access_allow
+* Click on the Privileges tab
+
+The GitLab application is owned by the ITS Infrastructure group. They should have access to update the policy once it is in production.
+
+* Navigate to the _GitLab Updaters_ group.
+* Add group _basis:hr:employee:dept:10903:staff_ (Infrastructure staff) to this group
+* Navigate to gitlab_access_allow
+* Click on the Privileges tab and review
diff --git a/docs/copy-paste-markdown/201.3.md b/docs/copy-paste-markdown/201.3.md
new file mode 100644
index 0000000..566669d
--- /dev/null
+++ b/docs/copy-paste-markdown/201.3.md
@@ -0,0 +1,101 @@
+# Grouper Training Environment - text to copy and paste - 201.3
+
+# eduPerson Affiliation for Authorization
+
+
+## Learning Objectives
+
+- Understand how to do subject attributes management with policy groups
+- Configure provisioning to reflect group membership (aka subject attributes) into OpenLDAP
+- Configure Shibboleth to release eduPersonAffiliation for loosely defined authorization use cases
+
+## Hands on
+
+### Create a new application template
+
+* Navigate to the _app_ folder
+* create a new application (More actions -> New template -> Application)
+ - Key: `eduPersonAffiliation`
+ - Description:
+
+ ```eduPersonAffiliation (defined in eduPerson 1.0); OID: 1.3.6.1.4.1.5923.1.1.1.1 Specifies the person's relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc.```
+
+### Create app folder for eduPersonAffiliation
+
+* Assign object type “policy” to the _service:policy_ folder
+* Create the following groups in app:eduPersonAffiliation:service:policy
+ - student
+ - faculty
+ - staff
+
+### Add reference groups to policy
+
+The eduPerson specification states: "...each institution will decide the criteria for membership in each affiliation classification. What is desirable is that a reasonable person should find an institution’s definition of affiliation plausible"
+
+* Add _ref:student:students_ to the policy for _student_
+* Add the _All Staff_ reference group to _staff_
+* Add the _All Faculty_ reference group to _faculty_
+
+The eduPerson specification states: "The 'member' affiliation MUST be asserted for people carrying one or more of the following affiliations: faculty or staff or student or employee"
+
+* Create new group under app:eduPersonAffiliation:service:policy
+ - name: `member`
+* Add faculty, staff, and student to member
+* Visualize the new _member_ group
+
+### Configure external system for provisioning
+
+Provisioning targets depend on an external system that includes basic connection and configuration. For this lesson, the LDAP system has already been set up with config id "demo".
+
+* Navigate to Miscellaneous > External Systems.
+* Location entry for "demo"
+* Under Actions, view the details, then test the system
+
+
+### Configure (review) provisioner
+
+A provisioner has already been set up, “eduPersonAffiliation”. Review its properties
+
+* Go to Miscellaneous -> Provisioning -> eduPersonAffiliation -> Actions -> Edit provisioner
+
+
+### Create a full sync provisioning job (TODO may already be set up)
+
+The provisioner exists, but needs to have either a full sync or incremental job to perform the provisioning.
+
+* Go to Miscellaneous -> Daemon jobs
+* Under More actions, choose Add daemon
+* Create a job called ePA_full_sync, of type Provisioning full sync
+ - Config id: `ePA_full_sync`
+ - Enable: Yes
+ - Daemon type: Provisioning full sync
+ - Provisioner config id: *eduPersonAffiliation*
+ - Quartz cron: `0 0 4 * * ?`
+
+### Configure provisioning on folder
+
+* Navigate back to the _app:eduPersonAffiliation:service:policy_ folder.
+
+* Under More actions, choose Provisioning
+* Assign the new provisioner
+ Target name: ePA
+ Type: Yes
+ Provision: Yes
+ Folder scope: All objects in the folder or subfolder
+
+### Run provisioner job
+
+* In Miscellaneous -> Daemon jobs, look for job _OTHER\_JOB\_ePA\_full\_sync_
+* Under job actions, choose *Run job now*
+* Click on the hyperlink for the job to go to the job log
+* Click on *Apply filter* until the job completes
+
+### Verify Provisioning results
+
+* From the GTE Jump page (https://localhost:8443/) launch the LDAP manager and login.
+* Verify that subjects in the _member_ group now have a "member" affiliation in the LDAP record (e.g. uid=aadams)
+
+### Configure Shib to release ePA
+
+* Open a private browser, and log in to https://localhost:8443/app with username _aadams_ and password _password_
+* Look at value for _eduPersonAffiliation_
diff --git a/docs/copy-paste-markdown/201.4.md b/docs/copy-paste-markdown/201.4.md
new file mode 100644
index 0000000..14c131d
--- /dev/null
+++ b/docs/copy-paste-markdown/201.4.md
@@ -0,0 +1,89 @@
+# Grouper Training Environment - text to copy and paste - 201.4
+
+# Policy Groups and Static Application Permissions
+
+## Learning Objectives
+
+- Understand ACM Policy groups and static application permissions
+- Implement grouper security model
+- Configure provisioning to LDAP for eduPersonEntitlement
+- Configure Shibboleth to release eduPersonEntitlement
+
+## Hands On
+
+### Create policy for wiki application
+
+* Navigate to the _app_ folder
+* create a new application (More actions -> New template -> Application)
+ - Key: `wiki`
+ - Description:
+ ```Student wiki```
+
+### Create policy for wiki application
+
+wiki_user is an application-specific role. Subjects in this role have general access to the wiki. The natural language policy is "All students have access to the student wiki, unless they are in the global deny group"
+
+* Navigate to _app:wiki:service:policy_
+* Create new policy template:
+ - Key: `wiki_user`
+ - Description: `Access policy for student wiki`
+* Add _ref:student:students_ as a member to _wiki\_user\_allow
+* Review he membership of _wiki\_user\_deny
+* Visualize policy definition of _wiki\_user_
+ - set visualization option *Show number of sibling objects* to 15
+
+### Configure external system for provisioning
+
+Provisioning targets depend on an external system that includes basic connection and configuration. For this lesson, the LDAP system has already been set up with config id "demo".
+
+* Navigate to Miscellaneous > External Systems.
+* Location entry for "demo"
+* Under Actions, view the details, then test the system
+
+
+### Configure (review) provisioner
+
+A provisioner has already been set up, eduPersonEntitlement. Review its properties
+
+* Go to Miscellaneous -> Provisioning -> eduPersonEntitlement -> Actions -> Edit provisioner
+
+In this provisioner, members of a group will have their user record in LDAP updated in the eduPersonEntitlement attribute. The entitlement value can be a static string, or will fall back to the group name.
+
+### Create a full sync provisioning job
+
+The provisioner exists, but needs to have either a full sync or incremental job to perform the provisioning.
+
+* Go to Miscellaneous->Daemon jobs
+* Under More actions, choose Add daemon
+* Create a job:
+ - Config id: `eduPersonEntitlement_full_sync`
+ Enable: *Yes*
+ Daemon type: *Provisioning full sync*
+ Provisioner config id: *eduPersonEntitlement*
+ Quartz cron: `0 0 4 * * ?`
+
+### Configure provisioning on group
+
+* Navigate back to the _app:wiki:service:policy:wiki\_user_ group
+* Under More actions, choose *Provisioning* and assign the new provisioner:
+ Target name: *eduPersonEntitlement*
+ Type: *Yes*
+ Provision: *Yes*
+ Entitlement String: `http://sp.example.org/wiki`
+
+### Run provisioner job
+
+* In Miscellaneous -> Daemon jobs, look for job _OTHER\_JOB\edupersonEntitlement\_full\_sync_
+* Under job actions, choose *Run job now*
+* Click on the hyperlink for the job to go to the job log
+* Click on *Apply filter* until the job completes
+
+### Verify Provisioning results
+
+* From the GTE Jump page (https://localhost:8443/) launch the LDAP manager and login.
+* Verify users in Grouper _wiki_users_ have an entitlement of http://sp.example.org/wiki (e.g. uid=aalexan2)
+
+### Configure Shib to release eduPersonEntitlement
+
+* Open a private browser, and log in to https://localhost:8443/app with username _abrown_ and password _password_
+* Look at value for _eduPersonEntitlement_
diff --git a/docs/copy-paste-markdown/201.5.md b/docs/copy-paste-markdown/201.5.md
new file mode 100644
index 0000000..eb7b256
--- /dev/null
+++ b/docs/copy-paste-markdown/201.5.md
@@ -0,0 +1,100 @@
+# Grouper Training Environment - text to copy and paste - 201.5
+
+# Policy Groups and Dynamic Application Permissions
+
+## Learning Objectives
+
+- Understand how to use policy groups with dynamic application specific roles
+- Implement delegated access control
+- Configure attestation
+
+## Hands On
+
+### Create a cognos application and policy
+
+Use the Application template to create the cognos application folder and group set in the app folder.
+
+* Navigate to the _app_ folder
+* create a new application (More actions -> New template -> Application)
+ - Key: `cognos`
+ - Description:
+ ```Manage policy roles for Cognos application```
+
+Use the Policy template to create two new policy groups in app:cognos:service:policy
+
+* Navigate to the _service:policy_ subfolder
+* Create new policy template:
+ - Key: `cg_fin_report_reader`
+ - Description: `Report Reader Access Policy`
+* Create new policy template:
+ - Key: `cg_fin_report_writer`
+ - Description: `Report Writer Access Policy`
+
+### Implement report reader access policy
+
+All Budget and Finance (dept. 10810) employees have read access to finance reports. Implement the reader policy.
+
+* Add _basis:hr:employee:dept:10810:staff_ (name _Budget & Finance staff_) to *cg_fin_report_reader_allow*
+
+### Implement report writer access policy
+
+Only employees authorized by the Finance Manager have access to write reports. This policy will require an application specific reference group. It will be used as an access control list managed by the Finance Manager.
+
+* Navigate to subfolder _service:ref_
+* Create group finance_report_writer
+* Assign object type:
+ - Type name: *ref*
+ - Type: *Yes*
+ - Data owner: `Finance Manager`
+ - Member description: `Employees authorized by the Finance Manager have access to write reports`
+* Add finance_report_writer to cg_fin_report_write_allow
+
+### Delegate access control to Finance Manager
+
+The Finance Manager will directly manage the finance_report_writer access control list.
+
+* Create new group under ref:role
+ - Name: `Finance Manager`
+ - Id: `financeManager`
+* Assign object type: *ref*
+* Add Daniel Riddle (`driddle`) to _ref:role:financeManager_
+
+The Finance Manager will directly manage the finance_report_writer access control list.
+
+* Navigate to *app:cognos:service:ref:finance_report_writer*
+* Go to the privilege tag
+* Add member "Finance Manager", and grant UPDATE and READ
+* Review privileges on finance_report_writer
+* Trace privileges for Daniel Riddle (Choose action -> Actions -> Trace privileges)
+
+
+### Test privileges
+
+* Open a private browser window
+* Log in with username `driddle` and password `password`
+* Note *Groups I manage* on the main page
+* Add Carrie Campbell (`ccampbe2`) to *finance_report_writer*
+* Go back to banderson browser
+* Review audit log for finance_report_writer (finance_report_writer -> More actions -> View audit log)
+
+### Add attestation to finance_report_writer
+
+Add attestation requirement for finance_report_writer.
+
+* Navigate to finance_report_writer
+* Add attestation (More actions -> Attestation -> Attestation actions -> Edit attestation settings)
+ - Attestation: *Yes*
+ - Default remaining options
+
+### Test attestation
+
+(As driddle)
+
+* Log back in as `driddle` (if the window was closed)
+* Navigate to *finance_report_writer*
+* Click button *Mark group as reviewed*
+
+(As banderson)
+
+* Go back to the banderson window
+* Review attestation audit log. (finance_report_writer -> More actions -> Attestation -> View audit log)
diff --git a/docs/201/201.1.rst b/docs/sphinx/201/201.1.rst
similarity index 100%
rename from docs/201/201.1.rst
rename to docs/sphinx/201/201.1.rst
diff --git a/docs/201/201.2.rst b/docs/sphinx/201/201.2.rst
similarity index 100%
rename from docs/201/201.2.rst
rename to docs/sphinx/201/201.2.rst
diff --git a/docs/201/201.3.rst b/docs/sphinx/201/201.3.rst
similarity index 100%
rename from docs/201/201.3.rst
rename to docs/sphinx/201/201.3.rst
diff --git a/docs/201/201.4.rst b/docs/sphinx/201/201.4.rst
similarity index 100%
rename from docs/201/201.4.rst
rename to docs/sphinx/201/201.4.rst
diff --git a/docs/201/201.5.rst b/docs/sphinx/201/201.5.rst
similarity index 100%
rename from docs/201/201.5.rst
rename to docs/sphinx/201/201.5.rst
diff --git a/docs/201/examples/201-3-4.pspng-epa.grouper-loader.properties b/docs/sphinx/201/examples/201-3-4.pspng-epa.grouper-loader.properties
similarity index 100%
rename from docs/201/examples/201-3-4.pspng-epa.grouper-loader.properties
rename to docs/sphinx/201/examples/201-3-4.pspng-epa.grouper-loader.properties
diff --git a/docs/201/examples/201-3-5.attribute-filter.xml b/docs/sphinx/201/examples/201-3-5.attribute-filter.xml
similarity index 100%
rename from docs/201/examples/201-3-5.attribute-filter.xml
rename to docs/sphinx/201/examples/201-3-5.attribute-filter.xml
diff --git a/docs/201/examples/201-4-4.pspng-epe.grouper-loader.properties b/docs/sphinx/201/examples/201-4-4.pspng-epe.grouper-loader.properties
similarity index 100%
rename from docs/201/examples/201-4-4.pspng-epe.grouper-loader.properties
rename to docs/sphinx/201/examples/201-4-4.pspng-epe.grouper-loader.properties
diff --git a/docs/201/examples/201-4-5.attribute-filter.xml b/docs/sphinx/201/examples/201-4-5.attribute-filter.xml
similarity index 100%
rename from docs/201/examples/201-4-5.attribute-filter.xml
rename to docs/sphinx/201/examples/201-4-5.attribute-filter.xml
diff --git a/docs/201/index.rst b/docs/sphinx/201/index.rst
similarity index 100%
rename from docs/201/index.rst
rename to docs/sphinx/201/index.rst
diff --git a/docs/401/401.1.rst b/docs/sphinx/401/401.1.rst
similarity index 100%
rename from docs/401/401.1.rst
rename to docs/sphinx/401/401.1.rst
diff --git a/docs/401/401.2.rst b/docs/sphinx/401/401.2.rst
similarity index 100%
rename from docs/401/401.2.rst
rename to docs/sphinx/401/401.2.rst
diff --git a/docs/401/401.3.rst b/docs/sphinx/401/401.3.rst
similarity index 100%
rename from docs/401/401.3.rst
rename to docs/sphinx/401/401.3.rst
diff --git a/docs/401/401.4-example-solution.rst b/docs/sphinx/401/401.4-example-solution.rst
similarity index 100%
rename from docs/401/401.4-example-solution.rst
rename to docs/sphinx/401/401.4-example-solution.rst
diff --git a/docs/401/401.4.rst b/docs/sphinx/401/401.4.rst
similarity index 100%
rename from docs/401/401.4.rst
rename to docs/sphinx/401/401.4.rst
diff --git a/docs/401/appendix.rst b/docs/sphinx/401/appendix.rst
similarity index 100%
rename from docs/401/appendix.rst
rename to docs/sphinx/401/appendix.rst
diff --git a/docs/401/examples/401.1.3-pspng-config.properties b/docs/sphinx/401/examples/401.1.3-pspng-config.properties
similarity index 100%
rename from docs/401/examples/401.1.3-pspng-config.properties
rename to docs/sphinx/401/examples/401.1.3-pspng-config.properties
diff --git a/docs/401/examples/401.2.2-pspng-config.properties b/docs/sphinx/401/examples/401.2.2-pspng-config.properties
similarity index 100%
rename from docs/401/examples/401.2.2-pspng-config.properties
rename to docs/sphinx/401/examples/401.2.2-pspng-config.properties
diff --git a/docs/401/examples/401.2.3-general-authn.xml b/docs/sphinx/401/examples/401.2.3-general-authn.xml
similarity index 100%
rename from docs/401/examples/401.2.3-general-authn.xml
rename to docs/sphinx/401/examples/401.2.3-general-authn.xml
diff --git a/docs/401/examples/401.2.3-mfa-authn-config.xml b/docs/sphinx/401/examples/401.2.3-mfa-authn-config.xml
similarity index 100%
rename from docs/401/examples/401.2.3-mfa-authn-config.xml
rename to docs/sphinx/401/examples/401.2.3-mfa-authn-config.xml
diff --git a/docs/401/examples/401.2.4-athletics-dept.txt b/docs/sphinx/401/examples/401.2.4-athletics-dept.txt
similarity index 100%
rename from docs/401/examples/401.2.4-athletics-dept.txt
rename to docs/sphinx/401/examples/401.2.4-athletics-dept.txt
diff --git a/docs/401/examples/401.2.5-banner-netids.txt b/docs/sphinx/401/examples/401.2.5-banner-netids.txt
similarity index 100%
rename from docs/401/examples/401.2.5-banner-netids.txt
rename to docs/sphinx/401/examples/401.2.5-banner-netids.txt
diff --git a/docs/401/examples/401.3.2-grouper-loader.properties b/docs/sphinx/401/examples/401.3.2-grouper-loader.properties
similarity index 100%
rename from docs/401/examples/401.3.2-grouper-loader.properties
rename to docs/sphinx/401/examples/401.3.2-grouper-loader.properties
diff --git a/docs/401/examples/401.3.2-grouper.client.properties b/docs/sphinx/401/examples/401.3.2-grouper.client.properties
similarity index 100%
rename from docs/401/examples/401.3.2-grouper.client.properties
rename to docs/sphinx/401/examples/401.3.2-grouper.client.properties
diff --git a/docs/401/index.rst b/docs/sphinx/401/index.rst
similarity index 100%
rename from docs/401/index.rst
rename to docs/sphinx/401/index.rst
diff --git a/docs/Makefile b/docs/sphinx/Makefile
similarity index 100%
rename from docs/Makefile
rename to docs/sphinx/Makefile
diff --git a/docs/conf.py b/docs/sphinx/conf.py
similarity index 100%
rename from docs/conf.py
rename to docs/sphinx/conf.py
diff --git a/docs/figures/201-add-ref-students.png b/docs/sphinx/figures/201-add-ref-students.png
similarity index 100%
rename from docs/figures/201-add-ref-students.png
rename to docs/sphinx/figures/201-add-ref-students.png
diff --git a/docs/figures/201-anna-smith-trace-priv.png b/docs/sphinx/figures/201-anna-smith-trace-priv.png
similarity index 100%
rename from docs/figures/201-anna-smith-trace-priv.png
rename to docs/sphinx/figures/201-anna-smith-trace-priv.png
diff --git a/docs/figures/201-anna-smith-trace.png b/docs/sphinx/figures/201-anna-smith-trace.png
similarity index 100%
rename from docs/figures/201-anna-smith-trace.png
rename to docs/sphinx/figures/201-anna-smith-trace.png
diff --git a/docs/figures/201-asmith989-attest.png b/docs/sphinx/figures/201-asmith989-attest.png
similarity index 100%
rename from docs/figures/201-asmith989-attest.png
rename to docs/sphinx/figures/201-asmith989-attest.png
diff --git a/docs/figures/201-create-students-group.png b/docs/sphinx/figures/201-create-students-group.png
similarity index 100%
rename from docs/figures/201-create-students-group.png
rename to docs/sphinx/figures/201-create-students-group.png
diff --git a/docs/figures/201-ePA-attribute-release.png b/docs/sphinx/figures/201-ePA-attribute-release.png
similarity index 100%
rename from docs/figures/201-ePA-attribute-release.png
rename to docs/sphinx/figures/201-ePA-attribute-release.png
diff --git a/docs/figures/201-ePA-member-vis.png b/docs/sphinx/figures/201-ePA-member-vis.png
similarity index 100%
rename from docs/figures/201-ePA-member-vis.png
rename to docs/sphinx/figures/201-ePA-member-vis.png
diff --git a/docs/figures/201-ePA-member.png b/docs/sphinx/figures/201-ePA-member.png
similarity index 100%
rename from docs/figures/201-ePA-member.png
rename to docs/sphinx/figures/201-ePA-member.png
diff --git a/docs/figures/201-ePA-policy-groups.png b/docs/sphinx/figures/201-ePA-policy-groups.png
similarity index 100%
rename from docs/figures/201-ePA-policy-groups.png
rename to docs/sphinx/figures/201-ePA-policy-groups.png
diff --git a/docs/figures/201-ePA-pspng-run.png b/docs/sphinx/figures/201-ePA-pspng-run.png
similarity index 100%
rename from docs/figures/201-ePA-pspng-run.png
rename to docs/sphinx/figures/201-ePA-pspng-run.png
diff --git a/docs/figures/201-ePA-pspng.png b/docs/sphinx/figures/201-ePA-pspng.png
similarity index 100%
rename from docs/figures/201-ePA-pspng.png
rename to docs/sphinx/figures/201-ePA-pspng.png
diff --git a/docs/figures/201-ePE-value.png b/docs/sphinx/figures/201-ePE-value.png
similarity index 100%
rename from docs/figures/201-ePE-value.png
rename to docs/sphinx/figures/201-ePE-value.png
diff --git a/docs/figures/201-eduPersonAffiliation-app-template.png b/docs/sphinx/figures/201-eduPersonAffiliation-app-template.png
similarity index 100%
rename from docs/figures/201-eduPersonAffiliation-app-template.png
rename to docs/sphinx/figures/201-eduPersonAffiliation-app-template.png
diff --git a/docs/figures/201-fin-report-attest-audit-log.png b/docs/sphinx/figures/201-fin-report-attest-audit-log.png
similarity index 100%
rename from docs/figures/201-fin-report-attest-audit-log.png
rename to docs/sphinx/figures/201-fin-report-attest-audit-log.png
diff --git a/docs/figures/201-fin-report-reader.png b/docs/sphinx/figures/201-fin-report-reader.png
similarity index 100%
rename from docs/figures/201-fin-report-reader.png
rename to docs/sphinx/figures/201-fin-report-reader.png
diff --git a/docs/figures/201-fin-report-write-audit.png b/docs/sphinx/figures/201-fin-report-write-audit.png
similarity index 100%
rename from docs/figures/201-fin-report-write-audit.png
rename to docs/sphinx/figures/201-fin-report-write-audit.png
diff --git a/docs/figures/201-fin-report-writer-attestation.png b/docs/sphinx/figures/201-fin-report-writer-attestation.png
similarity index 100%
rename from docs/figures/201-fin-report-writer-attestation.png
rename to docs/sphinx/figures/201-fin-report-writer-attestation.png
diff --git a/docs/figures/201-fin-report-writer.png b/docs/sphinx/figures/201-fin-report-writer.png
similarity index 100%
rename from docs/figures/201-fin-report-writer.png
rename to docs/sphinx/figures/201-fin-report-writer.png
diff --git a/docs/figures/201-jsmith-trace.png b/docs/sphinx/figures/201-jsmith-trace.png
similarity index 100%
rename from docs/figures/201-jsmith-trace.png
rename to docs/sphinx/figures/201-jsmith-trace.png
diff --git a/docs/figures/201-new-vpn-app.png b/docs/sphinx/figures/201-new-vpn-app.png
similarity index 100%
rename from docs/figures/201-new-vpn-app.png
rename to docs/sphinx/figures/201-new-vpn-app.png
diff --git a/docs/figures/201-new-vpn-policy.png b/docs/sphinx/figures/201-new-vpn-policy.png
similarity index 100%
rename from docs/figures/201-new-vpn-policy.png
rename to docs/sphinx/figures/201-new-vpn-policy.png
diff --git a/docs/figures/201-priv-grant-fin-mgr.png b/docs/sphinx/figures/201-priv-grant-fin-mgr.png
similarity index 100%
rename from docs/figures/201-priv-grant-fin-mgr.png
rename to docs/sphinx/figures/201-priv-grant-fin-mgr.png
diff --git a/docs/figures/201-pspng-entitlements-run-job.png b/docs/sphinx/figures/201-pspng-entitlements-run-job.png
similarity index 100%
rename from docs/figures/201-pspng-entitlements-run-job.png
rename to docs/sphinx/figures/201-pspng-entitlements-run-job.png
diff --git a/docs/figures/201-review-priv-fin-mgr.png b/docs/sphinx/figures/201-review-priv-fin-mgr.png
similarity index 100%
rename from docs/figures/201-review-priv-fin-mgr.png
rename to docs/sphinx/figures/201-review-priv-fin-mgr.png
diff --git a/docs/figures/201-students-change-of-status.png b/docs/sphinx/figures/201-students-change-of-status.png
similarity index 100%
rename from docs/figures/201-students-change-of-status.png
rename to docs/sphinx/figures/201-students-change-of-status.png
diff --git a/docs/figures/201-students-direct-membership.png b/docs/sphinx/figures/201-students-direct-membership.png
similarity index 100%
rename from docs/figures/201-students-direct-membership.png
rename to docs/sphinx/figures/201-students-direct-membership.png
diff --git a/docs/figures/201-students-end-date.png b/docs/sphinx/figures/201-students-end-date.png
similarity index 100%
rename from docs/figures/201-students-end-date.png
rename to docs/sphinx/figures/201-students-end-date.png
diff --git a/docs/figures/201-students-indirect-membership.png b/docs/sphinx/figures/201-students-indirect-membership.png
similarity index 100%
rename from docs/figures/201-students-indirect-membership.png
rename to docs/sphinx/figures/201-students-indirect-membership.png
diff --git a/docs/figures/201-students-visualization.png b/docs/sphinx/figures/201-students-visualization.png
similarity index 100%
rename from docs/figures/201-students-visualization.png
rename to docs/sphinx/figures/201-students-visualization.png
diff --git a/docs/figures/201-vpn-access.png b/docs/sphinx/figures/201-vpn-access.png
similarity index 100%
rename from docs/figures/201-vpn-access.png
rename to docs/sphinx/figures/201-vpn-access.png
diff --git a/docs/figures/201-vpn-access2.png b/docs/sphinx/figures/201-vpn-access2.png
similarity index 100%
rename from docs/figures/201-vpn-access2.png
rename to docs/sphinx/figures/201-vpn-access2.png
diff --git a/docs/figures/201-vpn-allow-audit.png b/docs/sphinx/figures/201-vpn-allow-audit.png
similarity index 100%
rename from docs/figures/201-vpn-allow-audit.png
rename to docs/sphinx/figures/201-vpn-allow-audit.png
diff --git a/docs/figures/201-vpn-allow-privileges.png b/docs/sphinx/figures/201-vpn-allow-privileges.png
similarity index 100%
rename from docs/figures/201-vpn-allow-privileges.png
rename to docs/sphinx/figures/201-vpn-allow-privileges.png
diff --git a/docs/figures/201-wiki-app.png b/docs/sphinx/figures/201-wiki-app.png
similarity index 100%
rename from docs/figures/201-wiki-app.png
rename to docs/sphinx/figures/201-wiki-app.png
diff --git a/docs/figures/201-wiki-policy.png b/docs/sphinx/figures/201-wiki-policy.png
similarity index 100%
rename from docs/figures/201-wiki-policy.png
rename to docs/sphinx/figures/201-wiki-policy.png
diff --git a/docs/figures/201-wiki-user-pspng.png b/docs/sphinx/figures/201-wiki-user-pspng.png
similarity index 100%
rename from docs/figures/201-wiki-user-pspng.png
rename to docs/sphinx/figures/201-wiki-user-pspng.png
diff --git a/docs/figures/401-banderson-mfa-enabled.png b/docs/sphinx/figures/401-banderson-mfa-enabled.png
similarity index 100%
rename from docs/figures/401-banderson-mfa-enabled.png
rename to docs/sphinx/figures/401-banderson-mfa-enabled.png
diff --git a/docs/figures/401-board-effect-ann-admin-priv.png b/docs/sphinx/figures/401-board-effect-ann-admin-priv.png
similarity index 100%
rename from docs/figures/401-board-effect-ann-admin-priv.png
rename to docs/sphinx/figures/401-board-effect-ann-admin-priv.png
diff --git a/docs/figures/401-board-effect-ann-privs.png b/docs/sphinx/figures/401-board-effect-ann-privs.png
similarity index 100%
rename from docs/figures/401-board-effect-ann-privs.png
rename to docs/sphinx/figures/401-board-effect-ann-privs.png
diff --git a/docs/figures/401-board-effect-ann-updated-privs.png b/docs/sphinx/figures/401-board-effect-ann-updated-privs.png
similarity index 100%
rename from docs/figures/401-board-effect-ann-updated-privs.png
rename to docs/sphinx/figures/401-board-effect-ann-updated-privs.png
diff --git a/docs/figures/401-board-effect-app.png b/docs/sphinx/figures/401-board-effect-app.png
similarity index 100%
rename from docs/figures/401-board-effect-app.png
rename to docs/sphinx/figures/401-board-effect-app.png
diff --git a/docs/figures/401-board-effect-final-privs.png b/docs/sphinx/figures/401-board-effect-final-privs.png
similarity index 100%
rename from docs/figures/401-board-effect-final-privs.png
rename to docs/sphinx/figures/401-board-effect-final-privs.png
diff --git a/docs/figures/401-board-effect-finance-committee.png b/docs/sphinx/figures/401-board-effect-finance-committee.png
similarity index 100%
rename from docs/figures/401-board-effect-finance-committee.png
rename to docs/sphinx/figures/401-board-effect-finance-committee.png
diff --git a/docs/figures/401-board-effect-finance-privs-admin.png b/docs/sphinx/figures/401-board-effect-finance-privs-admin.png
similarity index 100%
rename from docs/figures/401-board-effect-finance-privs-admin.png
rename to docs/sphinx/figures/401-board-effect-finance-privs-admin.png
diff --git a/docs/figures/401-board-effect-my-groups.png b/docs/sphinx/figures/401-board-effect-my-groups.png
similarity index 100%
rename from docs/figures/401-board-effect-my-groups.png
rename to docs/sphinx/figures/401-board-effect-my-groups.png
diff --git a/docs/figures/401-board-effect-rabbitmq.png b/docs/sphinx/figures/401-board-effect-rabbitmq.png
similarity index 100%
rename from docs/figures/401-board-effect-rabbitmq.png
rename to docs/sphinx/figures/401-board-effect-rabbitmq.png
diff --git a/docs/figures/401-board-effect-ref-board-privs.png b/docs/sphinx/figures/401-board-effect-ref-board-privs.png
similarity index 100%
rename from docs/figures/401-board-effect-ref-board-privs.png
rename to docs/sphinx/figures/401-board-effect-ref-board-privs.png
diff --git a/docs/figures/401-board-effect-trace-ann-updaters.png b/docs/sphinx/figures/401-board-effect-trace-ann-updaters.png
similarity index 100%
rename from docs/figures/401-board-effect-trace-ann-updaters.png
rename to docs/sphinx/figures/401-board-effect-trace-ann-updaters.png
diff --git a/docs/figures/401-board-effect-workroom-helpers.png b/docs/sphinx/figures/401-board-effect-workroom-helpers.png
similarity index 100%
rename from docs/figures/401-board-effect-workroom-helpers.png
rename to docs/sphinx/figures/401-board-effect-workroom-helpers.png
diff --git a/docs/figures/401-board-effect-workroom.png b/docs/sphinx/figures/401-board-effect-workroom.png
similarity index 100%
rename from docs/figures/401-board-effect-workroom.png
rename to docs/sphinx/figures/401-board-effect-workroom.png
diff --git a/docs/figures/401-bsmith458-trace-membership.png b/docs/sphinx/figures/401-bsmith458-trace-membership.png
similarity index 100%
rename from docs/figures/401-bsmith458-trace-membership.png
rename to docs/sphinx/figures/401-bsmith458-trace-membership.png
diff --git a/docs/figures/401-bsmith458-trace.png b/docs/sphinx/figures/401-bsmith458-trace.png
similarity index 100%
rename from docs/figures/401-bsmith458-trace.png
rename to docs/sphinx/figures/401-bsmith458-trace.png
diff --git a/docs/figures/401-ldap-loader-diag.png b/docs/sphinx/figures/401-ldap-loader-diag.png
similarity index 100%
rename from docs/figures/401-ldap-loader-diag.png
rename to docs/sphinx/figures/401-ldap-loader-diag.png
diff --git a/docs/figures/401-ldap-loader-logs.png b/docs/sphinx/figures/401-ldap-loader-logs.png
similarity index 100%
rename from docs/figures/401-ldap-loader-logs.png
rename to docs/sphinx/figures/401-ldap-loader-logs.png
diff --git a/docs/figures/401-legacy-ldap-vpn.png b/docs/sphinx/figures/401-legacy-ldap-vpn.png
similarity index 100%
rename from docs/figures/401-legacy-ldap-vpn.png
rename to docs/sphinx/figures/401-legacy-ldap-vpn.png
diff --git a/docs/figures/401-lms-solution.png b/docs/sphinx/figures/401-lms-solution.png
similarity index 100%
rename from docs/figures/401-lms-solution.png
rename to docs/sphinx/figures/401-lms-solution.png
diff --git a/docs/figures/401-mfa-amber-join.png b/docs/sphinx/figures/401-mfa-amber-join.png
similarity index 100%
rename from docs/figures/401-mfa-amber-join.png
rename to docs/sphinx/figures/401-mfa-amber-join.png
diff --git a/docs/figures/401-mfa-amber-leave.png b/docs/sphinx/figures/401-mfa-amber-leave.png
similarity index 100%
rename from docs/figures/401-mfa-amber-leave.png
rename to docs/sphinx/figures/401-mfa-amber-leave.png
diff --git a/docs/figures/401-mfa-athletics.png b/docs/sphinx/figures/401-mfa-athletics.png
similarity index 100%
rename from docs/figures/401-mfa-athletics.png
rename to docs/sphinx/figures/401-mfa-athletics.png
diff --git a/docs/figures/401-mfa-banner-2days-review.png b/docs/sphinx/figures/401-mfa-banner-2days-review.png
similarity index 100%
rename from docs/figures/401-mfa-banner-2days-review.png
rename to docs/sphinx/figures/401-mfa-banner-2days-review.png
diff --git a/docs/figures/401-mfa-banner-2days.png b/docs/sphinx/figures/401-mfa-banner-2days.png
similarity index 100%
rename from docs/figures/401-mfa-banner-2days.png
rename to docs/sphinx/figures/401-mfa-banner-2days.png
diff --git a/docs/figures/401-mfa-banner-minus-faculty.png b/docs/sphinx/figures/401-mfa-banner-minus-faculty.png
similarity index 100%
rename from docs/figures/401-mfa-banner-minus-faculty.png
rename to docs/sphinx/figures/401-mfa-banner-minus-faculty.png
diff --git a/docs/figures/401-mfa-clean-policy.png b/docs/sphinx/figures/401-mfa-clean-policy.png
similarity index 100%
rename from docs/figures/401-mfa-clean-policy.png
rename to docs/sphinx/figures/401-mfa-clean-policy.png
diff --git a/docs/figures/401-mfa-enabled.png b/docs/sphinx/figures/401-mfa-enabled.png
similarity index 100%
rename from docs/figures/401-mfa-enabled.png
rename to docs/sphinx/figures/401-mfa-enabled.png
diff --git a/docs/figures/401-mfa-opt-in-privs.png b/docs/sphinx/figures/401-mfa-opt-in-privs.png
similarity index 100%
rename from docs/figures/401-mfa-opt-in-privs.png
rename to docs/sphinx/figures/401-mfa-opt-in-privs.png
diff --git a/docs/figures/401-mfa-opt-in-security.png b/docs/sphinx/figures/401-mfa-opt-in-security.png
similarity index 100%
rename from docs/figures/401-mfa-opt-in-security.png
rename to docs/sphinx/figures/401-mfa-opt-in-security.png
diff --git a/docs/figures/401-mfa-policy.png b/docs/sphinx/figures/401-mfa-policy.png
similarity index 100%
rename from docs/figures/401-mfa-policy.png
rename to docs/sphinx/figures/401-mfa-policy.png
diff --git a/docs/figures/401-other-cohorts.png b/docs/sphinx/figures/401-other-cohorts.png
similarity index 100%
rename from docs/figures/401-other-cohorts.png
rename to docs/sphinx/figures/401-other-cohorts.png
diff --git a/docs/figures/401-vpn-acls-visual.png b/docs/sphinx/figures/401-vpn-acls-visual.png
similarity index 100%
rename from docs/figures/401-vpn-acls-visual.png
rename to docs/sphinx/figures/401-vpn-acls-visual.png
diff --git a/docs/figures/401-vpn-add-jsmith.png b/docs/sphinx/figures/401-vpn-add-jsmith.png
similarity index 100%
rename from docs/figures/401-vpn-add-jsmith.png
rename to docs/sphinx/figures/401-vpn-add-jsmith.png
diff --git a/docs/figures/401-vpn-ajohnson409-privs.png b/docs/sphinx/figures/401-vpn-ajohnson409-privs.png
similarity index 100%
rename from docs/figures/401-vpn-ajohnson409-privs.png
rename to docs/sphinx/figures/401-vpn-ajohnson409-privs.png
diff --git a/docs/figures/401-vpn-attest.png b/docs/sphinx/figures/401-vpn-attest.png
similarity index 100%
rename from docs/figures/401-vpn-attest.png
rename to docs/sphinx/figures/401-vpn-attest.png
diff --git a/docs/figures/401-vpn-audit-list.png b/docs/sphinx/figures/401-vpn-audit-list.png
similarity index 100%
rename from docs/figures/401-vpn-audit-list.png
rename to docs/sphinx/figures/401-vpn-audit-list.png
diff --git a/docs/figures/401-vpn-authorized-ldap.png b/docs/sphinx/figures/401-vpn-authorized-ldap.png
similarity index 100%
rename from docs/figures/401-vpn-authorized-ldap.png
rename to docs/sphinx/figures/401-vpn-authorized-ldap.png
diff --git a/docs/figures/401-vpn-blee172-pit-query.png b/docs/sphinx/figures/401-vpn-blee172-pit-query.png
similarity index 100%
rename from docs/figures/401-vpn-blee172-pit-query.png
rename to docs/sphinx/figures/401-vpn-blee172-pit-query.png
diff --git a/docs/figures/401-vpn-legacy-members.png b/docs/sphinx/figures/401-vpn-legacy-members.png
similarity index 100%
rename from docs/figures/401-vpn-legacy-members.png
rename to docs/sphinx/figures/401-vpn-legacy-members.png
diff --git a/docs/figures/401-vpn-misc-attest.png b/docs/sphinx/figures/401-vpn-misc-attest.png
similarity index 100%
rename from docs/figures/401-vpn-misc-attest.png
rename to docs/sphinx/figures/401-vpn-misc-attest.png
diff --git a/docs/figures/401-vpn-policy.png b/docs/sphinx/figures/401-vpn-policy.png
similarity index 100%
rename from docs/figures/401-vpn-policy.png
rename to docs/sphinx/figures/401-vpn-policy.png
diff --git a/docs/figures/401-vpn-provision-to.png b/docs/sphinx/figures/401-vpn-provision-to.png
similarity index 100%
rename from docs/figures/401-vpn-provision-to.png
rename to docs/sphinx/figures/401-vpn-provision-to.png
diff --git a/docs/figures/401-vpn-trace-blee172.png b/docs/sphinx/figures/401-vpn-trace-blee172.png
similarity index 100%
rename from docs/figures/401-vpn-trace-blee172.png
rename to docs/sphinx/figures/401-vpn-trace-blee172.png
diff --git a/docs/index.rst b/docs/sphinx/index.rst
similarity index 100%
rename from docs/index.rst
rename to docs/sphinx/index.rst
diff --git a/docs/make.bat b/docs/sphinx/make.bat
similarity index 100%
rename from docs/make.bat
rename to docs/sphinx/make.bat
diff --git a/ex201/ex201.end/container_files/seed-data/bootstrap.gsh b/ex201/ex201.end/container_files/seed-data/bootstrap.gsh
index 3232b3e..7e6748b 100644
--- a/ex201/ex201.end/container_files/seed-data/bootstrap.gsh
+++ b/ex201/ex201.end/container_files/seed-data/bootstrap.gsh
@@ -15,7 +15,7 @@ import java.text.SimpleDateFormat;
Range ACTIVE_CLASS_YEARS = 2022..2025
int RECENT_GRADUATE_YEAR = 2021
java.util.Calendar cal = Calendar.getInstance()
-cal.set(2021, Calendar.DECEMBER, 31, 17, 0, 0)
+cal.set(2022, Calendar.MARCH, 31, 17, 0, 0)
java.util.Date RECENT_GRAD_END_DATE = cal.time
/***** END Defaults that may need to be changed for each class *****/
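Review bot: The grace-period end date on `cal.set(2022, Calendar.MARCH, 31, 17, 0, 0)` is still a hand-edited literal with nothing beside it saying how it follows from `RECENT_GRADUATE_YEAR`, and the TODO.md entry in this same commit gives the end date as 2022/03/01, which does not match March 31. Judging by the constant's name, this date sets when recent graduates' membership lapses, so a stale or mistyped value would leave that membership in place longer than intended. `Calendar.getInstance()` also keeps the current milliseconds and the JVM default time zone, so the stored instant differs between runs and hosts; a `cal.clear()` before the `set` removes the millisecond drift. I would add a comment such as `// grace period end for RECENT_GRADUATE_YEAR graduates (9 months per TODO.md); update both values together each class`.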
@@ -199,10 +199,12 @@ HelperMethods.addSubjectWithCount(studentGroup, classSubject)
/* Create adhoc transfer student group and add members */
-Stem xferStudentStem = new StemSave(gs).assignName("basis:adhoc:student").save()
-Group xferStudentGroup = new GroupSave(gs).assignName("${xferStudentStem.name}:transfer_student").save()
-HelperMethods.assignObjectTypeForGroup(xferStudentGroup, "basis")
-HelperMethods.assignObjectTypeForGroup(xferStudentGroup, "manual")
+Group xferStudentGroup = new GroupSave(gs).assignName("ref:student:transfer_student").
+ assignDisplayExtension("Transfer Student").
+ assignDescription($/Students recently transfered but not yet in SIS/$).
+ save()
+
+HelperMethods.assignObjectTypeForGroup(xferStudentGroup, "manual", "Registrar", "Ad-hoc recent transfer students not yet in SIS")
['whawkins', 'hyoung', 'jmejia'].each {
Subject s = SubjectFinder.findByIdentifier(it, true)
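Review bot: The description literal on the `assignDescription` line misspells "transferred" (`$/Students recently transfered but not yet in SIS/$`), and this looks like text that is displayed for the group. The group now lives under `ref:student` but receives only the `manual` object type; if reference groups in this script are meant to carry the `ref` type too (TODO.md in this commit lists missing ref types as open items), add `HelperMethods.assignObjectTypeForGroup(xferStudentGroup, "ref", "Registrar", "Ad-hoc recent transfer students not yet in SIS")` next to the existing call. With the `StemSave` removed, the `GroupSave` depends on `ref:student` having been created earlier in the script, which this hunk does not show. The `.each` closure that adds the three subjects continues outside the hunk.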
@@ -213,7 +215,7 @@ HelperMethods.assignObjectTypeForGroup(xferStudentGroup, "manual")
classSubject = xferStudentGroup.toSubject()
HelperMethods.addSubjectWithCount(studentGroup, classSubject)
-/* Add transfer students to All Students */
+/* Add leave of absence students to All Students */
classSubject = GroupFinder.findByName(gs, "basis:sis:prog_status:all:la", true).toSubject()
HelperMethods.addSubjectWithCount(studentGroup, classSubject)
@@ -226,7 +228,7 @@ HelperMethods.addSubjectWithCount(studentGroup, classSubject)
HelperMethods.newApplicationTemplate(StemFinder.findByName(gs, "app", true),
"gitlab",
"GitLab",
- "Access policy for the ITS GitLab version control system",
+ "Access policies for the ITS GitLab version control system",
null)
@@ -251,18 +253,24 @@ ArrayList myServiceActionIds = [
HelperMethods.newPolicyTemplate(policyStem,
"gitlab_access",
- "GitLab",
- "Access policy for the ITS GitLab version control system",
+ "GitLab Access",
+ "Overall access policy for the ITS GitLab version control system",
myServiceActionIds
)
/* Add members to gitlab_access_allow */
Group gitlabAccessAllow = GroupFinder.findByName(gs, "app:gitlab:service:policy:gitlab_access_allow", true)
-["ref:role:emp:staff", "ref:role:emp:faculty", "basis:hr:employee:dept:10901:affiliate"].each {
+["ref:role:all_facstaff", "basis:hr:employee:dept:10901:affiliate"].each {
Subject s = SubjectFinder.findByIdentifierAndSource(it, "g:gsa", true)
HelperMethods.addSubjectWithCount(gitlabAccessAllow, s)
}
+/* Grant update to Infrastructure staff */
+
+Group gitlabUpdaters = GroupFinder.findByName(gs, "app:gitlab:security:gitlabUpdaters", true)
+Group infrastructureStaff = GroupFinder.findByName(gs, "basis:hr:employee:dept:10903:staff", true)
+HelperMethods.addSubjectWithCount(gitlabUpdaters, infrastructureStaff.toSubject())
+
/***** 201.3 eduPersonAffiliation *****/
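Review bot: The added `gitlabUpdaters` lines put the basis group `basis:hr:employee:dept:10903:staff` straight into a security group, so anyone the HR load places in department 10903 gains what the comment calls update rights, with no reference group in between. That leaves nowhere to name the role, record an owner, or attach attestation. `gitlab_access_allow` has the same shape with `basis:hr:employee:dept:10901:affiliate` sitting beside `ref:role:all_facstaff`. I would point the lookup at a reference group instead, for example `Group infrastructureStaff = GroupFinder.findByName(gs, "ref:role:<infrastructure-staff-group>", true)` (placeholder name), and populate that group from the department basis group. If the direct basis membership is intentional for the exercise, a comment such as `/* basis group used directly here for brevity; production policy should reference a ref group */` would stop it being copied as a pattern.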