diff --git a/docs/201/201.1.rst b/docs/201/201.1.rst index ae055af..371268b 100644 --- a/docs/201/201.1.rst +++ b/docs/201/201.1.rst @@ -185,7 +185,7 @@ Exercise 201.1.7 What do you mean by "student"? The `student` reference group is used in access policy for student services. Being a "student" means access to a broad array of student services. This -instutionally meaning cohort is well defined, easily understood, and capable +instutionally meaningful cohort is well defined, easily understood, and capable of being extended in a rational way. Review the `students` reference group definition by using the Grouper Visualization feature. (students -> More actions -> Visualization) diff --git a/docs/201/201.2.rst b/docs/201/201.2.rst index 8e9e125..b37debd 100644 --- a/docs/201/201.2.rst +++ b/docs/201/201.2.rst @@ -1,13 +1,13 @@ - -============================== -GTE 201.2 Access Policy Groups -============================== +============================ +Access Policy Groups (201.2) +============================ ------------------- Learning Objectives ------------------- -* Translate a natural language policy group into digital policy using access policy groups. +* Translate a natural language policy group into digital policy using access + policy groups. * Understand the difference between policy groups and reference groups. -------------- 
@@ -23,91 +23,114 @@ Overview `NIST SP 800-162`_ describes how natural language policy, that is access policy stated in common language, must be converted to digital policy for any access -control mechanism to effectively operate. Digital policy is manifest in +control mechanism to effectively operate. Digital policy is manifest in Grouper via access policy groups. Subject membership in an access policy group -be indirect and represents a precomputed access policy decision based on subject -attributes (i.e. the subject’s membership in various reference groups). +should be indirect and represents a precomputed access policy decision based on +subject attributes (i.e. a subject’s membership in various reference groups). An **access policy** group is a composite group whose membership is composed of an include group (i.e. the allow group) minus an exclude group (i.e. the deny -group). Subject membership in both the allow group and the deny group should be -indirect (i.e. through reference groups) and have a clear mapping to the natural -language policy. When exceptions to policy are necessary, locally scoped -reference groups should be added. +group). Subject membership in both the allow group and the deny group should +be indirect (i.e. through reference groups) and have a clear mapping to the +natural language policy. When exceptions to policy are necessary, locally +scoped reference groups should be added. Limiting policy groups to indirect membership assignments via reference groups -ensures that as subject attributes change, effective membership is up to date and -access control decisions are correct. It also enables the direct mapping from -natural language policy to digital policy and vice versa. Individual exceptions to -policy, while not expressly recommended, can be accommodated by adding subjects -directly to the allow/deny groups. +ensures that as subject attributes change, effective membership is up to date +and access control decisions are correct. 
It also enables the direct mapping +from natural language policy to digital policy and vice versa. Individual +exceptions to policy, while not expressly recommended, can be accommodated by +adding subjects directly to the allow/deny groups. + +Membership within an access policy group is often kept in sync directly with a +target service or an intermediary like an LDAP based enterprise directory +service. Services can also query Grouper directly for membership assignment. + +-------------------------------------------- +Exercise 201.2.1 Application folder template +-------------------------------------------- + +Generally, access policy groups are organzied in a set of folders following a +common convention descripted in the Grouper Deployment Guide. A template for +this structure is available in the Grouper UI. Use the Application Template to +create a new structure for our VPN service policy. -Membership within an access policy group is often kept in sync directly with a target -service or an intermediary like an LDAP based enterprise directory service. -Services can also query Grouper directly for membership assignment. +#. Navigate to the `app` folder +#. Create a new `vpn` application structure using the Application Template + (More actions -> New template) ----------------- -Exercise 201.2.1 ----------------- +.. figure:: ../figures/201-new-vpn-app.png -*Application folder structure* +3. Navigate to the `app:vpn:service:policy` folder -#. Create `app:vpn:vpn_authorized`. -#. Create `app:vpn:vpn_allow`. -#. Create `app:vpn:vpn_deny`. -#. Make `vpn_authorized` a composite of `vpn_allow` minus `vpn_deny`. +4. Create a new vpn_authorized policy group using the Policy Group Template + (More actions -> New template) ----------------- -Exercise 201.2.2 ----------------- +.. 
figure:: ../figures/201-new-vpn-policy.png -*Create digital policy from natural language policy* +[ this should be replaced with policy template when ready ] -Natural language policy is "all faculty, staff have access to vpn, unless denied -by CISO or the account is in a closure state". Reference groups are already -available. +5. Create `app:vpn:vpn_authorized`. +6. Create `app:vpn:vpn_allow`. +7. Create `app:vpn:vpn_deny`. +8. Make `vpn_authorized` a composite of `vpn_allow` minus `vpn_deny`. + +.. figure:: ../figures/201-vpn-composite.png + +------------------------------------------------------------------- +Exercise 201.2.2 Create digital policy from natural language policy +------------------------------------------------------------------- + +The natural language policy is "all faculty and staff have access to vpn, +unless denied by CISO or the account is in a closure state". Reference groups +are already available. #. Add `ref:employee:fac_staff` to `vpn_allow`. #. Add `ref:security:locked_by_ciso` to `vpn_deny`. #. Add `ref:iam:closure` to `vpn_deny`. +#. Review the `vpn_authorized` policy definition + (vpn_authorized -> More actions -> Visualization) ----------------- -Exercise 201.2.3 ----------------- +.. figure:: ../figures/201-vpn-authorized.png -*Update policy to also allow institutional review board members access to VPN* +---------------------------------------------------------------------------- +Exercise 201.2.3 Update policy to include institutional review board members +---------------------------------------------------------------------------- -New natural language policy is "all faculty, staff and members of the institutional -review board have access to vpn, unless denied by CISO or the account is in a closure -state". +The new natural language policy is "all faculty, staff, and members of the +institutional review board have access to vpn, unless denied by CISO or the +account is in a closure state". #. 
Add `org:irb:ref:irb_members` to `vpn_allow`. #. Add *jsmith* to `org:irb:ref:irb_members`. -#. Trace membership for *jsmith* from `vpn_authorized`. -#. View the audit log on `vpn_allow`. +#. Trace membership for *jsmith* from `vpn_authorized`. (jsmith -> Choose + action -> Actions -> Trace membership) + +.. figure:: ../figures/201-jsmith-trace.png ----------------- -Exercise 201.2.4 ----------------- +4. View the audit log on `vpn_allow`. (vpn_allow -> More actions -> View audit + log) -*Create security groups for policy* +.. figure:: ../figures/201-vpn-allow-audit.png -#. Create `ref:app:vpn:etc` folder. -#. Create `ref:app:vpn:etc:vpn_admins` group. -#. Assign **ADMIN** privilege to `vpn_admins` for `ref:app:vpn`. -#. Inherit privileges to all sub folders (and objects). +5. Review policy definition for `vpn_authorized`. + (vpn_authorized -> More actions -> Visualization) - #. Navigate to `app:vpn`. - #. :guilabel:`More` |rightarrow| :guilabel:`Privileges inherited to objects in folder` - #. Click :guilabel:`Add Members`, and add `vpn_admins`. - #. Add admin privileges for folder, group, and attributes. +.. figure:: ../figures/201-vpn-authorized2.png -#. Navigate to `ref:app:vpn:ref:vpn_allow`. -#. Click :guilabel:`Privileges` |rightarrow| :guilabel:`Actions` |rightarrow| :guilabel:`Trace Priviliges`. +------------------------------------------------------------ +Exercise 201.2.4 Review Application template security groups +------------------------------------------------------------ +Adminstrative access to the application template folders and groups is +controlled by security groups in `app:vpn:security`. Security groups are +essentially policy groups for Grouper access. Review the default privileges on +`vpn_allow`. +#. Naviage to `ref:app:vpn:service:policy:vpn_allow`. +#. Click on the Privileges tab. -.. |rightarrow| unicode:: U+2192 +.. figure:: ../figures/201-vpn-allow-privileges.png .. 
_NIST SP 800-162: https://csrc.nist.gov/publications/detail/sp/800-162/final .. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program diff --git a/docs/201/201.3.rst b/docs/201/201.3.rst index 9d861aa..2c96a26 100644 --- a/docs/201/201.3.rst +++ b/docs/201/201.3.rst @@ -1,7 +1,7 @@ -=================================== -GTE 201.3 ACM1 eduPersonAffiliation -=================================== +======================================================= +Access Control Model 1 eduPersonAffiliation (GTE 201.3) +======================================================= ------------------- Learning Objectives @@ -27,17 +27,18 @@ Lab Components Overview -------- -`Grouper Deployment Guide`_ access control model 1 is all about subject attribute -management. This model is useful for cases where there exists a loose relationship -between the institution and the service provider. Assuming both are in a -federation like InCommon, and a locally defined notion of eduPersonAffiliation_ is -sufficient for access control, a broad set of services can be enabled fairly easily. +`Grouper Deployment Guide`_ access control model 1 (ACM1) is all about subject +attribute management. This model is useful for cases where there exists a loose +relationship between the institution and the service provider. Assuming both +are in a multilateral SAML federation like InCommon, and a locally defined +notion of eduPersonAffiliation_ is sufficient for access control, a broad set +of services can be enabled fairly easily. .. warning:: This access control model is based on making subject attributes directly available to services and allowing the service to make access control decisions - based on those attributes. This approach has several shortcomings: + based on those attributes. This approach has several shortcomings: * The subject attributes provided often lack sufficient **context** to make informed access control decisions. 
@@ -62,38 +63,44 @@ sufficient for access control, a broad set of services can be enabled fairly eas affiliations based on the service provider requesting authentication (*policy decisions become opaque*). * Alternatively, exceptions may be handled by configuring them directly at - the service provider (*policy decisions become opaque*). + the service provider (*policy decisions become opaque*). ----------------- -Exercise 201.3.1 ----------------- +------------------------------------------------------------------ +Exercise 201.3.1 Create app folder for eduPersonAffiliation values +------------------------------------------------------------------ +#. Navigate to the `app` folder +#. Create a new `eduPersonAffiliation` application structure using the + Application Template (More actions -> New template) -*Create app folder to master eduPersonAffiliation* +.. figure:: ../figures/201-eduPersonAffiliation-app-template.png -#. Create folder `app:eduPersonAffiliation`. -#. Create groups `...:eduPersonAffiliation:ePA_student|staff|...` to represent - eduPersonAffiliation values. +#. Create the following policy groups in + `app:eduPersonAffiliation:service:policy:` ----------------- -Exercise 201.3.2 ----------------- +* `ePA_student` +* `ePA_faculty` +* `ePA_staff` -*Add reference groups that constitute local policy for eduPersonAffiliation values* +.. figure:: ../figures/201-ePA-policy-groups.png - Therefore each institution will decide the criteria for membership in each - affiliation classification. What is desirable is that a reasonable person - should find an institution's definition of the affiliation plausible. +--------------------------------------------------------------------------- +Exercise 201.3.2 Add reference groups to eduPersonAffiliation policy groups +--------------------------------------------------------------------------- -#. Add `ref:student:students` to `...:eduPersonAffiliation:ePA_student`. 
+The eduPerson object class specification states: + "Therefore each institution will decide the criteria for membership in each + affiliation classification. What is desirable is that a reasonable person + should find an institution's definition of the affiliation plausible." ----------------- -Exercise 201.3.3 ----------------- +#. Add `ref:student:students` to `...:eduPersonAffiliation:ePA_student`. -*Create "member"* +---------------------------------------------------------------------- +Exercise 201.3.3 Create eduPersonAffiliation policy group for "member" +---------------------------------------------------------------------- -The "member" affiliation MUST be asserted for people carrying one or more of -the following affiliations: *faculty* or *staff* or *student* or *employee*. +The eduPerson object class specification states: + "The "member" affiliation MUST be asserted for people carrying one or more of + the following affiliations: *faculty* or *staff* or *student* or *employee*." .. note: 
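Review bot: the steps in the Exercise 201.3.1 part of this hunk will not number consecutively: `#. Navigate to the `app` folder` and `#. Create a new `eduPersonAffiliation` application structure` form one auto-enumerated list, the `.. figure::` directive that follows ends that list, and the next `#. Create the following policy groups in` therefore starts a new list at 1 instead of rendering as 3; the 201.2.rst hunk in this same patch handles the identical situation with an explicit `3.`, so do the same here. Second, the indented quotation placed directly under `+The eduPerson object class specification states:` has no blank line before it, which docutils reports as an unexpected-indentation error rather than parsing as a block quote; insert a blank line (the "member" quotation added for Exercise 201.3.3 has the same problem, and its inner double quotes around member should be single quotes or escaped so the quotation reads cleanly). Finally, the context line `.. note:` at the end of the hunk uses a single colon, which makes it an RST comment rather than a note directive, so the indented text that follows it is silently dropped from the rendered page; it should be `.. note::`.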
@@ -102,17 +109,16 @@ the following affiliations: *faculty* or *staff* or *student* or *employee*. faculty, staff and students. #. Create `app:eduPersonAffiliation:ePA_member`. -#. Add `...:ePA_faculty|staff|student|employee` to `...:ePA_member`. +#. Add `...:ePA_faculty | staff | student` to `...:ePA_member`. +#. Review `ePA_member` defintion (ePA_member -> More actions -> Visualization) ----------------- -Exercise 201.3.4 ----------------- +.. figure:: ../figures/201-ePA-member-vis.png -*Configure PSPNG to reflect ePA values to LDAP* +-------------------------------------------------------------- +Exercise 201.3.4 Configure PSPNG to reflect ePA values to LDAP +-------------------------------------------------------------- -#. Assign PSPNG *provision_to* attribute to `ePA_student` with a value of - **pspng_affiliations**. -#. Configure PSPNG to sync group membership to LDAP values for +#. Configure PSPNG to sync group membership to LDAP values for **eduPersonAffiliation**. .. literalinclude:: examples/201-3-4.pspng-epa.grouper-loader.properties 
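Review bot: the change from `...:ePA_faculty|staff|student|employee` to `...:ePA_faculty | staff | student` removes `employee` from what feeds `ePA_member`, while the eduPerson text quoted just above this list says member MUST be asserted for employee as well; if the lab intentionally has no employee group, state that in the visible exercise text, because the explanation currently sits under the `.. note:` line, which with its single colon renders as a comment. The group path is also inconsistent within this file: `app:eduPersonAffiliation:ePA_member` here versus the `app:eduPersonAffiliation:service:policy:` folder that the earlier hunk uses for `ePA_student`, `ePA_faculty` and `ePA_staff`; a policy group created outside the template's policy folder will not pick up the template's security groups, so the path should match. Typo in the new review step: `defintion`.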
@@ -120,14 +126,22 @@ Exercise 201.3.4 :caption: grouper-loader.properties :linenos: ----------------- -Exercise 201.3.5 ----------------- +#. Assign PSPNG *provision_to* attribute to `ePA_member` with a value of + **pspng_affiliations**. + +.. figure:: ../figures/201-ePA-pspng.png + +3. Review and "Run job now" the PSPNG affiliations change log consumer daemon + job (Miscellaneous -> All daemon jobs) -*Releasing ePA in SAML* +.. figure:: ../figures/201-ePA-pspng-run.png -The demo shibboleth IdP has been configured to release the ePA attribute to -the demo SP. The relevant configuration is below: +--------------------------------------------------------------------- +Exercise 201.3.5 Configure Shibboleth to release eduPersonAffiliation +--------------------------------------------------------------------- + +The demo Shibboleth IdP has been configured to release the ePA attribute to +the demo SP. The relevant configuration is below: .. literalinclude:: examples/201-3-5.attribute-filter.xml :language: xml @@ -136,13 +150,9 @@ the demo SP. The relevant configuration is below: :emphasize-lines: 9 :linenos: - - - - - - +1. Log in to https://localhost:8443/app with username `aclark706` and password `password`. +.. figure:: ../figures/201-ePA-attribute-release.png .. _eduPersonAffiliation: https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-201203.html#eduPersonAffiliation .. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program diff --git a/docs/figures/201-ePA-attribute-release.png b/docs/figures/201-ePA-attribute-release.png new file mode 100644 index 0000000..a762edf Binary files /dev/null and b/docs/figures/201-ePA-attribute-release.png differ diff --git a/docs/figures/201-ePA-member-vis.png b/docs/figures/201-ePA-member-vis.png new file mode 100644 index 0000000..e302e27 Binary files /dev/null and b/docs/figures/201-ePA-member-vis.png differ 
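Review bot: the numbering in the Exercise 201.3.4 part of this hunk is broken the same way as in the previous file: the `.. literalinclude::` block ends the enumerated list, so `#. Assign PSPNG *provision_to* attribute to `ePA_member`` restarts at 1 while the next step is written as an explicit `3. Review and "Run job now" ...`; make it an explicit `2.`. Since the old step that assigned *provision_to* on `ePA_student` was removed, only `ePA_member` is now marked for provisioning, so a sentence saying which groups end up reflected to LDAP (only member, or the three `ePA_*` policy groups as well) would keep the exercise honest about what the daemon job will actually sync. In the Exercise 201.3.5 part, `+1. Log in to https://localhost:8443/app ...` is immediately followed by `+.. figure:: ../figures/201-ePA-attribute-release.png` with no blank line, which docutils flags as an enumerated list ending without a blank line; add one.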
diff --git a/docs/figures/201-ePA-member.png b/docs/figures/201-ePA-member.png new file mode 100644 index 0000000..6042751 Binary files /dev/null and b/docs/figures/201-ePA-member.png differ diff --git a/docs/figures/201-ePA-policy-groups.png b/docs/figures/201-ePA-policy-groups.png new file mode 100644 index 0000000..80bbb27 Binary files /dev/null and b/docs/figures/201-ePA-policy-groups.png differ diff --git a/docs/figures/201-ePA-pspng-run.png b/docs/figures/201-ePA-pspng-run.png new file mode 100644 index 0000000..a610969 Binary files /dev/null and b/docs/figures/201-ePA-pspng-run.png differ diff --git a/docs/figures/201-ePA-pspng.png b/docs/figures/201-ePA-pspng.png new file mode 100644 index 0000000..6805bb4 Binary files /dev/null and b/docs/figures/201-ePA-pspng.png differ diff --git a/docs/figures/201-eduPersonAffiliation-app-template.png b/docs/figures/201-eduPersonAffiliation-app-template.png new file mode 100644 index 0000000..a1f0580 Binary files /dev/null and b/docs/figures/201-eduPersonAffiliation-app-template.png differ diff --git a/docs/figures/201-jsmith-trace.png b/docs/figures/201-jsmith-trace.png new file mode 100644 index 0000000..0898c24 Binary files /dev/null and b/docs/figures/201-jsmith-trace.png differ diff --git a/docs/figures/201-new-vpn-app.png b/docs/figures/201-new-vpn-app.png new file mode 100644 index 0000000..2f7a440 Binary files /dev/null and b/docs/figures/201-new-vpn-app.png differ diff --git a/docs/figures/201-vpn-allow-audit.png b/docs/figures/201-vpn-allow-audit.png new file mode 100644 index 0000000..7b147e2 Binary files /dev/null and b/docs/figures/201-vpn-allow-audit.png differ diff --git a/docs/figures/201-vpn-allow-privileges.png b/docs/figures/201-vpn-allow-privileges.png new file mode 100644 index 0000000..38ec2a1 Binary files /dev/null and b/docs/figures/201-vpn-allow-privileges.png differ 
diff --git a/docs/figures/201-vpn-authorized.png b/docs/figures/201-vpn-authorized.png new file mode 100644 index 0000000..f8774c4 Binary files /dev/null and b/docs/figures/201-vpn-authorized.png differ diff --git a/docs/figures/201-vpn-authorized2.png b/docs/figures/201-vpn-authorized2.png new file mode 100644 index 0000000..533e954 Binary files /dev/null and b/docs/figures/201-vpn-authorized2.png differ diff --git a/docs/figures/201-vpn-composite.png b/docs/figures/201-vpn-composite.png new file mode 100644 index 0000000..08b54bf Binary files /dev/null and b/docs/figures/201-vpn-composite.png differ diff --git a/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh index 5d9ce71..5d44b4c 100644 --- a/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh @@ -1,4 +1,5 @@ gs = GrouperSession.startRootSession(); +addRootStem("201.1.1", "201.1.1") addRootStem("basis", "basis"); addRootStem("ref", "ref"); addRootStem("bundle", "bundle"); 
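Review bot: `+addRootStem("201.1.1", "201.1.1")` is the only statement in this bootstrap.gsh without the terminating semicolon every surrounding line uses, and nothing says what the stem is for; the ex201.1.end script later in this patch deletes it and creates `201.1.end` in its place, so it is acting as a marker of which seed data has been loaded. A one-line comment stating that convention (and the semicolon) would save the next reader from wondering whether a stem named after an exercise is real data.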
@@ -18,16 +19,67 @@ setGroupAttr("etc:studentTermLoader", "grouperLoaderQuery", "select distinct id // Stub out class groups. These will be filled out by the studentTermLoader addStem("ref", "student", "student"); -addGroup("ref:student", "class2019", "class2019"); -addGroup("ref:student", "class2020", "class2020"); -addGroup("ref:student", "class2021", "class2021"); -addGroup("ref:student", "class2022", "class2022"); -addGroup("ref:student", "class2023", "class2023"); +class2019 = addGroup("ref:student", "class2019", "class2019"); +class2020 = addGroup("ref:student", "class2020", "class2020"); +class2021 = addGroup("ref:student", "class2021", "class2021"); +class2022 = addGroup("ref:student", "class2022", "class2022"); +class2023 = addGroup("ref:student", "class2023", "class2023"); + +// Set ref object type on class reference groups +AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); +AttributeAssign attributeAssign = class2019.getAttributeDelegate().hasAttribute(typeMarker) ? class2019.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : class2019.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", "Registrar"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Class of 2019"); + +AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); +AttributeAssign attributeAssign = class2020.getAttributeDelegate().hasAttribute(typeMarker) ? 
class2020.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : class2020.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", "Registrar"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Class of 2020"); + +AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); +AttributeAssign attributeAssign = class2021.getAttributeDelegate().hasAttribute(typeMarker) ? class2021.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : class2021.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", "Registrar"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Class of 2021"); + +AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); +AttributeAssign attributeAssign = class2022.getAttributeDelegate().hasAttribute(typeMarker) ? 
class2022.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : class2022.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", "Registrar"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Class of 2022"); + +AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); +AttributeAssign attributeAssign = class2023.getAttributeDelegate().hasAttribute(typeMarker) ? class2023.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : class2023.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", "Registrar"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Class of 2023"); // ex 201.1.2 addStem("basis", "student", "student"); -addGroup("basis:student", "student_no_class_year", "student_no_class_year"); -addMember("basis:student:student_no_class_year","wnielson101"); +student_no_class_year = addGroup("basis:student", "student_no_class_year", +"student_no_class_year"); + +AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); +AttributeAssign attributeAssign = 
student_no_class_year.getAttributeDelegate().hasAttribute(typeMarker) ? student_no_class_year.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : student_no_class_year.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "basis"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", "Registrar"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Students with no class year. Part-time students, employees taking classes, etc"); + +student_no_class_year.addMember(findSubject("wnielson101")); addMember("basis:student:student_no_class_year","ahenderson105"); addMember("basis:student:student_no_class_year","mnielson106"); addMember("basis:student:student_no_class_year","mclark114"); 
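Review bot: the object-type block (look up `etc:objectTypes:grouperObjectTypeMarker`, fetch-or-add the assignment, then set `grouperObjectTypeDirectAssignment`, `grouperObjectTypeName`, `grouperObjectTypeDataOwner` and `grouperObjectTypeMembersDescription`) is pasted verbatim five times for the class groups and once more for `student_no_class_year`, varying only in the group variable, the type name and the description. Define it once as a helper taking (group, typeName, dataOwner, description) and call it per group; that also removes the repeated `AttributeDefName typeMarker =` and `AttributeAssign attributeAssign =` declarations of the same names in one script, and makes it far less likely that a future copy-paste leaves a group with the wrong type name or a stale description. Separately, the hunk changes the first member to `student_no_class_year.addMember(findSubject("wnielson101"));` while every other member of the same group stays on `addMember("basis:student:student_no_class_year", ...)`; use one form for the whole block.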
@@ -54,7 +106,14 @@ addMember("basis:student:student_no_class_year","mdavis164"); addMember("basis:student:student_no_class_year","dlopez166"); // ex 201.1.3 -addGroup("basis:student", "exchange_students", "exchange_students"); +exchange_students = addGroup("basis:student", "exchange_students", "exchange_students"); +AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); +AttributeAssign attributeAssign = exchange_students.getAttributeDelegate().hasAttribute(typeMarker) ? exchange_students.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : exchange_students.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "basis"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", "Registrar"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Exchange students who are not in SIS"); addMember("basis:student:exchange_students","jnielson201"); addMember("basis:student:exchange_students","aprice205"); addMember("basis:student:exchange_students","cmorrison212"); 
@@ -67,21 +126,44 @@ addMember("basis:student:exchange_students","agasper233"); addMember("basis:student:exchange_students","jpeterson243"); // ex 201.1.5 -addGroup("basis:student", "expelled_32_days", "expelled_32_days"); +expelled_32_days = addGroup("basis:student", "expelled_32_days", "expelled_32_days"); +AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); +AttributeAssign attributeAssign = expelled_32_days.getAttributeDelegate().hasAttribute(typeMarker) ? expelled_32_days.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : expelled_32_days.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "basis"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", "Registrar"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Expelled students with a 32 day grace period"); addMember("basis:student:expelled_32_days","ewilliams400"); addMember("basis:student:expelled_32_days","dwalters404"); addMember("basis:student:expelled_32_days","ldoe407"); addMember("basis:student:expelled_32_days","mhenderson421"); addMember("basis:student:expelled_32_days","mgonazles423"); -addGroup("basis:student", "resigned_32_days", "resigned_32_days"); +resigned_32_days = addGroup("basis:student", "resigned_32_days", +"resigned_32_days"); +AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); +AttributeAssign attributeAssign = resigned_32_days.getAttributeDelegate().hasAttribute(typeMarker) ? 
resigned_32_days.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : resigned_32_days.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "basis"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", "Registrar"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Students who have resigned with a 32 day grace period"); addMember("basis:student:resigned_32_days","enielson500"); addMember("basis:student:resigned_32_days","sgrady501"); addMember("basis:student:resigned_32_days","sgasper513"); addMember("basis:student:resigned_32_days","swilliams516"); addMember("basis:student:resigned_32_days","jmorrison517"); -addGroup("basis:student", "transfered_32_days", "transfered_32_days"); +transfered_32_days = addGroup("basis:student", "transfered_32_days", +"transfered_32_days"); +AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); +AttributeAssign attributeAssign = transfered_32_days.getAttributeDelegate().hasAttribute(typeMarker) ? 
transfered_32_days.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : transfered_32_days.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "basis"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", "Registrar"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Students who have tranfered out with a 32 day grace period"); addMember("basis:student:transfered_32_days","ppeterson609"); addMember("basis:student:transfered_32_days","nthompson612"); addMember("basis:student:transfered_32_days","sanderson613"); 
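Review bot: typo in the new description for `transfered_32_days`: `"Students who have tranfered out with a 32 day grace period"` should read `transferred`. The group name itself keeps the pre-existing `transfered` spelling, which is fine to leave because other scripts reference that identifier, but the description is new text. The same copy-pasted object-type block appears three more times in this hunk for `expelled_32_days`, `resigned_32_days` and `transfered_32_days`, which would collapse to three calls of a shared helper.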
@@ -89,7 +171,14 @@ addMember("basis:student:transfered_32_days","mwhite617"); addMember("basis:student:transfered_32_days","mwalters618"); // ex 201.1.6 -addGroup("basis:student", "loa_4_years", "loa_4_years"); +loa_4_years = addGroup("basis:student", "loa_4_years", "loa_4_years"); +AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); +AttributeAssign attributeAssign = loa_4_years.getAttributeDelegate().hasAttribute(typeMarker) ? loa_4_years.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : loa_4_years.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "basis"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", "Registrar"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Students on leave of absence less than 4 years"); addMember("basis:student:loa_4_years","jprice704"); addMember("basis:student:loa_4_years","aprice705"); addMember("basis:student:loa_4_years","aclark706"); diff --git a/ex201/ex201.1.end/container_files/seed-data/bootstrap.gsh b/ex201/ex201.1.end/container_files/seed-data/bootstrap.gsh index 8084d28..ed00c7b 100644 --- a/ex201/ex201.1.end/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.1.end/container_files/seed-data/bootstrap.gsh @@ -1,4 +1,6 @@ gs = GrouperSession.startRootSession(); +delStem("201.1.1") +addRootStem("201.1.end", "201.1.end") // ex201.1.1 // addStem("ref", "student", "student") diff --git a/ex201/ex201.2.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.2.1/container_files/seed-data/bootstrap.gsh index 0025a4e..4d92526 100644 
--- a/ex201/ex201.2.1/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.2.1/container_files/seed-data/bootstrap.gsh 
@@ -1,9 +1,49 @@ - GrouperSession.startRootSession() +delStem("201.1.end") +addRootStem("201.2.1", "201.2.1") + +// should be a loader job? +addStem("ref", "employee", "employee") +fac_staff = addGroup("ref:employee", "fac_staff", "fac_staff") + +// Set ref object type on fac_staff reference group +AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); +AttributeAssign attributeAssign = fac_staff.getAttributeDelegate().hasAttribute(typeMarker) ? fac_staff.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : fac_staff.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", +"HR and Provost Office"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"All faculty and staff"); + +addStem("ref", "security", "security") +locked_by_ciso = addGroup("ref:security", "locked_by_ciso", "locked_by_ciso") +AttributeAssign attributeAssign = locked_by_ciso.getAttributeDelegate().hasAttribute(typeMarker) ? 
locked_by_ciso.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : locked_by_ciso.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", +"CISO"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Subjects denied access by CISO"); + +addStem("ref", "iam", "iam") +closure = addGroup("ref:iam", "closure", "closure") +AttributeAssign attributeAssign = closure.getAttributeDelegate().hasAttribute(typeMarker) ? closure.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : closure.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", +"IAM"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Accounts in the process of being closed"); -addStem("app", "vpn", "vpn") -addGroup("app:vpn", "vpn_authorized", "vpn_authorized") -addGroup("app:vpn", "vpn_allow", "vpn_allow") -addGroup("app:vpn", "vpn_deny", "vpn_deny") +addStem("org", "irb", "irb") +addStem("org:irb", "ref", "ref") +irb_members = addGroup("org:irb:ref", "irb_members", "irb_members") +AttributeAssign attributeAssign = irb_members.getAttributeDelegate().hasAttribute(typeMarker) ? 
irb_members.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : irb_members.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", +"Institutional Review Board"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Members of the IRB"); -addComposite("app:vpn:vpn_authorized", CompositeType.COMPLEMENT, "app:vpn:vpn_allow", "app:vpn:vpn_deny") \ No newline at end of file diff --git a/ex201/ex201.2.end/container_files/seed-data/bootstrap.gsh b/ex201/ex201.2.end/container_files/seed-data/bootstrap.gsh index d1ce2b9..c06c515 100644 --- a/ex201/ex201.2.end/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.2.end/container_files/seed-data/bootstrap.gsh 
@@ -1,30 +1,29 @@ - GrouperSession.startRootSession() +delStem("201.2.1") +addRootStem("201.2.end", "201.2.end") -//ex 201.2.2 -addStem("ref", "employee", "employee") -addGroup("ref:employee", "fac_staff", "fac_staff") -addMember("app:vpn:vpn_allow", "ref:employee:fac_staff") +addStem("app", "vpn", "vpn") +addStem("app:vpn", "service", "service") +addStem("app:vpn", "security", "security") +addStem("app:vpn:service", "policy", "policy") +addStem("app:vpn:service", "ref", "ref") +addStem("app:vpn:service", "attributes", "attributes") + +addGroup("app:vpn:service:policy", "vpn_authorized", "vpn_authorized") +addGroup("app:vpn:service:policy", "vpn_allow", "vpn_allow") +addGroup("app:vpn:service:policy", "vpn_deny", "vpn_deny") +addComposite("app:vpn:service:policy:vpn_authorized", CompositeType.COMPLEMENT, "app:vpn:service:policy:vpn_allow", "app:vpn:service:policy:vpn_deny") -addStem("ref", "security", "security") -addGroup("ref:security", "locked_by_cisco", "locked_by_cisco") -addMember("app:vpn:vpn_deny", "ref:security:locked_by_cisco") +addGroup("app:vpn:security", "vpnAdmins", "vpnAdmins") +addGroup("app:vpn:security", "vpnReaders", "vpnReaders") +addGroup("app:vpn:security", "vpnUpdaters", "vpnUpdaters") +grantPriv("app:vpn", "app:vpn:security:vpnAdmins", NamingPrivilege.STEM) -addStem("ref", "iam", "iam") -addGroup("ref:iam", "closure", "closure") -addMember("app:vpn:vpn_deny", "ref:iam:closure") +//ex 201.2.2 +addMember("app:vpn:service:policy:vpn_allow", "ref:employee:fac_staff") +addMember("app:vpn:service:policy:vpn_deny", "ref:security:locked_by_ciso") +addMember("app:vpn:service:policy:vpn_deny", "ref:iam:closure") //ex 201.2.3 -addStem("org", "irb", "irb") -addStem("org:irb", "ref", "ref") -addGroup("org:irb:ref", "irb_members", "irb_members") -addMember("app:vpn:vpn_allow", "org:irb:ref:irb_members") +addMember("app:vpn:service:policy:vpn_allow", "org:irb:ref:irb_members") addMember("org:irb:ref:irb_members", "jsmith") - -//ex 201.2.4 -addStem("ref", 
"app", "app") -addStem("ref:app", "vpn", "vpn") -addStem("ref:app:vpn", "etc", "etc") -addGroup("ref:app:vpn:etc", "vpn_admins", "vpn_admins") - -grantPriv("ref:app:vpn", "ref:app:vpn:etc:vpn_admins", NamingPrivilege.STEM) \ No newline at end of file diff --git a/ex201/ex201.3.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.3.1/container_files/seed-data/bootstrap.gsh index 3cf57fd..4fb816e 100644 --- a/ex201/ex201.3.1/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.3.1/container_files/seed-data/bootstrap.gsh @@ -1 +1,3 @@ GrouperSession.startRootSession() +delStem("201.2.end") +addRootStem("201.3.1", "201.3.1") diff --git a/ex201/ex201.3.end/container_files/seed-data/bootstrap.gsh b/ex201/ex201.3.end/container_files/seed-data/bootstrap.gsh index c93caa7..5af8a0b 100644 --- a/ex201/ex201.3.end/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.3.end/container_files/seed-data/bootstrap.gsh 
@@ -1,29 +1,33 @@ gs = GrouperSession.startRootSession() +delStem("201.3.1") +addRootStem("201.3.end", "201.3.end") //ex201.3.1 addStem("app", "eduPersonAffiliation", "eduPersonAffiliation"); -addGroup("app:eduPersonAffiliation", "ePA_student", "ePA_student"); -addGroup("app:eduPersonAffiliation", "ePA_staff", "ePA_staff"); -addGroup("app:eduPersonAffiliation", "ePA_alum", "ePA_alum"); -addGroup("app:eduPersonAffiliation", "ePA_member", "ePA_member"); -addGroup("app:eduPersonAffiliation", "ePA_affiliate", "ePA_affiliate"); -addGroup("app:eduPersonAffiliation", "ePA_employee", "ePA_employee"); -addGroup("app:eduPersonAffiliation", "ePA_library-walk-in", "ePA_library-walk-in"); +addStem("app:eduPersonAffiliation", "service", "service"); +addStem("app:eduPersonAffiliation:service", "policy", "policy"); +addGroup("app:eduPersonAffiliation:service:policy", "ePA_student", "ePA_student"); +addGroup("app:eduPersonAffiliation:service:policy", "ePA_staff", "ePA_staff"); +addGroup("app:eduPersonAffiliation:service:policy", "ePA_alum", "ePA_alum"); +addGroup("app:eduPersonAffiliation:service:policy", "ePA_member", "ePA_member"); +addGroup("app:eduPersonAffiliation:service:policy", "ePA_affiliate", "ePA_affiliate"); +addGroup("app:eduPersonAffiliation:service:policy", "ePA_employee", "ePA_employee"); +addGroup("app:eduPersonAffiliation:service:policy", "ePA_library-walk-in", "ePA_library-walk-in"); //ex201.3.2 -addMember("app:eduPersonAffiliation:ePA_student", "ref:student:students"); +addMember("app:eduPersonAffiliation:service:policy:ePA_student", "ref:student:students"); //ex201.3.3 -addMember("app:eduPersonAffiliation:ePA_member", "app:eduPersonAffiliation:ePA_student"); -addMember("app:eduPersonAffiliation:ePA_member", "app:eduPersonAffiliation:ePA_staff"); -addMember("app:eduPersonAffiliation:ePA_member", "app:eduPersonAffiliation:ePA_alum"); -addMember("app:eduPersonAffiliation:ePA_member", "app:eduPersonAffiliation:ePA_affiliate"); 
-addMember("app:eduPersonAffiliation:ePA_member", "app:eduPersonAffiliation:ePA_employee"); +addMember("app:eduPersonAffiliation:service:policy:ePA_member", "app:eduPersonAffiliation:service:policy:ePA_student"); +addMember("app:eduPersonAffiliation:service:policy:ePA_member", "app:eduPersonAffiliation:service:policy:ePA_staff"); +addMember("app:eduPersonAffiliation:service:policy:ePA_member", "app:eduPersonAffiliation:service:policy:ePA_alum"); +addMember("app:eduPersonAffiliation:service:policy:ePA_member", "app:eduPersonAffiliation:service:policy:ePA_affiliate"); +addMember("app:eduPersonAffiliation:service:policy:ePA_member", "app:eduPersonAffiliation:service:policy:ePA_employee"); //ex201.3.4 //Assign the PSPNG attribute for the standard groups -group = GroupFinder.findByName(gs, "app:eduPersonAffiliation:ePA_student"); +group = GroupFinder.findByName(gs, "app:eduPersonAffiliation:service:policy:ePA_member"); # Auto create the PSPNG attributes edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer("pspng_affiliations"); @@ -36,3 +40,4 @@ attributeAssignSave.addValue("pspng_affiliations"); attributeAssignSave.save(); //ex201.3.5 +// nothing to do here \ No newline at end of file
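Review bot: in the ex201.1 bootstrap hunks for resigned_32_days, transfered_32_days and loa_4_years, `AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true);` and `AttributeAssign attributeAssign = ...` are redeclared with their type in every block. If gsh evaluates the file as a single Groovy script, a second typed declaration of the same name in the same scope does not compile; look the marker up once at the top and use untyped `attributeAssign = ...` afterwards, or wrap the four repeated assignValue calls in a small closure so the object-type block is not copied per group. The transfered_32_days members description also reads "tranfered"; use "transferred" in the string (the group name itself is referenced by the addMember lines and can stay as is).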
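Review bot: `delStem("201.1.1")` in ex201.1.end assumes the marker stem from the previous exercise is present; on a fresh container it is not, and if delStem throws on a missing stem the bootstrap aborts before `addRootStem("201.1.end", "201.1.end")` runs. Guard it (find the stem first and only delete when it exists) or make the deletion tolerant. The same marker pattern is added to ex201.2.1, ex201.2.end, ex201.3.1 and ex201.3.end, so one helper would cover all five files. Minor: these two added lines omit the trailing semicolon that `gs = GrouperSession.startRootSession();` on the line above uses.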
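Review bot: the ex201.2.1 hunk removes ` GrouperSession.startRootSession()` and adds nothing in its place, while every other bootstrap.gsh in this patch keeps a root session; unless the gsh wrapper opens one itself, the addStem/addGroup/addRootStem calls that follow run without a session. Keep the line (assigned to `gs` as in ex201.1.end). The `// should be a loader job?` comment leaves an open design question in seed data; resolve it or move it to an issue. Here `typeMarker` is looked up once, but `AttributeAssign attributeAssign` is still declared with its type for each of fac_staff, locked_by_ciso, closure and irb_members, so the same redeclaration caveat as in the ex201.1 files applies.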
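Review bot: `app:vpn:security:vpnReaders` and `vpnUpdaters` are created in ex201.2.end but never granted anything; only vpnAdmins receives `grantPriv("app:vpn", "app:vpn:security:vpnAdmins", NamingPrivilege.STEM)`. If the reader and updater groups are meant to hold READ/UPDATE on the policy groups under app:vpn:service:policy, add the corresponding grantPriv calls; otherwise say in a comment that they are placeholders for a later exercise. The rest of the hunk is consistent: `vpn_authorized` is the COMPLEMENT of `vpn_allow` minus `vpn_deny`, matching the include-minus-exclude description in docs/201/201.2.rst, and the deny membership now references `ref:security:locked_by_ciso`, which is the name ex201.2.1 actually creates (the old `locked_by_cisco` spelling is gone). The file still ends without a newline.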
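Review bot: ex201.3.1 keeps `GrouperSession.startRootSession()` without assigning it to `gs`, unlike ex201.3.end where `gs` is passed to GroupFinder.findByName; harmless here because nothing in this file uses the session object, but aligning the five bootstrap files on one form (`gs = GrouperSession.startRootSession();`) would make them easier to diff against each other.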
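Review bot: under //ex201.3.4 the GroupFinder.findByName target changes from `app:eduPersonAffiliation:ePA_student` to `app:eduPersonAffiliation:service:policy:ePA_member`, which moves the PSPNG attribute to a different group; that is a behaviour change, not a path rename like the rest of the hunk, so confirm it is intended and update the comment "Assign the PSPNG attribute for the standard groups" to name the group. The unchanged context line `# Auto create the PSPNG attributes` is not Groovy comment syntax (`#` is only honoured as a shebang on the first line), so it is either a syntax error or silently tolerated by the shell; change it to `//` while touching this block. The added `// nothing to do here` under //ex201.3.5 lacks a trailing newline.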