updates for 201.1 and 201.2

docs/201/201.1.rst

@@ -57,13 +57,13 @@ to students.
 Exercise 201.1.1 All students reference group
 ---------------------------------------------
 
-*Create an all student reference group to be used in access policy and the all
-students mailing list*
+Create an all student reference group to be used in access policy and the "all
+students" mailing list.
 
-Reference groups for student by class year already exist. These are being used
-for class year mailing lists. Membership in the class year groups are updated
-automatically by the studentTermLoader job. The loader job queries the student
-information system.
+Reference groups for students by class year already exist in `ref:student`.
+These are being used for class year mailing lists. Membership in the class year
+groups are updated automatically by the studentTermLoader job. The loader job
+queries the student information system.
 
 1. Create a new group named `ref:student:students`.
    (+ Create new group)
@@ -75,7 +75,7 @@ information system.
 
 .. figure:: ../figures/201-add-ref-students.png
 
-3. Add the following class year reference groups to `..:students`.
+3. Add the following class year reference groups to `students`.
    (Members -> + Add members -> ...)
 
 * `ref:student:class2020`
@@ -84,7 +84,7 @@ information system.
 * `ref:student:class2023`
 
 4. Filter for: Has direct membership. This shows all the reference groups that
-   contribute to the '..:students' group.
+   contribute to the `students` group.
 
 .. figure:: ../figures/201-students-direct-membership.png
 
@@ -140,14 +140,16 @@ Exercise 201.1.4 Transfer Students
 Students who transfer to your campus often need access to systems well ahead
 of SIS data being fully updated.
 
-#. Create a new basis group, `basis:student:transfer_student`.
+#. Create a new basis group `basis:student:transfer_student` and add it to
+   `students`
+
 #. Add the following accounts to `transfer_student`:
 
-    * agrady901
-    * alee467
-    * ascott776
+* pmartinez921
+* cthompson287
+* agrady901
 
-#. Check how many students there are now. The number of students did not go
+3. Check how many students there are now. The number of students did not go
    up by 3 as you might have expected. Why? One of the transfer students was
    already a member of `students`. Trace the membership on each of the
    transfer students to determine which accounts already had the `students`
@@ -157,8 +159,8 @@ of SIS data being fully updated.
 Exercise 201.1.5 Change of Status
 ---------------------------------
 
-Students who leave for a variety of reasons are given a 32 day grace period
-during which they retain student access.  Basis groups for these already exist.
+Students who leave for a variety of reasons are given a 32 day grace period,
+during which they retain student access. Basis groups for these already exist.
 They include:
 
 * `basis:student:expelled_32_days`
@@ -167,6 +169,8 @@ They include:
 
 #. Add these basis groups to `students`.  How many students are there now?
 
+.. figure:: ../figures/201-students-change-of-status.png
+
 ------------------------------------------
 Exercise 201.1.6 Leave of Absence Students
 ------------------------------------------

docs/201/201.2.rst

@@ -63,19 +63,17 @@ create a new structure for our VPN service policy.
 
 3. Navigate to the `app:vpn:service:policy` folder
 
-4. Create a new vpn_authorized policy group using the Policy Group Template
+4. Create a new vpn_access policy group using the Policy Group Template
    (More actions -> New template)
 
 .. figure:: ../figures/201-new-vpn-policy.png
 
-[ this should be replaced with policy template when ready ]
+TODO: Steps 5 through 8 should be replaced with policy template when ready
 
-5. Create `app:vpn:vpn_authorized`.
+5. Create `app:vpn:vpn_access`.
 6. Create `app:vpn:vpn_allow`.
 7. Create `app:vpn:vpn_deny`.
-8. Make `vpn_authorized` a composite of `vpn_allow` minus `vpn_deny`.
-
-.. figure:: ../figures/201-vpn-composite.png
+8. Make `vpn_access` a composite of `vpn_allow` minus `vpn_deny`.
 
 -------------------------------------------------------------------
 Exercise 201.2.2 Create digital policy from natural language policy
@@ -88,10 +86,10 @@ are already available.
 #. Add `ref:employee:fac_staff` to `vpn_allow`.
 #. Add `ref:security:locked_by_ciso` to `vpn_deny`.
 #. Add `ref:iam:closure` to `vpn_deny`.
-#. Review the `vpn_authorized` policy definition
-   (vpn_authorized -> More actions -> Visualization)
+#. Review the `vpn_access` policy definition
+   (vpn_access -> More actions -> Visualization)
 
-.. figure:: ../figures/201-vpn-authorized.png
+.. figure:: ../figures/201-vpn-access.png
 
 ----------------------------------------------------------------------------
 Exercise 201.2.3 Update policy to include institutional review board members
@@ -103,7 +101,7 @@ account is in a closure state".
 
 #. Add `org:irb:ref:irb_members` to `vpn_allow`.
 #. Add *jsmith* to `org:irb:ref:irb_members`.
-#. Trace membership for *jsmith* from `vpn_authorized`. (jsmith -> Choose
+#. Trace membership for *jsmith* from `vpn_access`. (jsmith -> Choose
    action -> Actions -> Trace membership)
 
 .. figure:: ../figures/201-jsmith-trace.png
@@ -113,10 +111,10 @@ account is in a closure state".
 
 .. figure:: ../figures/201-vpn-allow-audit.png
 
-5. Review policy definition for `vpn_authorized`.
-   (vpn_authorized -> More actions -> Visualization)
+5. Review policy definition for `vpn_access`.
+   (vpn_access -> More actions -> Visualization)
 
-.. figure:: ../figures/201-vpn-authorized2.png
+.. figure:: ../figures/201-vpn-access2.png
 
 ------------------------------------------------------------
 Exercise 201.2.4 Review Application template security groups

ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh

@@ -182,3 +182,50 @@ attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouper
 addMember("basis:student:loa_4_years","jprice704");
 addMember("basis:student:loa_4_years","aprice705");
 addMember("basis:student:loa_4_years","aclark706");
+
+// setup for 201.2
+// should be a loader job?
+addStem("ref", "employee", "employee")
+fac_staff = addGroup("ref:employee", "fac_staff", "fac_staff")
+
+// Set ref object type on fac_staff reference group
+AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true);
+AttributeAssign attributeAssign = fac_staff.getAttributeDelegate().hasAttribute(typeMarker) ? fac_staff.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : fac_staff.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner",
+"HR and Provost Office");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
+"All faculty and staff");
+
+addStem("ref", "security", "security")
+locked_by_ciso = addGroup("ref:security", "locked_by_ciso", "locked_by_ciso")
+AttributeAssign attributeAssign = locked_by_ciso.getAttributeDelegate().hasAttribute(typeMarker) ? locked_by_ciso.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : locked_by_ciso.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner",
+"CISO");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
+"Subjects denied access by CISO");
+
+addStem("ref", "iam", "iam")
+closure = addGroup("ref:iam", "closure", "closure")
+AttributeAssign attributeAssign = closure.getAttributeDelegate().hasAttribute(typeMarker) ? closure.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : closure.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner",
+"IAM");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
+"Accounts in the process of being closed");
+
+addStem("org", "irb", "irb")
+addStem("org:irb", "ref", "ref")
+irb_members = addGroup("org:irb:ref", "irb_members", "irb_members")
+AttributeAssign attributeAssign = irb_members.getAttributeDelegate().hasAttribute(typeMarker) ? irb_members.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : irb_members.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner",
+"Institutional Review Board");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
+"Members of the IRB");
+

ex201/ex201.1.1/container_files/seed-data/sisData.sql

@@ -3324,7 +3324,6 @@ INSERT INTO SIS_COURSES (termId, courseId, studentId) VALUES ('201810','ACCT101'
 INSERT INTO SIS_COURSES (termId, courseId, studentId) VALUES ('201810','ENGL101','80000902');
 INSERT INTO SIS_COURSES (termId, courseId, studentId) VALUES ('201810','MATH100','80000902');
 INSERT INTO SIS_COURSES (termId, courseId, studentId) VALUES ('201810','HIST101','80000902');
-INSERT INTO SIS_STUDENT_TERMS (id, term) VALUES ('80000902','2019');
 INSERT INTO SIS_STUDENT_TERMS (id, term) VALUES ('80000902','2022');
 INSERT INTO HR_PEOPLE(id, surname, givenName) VALUES ('80000903','Gasper','Mark');
 INSERT INTO HR_PEOPLE_ROLES(id, role) VALUES ('80000903','staff');

ex201/ex201.2.1/container_files/seed-data/bootstrap.gsh

@@ -1,49 +1,3 @@
 GrouperSession.startRootSession()
 delStem("201.1.end")
 addRootStem("201.2.1", "201.2.1")
-
-// should be a loader job?
-addStem("ref", "employee", "employee")
-fac_staff = addGroup("ref:employee", "fac_staff", "fac_staff")
-
-// Set ref object type on fac_staff reference group
-AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true);
-AttributeAssign attributeAssign = fac_staff.getAttributeDelegate().hasAttribute(typeMarker) ? fac_staff.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : fac_staff.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
-attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
-attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref");
-attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner",
-"HR and Provost Office");
-attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
-"All faculty and staff");
-
-addStem("ref", "security", "security")
-locked_by_ciso = addGroup("ref:security", "locked_by_ciso", "locked_by_ciso")
-AttributeAssign attributeAssign = locked_by_ciso.getAttributeDelegate().hasAttribute(typeMarker) ? locked_by_ciso.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : locked_by_ciso.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
-attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
-attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref");
-attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner",
-"CISO");
-attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
-"Subjects denied access by CISO");
-
-addStem("ref", "iam", "iam")
-closure = addGroup("ref:iam", "closure", "closure")
-AttributeAssign attributeAssign = closure.getAttributeDelegate().hasAttribute(typeMarker) ? closure.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : closure.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
-attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
-attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref");
-attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner",
-"IAM");
-attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
-"Accounts in the process of being closed");
-
-addStem("org", "irb", "irb")
-addStem("org:irb", "ref", "ref")
-irb_members = addGroup("org:irb:ref", "irb_members", "irb_members")
-AttributeAssign attributeAssign = irb_members.getAttributeDelegate().hasAttribute(typeMarker) ? irb_members.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : irb_members.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
-attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
-attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref");
-attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner",
-"Institutional Review Board");
-attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
-"Members of the IRB");
-

ex201/ex201.2.end/container_files/seed-data/bootstrap.gsh

@@ -9,16 +9,20 @@ addStem("app:vpn:service", "policy", "policy")
 addStem("app:vpn:service", "ref", "ref")
 addStem("app:vpn:service", "attributes", "attributes")
 
-addGroup("app:vpn:service:policy", "vpn_authorized", "vpn_authorized")
+addGroup("app:vpn:service:policy", "vpn_access", "vpn_access")
 addGroup("app:vpn:service:policy", "vpn_allow", "vpn_allow")
 addGroup("app:vpn:service:policy", "vpn_deny", "vpn_deny")
-addComposite("app:vpn:service:policy:vpn_authorized", CompositeType.COMPLEMENT, "app:vpn:service:policy:vpn_allow", "app:vpn:service:policy:vpn_deny")
+addComposite("app:vpn:service:policy:vpn_access", CompositeType.COMPLEMENT, "app:vpn:service:policy:vpn_allow", "app:vpn:service:policy:vpn_deny")
 
 addGroup("app:vpn:security", "vpnAdmins", "vpnAdmins")
 addGroup("app:vpn:security", "vpnReaders", "vpnReaders")
 addGroup("app:vpn:security", "vpnUpdaters", "vpnUpdaters")
 grantPriv("app:vpn", "app:vpn:security:vpnAdmins", NamingPrivilege.STEM)
 
+grantPriv("app:vpn:service:policy:vpn_allow", "app:vpn:security:vpnAdmins", AccessPrivilege.ADMIN)
+grantPriv("app:vpn:service:policy:vpn_allow", "app:vpn:security:vpnUpdaters", AccessPrivilege.UPDATE)
+grantPriv("app:vpn:service:policy:vpn_allow", "app:vpn:security:vpnReaders", AccessPrivilege.READ)
+
 //ex 201.2.2
 addMember("app:vpn:service:policy:vpn_allow", "ref:employee:fac_staff")
 addMember("app:vpn:service:policy:vpn_deny", "ref:security:locked_by_ciso")