diff --git a/docs/201/201.1.rst b/docs/201/201.1.rst index d7a207d..115970e 100644 --- a/docs/201/201.1.rst +++ b/docs/201/201.1.rst @@ -57,13 +57,13 @@ to students. Exercise 201.1.1 All students reference group --------------------------------------------- -*Create an all student reference group to be used in access policy and the all -students mailing list* +Create an all student reference group to be used in access policy and the "all +students" mailing list. -Reference groups for student by class year already exist. These are being used -for class year mailing lists. Membership in the class year groups are updated -automatically by the studentTermLoader job. The loader job queries the student -information system. +Reference groups for students by class year already exist in `ref:student`. +These are being used for class year mailing lists. Membership in the class year +groups are updated automatically by the studentTermLoader job. The loader job +queries the student information system. 1. Create a new group named `ref:student:students`. (+ Create new group) @@ -75,7 +75,7 @@ information system. .. figure:: ../figures/201-add-ref-students.png -3. Add the following class year reference groups to `..:students`. +3. Add the following class year reference groups to `students`. (Members -> + Add members -> ...) * `ref:student:class2020` @@ -84,7 +84,7 @@ information system. * `ref:student:class2023` 4. Filter for: Has direct membership. This shows all the reference groups that - contribute to the '..:students' group. + contribute to the `students` group. .. figure:: ../figures/201-students-direct-membership.png 
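Review bot: the reflowed paragraph in the first hunk (@@ -57,13) still carries the subject/verb mismatch "Membership in the class year groups are updated automatically by the studentTermLoader job"; since the hunk already rewrites those lines, change it to "Membership in the class year groups is updated automatically ...". The rest of the hunk (the `ref:student` reference and the `students` short form in steps 3 and 4) reads fine.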
@@ -140,14 +140,16 @@ Exercise 201.1.4 Transfer Students Students who transfer to your campus often need access to systems well ahead of SIS data being fully updated. -#. Create a new basis group, `basis:student:transfer_student`. +#. Create a new basis group `basis:student:transfer_student` and add it to + `students` + #. Add the following accounts to `transfer_student`: - * agrady901 - * alee467 - * ascott776 +* pmartinez921 +* cthompson287 +* agrady901 -#. Check how many students there are now. The number of students did not go +3. Check how many students there are now. The number of students did not go up by 3 as you might have expected. Why? One of the transfer students was already a member of `students`. Trace the membership on each of the transfer students to determine which accounts already had the `students` @@ -157,8 +159,8 @@ of SIS data being fully updated. Exercise 201.1.5 Change of Status --------------------------------- -Students who leave for a variety of reasons are given a 32 day grace period -during which they retain student access. Basis groups for these already exist. +Students who leave for a variety of reasons are given a 32 day grace period, +during which they retain student access. Basis groups for these already exist. They include: * `basis:student:expelled_32_days` @@ -167,6 +169,8 @@ They include: #. Add these basis groups to `students`. How many students are there now? +.. figure:: ../figures/201-students-change-of-status.png + ------------------------------------------ Exercise 201.1.6 Leave of Absence Students ------------------------------------------ diff --git a/docs/201/201.2.rst b/docs/201/201.2.rst index e3d027b..fac71dd 100644 --- a/docs/201/201.2.rst +++ b/docs/201/201.2.rst 
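Review bot: in the Transfer Students hunk (@@ -140,14) the three account bullets have been dedented to column 0 and the following item switched from `#.` to a literal `3.`; in reStructuredText a bullet list at column 0 ends the enumerated list after item 2, and a `3.` following `#.` items starts a new list rather than continuing the old one, so the accounts are no longer nested under "Add the following accounts to `transfer_student`". Restore the three-space indent the removed lines had and keep the auto-enumerator, i.e. `   * pmartinez921`, `   * cthompson287`, `   * agrady901` followed by `#. Check how many students there are now.`. Note also that the account list itself changed (alee467 and ascott776 replaced by pmartinez921 and cthompson287) while the explanatory text still says exactly one of the three is already a member of `students`; that claim now depends on the seed data in this same change, so it is worth re-checking against the container after the sisData.sql edit.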
@@ -63,19 +63,17 @@ create a new structure for our VPN service policy. 3. Navigate to the `app:vpn:service:policy` folder -4. Create a new vpn_authorized policy group using the Policy Group Template +4. Create a new vpn_access policy group using the Policy Group Template (More actions -> New template) .. figure:: ../figures/201-new-vpn-policy.png -[ this should be replaced with policy template when ready ] +TODO: Steps 5 through 8 should be replaced with policy template when ready -5. Create `app:vpn:vpn_authorized`. +5. Create `app:vpn:vpn_access`. 6. Create `app:vpn:vpn_allow`. 7. Create `app:vpn:vpn_deny`. -8. Make `vpn_authorized` a composite of `vpn_allow` minus `vpn_deny`. - -.. figure:: ../figures/201-vpn-composite.png +8. Make `vpn_access` a composite of `vpn_allow` minus `vpn_deny`. ------------------------------------------------------------------- Exercise 201.2.2 Create digital policy from natural language policy @@ -88,10 +86,10 @@ are already available. #. Add `ref:employee:fac_staff` to `vpn_allow`. #. Add `ref:security:locked_by_ciso` to `vpn_deny`. #. Add `ref:iam:closure` to `vpn_deny`. -#. Review the `vpn_authorized` policy definition - (vpn_authorized -> More actions -> Visualization) +#. Review the `vpn_access` policy definition + (vpn_access -> More actions -> Visualization) -.. figure:: ../figures/201-vpn-authorized.png +.. figure:: ../figures/201-vpn-access.png ---------------------------------------------------------------------------- Exercise 201.2.3 Update policy to include institutional review board members @@ -103,7 +101,7 @@ account is in a closure state". #. Add `org:irb:ref:irb_members` to `vpn_allow`. #. Add *jsmith* to `org:irb:ref:irb_members`. -#. Trace membership for *jsmith* from `vpn_authorized`. (jsmith -> Choose +#. Trace membership for *jsmith* from `vpn_access`. (jsmith -> Choose action -> Actions -> Trace membership) .. figure:: ../figures/201-jsmith-trace.png 
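Review bot: the hunk @@ -63,19 renames the group but leaves two inconsistencies in place. Step 3 navigates to the `app:vpn:service:policy` folder and step 4 creates the policy group there, yet steps 5 to 7 name the groups `app:vpn:vpn_access`, `app:vpn:vpn_allow` and `app:vpn:vpn_deny`; the ex201.2.end bootstrap in this same change creates them as `app:vpn:service:policy:vpn_access` etc., so the exercise text should use the full `app:vpn:service:policy:` path. Second, the replaced bracketed remark is now a plain line `TODO: Steps 5 through 8 should be replaced with policy template when ready`, which will render in the published page; make it an RST comment (`.. TODO: steps 5 through 8 ...`) or a `todo` directive if the build enables it. Also, the `201-vpn-composite.png` figure after step 8 was removed without a replacement, so the composite step (allow minus deny) is the only step in this sequence left without an illustration.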
@@ -113,10 +111,10 @@ account is in a closure state". .. figure:: ../figures/201-vpn-allow-audit.png -5. Review policy definition for `vpn_authorized`. - (vpn_authorized -> More actions -> Visualization) +5. Review policy definition for `vpn_access`. + (vpn_access -> More actions -> Visualization) -.. figure:: ../figures/201-vpn-authorized2.png +.. figure:: ../figures/201-vpn-access2.png ------------------------------------------------------------ Exercise 201.2.4 Review Application template security groups diff --git a/docs/figures/201-jsmith-trace.png b/docs/figures/201-jsmith-trace.png index 0898c24..b3e3ff4 100644 Binary files a/docs/figures/201-jsmith-trace.png and b/docs/figures/201-jsmith-trace.png differ diff --git a/docs/figures/201-students-change-of-status.png b/docs/figures/201-students-change-of-status.png new file mode 100644 index 0000000..7b0ebf9 Binary files /dev/null and b/docs/figures/201-students-change-of-status.png differ diff --git a/docs/figures/201-vpn-access.png b/docs/figures/201-vpn-access.png new file mode 100644 index 0000000..f6d79c5 Binary files /dev/null and b/docs/figures/201-vpn-access.png differ diff --git a/docs/figures/201-vpn-access2.png b/docs/figures/201-vpn-access2.png new file mode 100644 index 0000000..71a382c Binary files /dev/null and b/docs/figures/201-vpn-access2.png differ diff --git a/docs/figures/201-vpn-authorized.png b/docs/figures/201-vpn-authorized.png deleted file mode 100644 index f8774c4..0000000 Binary files a/docs/figures/201-vpn-authorized.png and /dev/null differ diff --git a/docs/figures/201-vpn-authorized2.png b/docs/figures/201-vpn-authorized2.png deleted file mode 100644 index 533e954..0000000 Binary files a/docs/figures/201-vpn-authorized2.png and /dev/null differ diff --git a/docs/figures/201-vpn-composite.png b/docs/figures/201-vpn-composite.png deleted file mode 100644 index 08b54bf..0000000 Binary files a/docs/figures/201-vpn-composite.png and /dev/null differ 
diff --git a/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh index 5d44b4c..b28346d 100644 --- a/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh 
@@ -182,3 +182,50 @@ attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouper addMember("basis:student:loa_4_years","jprice704"); addMember("basis:student:loa_4_years","aprice705"); addMember("basis:student:loa_4_years","aclark706"); + +// setup for 201.2 +// should be a loader job? +addStem("ref", "employee", "employee") +fac_staff = addGroup("ref:employee", "fac_staff", "fac_staff") + +// Set ref object type on fac_staff reference group +AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); +AttributeAssign attributeAssign = fac_staff.getAttributeDelegate().hasAttribute(typeMarker) ? fac_staff.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : fac_staff.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", +"HR and Provost Office"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"All faculty and staff"); + +addStem("ref", "security", "security") +locked_by_ciso = addGroup("ref:security", "locked_by_ciso", "locked_by_ciso") +AttributeAssign attributeAssign = locked_by_ciso.getAttributeDelegate().hasAttribute(typeMarker) ? 
locked_by_ciso.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : locked_by_ciso.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", +"CISO"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Subjects denied access by CISO"); + +addStem("ref", "iam", "iam") +closure = addGroup("ref:iam", "closure", "closure") +AttributeAssign attributeAssign = closure.getAttributeDelegate().hasAttribute(typeMarker) ? closure.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : closure.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", +"IAM"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Accounts in the process of being closed"); + +addStem("org", "irb", "irb") +addStem("org:irb", "ref", "ref") +irb_members = addGroup("org:irb:ref", "irb_members", "irb_members") +AttributeAssign attributeAssign = irb_members.getAttributeDelegate().hasAttribute(typeMarker) ? 
irb_members.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : irb_members.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", +"Institutional Review Board"); +attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", +"Members of the IRB"); + diff --git a/ex201/ex201.1.1/container_files/seed-data/sisData.sql b/ex201/ex201.1.1/container_files/seed-data/sisData.sql index 53103d6..9c90392 100644 --- a/ex201/ex201.1.1/container_files/seed-data/sisData.sql +++ b/ex201/ex201.1.1/container_files/seed-data/sisData.sql @@ -3324,7 +3324,6 @@ INSERT INTO SIS_COURSES (termId, courseId, studentId) VALUES ('201810','ACCT101' INSERT INTO SIS_COURSES (termId, courseId, studentId) VALUES ('201810','ENGL101','80000902'); INSERT INTO SIS_COURSES (termId, courseId, studentId) VALUES ('201810','MATH100','80000902'); INSERT INTO SIS_COURSES (termId, courseId, studentId) VALUES ('201810','HIST101','80000902'); -INSERT INTO SIS_STUDENT_TERMS (id, term) VALUES ('80000902','2019'); INSERT INTO SIS_STUDENT_TERMS (id, term) VALUES ('80000902','2022'); INSERT INTO HR_PEOPLE(id, surname, givenName) VALUES ('80000903','Gasper','Mark'); INSERT INTO HR_PEOPLE_ROLES(id, role) VALUES ('80000903','staff'); diff --git a/ex201/ex201.2.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.2.1/container_files/seed-data/bootstrap.gsh index 4d92526..22e0ba1 100644 --- a/ex201/ex201.2.1/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.2.1/container_files/seed-data/bootstrap.gsh 
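Review bot: in the ex201.1.1 bootstrap.gsh hunk (@@ -182,3) `AttributeAssign attributeAssign = ...` is declared with its type four times in the same script (for fac_staff, locked_by_ciso, closure and irb_members), and the hunk's context line shows `attributeAssign` already in use at line 182 of this file; when the script is compiled as one Groovy unit a repeated typed declaration in the same scope is a compile error, so at minimum drop the type from the repeated declarations. Better, since this block was copied verbatim from ex201.2.1/bootstrap.gsh, fold the repeated object-type marking into one closure such as `def markRef = { group, owner, desc -> ... }` and call it four times, which also removes the duplicated `"etc:objectTypes:grouperObjectTypeName", "ref"` lines. The carried-over `// should be a loader job?` comment should either be resolved or point at a tracked follow-up rather than travel between files.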
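Review bot: the sisData.sql hunk (@@ -3324,7) drops `INSERT INTO SIS_STUDENT_TERMS (id, term) VALUES ('80000902','2019');` with no explanation, leaving 80000902 with only the 2022 term. If this is what makes the rewritten exercise 201.1.4 come out right (exactly one of the three new transfer accounts already being in `students` via the class year loader), say so in the commit message or a SQL comment next to the remaining row, otherwise the coupling between this seed row and the exercise text is invisible to the next person editing either file.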
@@ -1,49 +1,3 @@ GrouperSession.startRootSession() delStem("201.1.end") addRootStem("201.2.1", "201.2.1") - -// should be a loader job? -addStem("ref", "employee", "employee") -fac_staff = addGroup("ref:employee", "fac_staff", "fac_staff") - -// Set ref object type on fac_staff reference group -AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true); -AttributeAssign attributeAssign = fac_staff.getAttributeDelegate().hasAttribute(typeMarker) ? fac_staff.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : fac_staff.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", -"HR and Provost Office"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", -"All faculty and staff"); - -addStem("ref", "security", "security") -locked_by_ciso = addGroup("ref:security", "locked_by_ciso", "locked_by_ciso") -AttributeAssign attributeAssign = locked_by_ciso.getAttributeDelegate().hasAttribute(typeMarker) ? 
locked_by_ciso.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : locked_by_ciso.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", -"CISO"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", -"Subjects denied access by CISO"); - -addStem("ref", "iam", "iam") -closure = addGroup("ref:iam", "closure", "closure") -AttributeAssign attributeAssign = closure.getAttributeDelegate().hasAttribute(typeMarker) ? closure.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : closure.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", -"IAM"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", -"Accounts in the process of being closed"); - -addStem("org", "irb", "irb") -addStem("org:irb", "ref", "ref") -irb_members = addGroup("org:irb:ref", "irb_members", "irb_members") -AttributeAssign attributeAssign = irb_members.getAttributeDelegate().hasAttribute(typeMarker) ? 
irb_members.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : irb_members.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign(); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", -"Institutional Review Board"); -attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", -"Members of the IRB"); - diff --git a/ex201/ex201.2.end/container_files/seed-data/bootstrap.gsh b/ex201/ex201.2.end/container_files/seed-data/bootstrap.gsh index c06c515..82075a7 100644 --- a/ex201/ex201.2.end/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.2.end/container_files/seed-data/bootstrap.gsh 
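Review bot: after this hunk (@@ -1,49) the ex201.2.1 bootstrap is reduced to `GrouperSession.startRootSession()`, `delStem("201.1.end")` and `addRootStem("201.2.1", "201.2.1")`, so the `ref:employee:fac_staff`, `ref:security:locked_by_ciso`, `ref:iam:closure` and `org:irb:ref:irb_members` groups used in exercises 201.2.2 and 201.2.3 now exist only because the 201.1 seed ran first. Add a one-line comment here stating that those reference groups are seeded in ex201.1.1/container_files/seed-data/bootstrap.gsh, so nobody re-adds them in this script and so a future 201.2 image that is not built on the 201.1 end state fails for an obvious reason.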
@@ -9,16 +9,20 @@ addStem("app:vpn:service", "policy", "policy") addStem("app:vpn:service", "ref", "ref") addStem("app:vpn:service", "attributes", "attributes") -addGroup("app:vpn:service:policy", "vpn_authorized", "vpn_authorized") +addGroup("app:vpn:service:policy", "vpn_access", "vpn_access") addGroup("app:vpn:service:policy", "vpn_allow", "vpn_allow") addGroup("app:vpn:service:policy", "vpn_deny", "vpn_deny") -addComposite("app:vpn:service:policy:vpn_authorized", CompositeType.COMPLEMENT, "app:vpn:service:policy:vpn_allow", "app:vpn:service:policy:vpn_deny") +addComposite("app:vpn:service:policy:vpn_access", CompositeType.COMPLEMENT, "app:vpn:service:policy:vpn_allow", "app:vpn:service:policy:vpn_deny") addGroup("app:vpn:security", "vpnAdmins", "vpnAdmins") addGroup("app:vpn:security", "vpnReaders", "vpnReaders") addGroup("app:vpn:security", "vpnUpdaters", "vpnUpdaters") grantPriv("app:vpn", "app:vpn:security:vpnAdmins", NamingPrivilege.STEM) +grantPriv("app:vpn:service:policy:vpn_allow", "app:vpn:security:vpnAdmins", AccessPrivilege.ADMIN) +grantPriv("app:vpn:service:policy:vpn_allow", "app:vpn:security:vpnUpdaters", AccessPrivilege.UPDATE) +grantPriv("app:vpn:service:policy:vpn_allow", "app:vpn:security:vpnReaders", AccessPrivilege.READ) + //ex 201.2.2 addMember("app:vpn:service:policy:vpn_allow", "ref:employee:fac_staff") addMember("app:vpn:service:policy:vpn_deny", "ref:security:locked_by_ciso")
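Review bot: the three new `grantPriv` lines in @@ -9,16 grant ADMIN, UPDATE and READ on `app:vpn:service:policy:vpn_allow` only; `vpn_deny` and the composite `vpn_access` receive no privileges at all. As written, `vpnReaders` can see who is on the allow list but cannot read the deny list or the composite, which is the group that actually answers "who has VPN access", and `vpnUpdaters` can change the allow side without any stated decision about the deny side. State the intent explicitly: grant `AccessPrivilege.READ` to `vpnReaders` on `vpn_deny` and `vpn_access` as well, and either grant or deliberately withhold `UPDATE` on `vpn_deny` for `vpnUpdaters`, with a comment explaining that the deny list is fed by the CISO and IAM reference groups and is meant to override additions to `vpn_allow`. Since exercise 201.2.4 asks students to review these security groups, the grants in this seed should match what the Policy Group Template produces.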