updates for 401.3

docs/401/401.3.rst

@@ -248,53 +248,72 @@ institutional role for that, and implement least privilege access.
 
 .. figure:: ../figures/401-board-effect-trace-ann-updaters.png
 
-----------------
-Exercise 401.3.8
-----------------
+---------------------------------------------------------------
+Exercise 401.3.8 Institutional board committee reference groups
+---------------------------------------------------------------
 
-*Global Committee reference groups*
+The Board Effect policy is working great when a new SaaS system deployment
+request comes in that also has access policy based on board committees. We
+need to elevate the Board Effect application-specific reference groups to
+institutional reference groups.
 
-All working great-- new system request comes in with policy based on board
-committees.  Need to elevate app-specific ref groups to global ref groups.
+#. Create a `ref:board` folder for board committee reference groups.
 
-#. Create `ref:board` folder for board committee ref groups.
-#. Move `app:boardeffect:ref:cmt_fin` to `ref:board:cmt_fin`.
+#. Move `app:board_effect:service:ref:finance_committee` to
+   `ref:board:finance_committee`. (finance_committee -> More actions ->
+   Move group -> Move to this folder: `ref:board`)
 
     .. note::
 
-        The Board Effect policies are not impacted by moving the location of
-        the reference groups!
+        The Board Effect access policy groups are not impacted by moving the
+        location of the reference groups!
 
-#. Create `ref:board:etc` security folder.
-#. Create `ref:board:etc:board_managers` security group.
-#. Assign *UPDATE* and *READ* rights on reference groups to `board_managers`.
-#. Revoke *UPDATE* and *READ* rights of reference groups from `app:board_effect:etc:boardeffect_managers`.
+#. Create a `ref:board:security` security folder.
 
-    .. warning::
+#. Create a `ref:board:security:boardUpdaters` security group.
 
-        Moving our reference groups did *not* remove the access we had granted
-        on them from application-specific security groups.  After moving a
-        reference group, it is good practive to review its permissions.
+#. Assign `boardUpdaters` *UPDATE* and *READ* rights on
+   `ref:board:finance_committee`
 
-#. Add `president_assistant` to `ref:board:etc:board_managers`.
+#. Add `president_assistant` to `ref:board:security:boardUpdaters`.
 
+#. Review `ref:board:finance_committee` privileges
+
+.. figure:: ../figures/401-board-effect-ref-board-privs.png
+
+.. warning::
+
+      Moving our reference groups did *not* remove the access we had granted
+      to them from application-specific security groups.  After moving a
+      reference group, it is good practive to review its privilege assignments.
+
+8. Revoke *UPDATE* and *READ* rights for
+   `board_effectUpdaters`, `board_effectAdmins`, and `board_effectReaders`.
+
+9. Review `finance_committee` privileges.
+
+.. figure:: ../figures/401-board-effect-final-privs.png
+
+Congrats! You have established a new set of institutional reference groups,
+verified their adminstrative access. And all without impacting current
+services!
 
 --------
 Epilogue
 --------
 
-New request comes in for four advisory councils. Each will have their own
-workroom in Board Effect.  Initially you are handed a spreadsheet with the
-council members and you import them into app-specific reference groups 
-(e.g. `app:boardeffect:ref:advisory_council_northeast`).  Later you find
-out that council membership is available in Banner, so you create loader
-jobs for those.  As it turns out, the spreadsheets were old and had the wrong
-members.  Thank goodness for loader jobs!  Alas, not all advisory council
-members have NetIDs.  To get them access we add them as sponsored accounts
-in COmanage.
+A request comes in for four new advisory council workrooms. Initially, you are
+handed a spreadsheet with the council members NetIDs. You import them into
+app-specific reference groups (e.g. `advisory_council_northeast`), and set up
+workroom policy groups as before. Later on, you find out that the council
+membership is available in Banner, so you create loader jobs for those. As it
+turns out, the spreadsheets were old and had the wrong members. Thank goodness
+for loader jobs! Alas, not all advisory council members have NetIDs. But fear
+not, we simply get them NetIDs using our `COmanage`_ sponsored accounts system.
 
 The End
 
 
 .. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program
-.. _`Grouper ESB Connector`: https://spaces.at.internet2.edu/display/Grouper/Grouper+ESB+Connector
+.. _Grouper ESB Connector: https://spaces.at.internet2.edu/display/Grouper/Grouper+ESB+Connector
+.. _COmanage: https://www.internet2.edu/products-services/trust-identity/comanage/

ex401/ex401.3.end/container_files/seed-data/bootstrap.gsh

@@ -66,29 +66,29 @@ attribValueDelegate.assignValue(RuleUtils.ruleThenEnumName(), RuleThenEnum.assig
 attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg0Name(), numDays.toString());
 attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg1Name(), "T");
 
-
-
+// 401.3.7
+addStem("ref", "role", "role");
+addGroup("ref:role", "president_assistant", "president_assistant");
+addMember("ref:role:president_assistant", "amartinez410");
+addMember("app:board_effect:security:board_effectUpdaters", "ref:role:president_assistant");
+delMember("app:board_effect:security:board_effectAdmins", "amartinez410");
+
+// 401.3.8
 addStem("ref", "board", "board");
-
-group = GroupFinder.findByName(gs, "app:boardeffect:ref:cmt_fin", true);
+group = GroupFinder.findByName(gs, "app:board_effect:service:ref:finance_committee", true);
 stem = StemFinder.findByName(gs, "ref:board", true);
 group.move(stem);
 
-addStem("ref:board", "etc", "etc");
-group2 = addGroup("ref:board:etc", "board_managers", "board_managers");
-
-addMember("ref:board:etc:board_managers", "ref:roles:president_assistant");
-
-grantPriv("ref:board:cmt_fin", group2.toSubject().id, AccessPrivilege.UPDATE);
-grantPriv("ref:board:cmt_fin", group2.toSubject().id, AccessPrivilege.READ);
-
-boardeffect_admins = GroupFinder.findByName(gs, "app:boardeffect:etc:boardeffect_admins", true);
-boardeffect_mgr = GroupFinder.findByName(gs, "app:boardeffect:etc:boardeffect_mgr", true);
-boardeffect_viewers = GroupFinder.findByName(gs, "app:boardeffect:etc:boardeffect_viewers", true);
+addStem("ref:board", "security", "security");
+group2 = addGroup("ref:board:security", "boardUpdaters", "boardUpdaters");
+grantPriv("ref:board:finance_committee", group2.toSubject().id, AccessPrivilege.UPDATE);
+grantPriv("ref:board:finance_committee", group2.toSubject().id, AccessPrivilege.READ);
+addMember("ref:board:security:boardUpdaters", "ref:role:president_assistant");
 
-revokePriv("ref:board:cmt_fin", boardeffect_admins.toSubject().id, AccessPrivilege.ADMIN);
-revokePriv("ref:board:cmt_fin", boardeffect_mgr.toSubject().id, AccessPrivilege.UPDATE);
-revokePriv("ref:board:cmt_fin", boardeffect_mgr.toSubject().id, AccessPrivilege.READ);
+boardeffectAdmins = GroupFinder.findByName(gs, "app:board_effect:security:boardeffectAdmins", true);
+boardeffectUpdaters = GroupFinder.findByName(gs, "app:board_effect:security:boardeffectUpdaters", true);
 
-revokePriv("ref:board:cmt_fin", boardeffect_viewers.toSubject().id, AccessPrivilege.READ);
+revokePriv("ref:board:finance_committee", boardeffectAdmins.toSubject().id, AccessPrivilege.ADMIN);
+revokePriv("ref:board:finance_committee", boardeffectUpdaters.toSubject().id, AccessPrivilege.UPDATE);
+revokePriv("ref:board:finance_committee", boardeffectUpdaters.toSubject().id, AccessPrivilege.READ);