From 88437a0d005116b4e8d5e019c18714fbf771f5e2 Mon Sep 17 00:00:00 2001 From: "William G. Thompson, Jr" Date: Sun, 9 Jun 2019 21:24:18 -0400 Subject: [PATCH] 201.5 updates --- docs/201/201.5.rst | 19 +++++++++++-------- .../container_files/seed-data/bootstrap.gsh | 8 +++++++- .../container_files/seed-data/bootstrap.gsh | 6 ------ 3 files changed, 18 insertions(+), 15 deletions(-) diff --git a/docs/201/201.5.rst b/docs/201/201.5.rst index e4afc12..4fdaab3 100644 --- a/docs/201/201.5.rst +++ b/docs/201/201.5.rst @@ -46,8 +46,11 @@ Exercise 201.5.1 Create a `congos` application folder and group set 1. Use the Application template to create the `cognos` application folder and group set in the `app` folder. -2. Use the Policy template to create two new policy groups in - `app:cognos:service` +2. Use the Policy template to create two new policy groups in + `app:cognos:service:policy` + +* `app:cognos:service:policy:cg_fin_report_reader` +* `app:cognos:service:policy:cp_fin_report_writer` ------------------------------------------------------ Exercise 201.5.2 Implement Report Reader Access Policy @@ -66,10 +69,10 @@ Exercise 201.5.3 Implement Report Writer Access Policy Only employees authorized by the Finance Manager have access to write reports -This policy will require an application specific reference group the we will -use as an access control list managed by the Finanance Manager. +This policy will require an application specific reference group. It will be +will used as an access control list managed by the Finanance Manager. -1. Create a `app:congos:service:ref:finance_report_writer` group. +1. Create reference group `app:congos:service:ref:finance_report_writer`. 2. Add `finance_report_writer` to `cg_fin_report_write_allow`. .. figure:: ../figures/201-fin-report-writer.png 
@@ -114,10 +117,10 @@ Exercise 201.5.4 Add attestation for finance_report_writer ABAC policy groups are kept in sync automatically as subject attributes change in the underlying business systems. Access control lists, on the otherhand, tend to drift as soon as they are created. Grouper provides an attestation -feature that reminds group managers and owners to review group memberships and +feature that reminds group managers and owners to review group memberships, and keeps an audit of attestation actions. -#. Add attestation requirement for `advancement_report_writer`. +#. Add attestation requirement for `finance_report_writer`. (finance_report_writer -> More actions -> Attestation -> Attestation actions -> Edit attestation settings) @@ -137,6 +140,6 @@ keeps an audit of attestation actions. Congrats! Your Congos access policy is clear, consistent, automated, delegated, auditable, and attestable! -Welcome to Grouper Guru Level 7! :) +Welcome to Grouper Guru Level 2! :) .. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program diff --git a/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh index a75487f..e785b77 100644 --- a/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh 
@@ -238,4 +238,10 @@ attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouper attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner", "Identity and Access Management"); attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription", -"Global deny group"); \ No newline at end of file +"Global deny group"); + +// setup for 201.5 +// should be a loader job? +addStem("ref", "dept", "dept") +addGroup("ref:dept", "finance", "finance") +addMember("ref:dept:finance", "asmith989") \ No newline at end of file diff --git a/ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh index 7d156d3..eaeeb76 100644 --- a/ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh @@ -1,9 +1,3 @@ GrouperSession.startRootSession() delStem("201.4.end") addRootStem("201.5.1", "201.5.1") - -// should be a loader job? -addStem("ref", "dept", "dept") -addGroup("ref:dept", "finance", "finance") -addMember("ref:dept:finance", "asmith989") -
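Review bot: the two policy group names added as bullets in the first `docs/201/201.5.rst` hunk use different prefixes, `cg_fin_report_reader` and `cp_fin_report_writer`, while the next hunk in the same file refers to the writer group as `cg_fin_report_write_allow`; pick one name per group (for example `cg_fin_report_writer`) so the bullet list, the policy name and the later "Add `finance_report_writer` to ..." step all agree. The unchanged heading line `Create a \`congos\` application folder and group set` still spells the application `congos` while step 1 below it says `cognos`.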
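Review bot: the rewritten sentence in the `@@ -66,10 +69,10 @@` hunk reads `It will be will used as an access control list managed by the Finanance Manager.`, which doubles `will` and carries over the `Finanance` typo from the removed line; suggest `It will be used as an access control list managed by the Finance Manager.` In the same hunk, the new step 1 creates `app:congos:service:ref:finance_report_writer`, but the policy groups introduced earlier in this file live under `app:cognos:service:policy`, so a learner who follows the text literally ends up with the reference group in a different folder tree from the policy group that consumes it.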
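Review bot: in the `@@ -114,10 +117,10 @@` hunk the step now correctly names `finance_report_writer`, matching the group created in Exercise 201.5.3; the unchanged context line above it still reads `on the otherhand`, which could be fixed to `on the other hand` in the same pass.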
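Review bot: the context line `Your Congos access policy is clear, ...` in the `@@ -137,6 +140,6 @@` hunk repeats the `congos`/`cognos` inconsistency seen in the earlier hunks; since the `Grouper Guru Level` line directly below it is already being edited, this is a cheap place to settle on one spelling.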
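Review bot: the added `// should be a loader job?` comment in `ex201/ex201.1.1/.../bootstrap.gsh` leaves a design question unresolved in seed data: `ref:dept:finance` is a reference group, and the 201.5 text explains that ABAC inputs are kept in sync automatically from the underlying business systems, yet here its only member `asmith989` is hard-coded, so the group will not track the source of truth the way the exercise describes. Either resolve the question (a loader job, or a comment stating that the static membership is intentional for the training container) or turn it into a tracked TODO. The three new `addStem`/`addGroup`/`addMember` lines also omit the trailing semicolons used by the surrounding `attributeAssign...` statements, and the file still ends with `\ No newline at end of file`; adding a final newline now avoids the same diff noise on the next edit.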
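Review bot: with the `@@ -1,9 +1,3 @@` removal, `ex201/ex201.5.1/.../bootstrap.gsh` no longer creates `ref:dept:finance` itself and relies on the copy moved into `ex201/ex201.1.1/.../bootstrap.gsh` having already run against the same Grouper instance; if the exercise containers can be built independently rather than cumulatively, 201.5.1 will start without the finance department group and the 201.5.3 steps that reference it will fail. A one-line comment next to `addRootStem("201.5.1", "201.5.1")` saying where the group now comes from would make that dependency visible.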