diff --git a/docs/201/201.5.rst b/docs/201/201.5.rst index 993c642..e4afc12 100644 --- a/docs/201/201.5.rst +++ b/docs/201/201.5.rst @@ -6,7 +6,7 @@ Learning Objectives ------------------- -* Understand ACM3 and how to use grouper policy groups with application specific roles +* Understand ACM3 and how to use policy groups with application specific roles * Implement delegated access control * Configure attestation 
@@ -23,62 +23,120 @@ Overview In applications with sophisticated RBAC capabilities, fine-grained permission sets are typically configured via an administrative interface within the -application itself. These permission sets are then associated with a role name -that can be mapped to a set of users. In this model, the user to role mapping -is done in Grouper by pairing a normal access control group with the role name -defined at the target service. The policy indicating which subjects are mapped -to application roles (permissions sets) can be attribute based or a simple -access control list, or some combination of both. +application itself. These permission sets are then associated with a role name +that can be mapped to a set of users. In this model, the user to role mapping +is done in Grouper by pairing a access policy group with the role name +defined at the target service. The policy indicating which subjects are mapped +to application roles (permissions sets) can be attribute based, a simple access +control list, or some combination of both. -ACM3 is implemented using Grouper as follows: +In AC3, the policy adminstration point is split between Grouper and the target +service. Policy decision point and policy enforcement point are with the target +service. -* Subject |rightarrow| Role assignment is made in Grouper. Access control policies are used to represent Roles. -* Fine-grained permission sets are managed at the target service and assigned a Role Name -* Grouper access control groups are mapped to target service Role Name, completing the User |rightarrow| Role mapping -* PAP split between Grouper and target service, PDP and PEP at service +ACM3 is implemented in Grouper as follows: ----------------- -Exercise 201.5.1 ----------------- +#. Permission sets are managed at the target service and assigned a Role Name +#. Grouper policy groups are mapped to target service Role Name +#. 
Subject to Role assignment is made in Grouper -*Create application folder and group set* +------------------------------------------------------------------- +Exercise 201.5.1 Create a `congos` application folder and group set +------------------------------------------------------------------- -Use wizard template (or gsh script) to create new application folder/group set. +1. Use the Application template to create the `cognos` application folder and + group set in the `app` folder. +2. Use the Policy template to create two new policy groups in + `app:cognos:service` -#. Create `app:cognos:service:security:cg_adv_manager`. -#. Create `app:cognos:service:ref` folder. -#. Create `app:cognos:service:policy` folder. -#. Create `app:congos:service:policy:cg_adv_report_reader|allow|deny`. -#. Create `app:congos:service:policy:cg_adv_report_writer|allow|deny`. +------------------------------------------------------ +Exercise 201.5.2 Implement Report Reader Access Policy +------------------------------------------------------ ----------------- -Exercise 201.5.2 ----------------- +All finance employees have read access to finance reports. -*Add reference groups to policy* +1. Implement the reader policy by adding `ref:dept:finance` to + `cg_adv_report_reader_allow`. -#. Add `ref:dept:advancement` to `cg_adv_report_reader_allow`. +.. figure:: ../figures/201-fin-report-reader.png ----------------- -Exercise 201.5.3 ----------------- +------------------------------------------------------ +Exercise 201.5.3 Implement Report Writer Access Policy +------------------------------------------------------ -*Create app specific reference group for advancement report writers* +Only employees authorized by the Finance Manager have access to write reports -#. Create `app:congos:service:ref:advancement_report_writer`. -#. Add `...:ref:advancement_report_writers` to `...:cg_adv_report_writer_allow`. -#. Add read/update privileges to `cg_adv_manager` to `cg_adv_report_writer_allow`. 
+This policy will require an application specific reference group the we will +use as an access control list managed by the Finanance Manager. ----------------- -Exercise 201.5.4 ----------------- +1. Create a `app:congos:service:ref:finance_report_writer` group. +2. Add `finance_report_writer` to `cg_fin_report_write_allow`. -*Add attestation* +.. figure:: ../figures/201-fin-report-writer.png + +--------------------------------------------------------------- +Exercise 201.5.4 Delegate access control to the Finance Manager +--------------------------------------------------------------- + +The Finance Manager will directly managed the `finance_report_writer` access +control list. + +1. Create a `ref:role:Finanance Manager` institutional reference group +2. Grant UPDATE and READ on `finance_report_writer` to `Finance Manager` + +.. figure:: ../figures/201-priv-grant-fin-mgr.png + +3. Add `asmith989` to `ref:role:Finance Manager` +4. Review privileges on `finance_report_writer` + +.. figure:: ../figures/201-review-priv-fin-mgr.png + +5. Trace privileges for Anna Smith + (Choose action -> Actions -> Trace privileges) + +.. figure:: ../figures/201-anna-smith-trace-priv.png + +.. figure:: ../figures/201-anna-smith-trace.png + +6. Open a seperate browser and log in with username `asmith989` and password + `password`. Add `bthompson392` to `finance_report_writer` + +7. Go back to `banderson` browser and review audit log for + `finance_report_writer` (finance_report_writer -> More actions -> View audit + log) + +.. figure:: ../figures/201-fin-report-write-audit.png + +---------------------------------------------------------- +Exercise 201.5.4 Add attestation for finance_report_writer +---------------------------------------------------------- + +ABAC policy groups are kept in sync automatically as subject attributes change +in the underlying business systems. Access control lists, on the otherhand, +tend to drift as soon as they are created. 
Grouper provides an attestation +feature that reminds group managers and owners to review group memberships and +keeps an audit of attestation actions. #. Add attestation requirement for `advancement_report_writer`. + (finance_report_writer -> More actions -> Attestation -> + Attestation actions -> Edit attestation settings) + +.. figure:: ../figures/201-fin-report-writer-attestation.png + +2. Log back in as `asmith989`. Review and attest the + `finance_report_writer` membership. + +.. figure:: ../figures/201-asmith989-attest.png + +3. Log back in as `bandereson`. Review attestation audit log. + (finance_report_writer -> More actions -> Attestation -> + View audit log) +.. figure:: ../figures/201-fin-report-attest-audit-log.png +Congrats! Your Congos access policy is clear, consistent, automated, +delegated, auditable, and attestable! -.. |rightarrow| unicode:: U+2192 +Welcome to Grouper Guru Level 7! :) .. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program diff --git a/docs/figures/201-anna-smith-trace-priv.png b/docs/figures/201-anna-smith-trace-priv.png new file mode 100644 index 0000000..d92a96c Binary files /dev/null and b/docs/figures/201-anna-smith-trace-priv.png differ diff --git a/docs/figures/201-anna-smith-trace.png b/docs/figures/201-anna-smith-trace.png new file mode 100644 index 0000000..064d287 Binary files /dev/null and b/docs/figures/201-anna-smith-trace.png differ diff --git a/docs/figures/201-asmith989-attest.png b/docs/figures/201-asmith989-attest.png new file mode 100644 index 0000000..1b5fff5 Binary files /dev/null and b/docs/figures/201-asmith989-attest.png differ diff --git a/docs/figures/201-fin-report-attest-audit-log.png b/docs/figures/201-fin-report-attest-audit-log.png new file mode 100644 index 0000000..8073343 Binary files /dev/null and b/docs/figures/201-fin-report-attest-audit-log.png differ 
diff --git a/docs/figures/201-fin-report-reader.png b/docs/figures/201-fin-report-reader.png new file mode 100644 index 0000000..67f55ca Binary files /dev/null and b/docs/figures/201-fin-report-reader.png differ diff --git a/docs/figures/201-fin-report-write-audit.png b/docs/figures/201-fin-report-write-audit.png new file mode 100644 index 0000000..729207e Binary files /dev/null and b/docs/figures/201-fin-report-write-audit.png differ diff --git a/docs/figures/201-fin-report-writer-attestation.png b/docs/figures/201-fin-report-writer-attestation.png new file mode 100644 index 0000000..2aac0db Binary files /dev/null and b/docs/figures/201-fin-report-writer-attestation.png differ diff --git a/docs/figures/201-fin-report-writer.png b/docs/figures/201-fin-report-writer.png new file mode 100644 index 0000000..a223473 Binary files /dev/null and b/docs/figures/201-fin-report-writer.png differ diff --git a/docs/figures/201-priv-grant-fin-mgr.png b/docs/figures/201-priv-grant-fin-mgr.png new file mode 100644 index 0000000..8973d2d Binary files /dev/null and b/docs/figures/201-priv-grant-fin-mgr.png differ diff --git a/docs/figures/201-review-priv-fin-mgr.png b/docs/figures/201-review-priv-fin-mgr.png new file mode 100644 index 0000000..4660567 Binary files /dev/null and b/docs/figures/201-review-priv-fin-mgr.png differ diff --git a/ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh index 3cf57fd..7d156d3 100644 --- a/ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh @@ -1 +1,9 @@ GrouperSession.startRootSession() +delStem("201.4.end") +addRootStem("201.5.1", "201.5.1") + +// should be a loader job? +addStem("ref", "dept", "dept") +addGroup("ref:dept", "finance", "finance") +addMember("ref:dept:finance", "asmith989") + 
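Review bot: The `// should be a loader job?` comment in ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh leaves an open question in shipped seed data; either resolve it or reword it as a statement, e.g. that `ref:dept:finance` is hand-seeded here in place of the loader-fed departmental reference group the exercise text treats as an ABAC group kept in sync with the HR system. This hunk is also now the only place `ref:dept` and `ref:dept:finance` are created (the ex201.5.end script in this same patch removes its own `addStem("ref", "dept", "dept")` / `addGroup("ref:dept", ...)` lines but still does `addMember("app:cognos:service:policy:cg_fin_report_reader_allow", "ref:dept:finance")`), so the .end seed depends on this script having run first; the `delStem("201.4.end")` / `addRootStem("201.5.1", ...)` marker pattern suggests that is intended, but a one-line comment saying so would stop the next person from "cleaning up" the dependency.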
diff --git a/ex201/ex201.5.end/container_files/seed-data/bootstrap.gsh b/ex201/ex201.5.end/container_files/seed-data/bootstrap.gsh index e77f62f..d082ae3 100644 --- a/ex201/ex201.5.end/container_files/seed-data/bootstrap.gsh +++ b/ex201/ex201.5.end/container_files/seed-data/bootstrap.gsh 
@@ -1,38 +1,43 @@ gs = GrouperSession.startRootSession() +delStem("201.5.1") +addRootStem("201.5.end", "201.5.end") //ex201.5.1 addStem("app", "cognos", "cognos"); +addStem("app:cognos" , "security", "security"); addStem("app:cognos", "service", "service"); -addStem("app:cognos:service" , "security", "security"); -addGroup("app:cognos:service:security", "cg_adv_manager", "cg_adv_manager"); - addStem("app:cognos:service", "ref", "ref"); addStem("app:cognos:service", "policy", "policy"); -addGroup("app:cognos:service:policy", "cg_adv_report_reader", "cg_adv_report_reader"); -addGroup("app:cognos:service:policy", "cg_adv_report_reader_allow", "cg_adv_report_reader_allow"); -addGroup("app:cognos:service:policy", "cg_adv_report_reader_deny", "cg_adv_report_reader_deny"); +addGroup("app:cognos:service:policy", "cg_fin_report_reader", "cg_fin_report_reader"); +addGroup("app:cognos:service:policy", "cg_fin_report_reader_allow", "cg_fin_report_reader_allow"); +addGroup("app:cognos:service:policy", "cg_fin_report_reader_deny", "cg_fin_report_reader_deny"); +addComposite("app:cognos:service:policy:cg_fin_report_reader", CompositeType.COMPLEMENT, "app:cognos:service:policy:cg_fin_report_reader_allow", "app:cognos:service:policy:cg_fin_report_reader_deny") + +addGroup("app:cognos:service:policy", "cg_fin_report_writer", "cg_fin_report_writer"); +addGroup("app:cognos:service:policy", "cg_fin_report_writer_allow", "cg_fin_report_writer_allow"); +addGroup("app:cognos:service:policy", "cg_fin_report_writer_deny", "cg_fin_report_writer_deny"); +addComposite("app:cognos:service:policy:cg_fin_report_writer", CompositeType.COMPLEMENT, "app:cognos:service:policy:cg_fin_report_writer_allow", "app:cognos:service:policy:cg_fin_report_writer_deny") -addGroup("app:cognos:service:policy", "cg_adv_report_writer", "cg_adv_report_writer"); -addGroup("app:cognos:service:policy", "cg_adv_report_writer_allow", "cg_adv_report_writer_allow"); -addGroup("app:cognos:service:policy", 
"cg_adv_report_writer_deny", "cg_adv_report_writer_deny"); +//ex201.5.2 part 1 +addMember("app:cognos:service:policy:cg_fin_report_reader_allow", "ref:dept:finance"); -//ex201.5.2 -addStem("ref", "dept", "dept"); -addGroup("ref:dept", "advancement", "advancement"); -addMember("app:cognos:service:policy:cg_adv_report_writer_allow", "ref:dept:advancement"); +//ex201.5.2 part 2 +finance_report_writer = addGroup("app:cognos:service:ref", "finance_report_writer", "finance_report_writer") +addMember("app:cognos:service:policy:cg_fin_report_writer_allow", "app:cognos:service:ref:finance_report_writer"); +addStem("ref", "role", "role") +addGroup("ref:role", "Finance Manager", "Finance Manager") +grantPriv("app:cognos:service:ref:finance_report_writer", "ref:role:Finance Manager", AccessPrivilege.READ) +grantPriv("app:cognos:service:ref:finance_report_writer", "ref:role:Finance Manager", AccessPrivilege.UPDATE) +addMember("ref:role:Finance Manager", "asmith989") -//ex201.5.3 -group = addGroup("app:cognos:service:ref", "advancement_report_writer", "advancement_report_writer"); -addMember("app:cognos:service:policy:cg_adv_report_writer_allow", "app:cognos:service:ref:advancement_report_writer"); -grantPriv("app:cognos:service:security:cg_adv_manager", "app:cognos:service:policy:cg_adv_report_writer_allow", AccessPrivilege.READ); -grantPriv("app:cognos:service:security:cg_adv_manager", "app:cognos:service:policy:cg_adv_report_writer_allow", AccessPrivilege.UPDATE); //ex201.5.4 +// add attestation to finance_report_writer attribute = AttributeDefNameFinder.findByName("etc:attribute:attestation:attestation", true); attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true); attributeAssignSave.assignAttributeDefName(attribute); -attributeAssignSave.assignOwnerGroup(group); +attributeAssignSave.assignOwnerGroup(finance_report_writer); attributeAssignOnAssignSave = new AttributeAssignSave(gs); 
attributeAssignOnAssignSave.assignAttributeAssignType(AttributeAssignType.group_asgn); @@ -49,3 +54,7 @@ attributeAssignOnAssignSave.addValue("true"); attributeAssignSave.addAttributeAssignOnThisAssignment(attributeAssignOnAssignSave); attributeAssign = attributeAssignSave.save(); + +// 201.5.4 step 6 +GrouperSession.start(findSubject("asmith989")) +addMember("app:cognos:service:ref:finance_report_writer", "bthompson392")
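Review bot: In the Overview/exercises hunk of docs/201/201.5.rst, several group names in the exercise steps do not match what the ex201.5.end seed creates, so a reader who follows the doc and then compares against the seeded end state sees different groups: Exercise 201.5.2 still says to add `ref:dept:finance` to `cg_adv_report_reader_allow` (seed: `cg_fin_report_reader_allow`), Exercise 201.5.3 step 2 says `cg_fin_report_write_allow` (seed: `cg_fin_report_writer_allow`), the first step of the attestation exercise still names `advancement_report_writer`, and the paths `app:congos:service:ref:finance_report_writer` and the 201.5.1 title `congos` misspell the `cognos` folder used everywhere else. Exercise 201.5.1 step 2 asks for "two new policy groups" without naming them; give `cg_fin_report_reader` and `cg_fin_report_writer` here (the seed builds each as an `_allow`/`_deny` pair joined by a COMPLEMENT composite) so the later steps have something to refer to. Two exercises are numbered 201.5.4; the attestation one should be 201.5.5, and the seed's `// 201.5.4 step 6` comment should follow. On the security point of the delegation exercise: say explicitly that the Finance Manager is granted only READ and UPDATE on `finance_report_writer`, not ADMIN, so the delegate can change membership but cannot change privileges or delete the group, and that `ref:role:Finance Manager` is itself a privilege-holding group, so whoever can edit its membership can hand out write access; the doc should state who administers it. Smaller fixes: "AC3" -> "ACM3", "adminstration", "a access policy group" -> "an access policy group", "Finanance" (twice), "directly managed" -> "directly manage", "seperate", "otherhand", "bandereson" vs the `banderson` used earlier, "Congos" in the closing line, and in the attestation section the `.. figure::` directive after "View audit log)" and the "Congrats!" line that follows it need blank lines around the directive, otherwise docutils folds the directive into the preceding list item and reports an unexpected unindent on the next line.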
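Review bot: In the first hunk of ex201/ex201.5.end/container_files/seed-data/bootstrap.gsh, `ref:dept:finance` is used (`addMember("app:cognos:service:policy:cg_fin_report_reader_allow", "ref:dept:finance")`) but its creation was removed from this file, so the script only succeeds if the ex201.5.1 seed ran first; add a comment stating that dependency, or re-create the group behind a finder check. The delegation itself is correct and is the least-privilege point of the exercise: `ref:role:Finance Manager` gets `AccessPrivilege.READ` and `AccessPrivilege.UPDATE` on `app:cognos:service:ref:finance_report_writer` rather than ADMIN, so the delegate can edit membership but not privileges or the group; say so in a comment, and note that membership in `ref:role:Finance Manager` now transitively confers that UPDATE, so that group must stay root-administered. `addStem("app:cognos", "security", "security")` now creates a folder nothing in this script populates (the `cg_adv_manager` group that lived under the old `app:cognos:service:security` is gone); either drop it or comment why it exists. `addGroup("ref:role", "Finance Manager", "Finance Manager")` uses a display-style name with a space and capitals as the system extension, unlike every other id in the tree (`ref:dept:finance`, `finance_report_writer`); a `finance_manager` extension with "Finance Manager" as the display name matches the rest of the tree and avoids quoting the space in every path. Style: the new lines mix trailing semicolons and none within the same block.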
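Review bot: In the last hunk of ex201/ex201.5.end/container_files/seed-data/bootstrap.gsh, `GrouperSession.start(findSubject("asmith989"))` switches the script's active session to the Finance Manager and never returns to root or stops it, so anything appended after this block will silently run with asmith989's privileges. Keep the root session in `gs`, assign the asmith989 session to its own variable, and stop it (`GrouperSession.stopQuietly(...)`) once the `addMember` has run. Running that `addMember("app:cognos:service:ref:finance_report_writer", "bthompson392")` as asmith989 is a useful built-in check that the READ/UPDATE grant in the previous hunk actually works, since it throws if the privilege is missing; say that in the comment, and make the `// 201.5.4 step 6` reference unambiguous, because the doc in this same patch has two exercises numbered 201.5.4.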