Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing
30 changed files
with
2,846 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,174 @@ | ||
| ==================================== | ||
| GTE 201.1 Basis and Reference Groups | ||
| ==================================== | ||
|
|
||
| ------------------- | ||
| Learning Objectives | ||
| ------------------- | ||
|
|
||
| * Create and manage reference and basis groups | ||
| * Understand the difference between reference groups and basis groups | ||
| * Implement lifecycle requirements for subject attributes | ||
|
|
||
| -------------- | ||
| Lab Components | ||
| -------------- | ||
|
|
||
| * Grouper | ||
| * `Grouper Deployment Guide`_ | ||
|
|
||
| -------- | ||
| Overview | ||
| -------- | ||
|
|
||
| Often the best source of data for building institutional meaningful cohorts is a | ||
| combination of arcane employee/payroll/student codes from multiple source systems. | ||
| To leverage the power of Grouper these groups should be brought in as raw **basis groups**. | ||
|
|
||
| Basis groups are used by the IAM analyst to construct institutional meaningful | ||
| cohorts that are required for access policy. Access policy does not reference | ||
| basis groups directly, rather the basis groups are used to build up reference | ||
| groups. This indirection provides the IAM analyst the ability to adjust to | ||
| changing source systems and business practices while keeping reference groups | ||
| and access policy relatively stable. Basis groups are typically only visible to | ||
| the IAM analyst, and would not normally be reflected out to applications and | ||
| directories. | ||
|
|
||
| Reference groups tend to be organized in particular folder locations for convenience | ||
| and ease of use, but what makes a group a reference group is not its name or folder | ||
| location, but rather its intended use, definition and scope, and data management | ||
| expectations. | ||
|
|
||
| A **reference group** is a set of subjects that is largely intended to be used by | ||
| reference within access policy. Reference groups can be thought of as labels or | ||
| tags that identify institutional meaningful cohorts. In this way, they can also | ||
| be viewed as subject attributes from an ABAC perspective. Access policies often | ||
| require cohorts organized via institutional affiliation (faculty, staff, student), | ||
| a particular office or department (president's office, finance division, chaplain), | ||
| program (chemistry students), and even residence or class year. All of these are | ||
| good examples of reference groups. | ||
|
|
||
| This module will focus on creating and using basis and reference groups related to | ||
| students. | ||
|
|
||
| ---------------- | ||
| Exercise 201.1.1 | ||
| ---------------- | ||
|
|
||
| *Create an all student reference group to be used in access policy and the all | ||
| students mailing list* | ||
|
|
||
| Reference groups for student by class year already exist. These are being | ||
| used for class year mailing lists. Membership in these are updated | ||
| automatically by loader jobs: | ||
|
|
||
| * `ref:student:class2019` | ||
| * `ref:student:class2020` | ||
| * `ref:student:class2021` | ||
| * `ref:student:class2022` | ||
|
|
||
| #. Create a new reference group representing all students, `ref:student:students`. | ||
| #. Add the class year reference groups as direct members to `students`. How | ||
| many students are there? Filter by *indirect membership*. | ||
| #. You remember that recently graduated students have a grace period of 6 months | ||
| during which they retain full student access. Add `ref:student:class2018` to | ||
| `ref:student:students`, and set the membership end date to Dec. 31, 2018. How | ||
| many students are there now? | ||
|
|
||
| .. note:: | ||
|
|
||
| In this case, recently graduated students are still considered to be students | ||
| for the purpose of access control. If recent graduates only retained a few | ||
| services, it might make more sense to add these former students to individual | ||
| allow policies for the services in question. | ||
|
|
||
| ---------------- | ||
| Exercise 201.1.2 | ||
| ---------------- | ||
|
|
||
| *Other Students* | ||
|
|
||
| You remember that not all students have class years assigned. This includes part-time | ||
| students, employees taking courses, and non-matriculated students. Fortunately data | ||
| about these students is available in the SIS and a basis group has already been created | ||
| for us. | ||
|
|
||
| #. Add `basis:student:student_no_class_year` to `ref:student:students`. How many | ||
| students are there, now? | ||
|
|
||
| ---------------- | ||
| Exercise 201.1.3 | ||
| ---------------- | ||
|
|
||
| *Exchange Students* | ||
|
|
||
| You campus participates in an exchange program with a sister school. Students | ||
| from the sister school can take classes at your institution, but never have | ||
| official records in your SIS. They do however, have a local NetID. Registration | ||
| is done directly with the registrar and the student's home institution maintains | ||
| the student records. | ||
|
|
||
| #. Add `basis:student:exchange_students` to `ref:student:students`. How many | ||
| students are there now? | ||
|
|
||
| ---------------- | ||
| Exercise 201.1.4 | ||
| ---------------- | ||
|
|
||
| *Transfer Students* | ||
|
|
||
| Students who transfer into your campus often need access to systems well ahead | ||
| of SIS data being fully updated. | ||
|
|
||
| #. Create a new basis group, `basis:student:transfer_student`. | ||
| #. Add `transfer_student` to `students` with an expiration 60 days out. | ||
| #. Add the following accounts to `transfer_student`: | ||
|
|
||
| * agrady901 | ||
| * alee467 | ||
| * ascott776 | ||
|
|
||
| #. Check how many students there are, now. The number of students did not go up | ||
| by 3 as you might have expected. Why? One of the transfer students was | ||
| already a member of `students`. Trace the membership on each of the transfer | ||
| students to determine which accounts already had the `students` subject | ||
| attribute, and why. | ||
|
|
||
| ---------------- | ||
| Exercise 201.1.5 | ||
| ---------------- | ||
|
|
||
| *Change of Status* | ||
|
|
||
| Students who leave for a variety of reasons are given a 32 day grace period | ||
| during which they retain student access. Basis groups for these already exist. | ||
| They include: | ||
|
|
||
| * `basis:student:expelled_32_days` | ||
| * `basis:student:resigned_32_days` | ||
| * `basis_student_transferred_32_days` | ||
|
|
||
| #. Add these basis groups to `students`. How many students are there, now? | ||
|
|
||
| ---------------- | ||
| Exercise 201.1.6 | ||
| ---------------- | ||
|
|
||
| *Leave of Absence Students* | ||
|
|
||
| Student may also obtain a leave of absence for a variety of reasons. These | ||
| students may or may not return, but retain student access for an extend period | ||
| of time. Basis groups for leave of absence students already exists: | ||
|
|
||
| * `basis:student:loa_4_years` (leave of absence within the last 4 years) | ||
|
|
||
| #. Add `loa_4_years` to `students`. How many students are there, now? | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
| .. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,114 @@ | ||
|
|
||
| ============================== | ||
| GTE 201.2 Access Policy Groups | ||
| ============================== | ||
|
|
||
| ------------------- | ||
| Learning Objectives | ||
| ------------------- | ||
|
|
||
| * Translate a natural language policy group into digital policy using access policy groups. | ||
| * Understand the difference between policy groups and reference groups. | ||
|
|
||
| -------------- | ||
| Lab Components | ||
| -------------- | ||
|
|
||
| * Grouper | ||
| * `Grouper Deployment Guide`_ | ||
|
|
||
| -------- | ||
| Overview | ||
| -------- | ||
|
|
||
| `NIST SP 800-162`_ describes how natural language policy, that is access policy | ||
| stated in common language, must be converted to digital policy for any access | ||
| control mechanism to effectively operate. Digital policy is manifest in | ||
| Grouper via access policy groups. Subject membership in an access policy group | ||
| be indirect and represents a precomputed access policy decision based on subject | ||
| attributes (i.e. the subject’s membership in various reference groups). | ||
|
|
||
| An **access policy** group is a composite group whose membership is composed of | ||
| an include group (i.e. the allow group) minus an exclude group (i.e. the deny | ||
| group). Subject membership in both the allow group and the deny group should be | ||
| indirect (i.e. through reference groups) and have a clear mapping to the natural | ||
| language policy. When exceptions to policy are necessary, locally scoped | ||
| reference groups should be added. | ||
|
|
||
| Limiting policy groups to indirect membership assignments via reference groups | ||
| ensures that as subject attributes change, effective membership is up to date and | ||
| access control decisions are correct. It also enables the direct mapping from | ||
| natural language policy to digital policy and vice versa. Individual exceptions to | ||
| policy, while not expressly recommended, can be accommodated by adding subjects | ||
| directly to the allow/deny groups. | ||
|
|
||
| Membership within an access policy group is often kept in sync directly with a target | ||
| service or an intermediary like an LDAP based enterprise directory service. | ||
| Services can also query Grouper directly for membership assignment. | ||
|
|
||
| ---------------- | ||
| Exercise 201.2.1 | ||
| ---------------- | ||
|
|
||
| *Application folder structure* | ||
|
|
||
| #. Create `app:vpn:vpn_authorized`. | ||
| #. Create `app:vpn:vpn_allow`. | ||
| #. Create `app:vpn:vpn_deny`. | ||
| #. Make `vpn_authorized` a composite of `vpn_allow` minus `vpn_deny`. | ||
|
|
||
| ---------------- | ||
| Exercise 201.2.2 | ||
| ---------------- | ||
|
|
||
| *Create digital policy from natural language policy* | ||
|
|
||
| Natural language policy is "all faculty, staff have access to vpn, unless denied | ||
| by CISO or the account is in a closure state". Reference groups are already | ||
| available. | ||
|
|
||
| #. Add `ref:employee:fac_staff` to `vpn_allow`. | ||
| #. Add `ref:security:locked_by_ciso` to `vpn_deny`. | ||
| #. Add `ref:iam:closure` to `vpn_deny`. | ||
|
|
||
| ---------------- | ||
| Exercise 201.2.3 | ||
| ---------------- | ||
|
|
||
| *Update policy to also allow institutional review board members access to VPN* | ||
|
|
||
| New natural language policy is "all faculty, staff and members of the institutional | ||
| review board have access to vpn, unless denied by CISO or the account is in a closure | ||
| state". | ||
|
|
||
| #. Add `org:irb:ref:irb_members` to `vpn_allow`. | ||
| #. Add *jsmith* to `org:irb:ref:irb_members`. | ||
| #. Trace membership for *jsmith* from `vpn_authorized`. | ||
| #. View the audit log on `vpn_allow`. | ||
|
|
||
| ---------------- | ||
| Exercise 201.2.4 | ||
| ---------------- | ||
|
|
||
| *Create security groups for policy* | ||
|
|
||
| #. Create `ref:app:vpn:etc` folder. | ||
| #. Create `ref:app:vpn:etc:vpn_admins` group. | ||
| #. Assign **ADMIN** privilege to `vpn_admins` for `ref:app:vpn`. | ||
| #. Inherit privileges to all sub folders (and objects). | ||
|
|
||
| #. Navigate to `app:vpn`. | ||
| #. :guilabel:`More` |rightarrow| :guilabel:`Privileges inherited to objects in folder` | ||
| #. Click :guilabel:`Add Members`, and add `vpn_admins`. | ||
| #. Add admin privileges for folder, group, and attributes. | ||
|
|
||
| #. Navigate to `ref:app:vpn:ref:vpn_allow`. | ||
| #. Click :guilabel:`Privileges` |rightarrow| :guilabel:`Actions` |rightarrow| :guilabel:`Trace Priviliges`. | ||
|
|
||
|
|
||
|
|
||
| .. |rightarrow| unicode:: U+2192 | ||
|
|
||
| .. _NIST SP 800-162: https://csrc.nist.gov/publications/detail/sp/800-162/final | ||
| .. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program | ||
|
|
Oops, something went wrong.