diff --git a/docs/401/401.3.rst b/docs/401/401.3.rst index 240a440..92b2b35 100644 --- a/docs/401/401.3.rst +++ b/docs/401/401.3.rst @@ -6,7 +6,6 @@ Learning Objectives ------------------- - -------------- Lab Components -------------- 
@@ -25,41 +24,59 @@ Overview We have been asked to deploy a SaaS application called Board Effect. The service is already an InCommon member and honors an `eduPersonEntitlement` for "front door" access. Permission management within the application is -centered around "work rooms". Each work room provide access to specific -documents, chat, mailing lists, etc. The system will be used by trustees, +centered around "work rooms". Each work room provide access to specific +documents, chat, mailing lists, etc. The system will be used by trustees, executives, and various committee members. Thankfully the service is an InCommon member and using `eduPersonEntitlement` -values. However, it turns out users still need to have accounts provisioned -in order to get access. We will need two different kinds of policy groups. -The first, the account policy group, will be mapped to an `eduPersonEntitlement` -value and also be used for provisioning accounts. The second type, -authorization groups, will provide subject to role mapping, and are mapped -to work rooms created in Board Effect. This is an example of access control -model 3 described in the `Grouper Deployment Guide`_. - ----------------- -Exercise 401.3.1 ----------------- +values. However, it turns out users still need to have accounts provisioned +ahead of time in order to get access. We will need two different kinds of +policy groups. The first, the account policy group, will be mapped to an +`eduPersonEntitlement` value and also be used for provisioning accounts. The +second type, authorization groups, will provide subject to role mapping, and +are mapped to work rooms created in Board Effect. This is an example of access +control model 3 described in the `Grouper Deployment Guide`_. + +------------------------------------------------------------ +Exercise 401.3.1 Create application policy folder and groups +------------------------------------------------------------ + +#. 
Use the application template and the policy group template to create a new + `board_effect` application folder and policy group called + `board_effect_access`. + +.. figure:: ../figures/401-board-effect-app.png + +--------------------------------------------------- +Exercise 401.3.2 Create policy groups for workrooms +--------------------------------------------------- + +Membership in a Board Effect Workroom provides access to a number of features +and content within Board Effect. A Workroom is essentially an authorization +group. Workroom membership can be updated via a REST API provided by Board +Effect. Grouper policy groups will be mapped to Board Effect workrooms and used +to provision membership updates. -*Create a application policy folder and groups* +A new workroom call Committee on Finance has been created in Board Effect. +Create an authorization policy group in grouper and configure provisioning. -Rather than create the basic structure manually, use a -:ref:`GSH script `. +#. Using the policy template create + `app:board_effect:service:policy:workroom_finance|allow|deny`. +#. Add `workroom_finance` to `board_effect_access` ----------------- -Exercise 401.3.2 ----------------- +.. figure:: ../figures/401-board-effect-workroom.png -*Workrooms (i.e. authorization groups) can be updated via the Board Effect -REST API. Create Grouper authorization groups to manage those.* +---------------------------------------------------- +Exercise 401.3.3 Configure the Grouper ESB Connector +---------------------------------------------------- -A new workroom call Committee on Finance has been created in Board Effect. -Need to create authorization group in grouper and configure provisioning. +The `Grouper ESB Connector`_ is designed to enable Grouper to interface with an +ESB in order to send and receive individual events as changes occur. We'll use +the ESB Connector to send messages to rabbitMQ for provisioning the workroom +memberships. -#. 
Create `app:boardeffect:wr_cmt_fin_authorized|allow|deny`. -#. Configure grouperESB to send membership changes to rabbitMQ exchange. +#. The following has already been configured for you. .. literalinclude:: examples/401.3.2-grouper-loader.properties :language: properties 
@@ -73,24 +90,33 @@ Need to create authorization group in grouper and configure provisioning. :caption: grouper.client.properties :linenos: -#. Write provisioner component to read rabbitMQ and update BoardEffect via REST API. +2. Write provisioner component to read rabbitMQ and update BoardEffect via REST + API. .. note:: - This step is what logically should happen next to process the messages. - You aren't expected to actually accomplish this step during the lab. + We will not actually accomplish this step during the lab. Instead, let's + make sure our messages are making their way to rabbitMQ. ----------------- -Exercise 401.3.3 ----------------- +3. Log in to http://localhost:15672/ as username `guest`, password `guest`. +4. Select the `Queues` tab, and then click on the queue named `grouper` +5. Scoll down and click on `Get Message(s)` and review the message. -*Board Effect account provisioning* +.. figure:: ../figures/401-board-effect-rabbitmq.png + +------------------------------------------------------------------------ +Exercise 401.3.4 Configure account provisioning and eduPersonEntitlement +------------------------------------------------------------------------ + +All access to Board Effect is predicated on the presenence of an +eduPersonEntitlement value, and an account within Board Effect. We will use the +`board_effect_access` policy group to both control the eduPersonEntitlement +value and also provision the account to Board Effect via rabbitMQ. -#. Create `app:boardeffect:boardeffect_authorized`. -#. Add `...:wr_cmt_fin_authorized` to `boardeffect_authorized_allow`. #. Configure PSPNG to write `eduPersonEntitlement` value - **https://college.boardeffect.com/** to LDAP and release via Shibboleth only - for Boardeffect. + **https://college.boardeffect.com/** to LDAP. This value will only be + released via the Shibboleth IdP for the Boardeffect SP. The following is + already configured for you. .. 
literalinclude:: examples/401.3.2-grouper-loader.properties :language: properties 
@@ -99,126 +125,195 @@ Exercise 401.3.3 :caption: grouper-loader.properties :linenos: -Subject to role mapping in place and provisioners working, but how do we get -reference groups for committees? Ann in President’s Office knows. +Subject to workroom mapping is now in place and the account and workroom +provisioners are working! But how do we get reference groups for committees? +Ann in President’s Office knows. + +------------------------------------------------------- +Exercise 401.3.5 Distributed Reference Group Management +------------------------------------------------------- + +Ann currently maintains list of committee members by hand. Instead, she can use +a Grouper reference group. ----------------- -Exercise 401.3.4 ----------------- +#. Create `app:board_effect:service:ref:finance_committee`. -*Distributed Reference Group Management* +#. Give Ann admin access to `app:boardeffect:ref` by adding account + **amartinez410** to `app:board_effect:security:board_effectAdmins`. -Amy maintains list of committee members. Use these to build application specific -reference groups. +.. figure:: ../figures/401-board-effect-ann-privs.png -#. Create `app:boardeffect:ref:cmt_fin`. -#. Add `...:ref:cmt_fin` to `...:wr_cmt_fin_allow`. -#. Add `ref:global_deny` to `...:wr_cmt_fin_deny`. -#. Give Ann admin access to `app:boardeffect:ref` by adding account - **amartinez410** to `app:boardeffect:etc:boardeffect_admins`. +#. Add `finance_committee` to `workroom_finance_allow`. -Log in as Ann Martinez (**amartinez410**). Under *My Groups* you should see -the reference groups and policies Ann can manage. +.. figure:: ../figures/401-board-effect-finance-committee.png ----------------- -Exercise 401.3.5 ----------------- +#. In a private browser, log in as Ann Martinez (username `amartinez410`, + password `password`). Under *My Groups* you should see the reference groups + and policies Ann can manage. -*Committee member helpers* +.. 
figure:: ../figures/401-board-effect-my-groups.png -Joe Trustee is on committee, but Joe’s assistant also needs access to -committee work group. +#. Add `ksmith3` to the `finance_committee` group. -#. Create app specific ref group `app:boardeffect:ref:cmt_fin_helpers`. -#. Add `...:cmt_fin_helpers. to `...:wr_cmt_fin_allow`. +Great! Ann can now manage all the committee members directly in Grouper! Board +Effect accounts and workgroup access will be automatically provisioned and stay +in sync as Ann makes changes to the committee members. + +----------------------------------------- +Exercise 401.3.6 Committee member helpers +----------------------------------------- + +Our access strategy is working great for committee members. However, many +committee members have assistants who also needs access to the committee +workrooms. Rather than have Joe share his credentials, let's extend our access +strategy to account for this addition to policy. + +#. Create app specific ref group + `app:board_effect:service:ref:finance_committee_helpers`. + +#. Add `finance_committee_helpers` to `:workroom_finance_allow`. .. note:: - By *not* adding the helper subject to `app:boardeffect:ref:cmt_fin`, - we preserve the truth of the subject attributes. Members of `cmt_fin` - *are* members of the Finance Committee. The helpers are *not* members - of the committee, but they *are* granted access to the workroom by - the policy. + By *not* adding the helper subjects directly to `finance_committee`, we + preserve the fidelity of the subject attributes. Members of + `finance_committee` *are* members of the Finance Committee. The helpers + are *not* members of the committee, but they *are* granted access to the + workroom by the policy. This works great for specific assistants, but there are also general helpers who need access to all workrooms *temporarily* during board meetings. -#. Create app specific ref group `app:boardeffect:ref:workroom_helpers`. -#. 
Run :ref:`GSH script ` to add age off rule - to `workroom_helpers`. -#. Add `workroom_helpers` to all workroom allow groups. +#. Create app specific ref group + `app:board_effect:service:ref:workroom_helpers`. + +#. Run the following gsh script to add a 3 day age off rule to + `workroom_helpers`. In a termimal window run "./gte-gsh 401.1.1", then paste + the following: + +.. code-block:: groovy + + group_name = "app:board_effect:service:ref:workroom_helpers"; + workroom_helpers = GroupFinder.findByName(gs, group_name); + numDays = 3; + actAs = SubjectFinder.findRootSubject(); + attribAssign = workroom_helpers.getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign(); + attribValueDelegate = attribAssign.getAttributeValueDelegate(); + attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectSourceIdName(), actAs.getSourceId()); + attribValueDelegate.assignValue(RuleUtils.ruleRunDaemonName(), "F"); + attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectIdName(), actAs.getId()); + attribValueDelegate.assignValue(RuleUtils.ruleCheckTypeName(), RuleCheckType.membershipAdd.name()); + attribValueDelegate.assignValue(RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.thisGroupHasImmediateEnabledNoEndDateMembership.name()); + attribValueDelegate.assignValue(RuleUtils.ruleThenEnumName(), RuleThenEnum.assignMembershipDisabledDaysForOwnerGroupId.name()); + attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg0Name(), numDays.toString()); + attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg1Name(), "T"); -Workrooms created in Boardeffect. Grouper policy groups map to workroom, and -are kept up to date via Grouper provisioners. We could create workrooms -automatically based on policy group creation-- exercise left to student at home. +#. Add `workroom_helpers` to all `workroom_finance_allow`. ----------------- -Exercise 401.3.6 ----------------- +.. 
figures:: ../figures/401-board-effect-workroom_helpers.png -*Anna's Grouper Privileges* +This Grouper access governance stuff is sweet! :) -Anna was added as a direct member of `app:boardeffect:etc:boardeffect_admins`, -but we can do better! Responsibility for committee member management goes to -the president's executive assistant, whoever that might be. +----------------------------------------- +Exercise 401.3.7 Ann's Grouper Privileges +----------------------------------------- -#. Create a new reference group (role), `ref:roles:president_assistant` - for president executive assistant. -#. Add Anna's account to `president_assistant`. +We added Ann to board_effectAdmin so she could manage `finance_committee` +membership. But that also gives her full administrative access to the board_effect +app folder, including the security and policy groups. We can do better! -This is better, but does Anna really need full admin privileges to -`app:boardeffect`? Probably only needs update / read. +Responsibility for committee member management always goes to +the president's executive assistant, whoever that might be. Let's create an +institutional role for that, and implement least privilege access. -#. Add `ref:roles:president_assistant` to `app:boardeffect:etc:boardeffect_managers`. -#. Remove Anna from `app:boardeffect:etc:boardeffect_admins`. +#. Create a new institutional reference group, `ref:roles:president_assistant`. +#. Add `amartinez410` to `president_assistant`. ----------------- -Exercise 401.3.7 ----------------- +#. Add `ref:roles:president_assistant` to + `app:board_effect:security:board_effectUpdaters`. -*Global Committee reference groups* +#. Review Privileges on `finance_committee`. -All working great-- new system request comes in with policy based on board -committees. Need to elevate app-specific ref groups to global ref groups. +.. figure:: ../figures/401-board-effect-finance-privs-admin.png -#. Create `ref:board` folder for board committee ref groups. 
-#. Move `app:boardeffect:ref:cmt_fin` to `ref:board:cmt_fin`. +5. Remove `amartinez410` from `board_effectAdmins`. + +6. Review Privileges on `finance_committee`. + +.. figure:: ../figures/401-board-effect-ann-updated-privs.png + +7. Trace privileges for Ann on `finance_committee`. + (on Privileges tab: amartinez410 -> Actions -> Trace privileges) + +.. figure:: ../figures/401-board-effect-trace-ann-updaters.png + +--------------------------------------------------------------- +Exercise 401.3.8 Institutional board committee reference groups +--------------------------------------------------------------- + +The Board Effect policy is working great when a new SaaS system deployment +request comes in that also has access policy based on board committees. We +need to elevate the Board Effect application-specific reference groups to +institutional reference groups. + +#. Create a `ref:board` folder for board committee reference groups. + +#. Move `app:board_effect:service:ref:finance_committee` to + `ref:board:finance_committee`. (finance_committee -> More actions -> + Move group -> Move to this folder: `ref:board`) .. note:: - The Board Effect policies are not impacted by moving the location of - the reference groups! + The Board Effect access policy groups are not impacted by moving the + location of the reference groups! + +#. Create a `ref:board:security` security folder. + +#. Create a `ref:board:security:boardUpdaters` security group. + +#. Assign `boardUpdaters` *UPDATE* and *READ* rights on + `ref:board:finance_committee` + +#. Add `president_assistant` to `ref:board:security:boardUpdaters`. + +#. Review `ref:board:finance_committee` privileges + +.. figure:: ../figures/401-board-effect-ref-board-privs.png + +.. warning:: -#. Create `ref:board:etc` security folder. -#. Create `ref:board:etc:board_managers` security group. -#. Assign *UPDATE* and *READ* rights on reference groups to `board_managers`. -#. 
Revoke *UPDATE* and *READ* rights of reference groups from `app:board_effect:etc:boardeffect_managers`. + Moving our reference groups did *not* remove the access we had granted + to them from application-specific security groups. After moving a + reference group, it is good practive to review its privilege assignments. - .. warning:: +8. Revoke *UPDATE* and *READ* rights for + `board_effectUpdaters`, `board_effectAdmins`, and `board_effectReaders`. - Moving our reference groups did *not* remove the access we had granted - on them from application-specific security groups. After moving a - reference group, it is good practive to review its permissions. +9. Review `finance_committee` privileges. -#. Add `president_assistant` to `ref:board:etc:board_managers`. +.. figure:: ../figures/401-board-effect-final-privs.png +Congrats! You have established a new set of institutional reference groups, +verified their adminstrative access. And all without impacting current +services! -------- Epilogue -------- -New request comes in for four advisory councils. Each will have their own -workroom in Board Effect. Initially you are handed a spreadsheet with the -council members and you import them into app-specific reference groups -(e.g. `app:boardeffect:ref:advisory_council_northeast`). Later you find -out that council membership is available in Banner, so you create loader -jobs for those. As it turns out, the spreadsheets were old and had the wrong -members. Thank goodness for loader jobs! Alas, not all advisory council -members have NetIDs. To get them access we add them as sponsored accounts -in COmanage. +A request comes in for four new advisory council workrooms. Initially, you are +handed a spreadsheet with the council members NetIDs. You import them into +app-specific reference groups (e.g. `advisory_council_northeast`), and set up +workroom policy groups as before. 
Later on, you find out that the council +membership is available in Banner, so you create loader jobs for those. As it +turns out, the spreadsheets were old and had the wrong members. Thank goodness +for loader jobs! Alas, not all advisory council members have NetIDs. But fear +not, we simply get them NetIDs using our `COmanage`_ sponsored accounts system. The End .. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program +.. _Grouper ESB Connector: https://spaces.at.internet2.edu/display/Grouper/Grouper+ESB+Connector +.. _COmanage: https://www.internet2.edu/products-services/trust-identity/comanage/ \ No newline at end of file diff --git a/docs/401/examples/401.3.2-grouper-loader.properties b/docs/401/examples/401.3.2-grouper-loader.properties index 45f2b18..c9b2e21 100644 --- a/docs/401/examples/401.3.2-grouper-loader.properties +++ b/docs/401/examples/401.3.2-grouper-loader.properties 
@@ -94,7 +94,7 @@ changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.ps changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ? changeLog.consumer.pspng_entitlements.ldapPoolName = demo changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement -changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : (group.name.equalsIgnoreCase('app:boardeffect:boardeffect_authorized') ? 'https://college.boardeffect.com/' : 'urn:mace:example.edu:' + group.extension) } +changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : (group.name.equalsIgnoreCase('app:board_effect:service:policy:board_effect_access') ? 'https://college.boardeffect.com/' : 'urn:mace:example.edu:' + group.extension) } changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id} changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=* diff --git a/docs/figures/401-board-effect-ann-admin-priv.png b/docs/figures/401-board-effect-ann-admin-priv.png new file mode 100644 index 0000000..64771cf Binary files /dev/null and b/docs/figures/401-board-effect-ann-admin-priv.png differ diff --git a/docs/figures/401-board-effect-ann-privs.png b/docs/figures/401-board-effect-ann-privs.png new file mode 100644 index 0000000..f9f50cf Binary files /dev/null and b/docs/figures/401-board-effect-ann-privs.png differ diff --git a/docs/figures/401-board-effect-ann-updated-privs.png b/docs/figures/401-board-effect-ann-updated-privs.png new file mode 100644 index 0000000..8f9d9b5 Binary files /dev/null and b/docs/figures/401-board-effect-ann-updated-privs.png differ 
diff --git a/docs/figures/401-board-effect-app.png b/docs/figures/401-board-effect-app.png new file mode 100644 index 0000000..cd778f3 Binary files /dev/null and b/docs/figures/401-board-effect-app.png differ diff --git a/docs/figures/401-board-effect-final-privs.png b/docs/figures/401-board-effect-final-privs.png new file mode 100644 index 0000000..015f865 Binary files /dev/null and b/docs/figures/401-board-effect-final-privs.png differ diff --git a/docs/figures/401-board-effect-finance-committee.png b/docs/figures/401-board-effect-finance-committee.png new file mode 100644 index 0000000..2e901a4 Binary files /dev/null and b/docs/figures/401-board-effect-finance-committee.png differ diff --git a/docs/figures/401-board-effect-finance-privs-admin.png b/docs/figures/401-board-effect-finance-privs-admin.png new file mode 100644 index 0000000..9306c1d Binary files /dev/null and b/docs/figures/401-board-effect-finance-privs-admin.png differ diff --git a/docs/figures/401-board-effect-my-groups.png b/docs/figures/401-board-effect-my-groups.png new file mode 100644 index 0000000..2c94de5 Binary files /dev/null and b/docs/figures/401-board-effect-my-groups.png differ diff --git a/docs/figures/401-board-effect-rabbitmq.png b/docs/figures/401-board-effect-rabbitmq.png new file mode 100644 index 0000000..8782eb1 Binary files /dev/null and b/docs/figures/401-board-effect-rabbitmq.png differ diff --git a/docs/figures/401-board-effect-ref-board-privs.png b/docs/figures/401-board-effect-ref-board-privs.png new file mode 100644 index 0000000..d3f74cc Binary files /dev/null and b/docs/figures/401-board-effect-ref-board-privs.png differ diff --git a/docs/figures/401-board-effect-trace-ann-updaters.png b/docs/figures/401-board-effect-trace-ann-updaters.png new file mode 100644 index 0000000..c9066a3 Binary files /dev/null and b/docs/figures/401-board-effect-trace-ann-updaters.png differ 
diff --git a/docs/figures/401-board-effect-workroom-helpers.png b/docs/figures/401-board-effect-workroom-helpers.png new file mode 100644 index 0000000..cb9b159 Binary files /dev/null and b/docs/figures/401-board-effect-workroom-helpers.png differ diff --git a/docs/figures/401-board-effect-workroom.png b/docs/figures/401-board-effect-workroom.png new file mode 100644 index 0000000..f7f1edd Binary files /dev/null and b/docs/figures/401-board-effect-workroom.png differ diff --git a/ex401/ex401.1.1/container_files/grouper-loader.properties b/ex401/ex401.1.1/container_files/grouper-loader.properties index 3887673..5144557 100644 --- a/ex401/ex401.1.1/container_files/grouper-loader.properties +++ b/ex401/ex401.1.1/container_files/grouper-loader.properties @@ -94,7 +94,7 @@ changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.ps changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ? changeLog.consumer.pspng_entitlements.ldapPoolName = demo changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement -changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:service:policy:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension} +changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:service:policy:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : (group.name.equalsIgnoreCase('app:board_effect:service:policy:board_effect_access') ? 'https://college.boardeffect.com/' : 'urn:mace:example.edu:' + group.extension)} changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id} changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=* 
diff --git a/ex401/ex401.3.1/container_files/seed-data/bootstrap.gsh b/ex401/ex401.3.1/container_files/seed-data/bootstrap.gsh index 0c07f9d..48bbb2c 100644 --- a/ex401/ex401.3.1/container_files/seed-data/bootstrap.gsh +++ b/ex401/ex401.3.1/container_files/seed-data/bootstrap.gsh @@ -1 +1,3 @@ gs = GrouperSession.startRootSession(); +delStem("401.2.end") +addRootStem("401.3.1", "401.3.1") \ No newline at end of file diff --git a/ex401/ex401.3.end/Dockerfile b/ex401/ex401.3.end/Dockerfile index cebfd9d..40ad125 100644 --- a/ex401/ex401.3.end/Dockerfile +++ b/ex401/ex401.3.end/Dockerfile @@ -1,5 +1,5 @@ ARG VERSION_TAG -FROM tier/gte:401.3.7-$VERSION_TAG +FROM tier/gte:401.3.1-$VERSION_TAG LABEL author="tier-packaging@internet2.edu " \ Vendor="TIER" \ diff --git a/ex401/ex401.3.end/container_files/seed-data/bootstrap.gsh b/ex401/ex401.3.end/container_files/seed-data/bootstrap.gsh index 65c0386..2a2969b 100644 --- a/ex401/ex401.3.end/container_files/seed-data/bootstrap.gsh +++ b/ex401/ex401.3.end/container_files/seed-data/bootstrap.gsh 
@@ -1,26 +1,94 @@ gs = GrouperSession.startRootSession(); +delStem("401.3.1") +addRootStem("401.3.end", "401.3.end") -addStem("ref", "board", "board"); +// 401.3.1 +parent_stem_path = "app"; +app_extension = "board_effect"; +app_name = "board_effect"; -group = GroupFinder.findByName(gs, "app:boardeffect:ref:cmt_fin", true); -stem = StemFinder.findByName(gs, "ref:board", true); -group.move(stem); +stem = addStem(parent_stem_path, app_extension, app_name); +security = addStem(stem.name, "security", "security"); +service = addStem(stem.name, "service", "service"); +policy = addStem(service.name, "policy", "policy"); +ref = addStem(service.name, "ref", "ref"); + +admin_group_name = "${app_extension}Admins"; +admin_group = addGroup(security.name, admin_group_name, admin_group_name); +mgr_group_name = "${app_extension}Updaters"; +mgr_group = addGroup(security.name, mgr_group_name, mgr_group_name); +view_group_name = "${app_extension}Readers"; +view_group = addGroup(security.name, view_group_name, view_group_name); + +addGroup("app:board_effect:service:policy", "board_effect_access", "board_effect_access"); +addGroup("app:board_effect:service:policy", "board_effect_access_allow", "board_effect_access_allow"); +addGroup("app:board_effect:service:policy", "board_effect_access_deny", "board_effect_access_deny"); +addComposite("app:board_effect:service:policy:board_effect_access", CompositeType.COMPLEMENT, "app:board_effect:service:policy:board_effect_access_allow", "app:board_effect:service:policy:board_effect_access_deny"); + +// 401.3.2 +addGroup("app:board_effect:service:policy", "workroom_finance", "workroom_finance"); +addGroup("app:board_effect:service:policy", "workroom_finance_allow", "workroom_finance_allow"); +addGroup("app:board_effect:service:policy", "workroom_finance_deny", "workroom_finance_deny"); +addComposite("app:board_effect:service:policy:workroom_finance", CompositeType.COMPLEMENT, "app:board_effect:service:policy:workroom_finance_allow", 
"app:board_effect:service:policy:workroom_finance_deny"); +addMember("app:board_effect:service:policy:board_effect_access_allow", "app:board_effect:service:policy:workroom_finance"); + +// 401.3.3 nothing to do +// 401.3.4 nothing to do -addStem("ref:board", "etc", "etc"); -group2 = addGroup("ref:board:etc", "board_managers", "board_managers"); +// 401.3.5 +addGroup("app:board_effect:service:ref", "finance_committee", "finance_committee"); +grantPriv("app:board_effect:service:ref:finance_committee", "app:board_effect:security:board_effectAdmins", AccessPrivilege.ADMIN); +addMember("app:board_effect:service:policy:workroom_finance_allow", "app:board_effect:service:ref:finance_committee"); +addMember("app:board_effect:security:board_effectAdmins", "amartinez410"); -addMember("ref:board:etc:board_managers", "ref:roles:president_assistant"); +GrouperSession.start(findSubject("amartinez410")) +addMember("app:board_effect:service:ref:finance_committee", "ksmith3") +gs = GrouperSession.startRootSession(); + +// 401.3.6 +addGroup("app:board_effect:service:ref", "finance_committee_helpers", "finance_committee_helpers"); +addMember("app:board_effect:service:policy:workroom_finance_allow", "app:board_effect:service:ref:finance_committee_helpers"); +addGroup("app:board_effect:service:ref", "workroom_helpers", "workroom_helpers"); +addMember("app:board_effect:service:policy:workroom_finance_allow", "app:board_effect:service:ref:workroom_helpers"); + +group_name = "app:board_effect:service:ref:workroom_helpers"; +workroom_helpers = GroupFinder.findByName(gs, group_name); +numDays = 3; +actAs = SubjectFinder.findRootSubject(); +attribAssign = workroom_helpers.getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign(); +attribValueDelegate = attribAssign.getAttributeValueDelegate(); +attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectSourceIdName(), actAs.getSourceId()); +attribValueDelegate.assignValue(RuleUtils.ruleRunDaemonName(), "F"); 
+attribValueDelegate.assignValue(RuleUtils.ruleActAsSubjectIdName(), actAs.getId()); +attribValueDelegate.assignValue(RuleUtils.ruleCheckTypeName(), RuleCheckType.membershipAdd.name()); +attribValueDelegate.assignValue(RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.thisGroupHasImmediateEnabledNoEndDateMembership.name()); +attribValueDelegate.assignValue(RuleUtils.ruleThenEnumName(), RuleThenEnum.assignMembershipDisabledDaysForOwnerGroupId.name()); +attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg0Name(), numDays.toString()); +attribValueDelegate.assignValue(RuleUtils.ruleThenEnumArg1Name(), "T"); + +// 401.3.7 +addStem("ref", "role", "role"); +addGroup("ref:role", "president_assistant", "president_assistant"); +addMember("ref:role:president_assistant", "amartinez410"); +addMember("app:board_effect:security:board_effectUpdaters", "ref:role:president_assistant"); +delMember("app:board_effect:security:board_effectAdmins", "amartinez410"); -grantPriv("ref:board:cmt_fin", group2.toSubject().id, AccessPrivilege.UPDATE); -grantPriv("ref:board:cmt_fin", group2.toSubject().id, AccessPrivilege.READ); +// 401.3.8 +addStem("ref", "board", "board"); +group = GroupFinder.findByName(gs, "app:board_effect:service:ref:finance_committee", true); +stem = StemFinder.findByName(gs, "ref:board", true); +group.move(stem); -boardeffect_admins = GroupFinder.findByName(gs, "app:boardeffect:etc:boardeffect_admins", true); -boardeffect_mgr = GroupFinder.findByName(gs, "app:boardeffect:etc:boardeffect_mgr", true); -boardeffect_viewers = GroupFinder.findByName(gs, "app:boardeffect:etc:boardeffect_viewers", true); +addStem("ref:board", "security", "security"); +group2 = addGroup("ref:board:security", "boardUpdaters", "boardUpdaters"); +grantPriv("ref:board:finance_committee", group2.toSubject().id, AccessPrivilege.UPDATE); +grantPriv("ref:board:finance_committee", group2.toSubject().id, AccessPrivilege.READ); +addMember("ref:board:security:boardUpdaters", 
"ref:role:president_assistant"); -revokePriv("ref:board:cmt_fin", boardeffect_admins.toSubject().id, AccessPrivilege.ADMIN); -revokePriv("ref:board:cmt_fin", boardeffect_mgr.toSubject().id, AccessPrivilege.UPDATE); -revokePriv("ref:board:cmt_fin", boardeffect_mgr.toSubject().id, AccessPrivilege.READ); +boardeffectAdmins = GroupFinder.findByName(gs, "app:board_effect:security:board_effectAdmins", true); +boardeffectUpdaters = GroupFinder.findByName(gs, "app:board_effect:security:board_effectUpdaters", true); -revokePriv("ref:board:cmt_fin", boardeffect_viewers.toSubject().id, AccessPrivilege.READ); +revokePriv("ref:board:finance_committee", boardeffectAdmins.toSubject().id, AccessPrivilege.ADMIN); +revokePriv("ref:board:finance_committee", boardeffectUpdaters.toSubject().id, AccessPrivilege.UPDATE); +revokePriv("ref:board:finance_committee", boardeffectUpdaters.toSubject().id, AccessPrivilege.READ); diff --git a/ex401/manualBuild.sh b/ex401/manualBuild.sh index f759d6b..6f070c9 100755 --- a/ex401/manualBuild.sh +++ b/ex401/manualBuild.sh 
@@ -5,12 +5,6 @@ docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.1.1-${VER && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.1-${VERSION_TAG} ex401.2.1 \ && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.2.end-${VERSION_TAG} ex401.2.end \ && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.1-${VERSION_TAG} ex401.3.1 \ -&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.2-${VERSION_TAG} ex401.3.2 \ -&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.3-${VERSION_TAG} ex401.3.3 \ -&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.4-${VERSION_TAG} ex401.3.4 \ -&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.5-${VERSION_TAG} ex401.3.5 \ -&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.6-${VERSION_TAG} ex401.3.6 \ -&& docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.7-${VERSION_TAG} ex401.3.7 \ && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.3.end-${VERSION_TAG} ex401.3.end \ && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.4.1-${VERSION_TAG} ex401.4.1 \ && docker build --build-arg VERSION_TAG=${VERSION_TAG} --tag=tier/gte:401.4.end-${VERSION_TAG} ex401.4.end
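Review bot: in the Overview hunk (@@ -25,41) the line "Each work room provide access to specific" is rewritten (whitespace only) but the grammar stays; since the line is already in the diff, make it "Each work room provides access to specific". In the same hunk, 401.3.2 reads "A new workroom call Committee on Finance" (should be "called") and "in grouper" (capital G, as elsewhere on the page). The literalinclude under 401.3.3 still pulls `examples/401.3.2-grouper-loader.properties` after the exercise was renumbered to 401.3.3; either rename the example file or say in the caption that it is shared with 401.3.4, otherwise readers will look for a 401.3.3 file.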
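Review bot: in the @@ -73,24 hunk, step 5 "Scoll down" should be "Scroll down", and in 401.3.4 "presenence" should be "presence". The more important point is the claim that the entitlement value "will only be released via the Shibboleth IdP for the Boardeffect SP": nothing in this change shows or links the IdP attribute-filter rule that enforces the SP-scoped release, and the whole front-door access model rests on it. Add a literalinclude of (or a pointer to) the relevant attribute-filter configuration next to the grouper-loader.properties include, or reword to say that release policy was pre-configured in the lab image.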
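Review bot: in the @@ -99,126 hunk the directive ".. figures:: ../figures/401-board-effect-workroom_helpers.png" is wrong twice over: `figures` is not a docutils directive (it should be `figure`), and the file added in this commit is `401-board-effect-workroom-helpers.png` with a hyphen, so the image will not render and Sphinx will warn. Doc and seed script also disagree on a name: the text creates `ref:roles:president_assistant` while ex401.3.end/bootstrap.gsh creates `ref:role:president_assistant`; pick one. In 401.3.8, step 8 asks to revoke UPDATE and READ from board_effectUpdaters, board_effectAdmins and board_effectReaders, but in this lab the Admins group holds ADMIN (which the seed script revokes) and Readers is never granted anything, so list the privileges actually present or the step 9 review will not match the figure. Smaller fixes in the same hunk: "Give Ann admin access to `app:boardeffect:ref`" still uses the old folder name (the group she is added to is `app:board_effect:security:board_effectAdmins`); "`:workroom_finance_allow`" has a stray leading colon; "Add `workroom_helpers` to all `workroom_finance_allow`" has a leftover "all"; "board_effectAdmin" should be `board_effectAdmins`; and the typos "termimal", "practive", "adminstrative" and "assistants who also needs" (should be "need").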
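Review bot: the docs copy of grouper-loader.properties still compares against `app:mfa:mfa_enabled` while the container copy in ex401.1.1 compares against `app:mfa:service:policy:mfa_enabled`, so the literalinclude in 401.3.4 will show a stale MFA group name; generate the docs example from the container file (or make it a symlink) so the two cannot drift again. The nested ternary now carries two applications: a comment above the property saying that an exact group-name match is required (renaming `board_effect_access` silently stops emitting the BoardEffect entitlement) would help the reader, and a third application is the point to replace the ternary with a lookup.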
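Review bot: `docs/figures/401-board-effect-ann-admin-priv.png` is added but no `.. figure::` in 401.3.rst references it (the doc uses ann-privs, finance-privs-admin, ann-updated-privs, trace-ann-updaters, ref-board-privs and final-privs); drop it or add the reference.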
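Review bot: the ex401.1.1 container copy of grouper-loader.properties is the one that actually runs and it carries the correct `app:mfa:service:policy:mfa_enabled` name, so treat it as the source of truth for the docs example rather than maintaining the expression by hand in two places.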
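Review bot: in ex401.3.1/bootstrap.gsh, `delStem("401.2.end")` and `addRootStem("401.3.1", "401.3.1")` drop the semicolons the rest of these scripts use, and the file now ends without a newline ("\ No newline at end of file"); add both. A one-line comment that these root stems are only progress markers for the lab image would save the next reader from wondering what a stem named `401.3.1` is for.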
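Review bot: in ex401.3.end/bootstrap.gsh, the 401.3.5 block calls `GrouperSession.start(findSubject("amartinez410"))` and then `gs = GrouperSession.startRootSession();` without stopping Ann's session; capture it (`annSession = GrouperSession.start(findSubject("amartinez410"));`) and call `GrouperSession.stopQuietly(annSession);` before restarting root, and add a comment that the `ksmith3` add is done as Ann on purpose so the seed fails if the ADMIN grant from the previous step is missing. The 401.3.7 block creates `ref:role:president_assistant` while the doc says `ref:roles:president_assistant`. The 401.3.8 block revokes ADMIN from `board_effectAdmins` and UPDATE/READ from `board_effectUpdaters`, which matches what this script granted earlier, but the doc's step 8 also names `board_effectReaders`; align the two. The `GrouperSession.start` and `addMember(... "ksmith3")` lines also lack the trailing semicolons used everywhere else in the file.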
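Review bot: removing the 401.3.2 to 401.3.7 build steps from manualBuild.sh matches the Dockerfile change to `FROM tier/gte:401.3.1-$VERSION_TAG`, but the ex401.3.2 to ex401.3.7 directories are not deleted in this commit; remove them (or say why they stay) so the tree does not carry stale exercise images that no longer build.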