201906 updates for 201 and 401

base/Dockerfile

@@ -83,7 +83,8 @@ COPY container_files/var-www-html/ /var/www/html/
 RUN cp /opt/tier-support/grouper.xml /opt/tier-support/grouper-ws.xml /opt/tomcat/conf/Catalina/localhost/ \
     && chown -R tomcat /opt/shibboleth-idp/ \
     && chmod -R 700 /opt/shibboleth-idp/ \
-    && chmod +rx /var/www/html/app/index.py
+    && chmod +rx /var/www/html/app/index.py \
+    && /opt/shibboleth-idp/bin/build.sh
 
 EXPOSE 389 3306 4443
 

base/container_files/shibboleth-idp/messages/messages.properties

@@ -0,0 +1,6 @@
+# You can define message properties here to override messages defined in
+# system/messages/ or to add your own messages.
+idp.title = InCommon Trusted Access Platform - Grouper Training Environment
+idp.logo = /images/Grouper_204px.png
+idp.logo.alt-text = Grouper
+idp.footer = InCommon Trusted Access Platform - Grouper Training Environment

docs/201/201.1.rst

@@ -57,13 +57,13 @@ to students.
 Exercise 201.1.1 All students reference group
 ---------------------------------------------
 
-*Create an all student reference group to be used in access policy and the all
-students mailing list*
+Create an all student reference group to be used in access policy and the "all
+students" mailing list.
 
-Reference groups for student by class year already exist. These are being used
-for class year mailing lists. Membership in the class year groups are updated
-automatically by the studentTermLoader job. The loader job queries the student
-information system.
+Reference groups for students by class year already exist in `ref:student`.
+These are being used for class year mailing lists. Membership in the class year
+groups are updated automatically by the studentTermLoader job. The loader job
+queries the student information system.
 
 1. Create a new group named `ref:student:students`.
    (+ Create new group)
@@ -75,7 +75,7 @@ information system.
 
 .. figure:: ../figures/201-add-ref-students.png
 
-3. Add the following class year reference groups to `..:students`.
+3. Add the following class year reference groups to `students`.
    (Members -> + Add members -> ...)
 
 * `ref:student:class2020`
@@ -84,7 +84,7 @@ information system.
 * `ref:student:class2023`
 
 4. Filter for: Has direct membership. This shows all the reference groups that
-   contribute to the '..:students' group.
+   contribute to the `students` group.
 
 .. figure:: ../figures/201-students-direct-membership.png
 
@@ -140,14 +140,16 @@ Exercise 201.1.4 Transfer Students
 Students who transfer to your campus often need access to systems well ahead
 of SIS data being fully updated.
 
-#. Create a new basis group, `basis:student:transfer_student`.
+#. Create a new basis group `basis:student:transfer_student` and add it to
+   `students`
+
 #. Add the following accounts to `transfer_student`:
 
-    * agrady901
-    * alee467
-    * ascott776
+* pmartinez921
+* cthompson287
+* agrady901
 
-#. Check how many students there are now. The number of students did not go
+3. Check how many students there are now. The number of students did not go
    up by 3 as you might have expected. Why? One of the transfer students was
    already a member of `students`. Trace the membership on each of the
    transfer students to determine which accounts already had the `students`
@@ -157,8 +159,8 @@ of SIS data being fully updated.
 Exercise 201.1.5 Change of Status
 ---------------------------------
 
-Students who leave for a variety of reasons are given a 32 day grace period
-during which they retain student access.  Basis groups for these already exist.
+Students who leave for a variety of reasons are given a 32 day grace period,
+during which they retain student access. Basis groups for these already exist.
 They include:
 
 * `basis:student:expelled_32_days`
@@ -167,6 +169,8 @@ They include:
 
 #. Add these basis groups to `students`.  How many students are there now?
 
+.. figure:: ../figures/201-students-change-of-status.png
+
 ------------------------------------------
 Exercise 201.1.6 Leave of Absence Students
 ------------------------------------------

docs/201/201.2.rst

@@ -63,19 +63,17 @@ create a new structure for our VPN service policy.
 
 3. Navigate to the `app:vpn:service:policy` folder
 
-4. Create a new vpn_authorized policy group using the Policy Group Template
+4. Create a new vpn_access policy group using the Policy Group Template
    (More actions -> New template)
 
 .. figure:: ../figures/201-new-vpn-policy.png
 
-[ this should be replaced with policy template when ready ]
+TODO: Steps 5 through 8 should be replaced with policy template when ready
 
-5. Create `app:vpn:vpn_authorized`.
+5. Create `app:vpn:vpn_access`.
 6. Create `app:vpn:vpn_allow`.
 7. Create `app:vpn:vpn_deny`.
-8. Make `vpn_authorized` a composite of `vpn_allow` minus `vpn_deny`.
-
-.. figure:: ../figures/201-vpn-composite.png
+8. Make `vpn_access` a composite of `vpn_allow` minus `vpn_deny`.
 
 -------------------------------------------------------------------
 Exercise 201.2.2 Create digital policy from natural language policy
@@ -88,10 +86,10 @@ are already available.
 #. Add `ref:employee:fac_staff` to `vpn_allow`.
 #. Add `ref:security:locked_by_ciso` to `vpn_deny`.
 #. Add `ref:iam:closure` to `vpn_deny`.
-#. Review the `vpn_authorized` policy definition
-   (vpn_authorized -> More actions -> Visualization)
+#. Review the `vpn_access` policy definition
+   (vpn_access -> More actions -> Visualization)
 
-.. figure:: ../figures/201-vpn-authorized.png
+.. figure:: ../figures/201-vpn-access.png
 
 ----------------------------------------------------------------------------
 Exercise 201.2.3 Update policy to include institutional review board members
@@ -103,7 +101,7 @@ account is in a closure state".
 
 #. Add `org:irb:ref:irb_members` to `vpn_allow`.
 #. Add *jsmith* to `org:irb:ref:irb_members`.
-#. Trace membership for *jsmith* from `vpn_authorized`. (jsmith -> Choose
+#. Trace membership for *jsmith* from `vpn_access`. (jsmith -> Choose
    action -> Actions -> Trace membership)
 
 .. figure:: ../figures/201-jsmith-trace.png
@@ -113,10 +111,10 @@ account is in a closure state".
 
 .. figure:: ../figures/201-vpn-allow-audit.png
 
-5. Review policy definition for `vpn_authorized`.
-   (vpn_authorized -> More actions -> Visualization)
+5. Review policy definition for `vpn_access`.
+   (vpn_access -> More actions -> Visualization)
 
-.. figure:: ../figures/201-vpn-authorized2.png
+.. figure:: ../figures/201-vpn-access2.png
 
 ------------------------------------------------------------
 Exercise 201.2.4 Review Application template security groups

docs/201/201.3.rst

@@ -108,7 +108,7 @@ The eduPerson object class specification states:
     faculty, staff and students.
 
 #. Create `app:eduPersonAffiliation:ePA_member`.
-#. Add `...:ePA_faculty | staff | student` to `...:ePA_member`.
+#. Add `ePA_faculty`, `ePA_staff`, and `ePA_student` to `ePA_member`.
 #. Review `ePA_member` defintion (ePA_member -> More actions -> Visualization)
 
 .. figure:: ../figures/201-ePA-member-vis.png

docs/201/201.4.rst

@@ -19,16 +19,16 @@ Lab Components
 * OpenLDAP
 * Shibboleth
 * `Grouper Deployment Guide`_
-* `eduPerson Object Class Specification`_ 
+* `eduPerson Object Class Specification`_
 
 --------
 Overview
 --------
 
 `Grouper Deployment Guide`_ access control model 2 (ACM2) is all about
-attribute based access control (ABAC) as defined in `NIST SP 800-162`_.  ACM2 is
-applicable across a broad range of services where access control policy can be
-based on subject attributes, policy decisions can be precomputed, and simple
+attribute based access control (ABAC) as defined in `NIST SP 800-162`_.  ACM2
+is applicable across a broad range of services where access control policy can
+be based on subject attributes, policy decisions can be precomputed, and simple
 subject attributes are sufficient to drive the policy enforcement point.
 
 In cases where the SAML Service Provider will accept an
@@ -49,20 +49,11 @@ Exercise 201.4.1 Create policy for wiki application
 
 .. figure:: ../figures/201-wiki-app.png
 
-[ use new policy template to create wiki_user]
-`app:wiki:service:policy:wiki_authorized|allow|deny`.
-Edit composite `wiki_authorized` to make it `wiki_allow` minus `wiki_deny`.
-
----------------------------------------------------
-Exercise 201.4.2 Review application security groups
----------------------------------------------------
-
-`app:wiki:security`
-
-.. figure:: ../figures/201-wiki-security.png
+3. Navigate to `app:wiki:service:policy:` and use the new policy template to
+   create `wiki_user`
 
 -----------------------------------------------
-Exercise 201.4.3 Add reference groups to policy
+Exercise 201.4.2 Add reference groups to policy
 -----------------------------------------------
 
 `wiki_user` is an application-secific role. Subjects in this role have general
@@ -76,7 +67,7 @@ to the student wiki, unless they are in the global deny group".
 .. figure:: ../figures/201-wiki-policy.png
 
 -------------------------------------------------------------------------------
-Exercise 201.4.4 Configure PSPNG to provision wiki_user to eduPersonEntitlement
+Exercise 201.4.3 Configure PSPNG to provision wiki_user to eduPersonEntitlement
 -------------------------------------------------------------------------------
 
 #. Assign PSPNG attribute, **provision_to**  to `wiki_user` with a value
@@ -92,13 +83,13 @@ Exercise 201.4.4 Configure PSPNG to provision wiki_user to eduPersonEntitlement
         :caption: grouper-loader.properties
         :linenos:
 
-2. Run CHANGE_LOG_consumer_pspng_entitlements
+3. Run CHANGE_LOG_consumer_pspng_entitlements
    (Miscellaneous -> All daemon jobs -> Job actions -> Run job now)
 
 .. figure:: ../figures/201-pspng-entitlements-run-job.png
 
 ---------------------------------------------------------------
-Exercise 201.4.5 Configure Shib to release ePE value for our SP
+Exercise 201.4.4 Configure Shib to release ePE value for our SP
 ---------------------------------------------------------------
 
 The demo Shibboleth IdP has been configured to release the
@@ -119,7 +110,7 @@ is below:
 .. figure:: ../figures/201-ePE-value.png
 
 ----------------------------------------------------------------
-Exercise 201.4.6 Thought exercise! Create accounts at target SP?
+Exercise 201.4.5 Thought exercise! Create accounts at target SP?
 ----------------------------------------------------------------
 Can we use policy groups to create/manage accounts at target SP?
 

docs/201/201.5.rst

@@ -46,8 +46,11 @@ Exercise 201.5.1 Create a `congos` application folder and group set
 
 1. Use the Application template to create the `cognos` application folder and
    group set in the `app` folder.
-2. Use the Policy template to create two new policy groups in 
-   `app:cognos:service`
+2. Use the Policy template to create two new policy groups in
+   `app:cognos:service:policy`
+
+* `app:cognos:service:policy:cg_fin_report_reader`
+* `app:cognos:service:policy:cp_fin_report_writer`
 
 ------------------------------------------------------
 Exercise 201.5.2 Implement Report Reader Access Policy
@@ -66,10 +69,10 @@ Exercise 201.5.3 Implement Report Writer Access Policy
 
 Only employees authorized by the Finance Manager have access to write reports
 
-This policy will require an application specific reference group the we will
-use as an access control list managed by the Finanance Manager.
+This policy will require an application specific reference group. It will be
+will used as an access control list managed by the Finanance Manager.
 
-1. Create a `app:congos:service:ref:finance_report_writer` group.
+1. Create reference group `app:congos:service:ref:finance_report_writer`.
 2. Add `finance_report_writer` to `cg_fin_report_write_allow`.
 
 .. figure:: ../figures/201-fin-report-writer.png
@@ -114,10 +117,10 @@ Exercise 201.5.4 Add attestation for finance_report_writer
 ABAC policy groups are kept in sync automatically as subject attributes change
 in the underlying business systems. Access control lists, on the otherhand,
 tend to drift as soon as they are created. Grouper provides an attestation
-feature that reminds group managers and owners to review group memberships and
+feature that reminds group managers and owners to review group memberships, and
 keeps an audit of attestation actions.
 
-#. Add attestation requirement for `advancement_report_writer`.
+#. Add attestation requirement for `finance_report_writer`.
    (finance_report_writer -> More actions -> Attestation ->
    Attestation actions -> Edit attestation settings)
 
@@ -137,6 +140,6 @@ keeps an audit of attestation actions.
 Congrats! Your Congos access policy is clear, consistent, automated,
 delegated, auditable, and attestable!
 
-Welcome to Grouper Guru Level 7! :)
+Welcome to Grouper Guru Level 2! :)
 
 .. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program

docs/401/401.4-example-solution.rst

@@ -23,4 +23,4 @@ scholars reference group.
 
 .. figure:: ../figures/401-lms-solution.png
 
-Congrats! You are now a certified Grouper Guru associate level 1!
+Congrats! You are now a certified Grouper Guru level 4!

ex201/ex201.1.1/container_files/seed-data/bootstrap.gsh

@@ -182,3 +182,66 @@ attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouper
 addMember("basis:student:loa_4_years","jprice704");
 addMember("basis:student:loa_4_years","aprice705");
 addMember("basis:student:loa_4_years","aclark706");
+
+// setup for 201.2
+// should be a loader job?
+addStem("ref", "employee", "employee")
+fac_staff = addGroup("ref:employee", "fac_staff", "fac_staff")
+
+// Set ref object type on fac_staff reference group
+AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true);
+AttributeAssign attributeAssign = fac_staff.getAttributeDelegate().hasAttribute(typeMarker) ? fac_staff.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : fac_staff.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner",
+"HR and Provost Office");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
+"All faculty and staff");
+
+addStem("ref", "security", "security")
+locked_by_ciso = addGroup("ref:security", "locked_by_ciso", "locked_by_ciso")
+AttributeAssign attributeAssign = locked_by_ciso.getAttributeDelegate().hasAttribute(typeMarker) ? locked_by_ciso.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : locked_by_ciso.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner",
+"CISO");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
+"Subjects denied access by CISO");
+
+addStem("ref", "iam", "iam")
+closure = addGroup("ref:iam", "closure", "closure")
+AttributeAssign attributeAssign = closure.getAttributeDelegate().hasAttribute(typeMarker) ? closure.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : closure.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner",
+"IAM");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
+"Accounts in the process of being closed");
+
+addStem("org", "irb", "irb")
+addStem("org:irb", "ref", "ref")
+irb_members = addGroup("org:irb:ref", "irb_members", "irb_members")
+AttributeAssign attributeAssign = irb_members.getAttributeDelegate().hasAttribute(typeMarker) ? irb_members.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : irb_members.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner",
+"Institutional Review Board");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
+"Members of the IRB");
+
+// setup for 201.4
+global_deny = addGroup("ref:iam", "global_deny", "global_deny");
+AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true);
+AttributeAssign attributeAssign = global_deny.getAttributeDelegate().hasAttribute(typeMarker) ? global_deny.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : global_deny.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner",
+"Identity and Access Management");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
+"Global deny group");
+
+// setup for 201.5
+// should be a loader job?
+addStem("ref", "dept", "dept")
+addGroup("ref:dept", "finance", "finance")
+addMember("ref:dept:finance", "asmith989")

ex201/ex201.1.1/container_files/seed-data/sisData.sql

@@ -3324,7 +3324,6 @@ INSERT INTO SIS_COURSES (termId, courseId, studentId) VALUES ('201810','ACCT101'
 INSERT INTO SIS_COURSES (termId, courseId, studentId) VALUES ('201810','ENGL101','80000902');
 INSERT INTO SIS_COURSES (termId, courseId, studentId) VALUES ('201810','MATH100','80000902');
 INSERT INTO SIS_COURSES (termId, courseId, studentId) VALUES ('201810','HIST101','80000902');
-INSERT INTO SIS_STUDENT_TERMS (id, term) VALUES ('80000902','2019');
 INSERT INTO SIS_STUDENT_TERMS (id, term) VALUES ('80000902','2022');
 INSERT INTO HR_PEOPLE(id, surname, givenName) VALUES ('80000903','Gasper','Mark');
 INSERT INTO HR_PEOPLE_ROLES(id, role) VALUES ('80000903','staff');