content and gte updates for 201.5

docs/201/201.5.rst

@@ -6,7 +6,7 @@
 Learning Objectives
 -------------------
 
-* Understand ACM3 and how to use grouper policy groups  with application specific roles
+* Understand ACM3 and how to use policy groups with application specific roles
 * Implement delegated access control
 * Configure attestation
 
@@ -23,62 +23,120 @@ Overview
 
 In applications with sophisticated RBAC capabilities, fine-grained permission
 sets are typically configured via an administrative interface within the
-application itself.  These permission sets are then associated with a role name
-that can be mapped to a set of users.  In this model, the user to role mapping
-is done in Grouper by pairing a normal access control group with the role name
-defined at the target service.  The policy indicating which subjects are mapped
-to application roles (permissions sets) can be attribute based or a simple
-access control list, or some combination of both.
+application itself. These permission sets are then associated with a role name
+that can be mapped to a set of users. In this model, the user to role mapping
+is done in Grouper by pairing a access policy group with the role name
+defined at the target service. The policy indicating which subjects are mapped
+to application roles (permissions sets) can be attribute based, a simple access
+control list, or some combination of both.
 
-ACM3 is implemented using Grouper as follows:
+In AC3, the policy adminstration point is split between Grouper and the target
+service. Policy decision point and policy enforcement point are with the target
+service.
 
-* Subject |rightarrow| Role assignment is made in Grouper.  Access control policies are used to represent Roles.
-* Fine-grained permission sets are managed at the target service and assigned a Role Name
-* Grouper access control groups are mapped to target service Role Name, completing the User |rightarrow| Role mapping
-* PAP split between Grouper and target service, PDP and PEP at service
+ACM3 is implemented in Grouper as follows:
 
-----------------
-Exercise 201.5.1
-----------------
+#. Permission sets are managed at the target service and assigned a Role Name
+#. Grouper policy groups are mapped to target service Role Name
+#. Subject to Role assignment is made in Grouper
 
-*Create application folder and group set*
+-------------------------------------------------------------------
+Exercise 201.5.1 Create a `congos` application folder and group set
+-------------------------------------------------------------------
 
-Use wizard template (or gsh script) to create new application folder/group set.
+1. Use the Application template to create the `cognos` application folder and
+   group set in the `app` folder.
+2. Use the Policy template to create two new policy groups in 
+   `app:cognos:service`
 
-#. Create `app:cognos:service:security:cg_adv_manager`.
-#. Create `app:cognos:service:ref` folder.
-#. Create `app:cognos:service:policy` folder.
-#. Create `app:congos:service:policy:cg_adv_report_reader|allow|deny`.
-#. Create `app:congos:service:policy:cg_adv_report_writer|allow|deny`.
+------------------------------------------------------
+Exercise 201.5.2 Implement Report Reader Access Policy
+------------------------------------------------------
 
-----------------
-Exercise 201.5.2
-----------------
+All finance employees have read access to finance reports.
 
-*Add reference groups to policy*
+1. Implement the reader policy by adding `ref:dept:finance` to
+   `cg_adv_report_reader_allow`.
 
-#. Add `ref:dept:advancement` to `cg_adv_report_reader_allow`.
+.. figure:: ../figures/201-fin-report-reader.png
 
-----------------
-Exercise 201.5.3
-----------------
+------------------------------------------------------
+Exercise 201.5.3 Implement Report Writer Access Policy
+------------------------------------------------------
 
-*Create app specific reference group for advancement report writers*
+Only employees authorized by the Finance Manager have access to write reports
 
-#. Create `app:congos:service:ref:advancement_report_writer`.
-#. Add `...:ref:advancement_report_writers` to `...:cg_adv_report_writer_allow`.
-#. Add read/update privileges to `cg_adv_manager` to `cg_adv_report_writer_allow`.
+This policy will require an application specific reference group the we will
+use as an access control list managed by the Finanance Manager.
 
-----------------
-Exercise 201.5.4
-----------------
+1. Create a `app:congos:service:ref:finance_report_writer` group.
+2. Add `finance_report_writer` to `cg_fin_report_write_allow`.
 
-*Add attestation*
+.. figure:: ../figures/201-fin-report-writer.png
+
+---------------------------------------------------------------
+Exercise 201.5.4 Delegate access control to the Finance Manager
+---------------------------------------------------------------
+
+The Finance Manager will directly managed the `finance_report_writer` access
+control list.
+
+1. Create a `ref:role:Finanance Manager` institutional reference group
+2. Grant UPDATE and READ on `finance_report_writer` to `Finance Manager`
+
+.. figure:: ../figures/201-priv-grant-fin-mgr.png
+
+3. Add `asmith989` to `ref:role:Finance Manager`
+4. Review privileges on `finance_report_writer`
+
+.. figure:: ../figures/201-review-priv-fin-mgr.png
+
+5. Trace privileges for Anna Smith
+   (Choose action -> Actions -> Trace privileges)
+
+.. figure:: ../figures/201-anna-smith-trace-priv.png
+
+.. figure:: ../figures/201-anna-smith-trace.png
+
+6. Open a seperate browser and log in with username `asmith989` and password
+   `password`. Add `bthompson392` to `finance_report_writer`
+
+7. Go back to `banderson` browser and review audit log for
+   `finance_report_writer` (finance_report_writer -> More actions -> View audit
+   log)
+
+.. figure:: ../figures/201-fin-report-write-audit.png
+
+----------------------------------------------------------
+Exercise 201.5.4 Add attestation for finance_report_writer
+----------------------------------------------------------
+
+ABAC policy groups are kept in sync automatically as subject attributes change
+in the underlying business systems. Access control lists, on the otherhand,
+tend to drift as soon as they are created. Grouper provides an attestation
+feature that reminds group managers and owners to review group memberships and
+keeps an audit of attestation actions.
 
 #. Add attestation requirement for `advancement_report_writer`.
+   (finance_report_writer -> More actions -> Attestation ->
+   Attestation actions -> Edit attestation settings)
+
+.. figure:: ../figures/201-fin-report-writer-attestation.png
+
+2. Log back in as `asmith989`. Review and attest the
+   `finance_report_writer` membership.
+
+.. figure:: ../figures/201-asmith989-attest.png
+
+3. Log back in as `bandereson`. Review attestation audit log.
+   (finance_report_writer -> More actions -> Attestation ->
+   View audit log)
 
+.. figure:: ../figures/201-fin-report-attest-audit-log.png
 
+Congrats! Your Congos access policy is clear, consistent, automated,
+delegated, auditable, and attestable!
 
-.. |rightarrow| unicode:: U+2192
+Welcome to Grouper Guru Level 7! :)
 
 .. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program

ex201/ex201.5.1/container_files/seed-data/bootstrap.gsh

@@ -1 +1,9 @@
 GrouperSession.startRootSession()
+delStem("201.4.end")
+addRootStem("201.5.1", "201.5.1")
+
+// should be a loader job?
+addStem("ref", "dept", "dept")
+addGroup("ref:dept", "finance", "finance")
+addMember("ref:dept:finance", "asmith989")
+

ex201/ex201.5.end/container_files/seed-data/bootstrap.gsh

@@ -1,38 +1,43 @@
 gs = GrouperSession.startRootSession()
+delStem("201.5.1")
+addRootStem("201.5.end", "201.5.end")
 
 //ex201.5.1
 addStem("app", "cognos", "cognos");
+addStem("app:cognos" , "security", "security");
 addStem("app:cognos", "service", "service");
-addStem("app:cognos:service" , "security", "security");
-addGroup("app:cognos:service:security", "cg_adv_manager", "cg_adv_manager");
-
 addStem("app:cognos:service", "ref", "ref");
 addStem("app:cognos:service", "policy", "policy");
 
-addGroup("app:cognos:service:policy", "cg_adv_report_reader", "cg_adv_report_reader");
-addGroup("app:cognos:service:policy", "cg_adv_report_reader_allow", "cg_adv_report_reader_allow");
-addGroup("app:cognos:service:policy", "cg_adv_report_reader_deny", "cg_adv_report_reader_deny");
+addGroup("app:cognos:service:policy", "cg_fin_report_reader", "cg_fin_report_reader");
+addGroup("app:cognos:service:policy", "cg_fin_report_reader_allow", "cg_fin_report_reader_allow");
+addGroup("app:cognos:service:policy", "cg_fin_report_reader_deny", "cg_fin_report_reader_deny");
+addComposite("app:cognos:service:policy:cg_fin_report_reader", CompositeType.COMPLEMENT, "app:cognos:service:policy:cg_fin_report_reader_allow", "app:cognos:service:policy:cg_fin_report_reader_deny")
+
+addGroup("app:cognos:service:policy", "cg_fin_report_writer", "cg_fin_report_writer");
+addGroup("app:cognos:service:policy", "cg_fin_report_writer_allow", "cg_fin_report_writer_allow");
+addGroup("app:cognos:service:policy", "cg_fin_report_writer_deny", "cg_fin_report_writer_deny");
+addComposite("app:cognos:service:policy:cg_fin_report_writer", CompositeType.COMPLEMENT, "app:cognos:service:policy:cg_fin_report_writer_allow", "app:cognos:service:policy:cg_fin_report_writer_deny")
 
-addGroup("app:cognos:service:policy", "cg_adv_report_writer", "cg_adv_report_writer");
-addGroup("app:cognos:service:policy", "cg_adv_report_writer_allow", "cg_adv_report_writer_allow");
-addGroup("app:cognos:service:policy", "cg_adv_report_writer_deny", "cg_adv_report_writer_deny");
+//ex201.5.2 part 1
+addMember("app:cognos:service:policy:cg_fin_report_reader_allow", "ref:dept:finance");
 
-//ex201.5.2
-addStem("ref", "dept", "dept");
-addGroup("ref:dept", "advancement", "advancement");
-addMember("app:cognos:service:policy:cg_adv_report_writer_allow", "ref:dept:advancement");
+//ex201.5.2 part 2
+finance_report_writer = addGroup("app:cognos:service:ref", "finance_report_writer", "finance_report_writer")
+addMember("app:cognos:service:policy:cg_fin_report_writer_allow", "app:cognos:service:ref:finance_report_writer");
+addStem("ref", "role", "role")
+addGroup("ref:role", "Finance Manager", "Finance Manager")
+grantPriv("app:cognos:service:ref:finance_report_writer", "ref:role:Finance Manager", AccessPrivilege.READ)
+grantPriv("app:cognos:service:ref:finance_report_writer", "ref:role:Finance Manager", AccessPrivilege.UPDATE)
+addMember("ref:role:Finance Manager", "asmith989")
 
-//ex201.5.3
-group = addGroup("app:cognos:service:ref", "advancement_report_writer", "advancement_report_writer");
-addMember("app:cognos:service:policy:cg_adv_report_writer_allow", "app:cognos:service:ref:advancement_report_writer");
-grantPriv("app:cognos:service:security:cg_adv_manager", "app:cognos:service:policy:cg_adv_report_writer_allow", AccessPrivilege.READ);
-grantPriv("app:cognos:service:security:cg_adv_manager", "app:cognos:service:policy:cg_adv_report_writer_allow", AccessPrivilege.UPDATE);
 
 //ex201.5.4
+// add attestation to finance_report_writer
 attribute = AttributeDefNameFinder.findByName("etc:attribute:attestation:attestation", true);
 attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true);
 attributeAssignSave.assignAttributeDefName(attribute);
-attributeAssignSave.assignOwnerGroup(group);
+attributeAssignSave.assignOwnerGroup(finance_report_writer);
 
 attributeAssignOnAssignSave = new AttributeAssignSave(gs);
 attributeAssignOnAssignSave.assignAttributeAssignType(AttributeAssignType.group_asgn);
@@ -49,3 +54,7 @@ attributeAssignOnAssignSave.addValue("true");
 attributeAssignSave.addAttributeAssignOnThisAssignment(attributeAssignOnAssignSave);
 
 attributeAssign = attributeAssignSave.save();
+
+// 201.5.4 step 6
+GrouperSession.start(findSubject("asmith989"))
+addMember("app:cognos:service:ref:finance_report_writer", "bthompson392")