2022-07-27 11:11 data/process flow from SoR/LoB data model to allow/deny decision for access to a resource
Documenting the journey from System of Record data to access policy decisions
Systems of Record: SoR
  - native data that may play a role in access decisions
  - processes and technologies by which native data is made available outside the system boundary
Basis groups to Reference groups
  - Raw SoR data is loaded into Basis groups (typically one group per source attribute value, carrying no policy of their own)
  - One or more Basis groups are combined into a Reference group that carries an institution-wide meaning (employee, student, IT staff)
Examples of common Reference groups
  - Under the top-level App stem (applications: resources, services): each application gets its own stem, and under that stem live the access policies for the named App
  - Under the top-level Org stem (organizations): organizational units to which subjects belong and that may bear on what those subjects have access to
Access Policy groups: Composites of Reference groups plus Include and Exclude groups that refine the membership until it matches the originally intended definition
Account Policy groups: Typically contain one Allow group and one Deny group (the policy group is Allow minus Deny, so a Deny always wins): Membership in an Account Policy group directly determines whether a subject is allowed access to a service or not
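The pipeline above, from raw SoR rows to an allow/deny decision, as an added worked example (this is not code from the page, and it is a model rather than Grouper's own registry). The HR rows, the field names, the penn:basis:* group names and the hypothetical penn:app:vpn:* application stem are all constructed assumptions; the penn:community:* names are the ones used on this page. The IT staff rule on this page (IT Staff AND active employee, including hospital employees) is expressed here as an intersection composite so the dependency on an active employee record is visible:

```python
"""Constructed model of the SoR -> Basis -> Reference -> Access Policy pipeline.

Added example, not Grouper code. Names under penn:basis:* and penn:app:vpn:*
are assumptions; the penn:community:* names are the ones used on this page.
"""
from __future__ import annotations

from typing import Callable, Iterable

# Constructed SoR (HR) rows; the field names and values are assumptions.
SOR_HR = [
    {"pennid": "1001", "status": "A", "org": "ISC",  "jobclass": "IT"},
    {"pennid": "1002", "status": "A", "org": "UPHS", "jobclass": "IT"},
    {"pennid": "1003", "status": "T", "org": "ISC",  "jobclass": "IT"},   # terminated
    {"pennid": "1004", "status": "A", "org": "SAS",  "jobclass": "FAC"},
]


class Registry:
    """Minimal stand-in for a group registry.

    A group is either a manually maintained member set or a composite that is
    recomputed from its factor groups on every lookup (union, intersection,
    complement), which is how Grouper composite groups behave.
    """

    def __init__(self) -> None:
        self._manual: dict[str, set[str]] = {}
        self._composite: dict[str, Callable[[], set[str]]] = {}

    def manual(self, name: str, members: Iterable[str] = ()) -> None:
        self._manual[name] = set(members)

    def add_member(self, name: str, subject: str) -> None:
        self._manual.setdefault(name, set()).add(subject)

    def union(self, name: str, *factors: str) -> None:
        self._composite[name] = lambda: set().union(*(self.members(f) for f in factors))

    def intersection(self, name: str, left: str, right: str) -> None:
        self._composite[name] = lambda: self.members(left) & self.members(right)

    def complement(self, name: str, left: str, right: str) -> None:
        # "left minus right": the allow-minus-deny shape of a policy group
        self._composite[name] = lambda: self.members(left) - self.members(right)

    def members(self, name: str) -> set[str]:
        if name in self._composite:
            return self._composite[name]()
        return set(self._manual.get(name, ()))


def load_basis_groups(reg: Registry, rows: Iterable[dict]) -> None:
    """Raw SoR data -> Basis groups: one group per attribute value, no policy."""
    for row in rows:
        for attr in ("status", "org", "jobclass"):
            reg.add_member(f"penn:basis:hr:{attr}_{row[attr]}", row["pennid"])


def build_registry(rows: Iterable[dict] = SOR_HR) -> Registry:
    reg = Registry()
    load_basis_groups(reg, rows)

    # Reference groups: Basis groups given institution-wide meaning.
    reg.union("penn:community:employeeIncludingUphs", "penn:basis:hr:status_A")
    # Manual include group for people HR does not classify as IT but who are.
    reg.manual("penn:community:employee:itStaff_includes", {"1003"})
    reg.union("penn:community:employee:itStaff_candidates",
              "penn:basis:hr:jobclass_IT",
              "penn:community:employee:itStaff_includes")
    # The page's rule as a composite: IT staff AND an active employee
    # (including hospital employees). 1003 is in the include group but is
    # terminated, so the intersection drops them.
    reg.intersection("penn:community:employee:itStaff",
                     "penn:community:employee:itStaff_candidates",
                     "penn:community:employeeIncludingUphs")

    # Access Policy group for a hypothetical app under the App stem:
    # allow = reference groups + include; deny = exclude + anyone terminated;
    # policy = allow minus deny, so a deny always wins over an include.
    reg.manual("penn:app:vpn:policy_include", {"1004"})   # exception: faculty member
    reg.manual("penn:app:vpn:policy_exclude", {"1002"})   # revoked by app owner
    reg.union("penn:app:vpn:policy_allow",
              "penn:community:employee:itStaff", "penn:app:vpn:policy_include")
    reg.union("penn:app:vpn:policy_deny",
              "penn:app:vpn:policy_exclude", "penn:basis:hr:status_T")
    reg.complement("penn:app:vpn:policy",
                   "penn:app:vpn:policy_allow", "penn:app:vpn:policy_deny")
    return reg


def decide(reg: Registry, app: str, subject: str) -> str:
    """The allow/deny decision is just membership in the app's policy group."""
    return "allow" if subject in reg.members(f"penn:app:{app}:policy") else "deny"


if __name__ == "__main__":
    registry = build_registry()
    for row in SOR_HR:
        print(row["pennid"], decide(registry, "vpn", row["pennid"]))
```

Two things the model makes visible: 1002 is IT staff by every Reference group yet is denied, because the Exclude group feeds the Deny side and Deny is subtracted last; 1003 sits in itStaff_includes but never reaches the policy, because the intersection with the active-employee Reference group removes anyone whose SoR status is not active. A composite recomputes on every lookup; a Grouper rule such as the groupIntersection rule below instead reacts to membership changes, so the two mechanisms enforce the same definition at different points in time.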
Policy rules
Useful rule primitives from Grouper wiki
Example Policy Rule: To be considered IT staff, a person must be IT Staff AND an [Active] Employee (including hospital employees)
gsh 0% grouperSession = GrouperSession.startRootSession();
gsh 1% itStaff_includes = GroupFinder.findByName(grouperSession, "penn:community:employee:itStaff_includes");
gsh 2% employeeIncludingUphs = GroupFinder.findByName(grouperSession, "penn:community:employeeIncludingUphs");
gsh 3% subjectActAs = SubjectFinder.findByIdAndSource("GrouperSystem", "g:isa", true);
gsh 4% // the rule acts as GrouperSystem: a member of itStaff_includes who is not (or is no longer) in employeeIncludingUphs is removed from itStaff_includes
gsh 5% RuleApi.groupIntersection(subjectActAs, itStaff_includes, employeeIncludingUphs);
// Variant that vetoes the add rather than removing the member afterwards: an entity can only be added to
// ruleGroup if it is already a member of some group under mustBeInStem (Stem.Scope.SUB = that stem and all sub-stems).
// ruleGroup and mustBeInStem must be looked up first; the names below are placeholders, not real group or stem names.
ruleGroup = GroupFinder.findByName(grouperSession, "<name of the group the rule protects>");
mustBeInStem = StemFinder.findByName(grouperSession, "<name of the IT department org stem>");
RuleApi.vetoMembershipIfNotInGroupInFolder(
SubjectFinder.findRootSubject(),
ruleGroup, mustBeInStem, Stem.Scope.SUB,
"rule.entity.must.be.in.IT.employee.to.be.in.group",
"Entity cannot be a member of group if not in the IT department org"
);