From 8711d81ad38d19e101184f45b9e1b41727480943 Mon Sep 17 00:00:00 2001 From: Keith Hazelton Date: Wed, 27 Jul 2022 13:48:15 -0500 Subject: [PATCH] Create sor-to-access-policy.adoc --- sor-to-access-policy.adoc | 56 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 sor-to-access-policy.adoc diff --git a/sor-to-access-policy.adoc b/sor-to-access-policy.adoc new file mode 100644 index 0000000..5b97a31 --- /dev/null +++ b/sor-to-access-policy.adoc 
@@ -0,0 +1,56 @@ +- - - +_2022-07-27 11:11 data/process flow from SoR/LoB data model to allow/deny decision for access to a resource_ + +==== Documenting the journey from System of Record data to access policy decisions +*Systems of Record: SoR* + +` native data that potentially plays a role in access decisions + +` processes and technologies by which native data is made available outside the system boundary + + +*Basis groups to Reference groups* + +` See https://spaces.at.internet2.edu/display/Grouper/Folder+and+Group+Design[Grouper Deployment Guide section on folder and group design] + + +` Raw *SoR* data to *Basis* groups + +` One or more *Basis* groups make up a *Reference* group + +*Examples of common Reference groups* + + +` Under the top level *App* stem: Applications (resources, services): Under this stem: access policies for the named App + +` Under the top level *Org* stem: Organizations: Under this stem are organizational units to which subjects belong and that may bear on what they have access to + +*Access Policy groups*: Composites of Reference groups plus *Include* and *Exclude* groups to refine memberships to match originally intended definitions + +*Account Policy groups*: Typically contain one *Allow* group and one *Deny* group: Membership in an Account Policy group directly specifies whether a subject is allowed access to a service or not + + +==== Policy rules + +https://spaces.at.internet2.edu/display/Grouper/Grouper+rules+use+cases[Useful rule primitives] from Grouper wiki + +https://spaces.at.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Composite-ng+intersection[Example Policy Rule]: To be considered IT staff a person must be *IT Staff* AND an *[Active] Employee (including hospital employees)* + + +gsh 0% grouperSession = GrouperSession.startRootSession(); + +gsh 1% *itStaff_includes* = GroupFinder.findByName(grouperSession, "penn:community:employee:itStaff_includes"); + +gsh 2% *employeeIncludingUphs* = 
GroupFinder.findByName(grouperSession, "penn:community:employeeIncludingUphs"); + +gsh 3% subjectActAs = SubjectFinder.findByIdAndSource("GrouperSystem", "g:isa", true); + +gsh 4% *RuleApi.groupIntersection*(subjectActAs, *itStaff_includes*, *employeeIncludingUphs*); + +- - - + +https://spaces.at.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Veto+if+not+eligible[*Another supported policy rule*] + +``` +RuleApi.vetoMembershipIfNotInGroupInFolder( + +SubjectFinder.findRootSubject(), + +ruleGroup, mustBeInStem, Stem.Scope.SUB, +"rule.entity.must.be.in.IT.employee.to.be.in.group", +"Entity cannot be a member of group if not in the IT department org" +); +```
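Review bot: the bulleted items in the new file (the `` ` native data ... ``, `` ` See https://... ``, `` ` Raw *SoR* data ... `` lines and the two "Under the top level ... stem" lines) use a backtick as the list marker, which AsciiDoc does not recognise, so they will render as paragraphs beginning with a literal backtick rather than as bullets; use `*` or `-` as the marker. Related structure points in the same hunk: the two `====` headings are level-3 section titles with no enclosing document title or level-1/2 sections, which Asciidoctor flags as "section title out of sequence", so either add a `= ...` title or demote them to `==`; and the first example (the `gsh 0%` through `gsh 4%` session) is plain paragraph text with `*bold*` markup while the second is a fenced code block, so the two should be formatted the same way (a `[source]` or fenced listing for both), otherwise the `_includes` and `*` characters in the gsh lines are at risk of being interpreted as inline formatting. Finally, the `RuleApi.vetoMembershipIfNotInGroupInFolder(...)` snippet references `ruleGroup` and `mustBeInStem` without defining them, whereas the gsh session above binds every variable via `GroupFinder.findByName`; either add the corresponding lookups or state in the prose that these are placeholders the reader must substitute. Since both rules are installed as the privileged actor (`SubjectFinder.findByIdAndSource("GrouperSystem", "g:isa", true)` and `SubjectFinder.findRootSubject()`), one sentence noting that the rule's act-as subject is what grants it the right to veto or add memberships would help readers understand what they are deploying.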