401.3 Board Effect Provisioning

Learning Objectives

Lab Components

Overview

We have been asked to deploy a SaaS application called Board Effect. The service is already an InCommon member and honors an eduPersonEntitlement for “front door” access. Permission management within the application is centered around “work rooms”. Each work room provides access to specific documents, chat, mailing lists, etc. The system will be used by trustees, executives, and various committee members.

Thankfully the service is an InCommon member and uses eduPersonEntitlement values. However, it turns out users still need to have accounts provisioned in order to get access. We will need two different kinds of policy groups. The first, the account policy group, will be mapped to an eduPersonEntitlement value and also be used for provisioning accounts. The second type, authorization groups, will provide subject to role mapping, and are mapped to work rooms created in Board Effect. This is an example of access control model 3 described in the Grouper Deployment Guide.

Exercise 401.3.1

Create an application policy folder and groups

Rather than create the basic structure manually, use a GSH script.
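One way to build the basic structure from GSH, as an added example rather than the lab's own script: it creates the app:boardeffect folders and security groups named in these exercises and a helper that creates each policy group as allow/deny groups plus a complement composite. The policy, allow and deny names are passed in explicitly because the exercises use them; boardeffect_authorized_deny is an assumed name, and NamingPrivilege.STEM_ADMIN assumes Grouper 2.4 or later (GSH pre-imports the API classes used).

```groovy
// Added example, not part of the lab: builds the app:boardeffect structure
// used by exercises 401.3.1 through 401.3.3 in one GSH run.
GrouperSession gs = GrouperSession.startRootSession()

Stem app = new StemSave(gs).assignName("app:boardeffect").assignCreateParentStemsIfNotExist(true).save()
Stem etc = new StemSave(gs).assignName("app:boardeffect:etc").save()   // security groups live here
Stem ref = new StemSave(gs).assignName("app:boardeffect:ref").save()   // app-specific reference groups

// Security groups: admins get folder-level rights, managers only UPDATE/READ on policy groups.
Group admins   = new GroupSave(gs).assignName("app:boardeffect:etc:boardeffect_admins").save()
Group managers = new GroupSave(gs).assignName("app:boardeffect:etc:boardeffect_managers").save()
app.grantPriv(admins.toSubject(), NamingPrivilege.STEM_ADMIN, false)   // assumes Grouper 2.4+ naming
app.grantPriv(admins.toSubject(), NamingPrivilege.CREATE, false)

/** Creates the allow and deny groups and the policy group as a COMPLEMENT composite (allow minus deny). */
Group createPolicyGroup(GrouperSession session, Stem folder, String policyName,
                        String allowName, String denyName, Group adminGroup, Group managerGroup) {
  Group allow  = new GroupSave(session).assignName("${folder.name}:${allowName}").save()
  Group deny   = new GroupSave(session).assignName("${folder.name}:${denyName}").save()
  Group policy = new GroupSave(session).assignName("${folder.name}:${policyName}").save()
  policy.addCompositeMember(CompositeType.COMPLEMENT, allow, deny)
  [allow, deny, policy].each { Group g ->
    g.grantPriv(adminGroup.toSubject(), AccessPrivilege.ADMIN, false)
    g.grantPriv(managerGroup.toSubject(), AccessPrivilege.UPDATE, false)
    g.grantPriv(managerGroup.toSubject(), AccessPrivilege.READ, false)
  }
  return policy
}

// Account policy group (mapped to the eduPersonEntitlement value) and the first workroom policy group.
Group account = createPolicyGroup(gs, app, "boardeffect_authorized",
                                  "boardeffect_authorized_allow", "boardeffect_authorized_deny", admins, managers)
Group finance = createPolicyGroup(gs, app, "wr_cmt_fin_authorized",
                                  "wr_cmt_fin_allow", "wr_cmt_fin_deny", admins, managers)

// Workroom access implies an account: the workroom policy group feeds the account allow group.
Group accountAllow = GroupFinder.findByName(gs, "app:boardeffect:boardeffect_authorized_allow", true)
accountAllow.addMember(finance.toSubject(), false)

GrouperSession.stopQuietly(gs)
```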

Exercise 401.3.2

Workrooms (i.e. authorization groups) can be updated via the Board Effect REST API. Create Grouper authorization groups to manage those.

A new workroom called Committee on Finance has been created in Board Effect. We need to create an authorization group in Grouper and configure provisioning.

  1. Create app:boardeffect:wr_cmt_fin_authorized|allow|deny.

  2. Configure grouperESB to send membership changes to rabbitMQ exchange.

    grouper-loader.properties

    #####################################
    ## Messaging integration with change log
    #####################################
    changeLog.consumer.rabbitMqMessagingSample.quartzCron = 0 * * * * ?

    # note, change "messagingSample" in key to be the name of the consumer.  e.g. changeLog.consumer.someNameAnyName.class
    changeLog.consumer.rabbitMqMessagingSample.class = edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer

    changeLog.consumer.rabbitMqMessagingSample.publisher.class = edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbMessagingPublisher
    changeLog.consumer.rabbitMqMessagingSample.publisher.messagingSystemName = rabbitmq
    # note, routingKey property is valid only for rabbitmq. For other messaging systems, it is ignored.
    changeLog.consumer.rabbitMqMessagingSample.publisher.routingKey =
    ## queue or topic
    changeLog.consumer.rabbitMqMessagingSample.publisher.messageQueueType = queue
    changeLog.consumer.rabbitMqMessagingSample.publisher.queueOrTopicName = grouper
    ## this is optional if not using "id" for subjectId, need to be a subject attribute in the sources.xml
    #changeLog.consumer.rabbitMqMessagingSample.publisher.addSubjectAttributes = email
    
    grouper.client.properties

    ################################
    ## Grouper Messaging System
    ################################

    # name of messaging system which is the default
    grouper.messaging.default.name.of.messaging.system = rabbitmq

    # name of a messaging system.  note, "grouperBuiltinMessaging" can be arbitrary
    # grouper.messaging.system.grouperBuiltinMessaging.name = grouperBuiltinMessaging

    # class that implements edu.internet2.middleware.grouperClient.messaging.GrouperMessagingSystem
    # grouper.messaging.system.grouperBuiltinMessaging.class = edu.internet2.middleware.grouper.messaging.GrouperBuiltinMessagingSystem

    # name of a messaging system.  note, "grouperBuiltinMessaging" can be arbitrary
    grouper.messaging.system.rabbitmqSystem.name = rabbitmqSystem

    # class that implements edu.internet2.middleware.grouperClient.messaging.GrouperMessagingSystem
    grouper.messaging.system.rabbitmqSystem.class = edu.internet2.middleware.grouperMessagingRabbitmq.GrouperMessagingRabbitmqSystem

    # host address of rabbitmq queue
    grouper.messaging.system.rabbitmqSystem.host = rabbitmq

    # virtual host of rabbitmq queue
    grouper.messaging.system.rabbitmqSystem.virtualhost =

    # port of rabbitmq queue
    grouper.messaging.system.rabbitmqSystem.port =

    grouper.messaging.system.rabbitmqSystem.defaultPageSize = 10

    grouper.messaging.system.rabbitmqSystem.maxPageSize = 50


    # name of a messaging system, required
    grouper.messaging.system.rabbitmq.name = rabbitmq

    # default system settings to this messaging system, note, there is only one level of inheritance
    grouper.messaging.system.rabbitmq.defaultSystemName = rabbitmqSystem

    # lab-only credentials (RabbitMQ's default guest account); use a dedicated account and the TLS settings below outside the lab
    grouper.messaging.system.rabbitmq.user = guest

    #pass
    grouper.messaging.system.rabbitmq.password.elConfig = guest
    # set the following three properties if you want to use TLS connection to rabbitmq. All three need to be populated.
    # TLS Version
    #grouper.messaging.system.rabbitmqSystem.tlsVersion = TLSv1.1

    # path to trust store file
    #grouper.messaging.system.rabbitmqSystem.pathToTrustStore =

    # trust passphrase
    #grouper.messaging.system.rabbitmqSystem.trustPassphrase =
    
  3. Write provisioner component to read rabbitMQ and update BoardEffect via REST API.

    Note

    This step is what logically should happen next to process the messages. You aren’t expected to actually accomplish this step during the lab.
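The message-handling core of such a provisioner, as an added example that is not part of the lab: it reads Grouper ESB change-log events from the grouper queue configured above and turns membership changes on the app:boardeffect workroom policy groups into workroom updates, ignoring every other group and event type on the queue. It assumes the EsbMessagingPublisher JSON shape ({"esbEvent":[...]} with eventType, groupName and subjectId), a locally maintained map from policy group to workroom id (placeholder value), that Grouper's publisher has already created the queue, and a BoardEffectClient placeholder standing in for the REST client, since the Board Effect API is not documented on this page.

```groovy
// Added example, not part of the lab: consumer side of step 3.
@Grab('com.rabbitmq:amqp-client:5.16.0')
import com.rabbitmq.client.*
import groovy.json.JsonSlurper

// Only the composite workroom policy groups under app:boardeffect drive provisioning;
// an event for any other group is dropped rather than acted on.
final Map<String, String> WORKROOMS = [
  'app:boardeffect:wr_cmt_fin_authorized': 'WORKROOM-ID-PLACEHOLDER',   // placeholder workroom id
]

/** Maps one message body to a list of [action, workroom, subject] maps; unrelated events yield nothing. */
List<Map> actionsFor(String body, Map<String, String> workrooms = WORKROOMS) {
  def events = new JsonSlurper().parseText(body).esbEvent ?: []
  events.findAll { it.groupName in workrooms && it.subjectId }
        .collectMany { ev ->
          switch (ev.eventType) {
            case 'MEMBERSHIP_ADD':    return [[action: 'add',    workroom: workrooms[ev.groupName], subject: ev.subjectId]]
            case 'MEMBERSHIP_DELETE': return [[action: 'remove', workroom: workrooms[ev.groupName], subject: ev.subjectId]]
            default:                  return []   // GROUP_*, PRIVILEGE_* etc. are not membership changes
          }
        }
}

// Placeholder for the Board Effect REST client; replace apply() with the real workroom membership calls.
class BoardEffectClient {
  void apply(Map action) { println "would ${action.action} ${action.subject} in workroom ${action.workroom}" }
}

ConnectionFactory factory = new ConnectionFactory(host: 'rabbitmq', username: 'guest', password: 'guest')
Connection conn = factory.newConnection()
Channel ch = conn.createChannel()
ch.queueDeclarePassive('grouper')   // same queueOrTopicName as grouper-loader.properties; created by Grouper
BoardEffectClient client = new BoardEffectClient()

DeliverCallback onMessage = { String tag, Delivery delivery ->
  actionsFor(new String(delivery.body, 'UTF-8')).each { client.apply(it) }
  ch.basicAck(delivery.envelope.deliveryTag, false)   // ack only after the update has been applied
}
ch.basicConsume('grouper', false, onMessage, { String tag -> } as CancelCallback)
```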

Exercise 401.3.3

Board Effect account provisioning

  1. Create app:boardeffect:boardeffect_authorized.

  2. Add …:wr_cmt_fin_authorized to boardeffect_authorized_allow.

  3. Configure PSPNG to write eduPersonEntitlement value https://college.boardeffect.com/ to LDAP and release via Shibboleth only for Boardeffect.

    grouper-loader.properties

    changeLog.consumer.pspng_entitlements.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
    changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner
    changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
    changeLog.consumer.pspng_entitlements.ldapPoolName = demo
    changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
    changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : (group.name.equalsIgnoreCase('app:boardeffect:boardeffect_authorized') ? 'https://college.boardeffect.com/' : 'urn:mace:example.edu:' + group.extension) }
    changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
    changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
    changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*
    

With subject to role mapping in place and the provisioners working, how do we get reference groups for the committees? Ann in the President’s Office knows.

Exercise 401.3.4

Distributed Reference Group Management

Ann maintains a list of committee members. Use these lists to build application-specific reference groups.

  1. Create app:boardeffect:ref:cmt_fin.
  2. Add …:ref:cmt_fin to …:wr_cmt_fin_allow.
  3. Add ref:global_deny to …:wr_cmt_fin_deny.
  4. Give Ann admin access to app:boardeffect:ref by adding account amartinez410 to app:boardeffect:etc:boardeffect_admins.

Log in as Ann Martinez (amartinez410). Under My Groups you should see the reference groups and policies Ann can manage.

Exercise 401.3.5

Committee member helpers

Joe Trustee is on the committee, but Joe’s assistant also needs access to the committee workroom.

  1. Create app specific ref group app:boardeffect:ref:cmt_fin_helpers.
  2. Add …:cmt_fin_helpers to …:wr_cmt_fin_allow.

Note

By not adding the helper subject to app:boardeffect:ref:cmt_fin, we preserve the truth of the subject attributes. Members of cmt_fin are members of the Finance Committee. The helpers are not members of the committee, but they are granted access to the workroom by the policy.

This works great for specific assistants, but there are also general helpers who need access to all workrooms temporarily during board meetings.

  1. Create app specific ref group app:boardeffect:ref:workroom_helpers.
  2. Run GSH script to add age off rule to workroom_helpers.
  3. Add workroom_helpers to all workroom allow groups.

Workrooms are created in Board Effect. Grouper policy groups map to workrooms and are kept up to date via Grouper provisioners. We could create workrooms automatically based on policy group creation; that exercise is left to the student at home.

Exercise 401.3.6

Ann’s Grouper Privileges

Ann was added as a direct member of app:boardeffect:etc:boardeffect_admins, but we can do better! Responsibility for committee member management goes to the president’s executive assistant, whoever that might be.

  1. Create a new reference group (role), ref:roles:president_assistant, for the president’s executive assistant.
  2. Add Ann’s account to president_assistant.

This is better, but does Ann really need full admin privileges to app:boardeffect? She probably only needs update / read.

  1. Add ref:roles:president_assistant to app:boardeffect:etc:boardeffect_managers.
  2. Remove Ann from app:boardeffect:etc:boardeffect_admins.

Exercise 401.3.7

Global Committee reference groups

All is working great, when a new system request comes in with policy based on board committees. We need to elevate the app-specific reference groups to global reference groups.

  1. Create ref:board folder for board committee ref groups.

  2. Move app:boardeffect:ref:cmt_fin to ref:board:cmt_fin.

    Note

    The Board Effect policies are not impacted by moving the location of the reference groups!

  3. Create ref:board:etc security folder.

  4. Create ref:board:etc:board_managers security group.

  5. Assign UPDATE and READ rights on reference groups to board_managers.

  6. Revoke UPDATE and READ rights on the reference groups from app:boardeffect:etc:boardeffect_managers.

    Warning

    Moving our reference groups did not remove the access we had granted on them to application-specific security groups. After moving a reference group, it is good practice to review its permissions.

  7. Add president_assistant to ref:board:etc:board_managers.

Epilogue

New request comes in for four advisory councils. Each will have their own workroom in Board Effect. Initially you are handed a spreadsheet with the council members and you import them into app-specific reference groups (e.g. app:boardeffect:ref:advisory_council_northeast). Later you find out that council membership is available in Banner, so you create loader jobs for those. As it turns out, the spreadsheets were old and had the wrong members. Thank goodness for loader jobs! Alas, not all advisory council members have NetIDs. To get them access we add them as sponsored accounts in COmanage.

The End