GTE 201.2 Access Policy Groups

Learning Objectives

  • Translate a natural language policy group into digital policy using access policy groups.
  • Understand the difference between policy groups and reference groups.

Lab Components


NIST SP 800-162 describes how natural language policy, that is access policy stated in common language, must be converted to digital policy for any access control mechanism to effectively operate. Digital policy is manifest in Grouper via access policy groups. Subject membership in an access policy group be indirect and represents a precomputed access policy decision based on subject attributes (i.e. the subject’s membership in various reference groups).

An access policy group is a composite group whose membership is composed of an include group (i.e. the allow group) minus an exclude group (i.e. the deny group). Subject membership in both the allow group and the deny group should be indirect (i.e. through reference groups) and have a clear mapping to the natural language policy. When exceptions to policy are necessary, locally scoped reference groups should be added.

Limiting policy groups to indirect membership assignments via reference groups ensures that as subject attributes change, effective membership is up to date and access control decisions are correct. It also enables the direct mapping from natural language policy to digital policy and vice versa. Individual exceptions to policy, while not expressly recommended, can be accommodated by adding subjects directly to the allow/deny groups.

Membership within an access policy group is often kept in sync directly with a target service or an intermediary like an LDAP based enterprise directory service. Services can also query Grouper directly for membership assignment.

Exercise 201.2.1

Application folder structure

  1. Create app:vpn:vpn_authorized.
  2. Create app:vpn:vpn_allow.
  3. Create app:vpn:vpn_deny.
  4. Make vpn_authorized a composite of vpn_allow minus vpn_deny.

Exercise 201.2.2

Create digital policy from natural language policy

Natural language policy is “all faculty, staff have access to vpn, unless denied by CISO or the account is in a closure state”. Reference groups are already available.

  1. Add ref:employee:fac_staff to vpn_allow.
  2. Add ref:security:locked_by_ciso to vpn_deny.
  3. Add ref:iam:closure to vpn_deny.

Exercise 201.2.3

Update policy to also allow institutional review board members access to VPN

New natural language policy is “all faculty, staff and members of the institutional review board have access to vpn, unless denied by CISO or the account is in a closure state”.

  1. Add org:irb:ref:irb_members to vpn_allow.
  2. Add jsmith to org:irb:ref:irb_members.
  3. Trace membership for jsmith from vpn_authorized.
  4. View the audit log on vpn_allow.

Exercise 201.2.4

Create security groups for policy

  1. Create ref:app:vpn:etc folder.

  2. Create ref:app:vpn:etc:vpn_admins group.

  3. Assign ADMIN privilege to vpn_admins for ref:app:vpn.

  4. Inherit privileges to all sub folders (and objects).

    1. Navigate to app:vpn.
    2. MorePrivileges inherited to objects in folder
    3. Click Add Members, and add vpn_admins.
    4. Add admin privileges for folder, group, and attributes.
  5. Navigate to ref:app:vpn:ref:vpn_allow.

  6. Click PrivilegesActionsTrace Priviliges.