Add access rule to restrict to officially enrolled students

[mwest1066]

We've previously enforced official enrollment checking only within the CBTF, by having the scheduler check official enrollments to allow reservations and then having PL check with the scheduler.

For remote exams, it would be great to also have PL check the official enrollments directly.

[trombonekenny]

What's your tolerance for the right way vs the quick way?

[mwest1066]

I'd be happy to consider quick. What are you thinking for the options here?

[trombonekenny]

The AD group we'd match against looks roughly like: PHYS 211 A3 2019 Fall CRN34566

Do we care about assessment access or course instance access for this? Seems more CI and directly attached to enrollment? Either something we add in the infoCourseInstance.json options? Or access control rules?

[mwest1066]

I guess the fastest hacky fix would be a courseInstance allowAccess rule like ADGroupRegexp that we'd match against?

And the proper way to fix it would be to add CRNs to the course instance and set enrollments to be verified=true or something like that? And then add a courseInstance allowAccess rule to only permit verified enrollments?

[trombonekenny]

Maybe leave allowAccess the same and create a new allowEnrollment section that has its own access-like rules for dates allowed, or roster metadata (rubric, section, term, CRN) that we match on the backend based on institution?

[mwest1066]

Do we want to check the AD groups for enrollment on every access? Or does that leave us vulnerable to failing AD setups?

[trombonekenny]

Thinking more about this, I think we'd need to switch some sort of server session storage to make it happen. We'd only have the group memberships list on Shib auth (not subsequent calls in the header), and it's too large to make sense in the pl_authn cookie.

Or else we'd have to do all of the enrolling in authCallbackShib.js - which is good for being "auto enrolled" in all of your courses, I guess?

[nwalters512]

Is it fair to say we're not going to implement this, at least not as described here with AD groups?

[mwest1066]

Yep, this will be wrapped up in the new enrollment systems that are coming.

[nwalters512]

Closing in favor of #9217, which will achieve the same goal but via explicit roster management instead of checking AD group membership.