create identity-management role

create identity-management role role_name match-criteria match_criteria {priority pri_value}

Description

Creates and configures an identity management role.

Syntax Description

role_name Specifies a name for the new role (up to 32 characters).
match_criteria Specifies an expression that identifies the users to be assigned to the new role.
pri_value Specifies the role priority; the lower the priority number, the higher the priority. The range of values is 1 to 255. Value 1 represents the highest priority, and value 255 represents the lowest priority.

Default

Priority=255.

Usage Guidelines

The identity management feature supports a maximum of 64 roles.

The role name can include up to 32 characters. Role names must begin with an alphabetical letter, and only alphanumeric, underscore (_), and hyphen (-) characters are allowed in the remainder of the name. Role names cannot match reserved keywords, or the default role names reserved by identity manager. For more information on role name requirements and a list of reserved keywords, see Object Names in the Switch Engine v33.1.1 User Guide . The role names reserved by identity manager are:
  • authenticated.
  • blacklist.
  • unauthenticated.
  • whitelist.

The match-criteria is an expression or group of expressions consisting of identity attributes, operators and attribute values. The maximum number of attribute value pairs in a role match criteria is 16. The variables in the match criteria can be matched to attributes retrieved for the identity from an LDAP server, or they can be matched to attributes learned locally by identity manager.

LDAP Match Criteria Attributes lists match criteria attributes that can be retrieved from an LDAP server.

Locally Learned Match Criteria Attributes lists locally learned attributes that can be used for match criteria.

Match Criteria Operators lists the match criteria operators.

Table 1. LDAP Match Criteria Attributes
LDAP Attribute Name Value Type
l or location String
company String
co or country String
department String
employeeID String
st or state String
title String
mail or email String
memberOf String
Table 2. Locally Learned Match Criteria Attributes
Attribute Description Attribute Name Value Type Example
LLDP device name device-model String
device-name == Avaya4300
LLDP device capabilities device-capability String:OtherRepeaterBridgeWLAN access portRouterPhoneDOCSIS cable deviceStation only
device-capability == Telephone
LLDP device manufacturer name device-manufacturer-name String
device-manufacturer-name == Avaya
LLPD system description device-description String
device-description==Dell EqualLogic Storage Array
MAC address mac MAC
mac == 00:01:e6:00:00:00/ff:ff:ff:00:00:00
MAC OUI mac-oui MAC
mac-oui == 00:04:96
IP address ip-address IP
ip-address == 10.1.1.0/20
User name username String
userName == adam
Port list ports Portlist
ports == 1,5-8
Table 3. Match Criteria Operators
Operator Description
== Equal. Creates a match when the value returned for the specified attribute matches the value specified in the role.
!= Not equal. Creates a match when the value returned for the specified attribute does not match the value specified in the role.
AND And. Creates a match when the two expressions joined by this operator are both true.
contains Contains. Creates a match when the specified attribute contains the text specified in the role definition.
; Semicolon. This delimiter separates expressions within the match criteria.

The role priority determines which role a user is mapped to when the user‘s attributes match the match-criteria of more than 1 role. If the user‘s attributes match multiple roles, the highest priority (lowest numerical value) role applies. If the priority is the same for all matching roles, the role for which the priority was most recently set or modified is used.

Example

The following examples create roles for the conditions described in the comments that precede the commands:
# Creates a role named "India-Engr" that matches employees from the Engineering
# department who work in India
* Switch.22 # create identity-management role "India-Engr" match-criteria "country==India; AND department==Engineering;"
# Creates a role named “US-Engr” that matches employees whose title is Engineer and
# who work in United States
* Switch.23 # create identity-management role US-Engr match-criteria "title contains Engineer; AND country == US;" priority 100
# Creates a role named "Avaya4300Device" for Avaya phones of type 4300 that are
# manufactured by Avaya
* Switch.24 # create identity-management role "Avaya4300Device" match-criteria "device-capability == Phone; AND device-name == Avaya4300; AND device-manufacturer-name == Avaya;"
# Creates a role for all Extreme Networks switches with MAC-OUI "00:04:96"
* Switch.25 # create identity-management role "ExtremeSwitch" match-criteria "mac-oui == 00:04:96;"
# Creates a role for all identities with IP address 1.2.3.1 - 1.2.3.255
* Switch.26 # create identity-management role "EngineeringDomain" match-criteria "ip-Address == 1.2.3.0/255.255.255.0;"
# Creates a role for all phone devices with MAC_OUI of "00:01:e6"
* Switch.27 # create identity-management role "Printer" match-criteria "mac == 00:01:e6:00:00:00/ff:ff:ff:00:00:00; device-capability == Phone;"
# Creates a role for the user name "adam" when he logs in from IP address 1.2.3.1 -
# 1.2.3.255.
* Switch.28 # create identity-management role "NotAccessibleUser" match-criteria "userName == adam; AND "ip-Address == 1.2.3.0/24;"
# Creates a role named "secureAccess" for users who log in on ports 1, 5, 6, 7, and 8
# with IP addresses in the range of 10.1.1.1 to 10.1.1.255
create identity-management role "SecureAccess" match-criteria "ports == 1,5-8; AND ip-address == 10.1.1.0/20;"
# Creates a role named “Prod-Engineers” for all the engineers who are under LDAP group 'Production'.
Create identity-management role “Prod-Engineers” match-criteria “title==Engineer; AND memberOf==Production;”

History

This command was first available in ExtremeXOS 12.5.

Support for matching locally learned attributes was added in ExtremeXOS 12.7.

Platform Availability

This command is available on all Universal switches supported in this document.