configure identity-management list-precedence

configure identity-management list-precedence listname1 listname2 listname3

Description

This command configures the precedence of list types. You must specify the list names in the desired order of precedence. Listname1 takes precedence over all other lists (i.e., highest precedence). Listname2 takes precedence over Listname3. When a user/device logs in, entries in Listname1 are searched first to find a matching role. Entries in Listname2 are searched after Listname1, and entries in Listname3 are searched last.

Syntax Description

listname1 Specifies the list type which has precedence over all list types.
listname2 Specifies the list type which has next precedence, after listname1.
listname3 Specifies the list type which has least precedence of all.

Default

greylist, blacklist, whitelist

Usage Guidelines

By default, greylist entries have higher precedence than blacklist and whitelist entries.

This means that IDM consults the greylist first when a user is detected, and then decides whether an identity needs to be created. If a greylist entry matches the incoming username, the user identity is not created. If there is no matching greylist entry, IDM proceeds with role identification for the user. However, greylist precedence is configurable. The following are the three possibilities for greylist precedence configuration.

1. greylist, blacklist, whitelist

2. blacklist, greylist, whitelist

3. blacklist, whitelist, greylist

It is important to note that blacklist always has higher precedence than whitelist for EXOS 15.1.2.

To change the list precedence, Identity Management must be disabled first. Disabling IDM is required because many users/devices may already be mapped to roles, with policies/ACLs applied. Considering the processing load of unmapping the roles and removing policies, changing precedence isn't allowed when IDM is enabled. When the precedence configuration is changed, each entry present in a list with lower precedence (new precedence) is checked against each entry present in all the lists with higher precedence.

Example

The following example gives blacklist precedence over all lists and greylist precedence over whitelist. Whitelist has the least precedence.

configure identity-management list-precedence blacklist greylist whitelist
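
The search order described in the Usage Guidelines can be previewed offline before changing it on a switch. The following Python model is an added example, not ExtremeXOS code: it assumes entries are plain usernames matched exactly, and the function names and sample lists are hypothetical. It accepts only the three permitted orderings, returns the first list that matches a user, and reports entries that also appear in a higher-precedence list.

```python
# Simplified model of IDM list precedence (added example, not ExtremeXOS code).
# Assumption: entries are plain usernames and are matched exactly.

LIST_TYPES = {"greylist", "blacklist", "whitelist"}

def validate_order(order):
    """Accept only orderings the page permits: all three list types, once each,
    with blacklist ahead of whitelist."""
    if len(order) != 3 or set(order) != LIST_TYPES:
        raise ValueError("order must name greylist, blacklist and whitelist once each")
    if order.index("blacklist") > order.index("whitelist"):
        raise ValueError("blacklist must have higher precedence than whitelist")
    return tuple(order)

def first_match(order, lists, username):
    """Search the lists in precedence order; return the first list holding the user."""
    for name in validate_order(order):
        if username in lists[name]:
            return name
    return None  # no list matched

def shadowed_entries(order, lists):
    """For each list, report entries that also appear in a higher-precedence list,
    so they are never the first match under this ordering."""
    order = validate_order(order)
    result = {}
    for i, name in enumerate(order):
        higher = set().union(*(lists[h] for h in order[:i]))
        result[name] = sorted(lists[name] & higher)
    return result

# Constructed sample data: "alice" and "bob" each sit in two lists.
LISTS = {
    "greylist": {"alice", "carol"},
    "blacklist": {"alice", "bob"},
    "whitelist": {"bob", "dave"},
}

if __name__ == "__main__":
    for order in (("greylist", "blacklist", "whitelist"),
                  ("blacklist", "greylist", "whitelist"),
                  ("blacklist", "whitelist", "greylist")):
        print(order, "alice ->", first_match(order, LISTS, "alice"),
              "| shadowed:", shadowed_entries(order, LISTS))
```

With the sample data, moving greylist below blacklist changes the first match for "alice" from greylist (no identity created) to blacklist, while "bob" resolves to blacklist under every permitted ordering.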

History

This command was first available in ExtremeXOS 15.1.

Platform Availability

This command is available on all platforms.