Creates and configures an identity management role.
Parameter | Description |
---|---|
role_name | Specifies a name for the new role (up to 32 characters). |
match_criteria | Specifies an expression that identifies the users to be assigned to the new role. |
pri_value | Specifies the role priority; the lower the priority number, the higher the priority. The range of values is 1 to 255. Value 1 represents the highest priority, and value 255 represents the lowest priority. |
Default: if no priority is specified, the role is created with priority 255 (the lowest).
The identity management feature supports a maximum of 64 roles.
The match-criteria is an expression or group of expressions consisting of identity attributes, operators and attribute values. The maximum number of attribute value pairs in a role match criteria is 16. The variables in the match criteria can be matched to attributes retrieved for the identity from an LDAP server, or they can be matched to attributes learned locally by identity manager.
LDAP Match Criteria Attributes lists match criteria attributes that can be retrieved from an LDAP server.
Locally Learned Match Criteria Attributes lists locally learned attributes that can be used for match criteria.
Match Criteria Operators lists the match criteria operators.
LDAP Attribute Name | Value Type |
---|---|
l or location | String |
company | String |
co or country | String |
department | String |
employeeID | String |
st or state | String |
title | String |
mail or email | String |
memberOf | String |
Attribute Description | Attribute Name | Value Type | Example |
---|---|---|---|
LLDP (Link Layer Discovery Protocol) device name | device-model | String | device-name == Avaya4300 |
LLDP device capabilities | device-capability | String: Other, Repeater, Bridge, WLAN access port, Router, Phone, DOCSIS cable device, Station only | device-capability == Phone |
LLDP device manufacturer name | device-manufacturer-name | String | device-manufacturer-name == Avaya |
LLDP system description | device-description | String | device-description == Dell EqualLogic Storage Array |
MAC address | mac | MAC | mac == 00:01:e6:00:00:00/ff:ff:ff:00:00:00 |
MAC OUI | mac-oui | MAC | mac-oui == 00:04:96 |
IP address | ip-address | IP | ip-address == 10.1.1.0/20 |
User name | username | String | userName == adam |
Port list | ports | Portlist | ports == 1,5-8 |
Operator | Description |
---|---|
== | Equal. Creates a match when the value returned for the specified attribute matches the value specified in the role. |
!= | Not equal. Creates a match when the value returned for the specified attribute does not match the value specified in the role. |
AND | And. Creates a match when the two expressions joined by this operator are both true. |
contains | Contains. Creates a match when the specified attribute contains the text specified in the role definition. |
; | Semicolon. This delimiter separates expressions within the match criteria. |
The role priority determines which role a user is mapped to when the user's attributes match the match-criteria of more than one role. If the user's attributes match multiple roles, the highest priority (lowest numerical value) role applies. If the priority is the same for all matching roles, the role for which the priority was most recently set or modified is used.
# Creates a role named "India-Engr" that matches employees from the Engineering
# department who work in India
* Switch.22 # create identity-management role "India-Engr" match-criteria "country==India; AND department==Engineering;"

# Creates a role named "US-Engr" that matches employees whose title is Engineer and
# who work in the United States
* Switch.23 # create identity-management role US-Engr match-criteria "title contains Engineer; AND country == US;" priority 100

# Creates a role named "Avaya4300Device" for Avaya phones of type 4300 that are
# manufactured by Avaya
* Switch.24 # create identity-management role "Avaya4300Device" match-criteria "device-capability == Phone; AND device-name == Avaya4300; AND device-manufacturer-name == Avaya;"

# Creates a role for all Extreme Networks switches with MAC OUI "00:04:96"
* Switch.25 # create identity-management role "ExtremeSwitch" match-criteria "mac-oui == 00:04:96;"

# Creates a role for all identities with an IP address in 1.2.3.0/24 (1.2.3.1 - 1.2.3.255)
* Switch.26 # create identity-management role "EngineeringDomain" match-criteria "ip-Address == 1.2.3.0/255.255.255.0;"

# Creates a role for all phone devices with MAC OUI "00:01:e6"
* Switch.27 # create identity-management role "Printer" match-criteria "mac == 00:01:e6:00:00:00/ff:ff:ff:00:00:00; device-capability == Phone;"

# Creates a role for the user name "adam" when he logs in from an IP address in
# 1.2.3.0/24 (1.2.3.1 - 1.2.3.255)
* Switch.28 # create identity-management role "NotAccessibleUser" match-criteria "userName == adam; AND ip-Address == 1.2.3.0/24;"

# Creates a role named "SecureAccess" for users who log in on ports 1, 5, 6, 7, and 8
# with IP addresses in the 10.1.1.0/20 subnet
* Switch.29 # create identity-management role "SecureAccess" match-criteria "ports == 1,5-8; AND ip-address == 10.1.1.0/20;"

# Creates a role named "Prod-Engineers" for all the engineers who are in the LDAP group 'Production'
* Switch.30 # create identity-management role "Prod-Engineers" match-criteria "title==Engineer; AND memberOf==Production;"
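The following is an added example, not ExtremeXOS code or the switch's own evaluation logic: a small Python model of the match-criteria grammar and the priority rules described above, loaded with the roles from the examples and run against constructed identities. It assumes (the page does not say) that every expression in a match-criteria must hold, whether joined by `AND` or only by `;`, and that an identity lacking an attribute never matches an expression on that attribute. The identity dictionaries and the `IdentityRoles` / `demo` names are illustrative.

```python
import ipaddress
import re
from dataclasses import dataclass

# Limits stated on the page for the identity-management feature.
MAX_ROLES = 64
MAX_PAIRS = 16          # attribute/value pairs per match-criteria
MAX_NAME_LEN = 32

# One expression: "<attribute> <op> <value>", op in ==, !=, contains.
_EXPR = re.compile(r"([A-Za-z_-]+)\s*(==|!=|contains)\s*(.*)$")


@dataclass
class Role:
    name: str
    criteria: list       # [(attr, op, value), ...]
    priority: int = 255  # 1 = highest, 255 = lowest (the default)
    seq: int = 0         # set/modify order; higher = more recent


def parse_match_criteria(text):
    """Split 'attr op value; AND attr op value;' into (attr, op, value) triples.
    ';' delimits expressions and AND joins them. Assumption: every expression
    must hold, including ones separated by a bare ';' without AND."""
    pairs = []
    for chunk in text.split(";"):
        chunk = re.sub(r"^AND\b\s*", "", chunk.strip(), flags=re.I)
        if not chunk:
            continue
        m = _EXPR.match(chunk)
        if not m:
            raise ValueError(f"bad expression: {chunk!r}")
        attr, op, value = m.groups()
        pairs.append((attr.lower(), op, value.strip().strip('"')))
    if len(pairs) > MAX_PAIRS:
        raise ValueError(f"more than {MAX_PAIRS} attribute/value pairs")
    return pairs


def _mac_int(text):
    return int(text.replace(":", "").replace("-", ""), 16)


def _ports(spec):
    """'1,5-8' -> {1, 5, 6, 7, 8}"""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def value_equal(attr, want, have):
    """Type-aware '==' for one learned value: MAC with mask, OUI, IP prefix
    (CIDR or dotted netmask), port list, or case-insensitive string."""
    if attr == "mac":
        addr, _, mask = want.partition("/")
        m = _mac_int(mask) if mask else 0xFFFFFFFFFFFF
        return (_mac_int(have) & m) == (_mac_int(addr) & m)
    if attr == "mac-oui":
        return _mac_int(have) >> 24 == _mac_int(want)
    if attr == "ip-address":
        return ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
    if attr == "ports":
        return int(have) in _ports(want)
    return str(want).lower() == str(have).lower()


def _match(attr, op, want, have):
    # LDAP attributes such as memberOf may be multi-valued; any value satisfies ==/contains.
    values = have if isinstance(have, (list, tuple, set)) else [have]
    if op == "contains":
        hit = any(want.lower() in str(v).lower() for v in values)
    else:
        hit = any(value_equal(attr, want, v) for v in values)
    return not hit if op == "!=" else hit


def role_matches(role, identity):
    """All expressions must hold; an attribute the identity lacks never matches (assumption)."""
    ident = {k.lower(): v for k, v in identity.items()}
    return all(a in ident and _match(a, op, w, ident[a]) for a, op, w in role.criteria)


class IdentityRoles:
    def __init__(self):
        self.roles = {}
        self._seq = 0

    def create_role(self, name, match_criteria, priority=255):
        if len(name) > MAX_NAME_LEN:
            raise ValueError("role name longer than 32 characters")
        if not 1 <= priority <= 255:
            raise ValueError("priority must be 1-255")
        if name not in self.roles and len(self.roles) >= MAX_ROLES:
            raise ValueError("maximum of 64 roles")
        self._seq += 1
        self.roles[name] = Role(name, parse_match_criteria(match_criteria), priority, self._seq)
        return self.roles[name]

    def select_role(self, identity):
        """Highest priority (lowest number) wins; on a tie, the most recently set role."""
        hits = [r for r in self.roles.values() if role_matches(r, identity)]
        return min(hits, key=lambda r: (r.priority, -r.seq)).name if hits else None


def demo():
    """Load the roles from the command examples above and classify constructed
    identities (sample data, not learned from a real switch or LDAP server)."""
    t = IdentityRoles()
    t.create_role("India-Engr", "country==India; AND department==Engineering;")
    t.create_role("US-Engr", "title contains Engineer; AND country == US;", priority=100)
    t.create_role("ExtremeSwitch", "mac-oui == 00:04:96;")
    t.create_role("NotAccessibleUser", "userName == adam; AND ip-Address == 1.2.3.0/24;", priority=10)
    t.create_role("SecureAccess", "ports == 1,5-8; AND ip-address == 10.1.1.0/20;")
    t.create_role("Prod-Engineers", "title==Engineer; AND memberOf==Production;")
    adam = {"username": "adam", "ip-address": "1.2.3.7", "country": "India",
            "department": "Engineering", "title": "Engineer", "memberOf": ["Production", "Staff"]}
    switch = {"mac": "00:04:96:12:34:56", "ip-address": "10.1.5.9", "ports": 6}
    guest = {"ip-address": "192.0.2.10"}
    return {"adam": t.select_role(adam), "switch": t.select_role(switch), "guest": t.select_role(guest)}


if __name__ == "__main__":
    print(demo())  # adam -> NotAccessibleUser (priority 10); switch -> SecureAccess (tie, newer)
```

Two points the run makes visible. First, `adam` matches three roles, and only the explicit `priority 10` makes the outcome predictable; the switch identity matches two roles at the default 255, so the winner is decided by creation order, which is easy to change by accident when roles are re-created. Second, `mac`, `mac-oui` and the LLDP-derived attributes are asserted by the endpoint and can be spoofed, so a role that grants broader access should not key on them alone; combining them with a user name or LDAP attribute, as the examples do, and giving such roles an explicit priority avoids an attacker choosing their own role by picking an OUI.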
This command was first available in ExtremeXOS 12.5.
Support for matching locally learned attributes was added in ExtremeXOS 12.7.