This command enables or disables the match-criteria inheritance support. Check the current status by issuing the show identity-management command.
role | User role.
match-criteria | Match criteria for the role.
inheritance | Inheriting match criteria from parent role to child role.
on | off | Specifies whether match criteria inheritance is on or off.
Off.
Beginning with ExtremeXOS Release 15.2, child roles can inherit the match criteria of the parent role, so match-criteria entries need not be duplicated at every level of the hierarchy.
When match-criteria inheritance is on, a user is classified under a child role only if the user satisfies the match criteria of the child role and of all parent roles in the hierarchy.
For example, suppose the organization hierarchy of a company, XYZCorp.com, has roles called Employee, USEmployee and USSales. Up to ExtremeXOS 15.1 (or with match-criteria inheritance off), the user has to create the three roles like this:
* Switch.1 # create identity-management role Employee match-criteria "company == XYZCorp.com;"
* Switch.2 # create identity-management role USEmployee match-criteria "company == XYZCorp.com; AND country == USA;"
* Switch.3 # create identity-management role USSales match-criteria "company == XYZCorp.com; AND country == USA; AND department == Sales;"
* Switch.4 # configure identity-management role "Employee" add child-role "USEmployee"
* Switch.5 # configure identity-management role "USEmployee" add child-role "USSales"
With inheritance on, this can be simplified to the following, since each child role inherits its parent role's match criteria:
* Switch.1 # configure identity-management role match-criteria inheritance on
* Switch.2 # create identity-management role Employee match-criteria "company == XYZCorp.com;"
* Switch.3 # create identity-management role USEmployee match-criteria "country == USA;"
* Switch.4 # create identity-management role USSales match-criteria "department == Sales;"
* Switch.5 # configure identity-management role "Employee" add child-role "USEmployee"
* Switch.6 # configure identity-management role "USEmployee" add child-role "USSales"
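The following Python model is an added illustration, not ExtremeXOS code. It evaluates the simplified roles above with inheritance on and off, showing that the shortened criteria admit a non-XYZCorp.com user to USSales if inheritance is later switched off. It assumes criteria made only of `attr == value;` terms joined by AND, uses constructed sample users, and lists every role a user satisfies without modelling how the switch chooses among them.

```python
import re

# role -> (parent role, own match criteria), taken from the simplified example
ROLES = {
    "Employee":   (None,         "company == XYZCorp.com;"),
    "USEmployee": ("Employee",   "country == USA;"),
    "USSales":    ("USEmployee", "department == Sales;"),
}

def parse_criteria(text):
    """Turn 'a == b; AND c == d;' into [('a', 'b'), ('c', 'd')]."""
    terms = []
    for part in re.split(r"\bAND\b", text):
        part = part.strip().rstrip(";").strip()
        if part:
            attr, value = part.split("==", 1)
            terms.append((attr.strip(), value.strip()))
    return terms

def effective_criteria(role, inheritance):
    """Own terms, plus every ancestor's terms when inheritance is on."""
    terms, seen = [], set()
    while role is not None and role not in seen:  # 'seen' guards against loops
        seen.add(role)
        parent, text = ROLES[role]
        terms = parse_criteria(text) + terms      # ancestors' terms come first
        role = parent if inheritance else None
    return terms

def matching_roles(user, inheritance):
    """Roles whose effective criteria the user's attributes satisfy."""
    return [name for name in ROLES
            if all(user.get(attr) == value
                   for attr, value in effective_criteria(name, inheritance))]

# Constructed sample identities (not from the page).
INSIDER = {"company": "XYZCorp.com", "country": "USA", "department": "Sales"}
OUTSIDER = {"company": "OtherCorp.com", "country": "USA", "department": "Sales"}

if __name__ == "__main__":
    for label, user in (("insider", INSIDER), ("outsider", OUTSIDER)):
        for mode in (True, False):
            state = "on" if mode else "off"
            print(f"{label:8} inheritance {state:3}: {matching_roles(user, mode)}")
```

With inheritance off, the outsider satisfies USEmployee and USSales because those roles no longer carry the company term themselves.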
This command was first available in ExtremeXOS 15.2.
This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, and X695 series switches.