configure identity-management role match-criteria inheritance

configure identity-management role match-criteria inheritance [on | off]

Description

This command enables or disables the match-criteria inheritance support. Check the current status by issuing the show identity-management command.

Syntax Description


role	User role.
match-criteria	Match criteria for the role.
inheritance	Inheriting match criteria from parent role to child role.
on \| off	Specifies whether match criteria inheritance is on or off.

Default

Off.

Usage Guidelines

From ExtremeXOS Release 15.2, child roles can inherit the match criteria of the parent role. This helps the user since the match criteria need not be duplicated in all levels of hierarchy.

When match-criteria inheritance is on, for a user to be classified under a child role, he has to satisfy the match criteria of the child role, and also all parent roles in the hierarchy.

Match criteria inheritance helps users in avoiding the need to duplicate match-criteria entries in the hierarchy.

Example

For example, there are roles called Employee, USEmployee and USSales in an organization hierarchy of a company XYZCorp.com. Till ExtremeXOS 15.1 (or with match-criteria inheritance off), the user has to create three roles like this:

* Switch.1 # create identity-management role Employee match-criteria “company == XYZCorp.com;”
* Switch.2 # create identity-management role USEmployee match-criteria “company == XYZCorp.com; AND country == USA;”
* Switch.3 # create identity-management role USSales match-criteria “company == XYZCorp.com; AND country == USA; AND department = Sales”
* Switch.4 # configure identity-management role "Employee" add child-role "USEmployee"
* Switch.5 # configure identity-management role "USEmployee" add child-role "USSales"

Now this can be simplified into the following since child role inherits parent role‘s match criteria:

* Switch.1 # configure identity-management role match-criteria inheritance on
* Switch.2 # create identity-management role Employee match-criteria “company == XYZCorp.com;”
* Switch.3 # create identity-management role USEmployee match-criteria “country == USA;”
* Switch.4 # create identity-management role USSales match-criteria “department = Sales”
* Switch.5 # configure identity-management role "Employee" add child-role "USEmployee"
* Switch.6 # configure identity-management role "USEmployee" add child-role "USSales"

History

This command was first available in ExtremeXOS 15.2

Platform Availability

This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, and X695 series switches.

Switching

Routing

Wireless

Management & Automation

Analytics & Visibility

Security & Access Control

Remote

Cloud

Security

Machine Learning

Campus Fabric

Data Center Fabric

Internet of Things

Wi-Fi 6

Primary & Secondary Education (K-12)

Retail

Service Providers

Federal Government

Manufacturing

Higher Education

Healthcare

Hospitality

State & Local Government

Sports & Public Venues

Support Portal

Knowledge Base

Documentation

End of Sale

Policies & Warranties

Training & Courses

Maintenance Services

Premier Services

Professional Services

Managed Services