configure identity-management role match-criteria inheritance

configure identity-management role match-criteria inheritance [on | off]

Description

This command enables or disables the match-criteria inheritance support. Check the current status by issuing the show identity-management command.

Syntax Description

role

User role.

match-criteria

Match criteria for the role.

inheritance

Inheriting match criteria from parent role to child role.

on | off

Specifies whether match criteria inheritance is on or off.

Default

Off.

Usage Guidelines

From ExtremeXOS Release 15.2, child roles can inherit the match criteria of the parent role, so the match criteria need not be duplicated at every level of the hierarchy.

When match-criteria inheritance is on, a user is classified under a child role only if the user satisfies the match criteria of the child role and of all parent roles in the hierarchy.

Example

For example, consider roles named Employee, USEmployee and USSales in the organization hierarchy of a company, XYZCorp.com. Up to ExtremeXOS 15.1 (or with match-criteria inheritance off), the user has to create the three roles like this:

* Switch.1 # create identity-management role Employee match-criteria "company == XYZCorp.com;"
* Switch.2 # create identity-management role USEmployee match-criteria "company == XYZCorp.com; AND country == USA;"
* Switch.3 # create identity-management role USSales match-criteria "company == XYZCorp.com; AND country == USA; AND department == Sales"
* Switch.4 # configure identity-management role "Employee" add child-role "USEmployee"
* Switch.5 # configure identity-management role "USEmployee" add child-role "USSales"

This can now be simplified to the following, because a child role inherits its parent role's match criteria:

* Switch.1 # configure identity-management role match-criteria inheritance on
* Switch.2 # create identity-management role Employee match-criteria "company == XYZCorp.com;"
* Switch.3 # create identity-management role USEmployee match-criteria "country == USA;"
* Switch.4 # create identity-management role USSales match-criteria "department == Sales"
* Switch.5 # configure identity-management role "Employee" add child-role "USEmployee"
* Switch.6 # configure identity-management role "USEmployee" add child-role "USSales"
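
The simplified roles above are only as narrow as the original ones while inheritance is on, and the default is off. The following Python model is an added illustration, not ExtremeXOS code: it evaluates the simplified hierarchy both ways and lists roles a user would match only with inheritance off. It assumes criteria made of "attr == value" terms joined by AND, uses constructed sample users, and reports every role whose criteria are satisfied without modeling how the switch selects among them.

```python
import re

def parse(criteria):
    """Turn 'a == x; AND b == y;' into [('a', 'x'), ('b', 'y')]."""
    terms = []
    for part in re.split(r"\s+AND\s+", criteria.strip()):
        attr, value = part.rstrip("; ").split("==", 1)
        terms.append((attr.strip(), value.strip()))
    return terms

class Role:
    def __init__(self, name, criteria, parent=None):
        self.name, self.terms, self.parent = name, parse(criteria), parent

def effective_terms(role, inheritance):
    """Own terms, plus every ancestor's terms when inheritance is on."""
    terms = list(role.terms)
    parent = role.parent if inheritance else None
    while parent:
        terms += parent.terms
        parent = parent.parent
    return terms

def matching_roles(roles, user, inheritance):
    """Names of all roles whose effective criteria the user satisfies."""
    return [r.name for r in roles
            if all(user.get(a) == v for a, v in effective_terms(r, inheritance))]

def relies_on_inheritance(roles, user):
    """Roles the user matches with inheritance off but not with it on."""
    on = set(matching_roles(roles, user, True))
    return [n for n in matching_roles(roles, user, False) if n not in on]

# The simplified hierarchy from the example above.
employee = Role("Employee", "company == XYZCorp.com;")
us_employee = Role("USEmployee", "country == USA;", employee)
us_sales = Role("USSales", "department == Sales", us_employee)
ROLES = [employee, us_employee, us_sales]

# Constructed sample identities (hypothetical attribute values).
INSIDER = {"company": "XYZCorp.com", "country": "USA", "department": "Sales"}
OUTSIDER = {"company": "OtherCorp.example", "country": "Canada",
            "department": "Sales"}

if __name__ == "__main__":
    for label, user in (("insider", INSIDER), ("outsider", OUTSIDER)):
        for state in (True, False):
            print(label, "inheritance on" if state else "inheritance off",
                  matching_roles(ROLES, user, state))
    print("over-broad if off:", relies_on_inheritance(ROLES, OUTSIDER))
```

Before relying on the shortened criteria, confirm the inheritance state with the show identity-management command.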

History

This command was first available in ExtremeXOS 15.2.

Platform Availability

This command is available on ExtremeSwitching 5320, 5420, 5520, and 5720 series switches.