User Guide
OmniAccess SafeGuard OS Administration Guide
290
Chapter 6: Configuring Authentication and Role Derivation
The following example defines a rule map called execStaff and creates two match
statements for that rule map:
(SafeGuardOS) (config) # aaa rule-map execStaff
(SafeGuardOS) (rulemap) # description "The top brass of the company"
(SafeGuardOS) (rulemap) # match ad.distinguishedName contains "Finance"
(SafeGuardOS) (rulemap) # match ad.distinguishedName contains "Exec"
(SafeGuardOS) (rulemap) # set system.roleName "HIGHPOWER"
(SafeGuardOS) (rulemap) # end
(SafeGuardOS) (config) #
The no form of the statement removes a match statement from the rule map. To remove
only the match statement for Finance from the previous example, re-enter the rule map
and negate that statement:
(SafeGuardOS) (config) # aaa rule-map execStaff
(SafeGuardOS) (rulemap) # no match ad.distinguishedName contains "Finance"
(SafeGuardOS) (rulemap) # end
(SafeGuardOS) (config) #
After the no statement is applied, the rule map is equivalent to the following:
(SafeGuardOS) (config) # aaa rule-map execStaff
(SafeGuardOS) (rulemap) # description "The top brass of the company"
(SafeGuardOS) (rulemap) # match ad.distinguishedName contains "Exec"
(SafeGuardOS) (rulemap) # set system.roleName "HIGHPOWER"
(SafeGuardOS) (rulemap) # end
(SafeGuardOS) (config) #
Setting the Role
After defining the matching criteria, you set the role. The role information is sent to the
policy component for enforcement. Use the set system.roleName statement in rule map
submode using this syntax:
set system.roleName (value | value of attribute_name)
Syntax Description
value             A string literal such as "Marketing".
attribute_name    The value of another attribute in the attribute map, such as the
                  value of ad.department.
Examples
In the following example, we select a role based on membership in a particular group.
Because the value is in a list, we use the contains operation to see if a user is a member of
a particular group before assigning a role.
(SafeGuardOS) (config) # aaa rule-map specialGroups
(SafeGuardOS) (rulemap) # operation or
(SafeGuardOS) (rulemap) # match ad.memberOf contains "specialGroup1"
(SafeGuardOS) (rulemap) # match ad.memberOf contains "specialGroup2"
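The following Python is an added example, not SafeGuard OS code or the vendor's implementation. It models the rule-map semantics this chapter describes (match ... contains, the operation statement, the no match form, and set system.roleName with either a literal or value of attribute_name) so that an administrator can check which users a rule map would actually grant a role to before loading it. Several points are assumptions made for the example: the operation defaults to and when no operation statement is given; contains is a case-sensitive substring test on a string attribute and an "any element contains the substring" test on a list attribute such as ad.memberOf; and the specialGroups transcript, which the page cuts off before its set statement, is completed here with set system.roleName value of ad.department. The user attribute maps are constructed.

```python
# Added example, not SafeGuard OS code: a small model of the rule-map semantics
# described in this chapter, used to predict which users receive which role.
import re
import shlex
from dataclasses import dataclass, field
from typing import Optional

PROMPT = re.compile(r"^\(SafeGuardOS\)\s*\([a-z]+\)\s*#\s*")


@dataclass
class RuleMap:
    name: str
    description: str = ""
    operation: str = "and"   # ASSUMPTION: "and" when no "operation" statement is given
    matches: list = field(default_factory=list)   # (attribute, operator, value)
    role: Optional[tuple] = None   # ("literal", "HIGHPOWER") or ("attribute", "ad.department")


def parse_rule_map(cli_lines):
    """Build a RuleMap from rule-map submode statements (CLI prompts are stripped)."""
    rm = None
    for raw in cli_lines:
        line = PROMPT.sub("", raw.strip())
        if not line or line == "end":
            continue
        tok = shlex.split(line)
        if tok[:2] == ["aaa", "rule-map"]:
            if rm is None or rm.name != tok[2]:   # re-entering keeps existing statements
                rm = RuleMap(tok[2])
            continue
        if rm is None:
            raise ValueError(f"statement outside rule-map submode: {line}")
        if tok[0] == "description":
            rm.description = " ".join(tok[1:])
        elif tok[0] == "operation" and len(tok) == 2:
            rm.operation = tok[1].lower()
        elif tok[0] == "match" and len(tok) == 4:
            rm.matches.append((tok[1], tok[2], tok[3]))
        elif tok[:2] == ["no", "match"] and len(tok) == 5:
            entry = (tok[2], tok[3], tok[4])
            if entry in rm.matches:          # the no form removes that match statement
                rm.matches.remove(entry)
        elif tok[:2] == ["set", "system.roleName"] and len(tok) >= 3:
            if tok[2:4] == ["value", "of"] and len(tok) == 5:
                rm.role = ("attribute", tok[4])   # role copied from another attribute
            else:
                rm.role = ("literal", tok[2])
        else:
            raise ValueError(f"unsupported statement: {line}")
    return rm


def _contains(actual, needle):
    """ASSUMPTION: case-sensitive substring test; on a list attribute such as
    ad.memberOf, true if any element contains the substring. Missing never matches."""
    if actual is None:
        return False
    values = actual if isinstance(actual, (list, tuple)) else [actual]
    return any(needle in str(v) for v in values)


def evaluate(rm, attributes):
    """Return the role the rule map assigns for this attribute map, or None."""
    results = []
    for attr, op, value in rm.matches:
        if op != "contains":
            raise ValueError(f"operator {op!r} is not modelled here")
        results.append(_contains(attributes.get(attr), value))
    if not results:
        return None
    matched = any(results) if rm.operation == "or" else all(results)
    if not matched or rm.role is None:
        return None
    kind, value = rm.role
    return value if kind == "literal" else attributes.get(value)


# Constructed transcripts, taken from this chapter's examples with straight quotes.
EXEC_STAFF_CLI = [
    '(SafeGuardOS) (config) # aaa rule-map execStaff',
    '(SafeGuardOS) (rulemap) # description "The top brass of the company"',
    '(SafeGuardOS) (rulemap) # match ad.distinguishedName contains "Finance"',
    '(SafeGuardOS) (rulemap) # match ad.distinguishedName contains "Exec"',
    '(SafeGuardOS) (rulemap) # set system.roleName "HIGHPOWER"',
    '(SafeGuardOS) (rulemap) # end',
]
NO_FINANCE_CLI = [
    '(SafeGuardOS) (config) # aaa rule-map execStaff',
    '(SafeGuardOS) (rulemap) # no match ad.distinguishedName contains "Finance"',
    '(SafeGuardOS) (rulemap) # end',
]
# The page's specialGroups transcript stops before its set statement; the
# "value of ad.department" line is an ASSUMPTION added for this example.
SPECIAL_GROUPS_CLI = [
    '(SafeGuardOS) (config) # aaa rule-map specialGroups',
    '(SafeGuardOS) (rulemap) # operation or',
    '(SafeGuardOS) (rulemap) # match ad.memberOf contains "specialGroup1"',
    '(SafeGuardOS) (rulemap) # match ad.memberOf contains "specialGroup2"',
    '(SafeGuardOS) (rulemap) # set system.roleName value of ad.department',
    '(SafeGuardOS) (rulemap) # end',
]

# Constructed attribute maps for three users (not real directory data).
USERS = {
    "cfo": {"ad.distinguishedName": "CN=CFO,OU=Exec,OU=Finance,DC=corp,DC=example",
            "ad.memberOf": ["CN=specialGroup2,OU=Groups,DC=corp,DC=example"],
            "ad.department": "Finance"},
    "analyst": {"ad.distinguishedName": "CN=Bob,OU=Finance,DC=corp,DC=example",
                "ad.memberOf": ["CN=staff,OU=Groups,DC=corp,DC=example"],
                "ad.department": "Finance"},
    # A CN that merely contains both words: substring matching still grants HIGHPOWER.
    "intern": {"ad.distinguishedName": "CN=Exec Finance Intern,OU=Temps,DC=corp,DC=example",
               "ad.memberOf": [], "ad.department": "Temps"},
}

if __name__ == "__main__":
    exec_staff = parse_rule_map(EXEC_STAFF_CLI)
    trimmed = parse_rule_map(EXEC_STAFF_CLI + NO_FINANCE_CLI)
    special = parse_rule_map(SPECIAL_GROUPS_CLI)
    for name, attrs in USERS.items():
        print(name, evaluate(exec_staff, attrs), evaluate(trimmed, attrs), evaluate(special, attrs))
```

Running the model shows the practical caveat behind the execStaff example: contains on ad.distinguishedName is a substring test over the whole DN, so the constructed "intern" user, whose common name happens to include both "Exec" and "Finance", receives HIGHPOWER just as the CFO does. When a rule map assigns an elevated role, matching on group membership (ad.memberOf) or on an attribute with a controlled value set is a narrower and more auditable criterion than a substring of the DN.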