User Guide
OmniVista SafeGuard Manager Administration Guide
Chapter 5: Device Configuration
9 Select a role derivation and click Copy to clone the configuration of the selected
role derivation.
Roles
You set up users in the authentication database by assigning them a set of roles. Roles
are usually defined first by department, and then a set of authentication protocol-specific
attributes and their values is mapped to each role. The attributes are obtained when the
user authenticates against an external RADIUS, Kerberos, or other server. Each role has a
different set of privileges. The system has two hardcoded roles: authenticated and
unauthenticated. Any user who is unauthenticated is assigned the unauthenticated role.
Any policies that you define for that role are assigned to all users having that role.
Any user-defined role, by default, has the authenticated role as the parent. A role can be
designated as a child of other roles, except for the authenticated and unauthenticated
roles.
Policies are applied from the bottom of the hierarchy to the top of the hierarchy. In other
words, policies are applied from the most specific to the least specific role. Figure 75
shows a simple role hierarchy.
Figure 75 Role Hierarchy
Some rules for configuring roles:
■ By establishing a role hierarchy, you can avoid having to duplicate policies
throughout each role.
■ The chain within a role hierarchy cannot be cyclical.
■ A child role can have only one parent role.
■ All user-defined roles are assumed to be children of the authenticated role, unless
the new role is designated to be a child of another role.
■ The default role of unauthenticated cannot be a parent of other user-configured
roles.
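The rules above and the bottom-to-top policy order can be checked mechanically. The following Python sketch is an added example, not part of the product or of this guide; the function names and the parent links among the sample roles are constructed for illustration and are not read from Figure 75.

```python
# Added example: role-hierarchy rules from this section, checked in code.
AUTH, UNAUTH = "authenticated", "unauthenticated"  # the two hardcoded roles

# Constructed sample: (child, parent) links; parent None = not designated.
SAMPLE_LINKS = [("engineering", None), ("software", "engineering"),
                ("us", "software"), ("finance", None)]


def build_hierarchy(links):
    """Return a child -> parent map, raising ValueError on a rule violation."""
    parents = {}
    for child, parent in links:
        parent = parent or AUTH  # default parent is the authenticated role
        if child in (AUTH, UNAUTH):
            # This example's reading of "except for the authenticated and
            # unauthenticated roles": the hardcoded roles are never children.
            raise ValueError(f"{child}: hardcoded role cannot be a child")
        if parent == UNAUTH:
            raise ValueError(f"{child}: unauthenticated cannot be a parent")
        if parents.get(child, parent) != parent:
            raise ValueError(f"{child}: only one parent role is allowed")
        parents[child] = parent
    for child, parent in parents.items():
        if parent != AUTH and parent not in parents:
            raise ValueError(f"{child}: parent {parent} is not defined")
    for start in parents:  # walk each chain upward; a repeat means a cycle
        seen, role = set(), start
        while role != AUTH:
            if role in seen:
                raise ValueError(f"{start}: role chain is cyclical")
            seen.add(role)
            role = parents[role]
    return parents


def policy_order(parents, role):
    """Roles whose policies apply to `role`, most specific first."""
    if role == UNAUTH:  # assumption: this role stands outside the hierarchy
        return [UNAUTH]
    chain = [role]
    while chain[-1] != AUTH:
        chain.append(parents[chain[-1]])
    return chain


if __name__ == "__main__":
    roles = build_hierarchy(SAMPLE_LINKS)
    print(" -> ".join(policy_order(roles, "us")))
```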
[Figure 75 labels: Authenticated, Marketing, Finance, Engineering, Hardware, Software, Asia-Pac, US; axis from Least Specific to Most Specific]