Users Guide

Dell Networking W-ClearPass Policy Manager 6.2 | User Guide 136
Chapter 9
Identity: Users, Endpoints, Roles and Role Mapping
A Role Mapping Policy reduces client (user or device) identity or attributes associated with the request to Role(s) for
Enforcement Policy evaluation. The roles ultimately determine differentiated access.
Architecture and Flow
Roles range in complexity from a simple user group (e.g., Finance, Engineering, or Human Resources) to a combination
of a user group with some dynamic constraints (e.g., "San Jose Night Shift Worker": an employee in the Engineering
department who logs in through the San Jose network device between 8 PM and 5 AM on weekdays). It can also
apply to a list of users. A role can be:
• Discovered by Policy Manager through role mapping (Adding and Modifying Role Mapping Policies). Roles are
typically discovered by Policy Manager by retrieving attributes from the authentication source. Filter rules
associated with the authentication source tell Policy Manager where to retrieve these attributes.
• Assigned automatically when retrieving attributes from the authentication source. Any attribute in the
authentication source can be mapped directly to a role. ("Adding and Modifying Authentication Sources" on page
107)
• Associated directly with a user in the Policy Manager local user database ("Adding and Modifying Local Users"
on page 141 and "Adding and Modifying Guest Users" on page 142).
• Associated directly with a static host list, again through role mapping ("Adding and Modifying Static Host Lists"
on page 147).
Figure 96 Role Mapping Process
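The reduction of request attributes to roles described above can be sketched in Python. This is an added illustration, not Policy Manager code or configuration syntax; the attribute names (department, device_location, timestamp), the rule table, collecting every matching role, and reading "weekdays" as the calendar day of the login (Monday to Friday) are assumptions. It evaluates the "San Jose Night Shift Worker" constraints, including the 8 PM to 5 AM window that wraps past midnight, and treats a missing attribute as a non-match.

```python
from datetime import datetime, time

def in_window(t, start, end):
    """True if t is in [start, end); supports windows that wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end          # e.g. 20:00 -> 05:00

def is_night_shift(req):
    """Engineering + San Jose device + weekday + 8 PM-5 AM (all must hold)."""
    ts = req.get("timestamp")
    if ts is None:
        return False                       # missing attribute: rule does not match
    return (req.get("department") == "Engineering"
            and req.get("device_location") == "San Jose"
            and ts.weekday() < 5           # assumption: calendar day of login, Mon-Fri
            and in_window(ts.time(), time(20, 0), time(5, 0)))

# Hypothetical rule table: (role name, condition over request attributes).
RULES = [
    ("Engineering", lambda r: r.get("department") == "Engineering"),
    ("San Jose Night Shift Worker", is_night_shift),
]

def map_roles(request):
    """Reduce request attributes to every role whose condition holds."""
    return [role for role, cond in RULES if cond(request)]

def make_request(department, location, ts):
    """Build a constructed sample request (not a real authentication record)."""
    return {"department": department, "device_location": location, "timestamp": ts}

if __name__ == "__main__":
    samples = [  # constructed sample requests
        make_request("Engineering", "San Jose", datetime(2024, 1, 9, 21, 30)),  # Tue evening
        make_request("Engineering", "San Jose", datetime(2024, 1, 9, 2, 0)),    # Tue, after midnight
        make_request("Engineering", "San Jose", datetime(2024, 1, 13, 2, 0)),   # Sat, after midnight
        make_request("Finance", "San Jose", datetime(2024, 1, 9, 21, 30)),
    ]
    for s in samples:
        print(s["timestamp"], s["department"], "->", map_roles(s))
```

Under the calendar-day assumption a login at 2 AM on Saturday does not receive the night-shift role even though the shift began on Friday; a policy that intends to cover that case needs the weekday test tied to the shift's start instead.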
Configuring a Role Mapping Policy
After authenticating a request, a Policy Manager Service invokes its Role Mapping Policy, resulting in assignment of
a role(s) to the client. This role becomes the identity component of Enforcement Policy decisions.
A service can be configured without a Role Mapping Policy, but only one Role Mapping Policy can be configured for
each service.
Policy Manager ships with the following pre-configured roles:
• [Contractor] - Default role for a Contractor