Users Guide

Dell Networking W-ClearPass Policy Manager 6.4 | User Guide Identity | 191
Chapter 8
Identity
Roles can range in complexity from a simple user group (e.g., Finance, Engineering, or Human Resources) to a
combination of a user group with some dynamic constraints (e.g., San Jose Night Shift Worker: an employee
in the Engineering department who logs in through the San Jose network device between 8 PM and 5 AM on
weekdays). A role can also apply to a list of users.
A Role Mapping Policy reduces client (user or device) identity or attributes associated with the request to Role(s)
for Enforcement Policy evaluation. The roles ultimately determine differentiated access.
Figure 148: Role Mapping Process
A role can be:
• Authenticated through predefined Single Sign-On rules.
• Associated directly with a user in the Policy Manager local user database.
• Authenticated based on predefined allowed endpoints.
• Associated directly with a static host list, again through role mapping.
• Discovered by Policy Manager through role mapping. Roles are typically discovered by Policy Manager by
retrieving attributes from the authentication source. Filter rules associated with the authentication source
tell Policy Manager where to retrieve these attributes.
• Assigned automatically when retrieving attributes from the authentication source. Any attribute in the
authentication source can be mapped directly to a role.
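The "San Jose Night Shift Worker" mapping described above, sketched as an added example; this is not ClearPass code or rule syntax. The attribute names (`department`, `device_location`, `login_time`) and the `Guest` fallback role are assumptions, and the weekday is taken from the login timestamp, so a Saturday 2 AM login does not match even though the window wraps past midnight.

```python
from datetime import datetime, time

WEEKDAYS = {0, 1, 2, 3, 4}   # Monday..Friday, per datetime.weekday()
DEFAULT_ROLE = "Guest"       # assumption: fallback when no rule matches

def in_window(ts, start, end, days):
    """True if ts is on an allowed day and inside [start, end).
    A window whose end is earlier than its start wraps past midnight."""
    if ts.weekday() not in days:
        return False
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end   # e.g. 20:00-05:00

# Each rule: (role, conditions that must ALL hold for the request).
RULES = [
    ("San Jose Night Shift Worker", [
        lambda r: r.get("department") == "Engineering",
        lambda r: r.get("device_location") == "San Jose",
        lambda r: in_window(r["login_time"], time(20, 0), time(5, 0), WEEKDAYS),
    ]),
    ("Engineering", [lambda r: r.get("department") == "Engineering"]),
    ("Finance", [lambda r: r.get("department") == "Finance"]),
]

def map_roles(request, rules=RULES):
    """Reduce request attributes to the list of roles whose rules match."""
    roles = [role for role, conds in rules if all(c(request) for c in conds)]
    return roles or [DEFAULT_ROLE]

def sample(dept, location, when):
    """Build a constructed request (not real ClearPass data)."""
    return {"department": dept, "device_location": location, "login_time": when}

if __name__ == "__main__":
    for req in (
        sample("Engineering", "San Jose", datetime(2014, 10, 7, 22, 30)),  # Tue night
        sample("Engineering", "San Jose", datetime(2014, 10, 11, 2, 0)),   # Sat 2 AM
        sample("Sales", "San Jose", datetime(2014, 10, 7, 22, 30)),        # no rule
    ):
        print(req["department"], req["login_time"], "->", map_roles(req))
```

The returned role list is what an enforcement decision would then be evaluated against; the overlap between the composite role and the plain `Engineering` group role is intentional, since a request can reduce to more than one role.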
For more information, see:
• Configuring Single Sign-On, Local Users, Endpoints, and Static Host Lists on page 192
• Configuring a Role and Role Mapping Policy on page 202