Configuring Role Mapping Rules (NSM Procedure)

You create a role mapping rule on the Role Mapping tab of an authentication realm. (For administrators, to create role mapping rules, select Administrators > Admin Realms > Realm > Role Mapping. For users, select Users > User Realms > Realm > Role Mapping.) When you click New Rule on the Role Mapping tab, the Role Mapping Rule page appears with an inline editor for defining the rule.

To specify role mapping rules for an authentication realm:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the Infranet Controller device for which you want to configure role mapping rules.
  3. Click the Configuration tab. In the configuration tree, select Administrators > Admin Realms or Users > User Realms.
  4. Add or modify settings on the Role Mapping Rules tab as specified in Table 26.
  5. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 26: Role Mapping Rules Configuration Details

Option: Name
Function: Specifies the rule name.
Your Action: Enter the name.

Option: Assign these roles if the rule matches
Function: Specifies the list of eligible roles that match the rule.
Your Action: Select the roles from the Non-members list, and click Add to move them to the members list.

Option: Stop processing rules when this rule matches
Function: Stops evaluating role mapping rules if the user meets the conditions specified for this rule.
Your Action: Select this option to stop evaluating role mapping rules when specific conditions are met.

Option: Role mapping rule type
Function: Specifies the parameters based on which the role mapping is created.
Your Action:
  • Select If user name if the role mapping parameter must be based on the user name. Select is/is not conditional expressions for the rule, click the Add button, and enter the new user names.
  • Select If certificate has any of the attributes if the role mapping parameter must be based on the certificate attributes. Select is/is not conditional expressions for the rule, click the Add button, and enter the new values.
  • Select If user has any of these custom expressions if the role mapping parameter must be based on the custom expressions. The collection-of-expressions button appears.
    1. Click the collection-of-expressions button to assign expressions. The expressions that were created for the selected authentication server appear.
    2. Select an existing expression from the Non-members area and click Add to assign the expression to the role-mapping rule.
    3. Click New (+) and create an expression to assign a new expression to the role-mapping rule. For information on creating custom expressions and using the Expression Dictionary, refer to “Creating a Custom Expression for an Authentication Server (NSM Procedure).”

    Note: You can create a custom expression in a device template, but you cannot validate the custom expression. The Validate button is not enabled in the Custom Expressions editor for device templates.

Option: is/is not
Function: Specifies the conditional expression used in the rule.
Your Action: Select this option to specify the conditional expression.

Option: User must select from among assigned roles
Function: Specifies that the rule is based on assigned roles.
Your Action: Select this option to specify that the rule is based on assigned roles.

Option: User must select the sets of merged roles assigned by each rule
Function: Specifies that the rule is based on sets of merged roles.
Your Action: Select this option to specify that the rule is based on sets of merged roles.
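The following Python model is an added example, not NSM or Infranet Controller code. It shows how the "Stop processing rules when this rule matches" option and the is/is not condition change the roles a user ends up with. It assumes rules are evaluated top to bottom, roles from every matching rule are merged, and user names and certificate attribute values are compared by exact match; all rule names, roles, and users are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                 # "username" or "cert_attr" (rule types from Table 26)
    values: frozenset         # user names, or (attribute, value) pairs
    roles: frozenset          # "Assign these roles if the rule matches"
    negate: bool = False      # False models "is", True models "is not"
    stop: bool = False        # "Stop processing rules when this rule matches"

def rule_matches(rule, user):
    if rule.kind == "username":
        hit = user["name"] in rule.values
    elif rule.kind == "cert_attr":
        cert = user.get("cert", {})
        hit = any(cert.get(attr) == val for attr, val in rule.values)
    else:
        raise ValueError(f"unsupported rule type: {rule.kind}")
    return hit != rule.negate

def map_roles(rules, user):
    """Return (merged roles, names of matching rules) for one user."""
    roles, matched = set(), []
    for rule in rules:                      # assumed: top-to-bottom order
        if rule_matches(rule, user):
            roles |= rule.roles
            matched.append(rule.name)
            if rule.stop:                   # later rules are never evaluated
                break
    return roles, matched

# Constructed sample rules and users (not taken from any real device).
RULES = [
    Rule("contractors", "username", frozenset({"cjones"}),
         frozenset({"Restricted"}), stop=True),
    Rule("engineering-cert", "cert_attr", frozenset({("ou", "Engineering")}),
         frozenset({"Engineering"})),
    Rule("not-guest", "username", frozenset({"guest"}),
         frozenset({"Employees"}), negate=True),
]
RULES_NO_STOP = [replace(r, stop=False) for r in RULES]
CJONES = {"name": "cjones", "cert": {"ou": "Engineering"}}
ADAVIS = {"name": "adavis", "cert": {"ou": "Engineering"}}

if __name__ == "__main__":
    for label, rules in (("stop set", RULES), ("stop cleared", RULES_NO_STOP)):
        print(label, map_roles(rules, CJONES))
```

With the stop option set on the first rule, the sample user cjones receives only the Restricted role; with it cleared, the same user also matches the two later rules and accumulates their roles as well.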
