Adding and Modifying Role-Mapping Policies
This section describes how to add or modify a role mapping policy, as well as how to copy a rule, change the order of a rule, edit a rule, or remove a role-mapping rule.

To add a role-mapping policy:
1. Navigate to the Configuration > Identity > Role Mappings page.
The Role Mappings page opens:
Figure 1 Role Mappings Page
2. Click .
The Policy tab labels the method and defines the default role. The default role is the role to which Policy Manager defaults if the role-mapping policy does not produce a match for a given request.
Figure 2 Role Mappings > Policy Tab
3. Specify the Role Mappings > Policy parameters as described in the following table:
| Parameter | Action/Description |
|---|---|
| Policy Name | Enter the name of the role-mapping policy. |
| Description | Enter the description that provides additional information about the role mapping policy. |
| Default Role | Select the role to which Policy Manager will default when the role-mapping policy does not produce a match. |
| View Details | To view the details of the default role, click View Details. |
| Modify | To modify the default role, click Modify. |
| Add New Role | To add a new role, click Add New Role. |

On the Mapping Rules tab, you select the evaluation algorithm and add, copy, edit, remove, or change the order of the selected rule (see Figure 3).
Figure 3 Role Mapping > Mapping Rules Page
| Button | Action/Description |
|---|---|
| Add Rule | Click the action button to bring up the Rules Editor and add a new rule. |
| Copy Rule | Select the rule you want to copy, then click the action button. The copied rule is added to the existing list of rules. |
| Move Up/Move Down | To change the order in which the rules are executed in the enforcement policy, select the enforcement policy rule you want to move, then click Move Up or Move Down as desired. |
| Edit Rule | Select the rule you want to edit, then click the action button. |
| Remove Rule | Select the rule you want to delete, then click the action button. |

To add a mapping rule:
1. Select the Mapping Rules tab.
2. Click Add Rule.
The Rules Editor page opens.
Figure 4 Rules Editor Page
3. Specify the Rules Editor page parameters as described in the following table.
| Parameter | Action/Description |
|---|---|
| Type | The Rules Editor appears throughout the Policy Manager interface. It exposes different namespace dictionaries, depending on context. (Refer to Namespaces.) In the role mapping context, Policy Manager allows attributes from the following namespaces: Application; Application:ClearPass; Authentication; Authorization; Authorization:<authorization_source_instance> (Policy Manager shows each instance of the authorization source for which attributes have been configured to be fetched; see Adding and Configuring Authentication Sources. Only those attributes that have been configured to be fetched are shown in the attributes drop-down list.); Certificate; Connection; Date; Device; Endpoint; GuestUser; Host; LocalUser; Onboard; RADIUS (includes all enabled RADIUS vendor dictionaries). |
| Name | Displays the drop-down list of attributes present in the selected namespace. |
| Operator | Displays the drop-down list of context-appropriate (with respect to the attribute data type) operators. For more information about operators, see Operators. |
| Value | Depending on attribute data type, this may be a free-form (one or many line) edit box, a drop-down list, or a time and date widget. |

The operator values that display for each type and name are based on the data type specified for the authentication source (from the Configuration > Authentication > Sources page). If, for example, you modify the UserDN Data type on the authentication sources page to be an integer rather than a string, then the list of operator values here will populate with values that are specific to integers.
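The following added example (a simplified model, not ClearPass code) shows how rule order, the default role, and data-type-specific operators interact when a role-mapping policy is evaluated. The operator names, attribute names, role names, and the two evaluation modes (stop at the first match, or collect every match) are assumptions made for illustration.

```python
# Illustrative model, not ClearPass code; operator, attribute and role names are constructed.
from dataclasses import dataclass

# Operators offered per attribute data type (the operator list follows the data type).
OPERATORS = {
    str: {"equals": lambda a, v: a == v, "contains": lambda a, v: v in a},
    int: {"equals": lambda a, v: a == v, "greater_than": lambda a, v: a > v},
}

@dataclass(frozen=True)
class Rule:
    namespace: str   # the Rules Editor "Type" field
    name: str        # attribute within that namespace
    operator: str
    value: object
    role: str        # role assigned when the rule matches

    def matches(self, request):
        attr = request.get((self.namespace, self.name))
        if attr is None:          # attribute not fetched for this request
            return False
        ops = OPERATORS.get(type(attr), {})
        if self.operator not in ops:
            raise ValueError(f"{self.operator!r} is not valid for {type(attr).__name__}")
        return ops[self.operator](attr, self.value)

def map_roles(rules, request, default_role, first_match=True):
    """Evaluate rules in list order; return [default_role] when nothing matches."""
    roles = []
    for rule in rules:
        if rule.matches(request):
            roles.append(rule.role)
            if first_match:
                break
    return roles or [default_role]

# Constructed sample policy and requests.
RULES = [
    Rule("Authorization:AD", "memberOf", "contains", "CN=NetAdmins", "NetAdmin"),
    Rule("Authorization:AD", "Department", "equals", "Finance", "Finance"),
    Rule("Endpoint", "RiskScore", "greater_than", 70, "Quarantine"),
]
ADMIN_IN_FINANCE = {("Authorization:AD", "memberOf"): "CN=NetAdmins,OU=Groups",
                    ("Authorization:AD", "Department"): "Finance",
                    ("Endpoint", "RiskScore"): 85}
UNKNOWN = {("Authorization:AD", "Department"): "Sales"}

if __name__ == "__main__":
    print(map_roles(RULES, ADMIN_IN_FINANCE, "Guest"))   # first match only
    print(map_roles(RULES, UNKNOWN, "Guest"))            # falls back to default
```

In this model, a restrictive rule placed below a broader one is never reached when evaluation stops at the first match, which is why rule order and a least-privileged default role both deserve review.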