Configuring a Role and Role-Mapping Policy

This section includes the following information:

Preconfigured Roles

Adding and Modifying Roles

Adding and Modifying Role-Mapping Policies

After authenticating a request, a Policy Manager service invokes its role-mapping policy, which assigns one or more roles to the client. These roles become the identity component of enforcement policy decisions.


A service can be configured without a role-mapping policy, but only one role-mapping policy can be configured for each service.
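To make the request flow above concrete, here is a small role-mapping and enforcement model added as an illustration. It is not ClearPass code: the attribute names, the rule semantics (every rule is evaluated and each matching rule contributes its role), the first-match enforcement, the enforcement profile names and the use of the preconfigured "Other" role as the fallback are all assumptions made for the example. It shows the point a defender cares about: a client that matches no rule, or is handled by a service with no role-mapping policy, still receives a role, so the enforcement policy must treat that fallback role as untrusted.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Attributes a request carries once authentication has succeeded.
# Names and values below are constructed for illustration only.
Attributes = Dict[str, str]


@dataclass(frozen=True)
class RoleMappingRule:
    """One rule: if the condition holds for the request, assign the role."""
    description: str
    condition: Callable[[Attributes], bool]
    role: str


@dataclass
class RoleMappingPolicy:
    """Assumed semantics: all rules are evaluated, every matching rule adds
    its role, and the default role applies when nothing matches."""
    rules: List[RoleMappingRule]
    default_role: str = "Other"   # assumption: the preconfigured "Other" role is the fallback

    def map_roles(self, attrs: Attributes) -> Set[str]:
        roles = {r.role for r in self.rules if r.condition(attrs)}
        return roles if roles else {self.default_role}


@dataclass
class Service:
    """A service has at most one role-mapping policy and may have none."""
    name: str
    role_mapping: Optional[RoleMappingPolicy] = None
    default_role: str = "Other"

    def identity_roles(self, attrs: Attributes) -> Set[str]:
        # Without a role-mapping policy the client only ever gets the default role.
        if self.role_mapping is None:
            return {self.default_role}
        return self.role_mapping.map_roles(attrs)


def enforce(roles: Set[str], enforcement_rules: List[Tuple[str, str]]) -> str:
    """Enforcement policy consuming the role set as its identity input.
    Assumed semantics: first rule whose role is present wins; no match denies."""
    for required_role, profile in enforcement_rules:
        if required_role in roles:
            return profile
    return "Deny Access"


# Constructed role-mapping rules against the constructed attributes.
CORP_POLICY = RoleMappingPolicy(rules=[
    RoleMappingRule("AD group Employees -> Employee",
                    lambda a: "Employees" in a.get("memberOf", ""), "Employee"),
    RoleMappingRule("AD group Contractors -> Contractor",
                    lambda a: "Contractors" in a.get("memberOf", ""), "Contractor"),
    RoleMappingRule("Registered device -> Device Registration",
                    lambda a: a.get("device_registered") == "true", "Device Registration"),
    RoleMappingRule("Authenticated from MAC cache -> MAC Caching",
                    lambda a: a.get("auth_source") == "mac-cache", "MAC Caching"),
])

# Enforcement decisions keyed on role; profile names are constructed.
# Note that no entry exists for "Other", so the fallback role is denied.
ENFORCEMENT: List[Tuple[str, str]] = [
    ("Employee", "Employee VLAN"),
    ("Contractor", "Contractor VLAN"),
    ("MAC Caching", "Cached Device VLAN"),
    ("Guest", "Guest VLAN"),
]

CORP_SERVICE = Service("Corp 802.1X", role_mapping=CORP_POLICY)
BARE_SERVICE = Service("No role mapping")


def decide(service: Service, attrs: Attributes) -> Tuple[Tuple[str, ...], str]:
    """Return the sorted role set and the resulting enforcement decision."""
    roles = service.identity_roles(attrs)
    return tuple(sorted(roles)), enforce(roles, ENFORCEMENT)


if __name__ == "__main__":
    # Constructed requests exercising a match, a multi-role match, and no match.
    samples = [
        ("employee", {"memberOf": "CN=Employees,DC=corp", "device_registered": "true"}),
        ("contractor", {"memberOf": "CN=Contractors,DC=corp"}),
        ("unknown", {"memberOf": "CN=Vendors,DC=corp"}),
        ("cached", {"auth_source": "mac-cache"}),
    ]
    for label, attrs in samples:
        print(label, decide(CORP_SERVICE, attrs))
    print("bare service", decide(BARE_SERVICE, samples[0][1]))
```

The last line is the check worth keeping in mind when reviewing a deployment: a service configured without a role-mapping policy hands every authenticated client the same default role, so whatever the enforcement policy grants to that role is granted to everyone the service authenticates.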

Preconfigured Roles

Roles exist independently of an individual service. Roles can be accessed globally through the role-mapping policy of any service.

To view the set of preconfigured roles in Policy Manager, navigate to Configuration > Identity > Roles. The Roles page opens.

Figure 1: Roles Page

Policy Manager provides the following preconfigured roles:

Table 1: Preconfigured Roles in ClearPass Policy Manager

Role

Description

AirGroup v1

Role for an AirGroup protocol version 1 request.

AirGroup v2

Role for an AirGroup protocol version 2 request.

Aruba TACACS+ read-only Admin

Default role for read-only access to an Aruba device.

Aruba TACACS+ root Admin

Default role for root access to an Aruba device.

BYOD Operator

Operators with this profile can view and manage their own provisioned devices.

Contractor

Default role for a contractor

Device Registration

Operators with this profile can self-provision their devices for MAC authentication and AirGroup sharing.

Employee

Default role for an employee.

Guest

Default role for guest access.

MAC Caching

Default role applied during MAC caching.

Onboard Android

Role for an Android device that is being provisioned.

Onboard Chromebook

Role for a ChromeOS device that is being provisioned.

Onboard iOS

Role for an iOS device that is being provisioned.

Onboard Linux

Role for a Linux device that is being provisioned.

Onboard macOS

Role for a macOS device that is being provisioned.

Onboard Windows

Role for a Windows device that is being provisioned.

Other

Default role for any other user or device.

TACACS+ API Admin

API administrator role for Policy Manager Admin.

TACACS+ Help Desk

Admin role, limited to views of the Monitoring screens

TACACS+ Network Admin

Policy Manager Admin role, limited to Configuration and Monitoring screens

TACACS+ Read-only Admin

Read-only administrator role for Policy Manager Admin

TACACS+ Receptionist

Policy Manager Guest provisioning role

TACACS+ Super Admin

Policy Manager Admin role with unlimited access to all user interface screens