Role Inheritance - Extreme Networks Ridgeline Guide Manual

Concepts and solutions guide

Figure 200: Role Hierarchy (diagram labels: parent role, children roles; supports five levels)

Role Inheritance

Child roles inherit the policies of the parent role in the hierarchy. When an identity is assigned to a role,
the policies and rules defined by that role and all higher roles in the hierarchy are applied.

When the parent role is deleted or when the parent-child relationship is deleted, the child role no longer
inherits the parent role's policies, and the policies are immediately removed from all identities mapped
to the child role.

Since the maximum role hierarchy depth allowed is 5 levels, the maximum number of policies and
dynamic ACLs that can be applied to a role is 40 (5 role levels x 8 policies/rules per role).

NOTE: The LDAP query can be disabled for specific types of netlogin users.

When the software makes the final determination of which default or user-configured role applies to the
identity, the policies and rules configured for that role are applied to the port to which the identity is
attached. This feature supports up to 8 policies and dynamic ACL rules per role.

The identity's IP address is used to apply the dynamic ACLs and policies. Dynamic ACLs and
policies associated with roles should not specify a source IP address, because the identity
management feature dynamically inserts the identity's IP address as the source IP address. When a
dynamic ACL or policy is added to a role, it is immediately installed for all identities mapped to that
role. Effectively configured dynamic ACLs and policies stop intruders at
the port of entry on the edge switch, thereby reducing noise in the network.
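
The inheritance rules above can be checked offline before a role design is deployed. The following is an added example, not Ridgeline or ExtremeXOS code: the `Role` class, the rule fields (`dst`, `action`, `src_ip`), the role names and the addresses are constructed for illustration, and listing the child role's rules first is an assumption, since the guide does not state an ordering.

```python
from dataclasses import dataclass, field
from typing import Optional
MAX_DEPTH = 5            # role hierarchy depth limit stated in the guide
MAX_RULES_PER_ROLE = 8   # policies/dynamic ACL rules per role stated in the guide

@dataclass(eq=False)
class Role:              # hypothetical model, not a Ridgeline or ExtremeXOS object
    name: str
    parent: Optional["Role"] = None
    rules: list = field(default_factory=list)  # dicts of match fields plus an action

    def chain(self):
        """This role, then each ancestor; the walk is bounded so a loop cannot hang it."""
        out, node = [], self
        while node is not None and len(out) <= MAX_DEPTH:
            out.append(node)
            node = node.parent
        return out

def validate(role):
    """Return the configuration problems found in a role and its ancestors."""
    chain, problems = role.chain(), []
    if len(chain) > MAX_DEPTH:
        problems.append(f"{role.name}: hierarchy deeper than {MAX_DEPTH} levels")
    for r in chain:
        if len(r.rules) > MAX_RULES_PER_ROLE:
            problems.append(f"{r.name}: more than {MAX_RULES_PER_ROLE} rules")
        # A fixed source would conflict with the identity IP inserted at apply time.
        problems += [f"{r.name}: rule has a source IP" for x in r.rules if "src_ip" in x]
    return problems

def effective_rules(role, identity_ip):
    """Own plus inherited rules, each with the identity's IP inserted as the source."""
    return [{**x, "src_ip": identity_ip, "from_role": r.name}
            for r in role.chain() for x in r.rules]

def build_sample():
    """Constructed three-level hierarchy: employee -> engineering -> firmware."""
    employee = Role("employee", rules=[{"dst": "10.0.0.53/32", "action": "permit"}])
    engineering = Role("engineering", employee, [{"dst": "10.20.0.0/16", "action": "permit"}])
    firmware = Role("firmware", engineering, [{"dst": "10.20.30.0/24", "action": "permit"},
                                              {"dst": "10.99.0.0/16", "action": "deny"}])
    return employee, engineering, firmware

if __name__ == "__main__":
    _, engineering, firmware = build_sample()
    print(effective_rules(firmware, "192.0.2.10"))
    engineering.parent = None  # parent-child relationship deleted
    print(len(effective_rules(firmware, "192.0.2.10")), "rules remain")
```

Run `validate` on the leaf role of each branch: it walks the full ancestor chain, so one call covers the depth limit, the per-role rule limit and any rule that hard-codes a source IP.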


This manual is also suitable for:

Ridgeline 3.0
