1 Introduction
This document describes how to enable the use of role aliasing or role grouping for Role-Based Access Control (RBAC). Such a change can be triggered by the organization's security policy.
1.1 Prerequisites
This section describes the prerequisites, which must be fulfilled before using the procedure.
1.1.1 Conditions
The following conditions must apply:
- The user has the System Security Administrator role.
- The ME is configured to connect with a remote LDAP server; refer to Configure LDAP Basic Connection and Configure TLS for LDAP.
- The LDAP server is configured for the ME.
- profileFilter is set to ERICSSON_FILTER; refer to Configure Ericsson LDAP Filter.
- The role aliases or groups were created in the LDAP server using the Ericsson schema.
- An Ericsson Command-Line Interface (ECLI) session in Exec mode is in progress.
2 Procedure
To set the roleAliasesBaseDn attribute in the EricssonFilter Managed Object (MO), that is, the location in the LDAP server from which the role alias objects are reachable:
- Navigate to the EricssonFilter MO, for example:
>dn ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1,EricssonFilter=1
- Enter Config mode:
(EricssonFilter=1)>configure
- Set the role aliases base Distinguished Name (DN), for example:
(config-EricssonFilter=1)>roleAliasesBaseDn="dc=my-rbac-basedn"
- Commit the settings:
(config-EricssonFilter=1)>commit
- Verify the result:
(EricssonFilter=1)>show -r ..
The following is an example output:
Ldap=1
   baseDn="dc=my-domain,dc=com"
   fallbackLdapIpAddress="192.168.0.11"
   ldapIpAddress="192.168.0.10"
   profileFilter=ERICSSON_FILTER
   EricssonFilter=1
      roleAliasesBaseDn="dc=my-rbac-basedn"
- Note: To turn off role alias lookups, delete the attribute value and commit:
(config-EricssonFilter=1)>no roleAliasesBaseDn
(config-EricssonFilter=1)>commit
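
The following added example, which is not part of the original procedure or of Ericsson's tooling, checks captured output of the verification step against the conditions stated above: profileFilter must be ERICSSON_FILTER and roleAliasesBaseDn must be set to a well-formed DN. The function names and the simplified DN syntax check are assumptions made for illustration.

```python
import re

# Constructed sample: output of the verification step (values from the example above).
SAMPLE = '''Ldap=1
   baseDn="dc=my-domain,dc=com"
   fallbackLdapIpAddress="192.168.0.11"
   ldapIpAddress="192.168.0.10"
   profileFilter=ERICSSON_FILTER
   EricssonFilter=1
      roleAliasesBaseDn="dc=my-rbac-basedn"
'''

# name=value tokens; a value is either double-quoted or a bare word.
TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# One RDN of the form type=value (simplified: no escaped commas or multi-valued RDNs).
RDN = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=[^,=+]+$')


def parse_show(text):
    """Map attribute name -> value; works on indented or single-line output."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in TOKEN.finditer(text)}


def is_wellformed_dn(dn):
    """True if every comma-separated component looks like type=value."""
    return bool(dn) and all(RDN.match(p.strip()) for p in dn.split(","))


def audit(text):
    """Return a list of findings; an empty list means the settings are consistent."""
    attrs = parse_show(text)
    findings = []
    alias_dn = attrs.get("roleAliasesBaseDn")
    if attrs.get("profileFilter") != "ERICSSON_FILTER":
        findings.append("profileFilter is not ERICSSON_FILTER")
    if not alias_dn:
        findings.append("roleAliasesBaseDn is unset: role alias lookups are off")
    elif not is_wellformed_dn(alias_dn):
        findings.append("roleAliasesBaseDn is not a well-formed DN: %r" % alias_dn)
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE) or ["OK"]:
        print(line)
```

An empty result means the captured settings match the conditions; the check does not contact the LDAP server, so it cannot confirm that role alias objects actually exist under the configured DN.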
