Contents

1   Description

This instruction describes how to enable the use of role aliasing or role grouping for Role-Based Access Control (RBAC). Such change can be triggered by the organization security policy.

2   Procedure

2.1   Configure Role Aliases for RBAC

Prerequisites

• This instruction references the following documents:
  • Configure Ericsson LDAP Filter
  • Configure LDAP Basic Connection
  • Configure TLS for LDAP
• No tools are required.
• The following conditions must apply:
  • The user has the System Security Administrator role.
  • The Managed Element (ME) is configured to connect with remote LDAP server, refer to Configure LDAP Basic Connection and Configure TLS for LDAP.
  • The LDAP server is configured for the ME.
  • profileFilter is set to ERICSSON_FILTER, refer to Configure Ericsson LDAP Filter.
  • The Role aliases or groups were created in the LDAP server using the Ericsson schema.
  • An Ericsson Command-Line Interface (ECLI) session in Exec mode is in progress.

Steps

1. Navigate to the EricssonFilter managed object, for example:

   >dn ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,UserManagement=1,LdapAuthenticationMethod=1,Ldap=1,EricssonFilter=1

2. Enter Config mode:

   (EricssonFilter=1)>configure

3. Set the role aliases base Distinguished Name (DN), for example:

   (config-EricssonFilter=1)>roleAliasesBaseDn="dc=my-rbac-basedn"

4. Commit the settings:

   (config-EricssonFilter=1)>commit

5. Verify the result:

   (EricssonFilter=1)>show -r ..

   The following is an example output:

   Ldap=1 baseDn="dc=my-domain,dc=com" fallbackLdapIpAddress="192.168.0.11" ldapIpAddress="192.168.0.10" profileFilter=ERICSSON_FILTER EricssonFilter=1 roleAliasesBaseDn="dc=my-rbac-basedn"

   Note:  

   To turn off role alias lookups, delete the attribute value and commit:

   (config-EricssonFilter=1)>no roleAliasesBaseDn

   (config-EricssonFilter=1)>commit