About Associating Roles and Scopes

The CMP system assigns two attributes to each user: a role and a scope. Users who authenticate against a RADIUS server are assigned a role and a scope by matching the attribute values returned in the server's Access-Accept reply against the roles and scopes defined in the CMP system.

The best practice is to return the role and scope as the vendor-specific attributes (VSAs) Oracle-MI-role and Oracle-MI-scope. This requires the Oracle VSA dictionary to be loaded on the RADIUS server; once it is, the server can assign any combination of defined role and scope to a user, independently of any other attribute.

The following example defines two users with different roles and the same scope:

Sample RADIUS User Information
# Each entry: user name and check item on the first line, then
# comma-separated reply items; the last reply item has no trailing comma.
Jeff      Cleartext-Password := "garbage"
          Class = "Administrator",
          Oracle-MI-role = "Administrator",
          Oracle-MI-scope = "Global"

Paul      Cleartext-Password := "apr6279"
          Class = "Viewer",
          Oracle-MI-role = "Viewer",
          Oracle-MI-scope = "Global"

However, if the Oracle VSAs are not in the RADIUS server's dictionary, they cannot be used in the users file, and the only attribute the server can return to carry this information is the standard Class attribute. The CMP system accepts the Class attribute as a fallback. Because Class is a general-purpose RADIUS attribute that a server may also use for other purposes, make sure the value returned for CMP users is exactly a role/scope name and nothing else.

To accept a login on the Class attribute, define in the CMP system both a role and a scope whose names match the Class value the RADIUS server returns; the single Class value is used for both required credentials. For example, consider this user defined in the RADIUS server:

Sample RADIUS User Information - No Role or Scope
Dawn      Cleartext-Password := "kkmk4813"
          Class = "Viewer"

Dawn can log in to the CMP system only if both a role named Viewer and a scope named Viewer have been defined; the login matches the single returned Class value against both the role and the scope, so if either one is missing the Class value cannot satisfy both credentials.
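The two matching rules above (VSAs first, Class as the fallback for both credentials) are easy to get wrong when the Class value matches a role but not a scope. The following is an added example that models that decision logic; it is not Oracle's CMP code. The attribute names Oracle-MI-role, Oracle-MI-scope and Class come from this page; the function name authorize, the role and scope registries, the fail-closed handling of an incomplete VSA pair, and the sample replies for Jeff, Paul and Dawn are assumptions constructed for the example.

```python
"""Model of how a CMP-style login maps RADIUS reply attributes to a role
and a scope. Added example, not the CMP implementation: the registries,
function names and sample replies below are assumptions."""

from dataclasses import dataclass
from typing import Dict, Optional, Set

# Hypothetical role and scope names defined on the CMP side.
DEFINED_ROLES: Set[str] = {"Administrator", "Viewer"}
DEFINED_SCOPES: Set[str] = {"Global"}

# Constructed Access-Accept reply attributes for the users on this page.
SAMPLE_REPLIES: Dict[str, Dict[str, str]] = {
    "Jeff": {"Class": "Administrator",
             "Oracle-MI-role": "Administrator",
             "Oracle-MI-scope": "Global"},
    "Paul": {"Class": "Viewer",
             "Oracle-MI-role": "Viewer",
             "Oracle-MI-scope": "Global"},
    # No VSA dictionary: only Class is returned.
    "Dawn": {"Class": "Viewer"},
}


@dataclass(frozen=True)
class Authorization:
    role: str
    scope: str


def authorize(reply: Dict[str, str],
              roles: Set[str] = DEFINED_ROLES,
              scopes: Set[str] = DEFINED_SCOPES) -> Optional[Authorization]:
    """Return the role/scope granted by a RADIUS reply, or None to deny.

    Rule 1: if either Oracle VSA is present, both must be present and each
            must name a defined role/scope (assumption: fail closed rather
            than fall back to Class when the pair is incomplete).
    Rule 2: otherwise the single Class value must satisfy BOTH credentials,
            so a role and a scope with that exact name must both exist.
    """
    role = reply.get("Oracle-MI-role")
    scope = reply.get("Oracle-MI-scope")
    if role is not None or scope is not None:
        if role in roles and scope in scopes:
            return Authorization(role, scope)
        return None

    cls = reply.get("Class")
    if cls is not None and cls in roles and cls in scopes:
        return Authorization(cls, cls)
    return None


def decide_all(scopes: Set[str] = DEFINED_SCOPES) -> Dict[str, Optional[Authorization]]:
    """Evaluate every sample reply against the given scope registry."""
    return {user: authorize(attrs, scopes=scopes)
            for user, attrs in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    # With only the Global scope defined, Dawn is denied: "Viewer" is a role
    # but not a scope. Adding a scope named Viewer lets her in as Viewer/Viewer.
    for label, scopes in (("scopes={Global}", DEFINED_SCOPES),
                          ("scopes={Global,Viewer}", DEFINED_SCOPES | {"Viewer"})):
        print(label)
        for user, result in decide_all(scopes).items():
            print(f"  {user:5} -> {result if result else 'DENIED'}")
```

Run it as-is to see Dawn denied under the default registry and accepted once a Viewer scope exists; the VSA users are unaffected by the scope change because their scope comes from Oracle-MI-scope.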