Thanks again for clarifying the process! It makes much more sense now, especially since you pointed out that roles in CPPM and controller are two separate things - I had got them mixed up!
One question remains for me. In the configuration I have inherited, it seems like the same condition is defined both in role mappings and under enforcement policy (see enforcementrule.jpg)!? If I understand you correctly, I should devise one condition to authorize (as per my previous screenshot), but make sure to "tag" and pass on sufficient information to the enforcement engine to make the correct call on which Aruba User Role to return to the controller (see new_mappingrule.jpg).
So if I'm right so far, rather than checking the same condition (twice?), how would I use the tags appended in the role mapping in my enforcement policy? Which rule type (under Policy) would I use to read the roles passed on from the role mapping process?
The rules in my enforcement policy would then reference Enforcement Profile, one for each role that I would like to return to the controller?
I'm working my way through the documentation as I write this, but if you have time for a few more hints, it would be greatly appreciated!
Cheers
Fredrik