Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

airgroup role mapping instant and cppm

  • 1.  airgroup role mapping instant and cppm

    Posted Aug 21, 2014 05:26 AM
    Anyone got any good docs or references for mapping user roles on instant/controllers and cppm roles for airgroup?

    I have just set up airgroup and the integration works great. In my scenario I would like to permit the use of an appletv to a presenter and deny it to guests.
    Where I'm stuck is how to distinguish the presenter from the guests (guest role id was my first guess) and then how to enforce that separation.

    I know the airgroup-operator and airgroup-admin roles can do this on a separate page, but that seems a bit clunky for this use case.

    Any ideas?


  • 2.  RE: airgroup role mapping instant and cppm

    EMPLOYEE
    Posted Aug 21, 2014 06:41 AM
    Easiest way is to use the user roles. How are you determining the user is a presenter vs guest?


  • 3.  RE: airgroup role mapping instant and cppm

    Posted Aug 21, 2014 06:48 AM

    Well, that's what I'm trying to understand.

    Ideally I would like the Presenter to register (using Guest Self-Registration) and have reception add them into the Presenter Role. This would give them access to the Guest network (along with everyone else) with the added function of AirPlay.

    What I don't understand is how the mapping of the 'Presenter' role matches up to, and validates, the AirGroup shared role (which is owned by the Instant/Controller AirGroup setting).

    Does that make sense?

    Perhaps someone has a sample config?



  • 4.  RE: airgroup role mapping instant and cppm

    EMPLOYEE
    Posted Aug 21, 2014 07:48 AM
    So if you create a new guest role of presenter, then create a user role on the controller / instant called presenter, then you can select the presenter role in the AirGroup shared device registration.

    You'd also need to create the necessary logic in your enforcement policy to put the user into the user role (TIPS role equals presenter --- presenter-role-enf)


  • 5.  RE: airgroup role mapping instant and cppm

    Posted Aug 21, 2014 09:06 AM

    I'll give that a go in the morning. It's similar to what I already had, except I was using Endpoint:Guest Role ID instead of Tips:Role and Enforcement Profiles to map back to the Roles.



  • 6.  RE: airgroup role mapping instant and cppm

    EMPLOYEE
    Posted Aug 21, 2014 09:19 AM
    You can use that too as long as you are populating/updating that in your webauth service.