HP 6125XLG Command Reference Manual page 29

Blade switch security command reference

Views
Local user view, user group view
Predefined user roles
network-admin
Parameters
acl acl-number: Specifies the authorization ACL. The ACL number must be in the range of 2000 to 5999.
After passing authentication, a local user can access the network resources specified by this ACL.
idle-cut minute: Sets the idle timeout period. With the idle cut function enabled, an online user whose idle
period exceeds the specified idle timeout period is logged out. The minute argument must be in the range
of 1 to 120 minutes.
user-role role-name: Specifies the authorized user role. The role-name argument is a case-sensitive string
of 1 to 63 characters. The default user role for a local user created by a network-admin user is
network-operator. Up to 64 user roles can be specified for a user. For user role-related commands, see
Fundamentals Command Reference for RBAC commands. This option is available only in local user view,
and is not available in user group view.
vlan vlan-id: Specifies the authorized VLAN. The vlan-id argument is in the range of 1 to 4094. After
passing authentication and being authorized a VLAN, a local user can access only the resources in this
VLAN.
work-directory directory-name: Specifies the work directory for FTP, SFTP, or SCP users. The
directory-name argument is a case-insensitive string of 1 to 512 characters. The directory must already
exist. By default, an FTP, SFTP, or SCP user can access the root directory of the device.
Usage guidelines
Each configurable authorization attribute applies only in specific environments and for specific purposes.
Consider the service types of users when assigning authorization attributes:
For LAN users, only the authorization attributes acl, idle-cut, and vlan are effective.
For HTTP, HTTPS, Telnet, and terminal users, only the authorization attribute user-role is effective.
For SSH and FTP users, only the authorization attributes user-role and work-directory are effective.
For other types of local users, no authorization attribute is effective.
Authorization attributes configured for a user group are intended for all local users in the group. You can
group local users to improve configuration and management efficiency. An authorization attribute
configured in local user view takes precedence over the same attribute configured in user group view.
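The following sketch is an added example, not part of the HP manual or device software. It audits a planned set of authorization attributes against the ranges, service-type rules, and user/group precedence described above. The dictionary data model, the `audit` function, and the service-type keys (named after the wording on this page, not device CLI keywords) are assumptions.

```python
# Added example: audit planned local-user authorization attributes against
# the ranges and service-type rules quoted on this page.

# Attributes that take effect per service type (usage guidelines above).
EFFECTIVE = {
    "lan": {"acl", "idle-cut", "vlan"},
    "http": {"user-role"}, "https": {"user-role"},
    "telnet": {"user-role"}, "terminal": {"user-role"},
    "ssh": {"user-role", "work-directory"},
    "ftp": {"user-role", "work-directory"},
}
# Numeric ranges from the parameter descriptions.
RANGES = {"acl": (2000, 5999), "idle-cut": (1, 120), "vlan": (1, 4094)}


def audit(services, user_attrs, group_attrs=None):
    """Return a list of findings for one local user (hypothetical data model)."""
    group_attrs = group_attrs or {}
    findings = []
    if "user-role" in group_attrs:
        findings.append("user-role is not available in user group view")
        group_attrs = {k: v for k, v in group_attrs.items() if k != "user-role"}
    # Local user view overrides the same attribute set in user group view.
    attrs = {**group_attrs, **user_attrs}
    for name, (lo, hi) in RANGES.items():
        if name in attrs and not lo <= attrs[name] <= hi:
            findings.append(f"{name} {attrs[name]} is outside {lo}-{hi}")
    roles = attrs.get("user-role", [])
    if len(roles) > 64:
        findings.append("more than 64 user roles")
    findings += [f"role name length invalid: {r!r}" for r in roles
                 if not 1 <= len(r) <= 63]
    if not 1 <= len(attrs.get("work-directory", "x")) <= 512:
        findings.append("work-directory must be 1 to 512 characters")
    effective = set().union(*(EFFECTIVE.get(s, set()) for s in services))
    for name in sorted(set(attrs) - effective):
        findings.append(f"{name} has no effect for {sorted(services)}")
    # FTP/SFTP/SCP users without a work directory can reach the device root.
    if {"ssh", "ftp"} & set(services) and "work-directory" not in attrs:
        findings.append("no work-directory: file access defaults to device root")
    return findings


if __name__ == "__main__":
    # Constructed sample users, not taken from any real device.
    print(audit({"ssh"}, {"user-role": ["network-operator"], "vlan": 5000}))
    print(audit({"lan"}, {"idle-cut": 30}, {"acl": 3000, "idle-cut": 200}))
```

The second call returns no findings because the user-level idle-cut of 30 overrides the out-of-range group value of 200.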
To ensure that the user has only the user role authorized by this command, use the undo
authorization-attribute user-role command to remove the predefined user roles.
The security-audit user role has access to the commands for managing security log files and security log
file system. To display all the accessible commands of the user role, use the display role name
security-audit command. For more information about security log management, see Network
Management and Monitoring. For more information about file system management, see Fundamentals
Configuration Guide.
When you configure the security-audit user role, follow these restrictions and guidelines:
If the device has local users who are assigned the security-audit user role, you cannot delete the last
local user who has this user role.
The user role security-audit is mutually exclusive with other user roles. When you assign the
security-audit user role to a local user, the system asks for your confirmation to delete all the other