Authorization-Attribute - HPE FlexFabric 7900 Series Security Command Reference

authorization-attribute

Use authorization-attribute to configure authorization attributes for a local user or user group. After
the local user or a local user in the user group passes authentication, the device assigns these
attributes to the user.
Use undo authorization-attribute to restore the default.
Syntax
authorization-attribute { acl acl-number | idle-cut minute | user-role role-name | vlan vlan-id |
work-directory directory-name } *
undo authorization-attribute { acl | idle-cut | user-role role-name | vlan | work-directory } *
Default
FTP, SFTP, and SCP users have the root directory of the NAS set as the working directory. However,
the users do not have permission to access the root directory.
The network-operator user role is assigned to local users that are created by a network-admin or
level-15 user on the default MDC.
The mdc-operator user role is assigned to local users that are created by an mdc-admin or level-15
user on a non-default MDC.
Views
Local user view, user group view
Predefined user roles
network-admin
mdc-admin
Parameters
acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is
2000 to 5999. After passing authentication, a local user can access the network resources specified
by this ACL.
idle-cut minute: Sets an idle timeout period in minutes. The value range for the minute argument is 1
to 120. When the idle cut feature is enabled, an online user whose idle period exceeds the specified
idle timeout period is logged out.
user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive
string of 1 to 63 characters. A maximum of 64 user roles can be specified for a user. For user
role-related commands, see Fundamentals Command Reference for RBAC commands. This option
is available only in local user view, and is not available in user group view.
vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094.
After passing authentication and being assigned the authorized VLAN, a local user can access only
the resources in this VLAN.
work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The
directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must
already exist.
Usage guidelines
Configure authorization attributes according to the application environments and purposes. Support
for authorization attributes depends on the service types of users.
For Telnet and terminal users, only the authorization attributes idle-cut and user-role are
effective.
For SSH users, only the authorization attributes idle-cut, user-role, and work-directory are
effective.
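The value ranges and the per-service rules above can be checked mechanically during a configuration review, which catches an acl or vlan attribute set on a Telnet, terminal, or SSH user where it has no effect. The following Python helper is an added example, not HPE code; the function names, the service and view arguments, and the sample command lines are assumptions constructed for illustration.

```python
# Added example: audit helper for authorization-attribute lines (not HPE code).
RANGES = {"acl": (2000, 5999), "idle-cut": (1, 120), "vlan": (1, 4094)}  # numeric ranges from Parameters
MAXLEN = {"user-role": 63, "work-directory": 255}                         # string length limits
# Attributes that are effective per service type, from the usage guidelines.
EFFECTIVE = {
    "telnet": {"idle-cut", "user-role"},
    "terminal": {"idle-cut", "user-role"},
    "ssh": {"idle-cut", "user-role", "work-directory"},
}

def parse(line):
    """Split 'authorization-attribute k v [k v ...]' into (keyword, value) pairs."""
    tokens = line.split()  # assumption: values contain no spaces
    if not tokens or tokens[0] != "authorization-attribute":
        raise ValueError("not an authorization-attribute command")
    args = tokens[1:]
    if not args or len(args) % 2:
        raise ValueError("expected keyword/value pairs")
    return list(zip(args[0::2], args[1::2]))

def audit(line, service=None, view="local-user"):
    """Return findings for one command line; service and view come from the caller."""
    findings = []
    for key, value in parse(line):
        if key in RANGES:
            lo, hi = RANGES[key]
            if not value.isdigit() or not lo <= int(value) <= hi:
                findings.append(f"{key} {value}: outside {lo}-{hi}")
        elif key in MAXLEN:
            if len(value) > MAXLEN[key]:
                findings.append(f"{key}: longer than {MAXLEN[key]} characters")
        else:
            findings.append(f"{key}: unknown attribute")
            continue
        if key == "user-role" and view == "user-group":
            findings.append("user-role: not available in user group view")
        if service in EFFECTIVE and key not in EFFECTIVE[service]:
            findings.append(f"{key}: not effective for {service} users")
    return findings

if __name__ == "__main__":
    # Constructed sample lines, not taken from a real device.
    for line, service in [("authorization-attribute acl 3001 vlan 10", "telnet"),
                          ("authorization-attribute idle-cut 121", "ssh")]:
        print(line, "->", audit(line, service))
```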