HPE FlexNetwork HSR6800 Security Command Reference page 50

callback-number callback-number: Specifies the authorized PPP callback number. The
callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes
authentication, the device uses this number to call the user.
idle-cut minute: Sets the idle timeout period. With the idle cut function enabled, an online user
whose idle period exceeds the specified idle timeout period is logged out. The minute argument
indicates the idle timeout period, ranging from 1 to 120 minutes.
level level: Specifies the user level, which can be 0 for visit level, 1 for monitor level, 2 for system
level, and 3 for manage level. A smaller number means a lower level. This parameter determines the
command level for login users whose user interfaces perform AAA authentication. By default, the
user level is 0, and users can use only commands of level 0 after login.
user-profile profile-name: Specifies the authorization user profile. The profile-name argument is a
case-sensitive string of 1 to 32 characters. It can contain letters, digits, and underscores (_), and
must start with a letter. After a user passes authentication and gets online, the device uses the
settings in the user profile to restrict the access behavior of the user. For more information about user
profiles, see Security Configuration Guide.
user-role: Specifies the role for the local user. This keyword is available only in local user view.
Users with different roles can access different levels of commands. If you specify no role for a
local user, the access right of the user after login depends on other authorization attributes.
Supported roles include:
  guest: Specifies the guest user account.
  guest-manager: Specifies the guest manager.
  security-audit: Specifies the security log administrator. An authenticated security log
  administrator can manage security log files. The commands that a security log administrator
  can use are described in the information center commands. For more information, see Network
  Management and Monitoring Command Reference.
vlan vlan-id: Specifies the authorized VLAN, where vlan-id ranges from 1 to 4094. After passing
authentication, a local user can access the resources in this VLAN.
work-directory directory-name: Specifies the work directory for users who use the FTP or
SFTP service. The directory-name argument is a case-insensitive string of 1 to 135 characters. The
directory must already exist. By default, an FTP or SFTP user can access the root directory of the
device.
Usage guidelines
Each configurable authorization attribute has specific application environments and purposes.
Consider the service types of users when assigning authorization attributes.
Authorization attributes configured for a user group are effective for all local users in the group. You
can group local users to improve configuration and management efficiency.
An authorization attribute configured in local user view takes precedence over the same attribute
configured in user group view. If an authorization attribute is configured in user group view but not in
local user view, the setting in user group view takes effect.
To make sure that FTP and SFTP users can access the directory after a switchover between the
main MPU and the backup MPU, do not specify slot information for the work directory.
If only one user is playing the role of security log administrator in the system, you cannot delete the
user account or remove or change the user's role, unless you first configure another user as a
security log administrator.
A local user can play only one role at a time. If you configure the role more than once, only the
last role configuration takes effect.
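
The value ranges and the local-user-over-group precedence rule described above can be checked offline when reviewing account data. The following Python is an added example, not HPE code; the dictionary layout, the function names, and the sample group and users are assumptions made for illustration.

```python
import re

# Ranges and formats taken from the parameter descriptions on this page.
PROFILE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,31}")

def _int_in(lo, hi):
    return lambda v: type(v) is int and lo <= v <= hi

def _str_len(lo, hi):
    return lambda v: isinstance(v, str) and lo <= len(v) <= hi

VALIDATORS = {
    "callback-number": _str_len(1, 64),
    "idle-cut": _int_in(1, 120),
    "level": _int_in(0, 3),
    "user-profile": lambda v: isinstance(v, str) and bool(PROFILE_RE.fullmatch(v)),
    "vlan": _int_in(1, 4094),
    "work-directory": _str_len(1, 135),
}

def effective(user_attrs, group_attrs):
    """Local user view overrides user group view; level defaults to 0."""
    return {"level": 0, **group_attrs, **user_attrs}

def audit(name, user_attrs, group_attrs, services=()):
    """Return (effective attributes, findings) for one local user."""
    eff = effective(user_attrs, group_attrs)
    findings = []
    for key, value in eff.items():
        check = VALIDATORS.get(key)
        if check is None:
            findings.append(f"{name}: unknown attribute {key!r}")
        elif not check(value):
            findings.append(f"{name}: {key} value {value!r} outside documented range")
    if eff["level"] == 3:
        src = "local user" if "level" in user_attrs else "user group"
        findings.append(f"{name}: manage level (3) set in {src} view")
    if {"ftp", "sftp"} & set(services) and "work-directory" not in eff:
        findings.append(f"{name}: FTP/SFTP user has no work-directory (root by default)")
    return eff, findings

# Constructed sample data (hypothetical group and users, not from the manual).
OPS_GROUP = {"level": 3, "idle-cut": 10}
USERS = {"abc": ({"vlan": 2, "level": 1}, ()), "ftp1": ({"vlan": 5000}, ("ftp",))}

if __name__ == "__main__":
    for user, (attrs, svcs) in USERS.items():
        print(audit(user, attrs, OPS_GROUP, svcs))
```
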
Examples
# Configure the authorized VLAN of local user abc as VLAN 2.
<Sysname> system-view