HP FlexFabric 7900 Series Command Reference Manual page 26

Security

Default
No authorization ACL, idle timeout period, or authorized VLAN is configured for the local users.
FTP, SFTP, or SCP users have the root directory of the NAS set as the working directory, but they do not
have the access permission to the root directory.
The local users created by a network-admin or level-15 user are assigned the network-operator user role.
Views
Local user view, user group view
Predefined user roles
network-admin
Parameters
acl acl-number: Specifies the authorization ACL. The ACL number must be in the range of 2000 to 5999.
After passing authentication, a local user can access the network resources specified by this ACL.
idle-cut minute: Sets the idle timeout period in minutes. The value range for the minute argument is 1 to
120. When the idle cut function is enabled, an online user whose idle period exceeds the specified idle
timeout period is logged out.
user-role role-name: Specifies the authorized user role. The role-name argument is a case-sensitive string
of 1 to 63 characters. Up to 64 user roles can be specified for a user. For user role-related commands,
see Fundamentals Command Reference for RBAC commands. This option is available only in local user
view, and is not available in user group view.
vlan vlan-id: Specifies the authorized VLAN. The vlan-id argument is in the range of 1 to 4094. After
passing authentication and being authorized a VLAN, a local user can access only the resources in this
VLAN.
work-directory directory-name: Specifies the work directory for FTP, SFTP, or SCP users. The
directory-name argument is a case-insensitive string of 1 to 512 characters. The directory must already
exist. By default, an FTP, SFTP, or SCP user can access the root directory of the device.
Usage guidelines
Each configurable authorization attribute applies only in specific environments and for specific purposes.
Consider the service types of users when assigning authorization attributes:
For Telnet and terminal users, only the authorization attribute user-role is effective.
For SSH and FTP users, only the authorization attributes user-role and work-directory are effective.
For other types of local users, no authorization attribute is effective.
Authorization attributes configured for a user group are intended for all local users in the group. You can
group local users to improve configuration and management efficiency. An authorization attribute
configured in local user view takes precedence over the same attribute configured in user group view.
To make the user have only the user role authorized by this command, use the undo
authorization-attribute user-role command to remove the predefined user roles.
Examples
# Configure the authorized user role of the device management user abc as network-admin.
<Sysname> system-view
[Sysname] local-user abc class manage
[Sysname-luser-manage-abc] authorization-attribute user-role network-admin
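As an added example that is not from the HP manual, the following Python helper parses a constructed Comware-style configuration snippet and applies the two rules from the usage guidelines: an attribute in local user view overrides the same attribute in user group view, and only the attributes listed for the user's service type take effect. The service-type and group commands used in the sample are assumed Comware commands that this page does not document.

```python
# Attributes that take effect per service type (from the usage guidelines).
EFFECTIVE = {"telnet": {"user-role"}, "terminal": {"user-role"},
             "ssh": {"user-role", "work-directory"}, "ftp": {"user-role", "work-directory"}}

# Constructed sample config; 'service-type' and 'group' are assumed Comware commands.
SAMPLE_CONFIG = """\
user-group ops
 authorization-attribute user-role network-operator
 authorization-attribute acl 3000
local-user alice class manage
 service-type ssh
 group ops
 authorization-attribute user-role network-admin
local-user bob class manage
 service-type telnet
 group ops
 authorization-attribute vlan 10
"""

def parse(config):
    # Split the config into user-group and local-user blocks with their settings.
    groups, users, ctx = {}, {}, None
    for raw in config.splitlines():
        words = raw.split() or [""]
        if not raw.startswith(" ") and words[0] in ("user-group", "local-user"):
            store = groups if words[0] == "user-group" else users
            ctx = store[words[1]] = {"attrs": {}, "services": set(), "group": None}
        elif ctx is not None and words[0] == "authorization-attribute":
            ctx["attrs"][words[1]] = " ".join(words[2:])
        elif ctx is not None and words[0] == "service-type":
            ctx["services"].update(words[1:])
        elif ctx is not None and words[0] == "group":
            ctx["group"] = words[1]
    return groups, users

def effective_attributes(config):
    # Returns ({user: {service: {attr: value}}}, [(user, service, attr), ...]);
    # the list holds attributes that are configured but take no effect for that service.
    groups, users = parse(config)
    result, ineffective = {}, []
    for name, u in users.items():
        merged = dict(groups.get(u["group"], {}).get("attrs", {}))
        merged.update(u["attrs"])  # local user view takes precedence over user group view
        result[name] = {}
        for svc in sorted(u["services"]):
            allowed = EFFECTIVE.get(svc, set())
            result[name][svc] = {k: v for k, v in merged.items() if k in allowed}
            ineffective += [(name, svc, k) for k in sorted(merged) if k not in allowed]
    return result, ineffective
```

Running effective_attributes(SAMPLE_CONFIG) shows that alice's local user-role overrides the group's, and that the acl and vlan attributes inherited or set for SSH and Telnet users never take effect.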