
HP FlexNetwork MSR Series Command Reference Manual page 69

Comware 7 security

For PPP users, only the following authorization attributes take effect: callback-number, idle-cut, ip, ip-pool, ipv6-pool, ipv6-prefix, primary-dns, secondary-dns, session-timeout, url, user-profile, and vpn-instance.
For IPoE users, only the following authorization attributes take effect: acl, idle-cut, ip-pool, ipv6-pool, ipv6-prefix, primary-dns, secondary-dns, session-timeout, user-profile, and vpn-instance. If the IPoE users access the network through leased lines, the vpn-instance authorization attribute does not take effect.
For portal users, only the following authorization attributes take effect: acl, idle-cut, ip-pool, ipv6-pool, session-timeout, and user-profile.
For LAN users, only the following authorization attributes take effect: acl, idle-cut, session-timeout, user-profile, and vlan. The idle-cut authorization attribute takes effect only on wireless users.
For Telnet and terminal users, only the user-role and work-directory authorization attributes take effect.
For HTTP and HTTPS users, only the user-role authorization attribute takes effect.
For SSH and FTP users, only the user-role and work-directory authorization attributes take effect.
For IKE users, only the ip-pool authorization attribute takes effect.
For other types of local users, no authorization attribute takes effect.

Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.

To make sure FTP, SFTP, and SCP users can access the directory after a master/subordinate or active/standby switchover, do not specify chassis or slot information for the working directory.

To make sure a user has only the user roles authorized by using this command, use the undo authorization-attribute user-role command to remove the default user role.

The security-audit user role has access to the commands for managing security log files and security log file system. To display all the accessible commands of the security-audit user role, use the display role name security-audit command. For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see Fundamentals Configuration Guide.

You cannot delete a local user if the local user is the only local user who has the security-audit user role.

The security-audit user role is mutually exclusive with other user roles.
When you assign the security-audit user role to a local user, the system requests confirmation for deleting all the other user roles of the user.
When you assign other user roles to a local user who has the security-audit user role, the system requests confirmation for deleting the security-audit user role for the local user.

Examples
# Configure the authorized VLAN of network access user abc as VLAN 2.
<Sysname> system-view
[Sysname] local-user abc class network
[Sysname-luser-network-abc] authorization-attribute vlan 2
# Configure the authorized VLAN of user group abc as VLAN 3.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc] authorization-attribute vlan 3
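
The following is an added example, not part of the HP manual or of Comware: a small audit helper that applies the per-user-type list and the local-user-over-group precedence rule from the usage guidelines above, so that configured attributes that silently have no effect (for instance an acl on a PPP user) can be spotted. The access-type labels, the function name, and the sample input are assumptions made for this sketch.

```python
# Added example: which authorization attributes actually take effect.
# Access-type keys ("ppp", "lan", ...) are labels chosen for this sketch,
# not Comware keywords; the attribute names come from the list on this page.
MGMT = {"user-role", "work-directory"}
EFFECTIVE = {
    "ppp": {"callback-number", "idle-cut", "ip", "ip-pool", "ipv6-pool", "ipv6-prefix",
            "primary-dns", "secondary-dns", "session-timeout", "url", "user-profile",
            "vpn-instance"},
    "ipoe": {"acl", "idle-cut", "ip-pool", "ipv6-pool", "ipv6-prefix", "primary-dns",
             "secondary-dns", "session-timeout", "user-profile", "vpn-instance"},
    "portal": {"acl", "idle-cut", "ip-pool", "ipv6-pool", "session-timeout", "user-profile"},
    "lan": {"acl", "idle-cut", "session-timeout", "user-profile", "vlan"},
    "telnet": MGMT, "terminal": MGMT, "ssh": MGMT, "ftp": MGMT,
    "http": {"user-role"}, "https": {"user-role"},
    "ike": {"ip-pool"},
}

def effective_attributes(access_type, user_attrs, group_attrs=None,
                         leased_line=False, wireless=False):
    """Return (applied, ignored) for one local user.

    applied: attribute -> value that takes effect for this access type.
    ignored: sorted names of configured attributes that have no effect.
    """
    # Local user view takes precedence over the same attribute in user group view.
    merged = {**(group_attrs or {}), **user_attrs}
    allowed = set(EFFECTIVE.get(access_type, ()))  # other user types: nothing applies
    if access_type == "ipoe" and leased_line:
        allowed.discard("vpn-instance")            # no effect over leased lines
    if access_type == "lan" and not wireless:
        allowed.discard("idle-cut")                # wireless users only
    applied = {k: v for k, v in merged.items() if k in allowed}
    ignored = sorted(k for k in merged if k not in allowed)
    return applied, ignored

if __name__ == "__main__":
    # Constructed input: user abc (VLAN 2) placed in group abc (VLAN 3, plus extras).
    user = {"vlan": "2"}
    group = {"vlan": "3", "acl": "3000", "ip-pool": "pool1"}
    print(effective_attributes("lan", user, group))
    print(effective_attributes("ppp", {"acl": "3000", "idle-cut": "30"}))
```

Anything returned in the ignored list is configuration that looks like a control but is not enforced for that access type, which is the case worth reviewing first.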