Table of Contents
Advertisement
authorization-attribute (local user view/user group view)
Use authorization-attribute to configure authorization attributes for a local user or user group. After
the local user or a local user in the user group passes authentication, the device assigns these
attributes to the user.
Use undo authorization-attribute to restore the default of an authorization attribute.
Syntax
authorization-attribute { acl acl-number | idle-cut minutes | ip-pool ipv4-pool-name | ipv6-pool
ipv6-pool-name | session-timeout minutes | user-role role-name | vlan vlan-id | work-directory
directory-name } *
undo authorization-attribute { acl | idle-cut | ip-pool | ipv6-pool | session-timeout | user-role
role-name | vlan | work-directory } *
Default
The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the
users do not have permission to access the root directory.
The local users created by a network-admin or level-15 user on the default MDC are assigned the
network-operator user role. The local users created by an mdc-admin or level-15 user on a
non-default MDC are assigned the mdc-operator user role.
Views
Local user view
User group view
Predefined user roles
network-admin
mdc-admin
Parameters
acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is
2000 to 5999. After passing authentication, a local user can access the network resources specified
by this ACL. For portal users, only basic ACLs (ACL 2000 to ACL 2999) and advanced ACLs (ACL
3000 to ACL 3999) take effect.
idle-cut minutes: Specifies an idle timeout period in minutes. The value range for the minutes
argument is 1 to 120. An online user is logged out if its idle period exceeds the specified idle timeout
period.
ip-pool ipv4-pool-name: Specifies an IPv4 address pool for the user. The ipv4-pool-name argument
is a case-insensitive string of 1 to 63 characters.
ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for the user. The ipv6-pool-name
argument is a case-insensitive string of 1 to 63 characters.
session-timeout minutes: Specifies the session timeout timer for the user, in minutes. The value
range for the minutes argument is 1 to 1440. The device logs off the user after the timer expires.
user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive
string of 1 to 63 characters. A maximum of 64 user roles can be specified for a user. For user
role-related commands, see Fundamentals Command Reference for RBAC commands. This option
is available only in local user view, and is not available in user group view.
vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094.
After passing authentication and being authorized a VLAN, a local user can access only the
resources in this VLAN.
38
Advertisement
Table of Contents
