H3C S6812 Series Command Reference Manual page 1677

session-timeout minutes: Sets the session timeout timer for the user, in minutes. The value range
for the minutes argument is 1 to 1440. The device logs off the user after the timer expires.
user-profile profile-name: Specifies an authorization user profile by its name. The profile-name
argument is a case-sensitive string of 1 to 31 characters. The name can contain only letters, digits,
and underscores (_). The user profile restricts the behavior of authenticated users. For more
information, see Security Configuration Guide.
user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive
string of 1 to 63 characters. A maximum of 64 user roles can be specified for a user. For user
role-related commands, see Fundamentals Command Reference for RBAC commands. This option
is available only in local user view, and is not available in user group view.
vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094.
After passing authentication and being authorized a VLAN, a local user can access only the
resources in this VLAN.
work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The
directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must
already exist.
Usage guidelines
Configure authorization attributes according to the application environments and purposes. Support
for authorization attributes depends on the service types of users.
For portal users, only the following authorization attributes take effect: acl, ip-pool, ipv6-pool,
user-profile, and session-timeout.
For LAN users, only the following authorization attributes take effect: acl, session-timeout,
user-profile, and vlan.
For SSH, Telnet, and terminal users, only the authorization attributes idle-cut and user-role take
effect.
For HTTP and HTTPS users, only the authorization attribute user-role takes effect.
For FTP users, only the authorization attributes user-role and work-directory take effect.
For other types of local users, no authorization attribute takes effect.
Authorization attributes configured for a user group are intended for all local users in the group. You
can group local users to improve configuration and management efficiency. An authorization
attribute configured in local user view takes precedence over the same attribute configured in user
group view.
To make sure FTP, SFTP, and SCP users can access the directory after an IRF master/subordinate
switchover, do not specify slot information for the working directory.
To make sure the user has only the user roles authorized by using this command, use the undo
authorization-attribute user-role command to remove the default user role.
The security-audit user role has access to the commands for managing security log files and security
log file system. To display all the accessible commands of the security-audit user role, use the
display role name security-audit command. For more information about security log management,
see Network Management and Monitoring Configuration Guide. For more information about file
system management, see Fundamentals Configuration Guide.
When you configure the security-audit user role, follow these restrictions and guidelines:
If the device has local users authorized as the security-audit user role, you cannot delete the
only local user who has this user role.
The user role security-audit is mutually exclusive with other user roles.
When you assign the security-audit user role to a local user, the system requests
confirmation for deleting all the other user roles of the user.
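
The usage guidelines above, turned into an offline audit check for a local-user inventory. This is an added example, not H3C code: it reports which configured authorization attributes take effect for a user's service types, applies the local-user-over-group precedence, and flags values the reference forbids. Assumptions: the service-type labels, the function names, the role name ops_role, and the rule that an attribute counts as effective when any of the user's service types honors it.

```python
import re

# Effective attributes per service type (usage guidelines above); keys are example labels, not CLI keywords.
CLI = {"idle-cut", "user-role"}
EFFECTIVE = {
    "portal": {"acl", "ip-pool", "ipv6-pool", "user-profile", "session-timeout"},
    "lan": {"acl", "session-timeout", "user-profile", "vlan"},
    "ssh": CLI, "telnet": CLI, "terminal": CLI,
    "http": {"user-role"}, "https": {"user-role"},
    "ftp": {"user-role", "work-directory"},
}
RANGES = {"session-timeout": (1, 1440), "vlan": (1, 4094)}

def check_value(attr, value):
    """Return a problem string for a value the reference forbids, else None."""
    if attr in RANGES:
        lo, hi = RANGES[attr]
        return None if lo <= int(value) <= hi else f"{attr} {value} is outside {lo}-{hi}"
    if attr == "user-profile" and not re.fullmatch(r"[A-Za-z0-9_]{1,31}", value):
        return "user-profile name must be 1-31 letters, digits, or underscores"
    if attr == "user-role":
        if len(value) > 64 or any(not 1 <= len(r) <= 63 for r in value):
            return "user-role allows at most 64 roles, each 1-63 characters"
        if "security-audit" in value and len(value) > 1:
            return "security-audit is mutually exclusive with other user roles"
    return None

def audit(services, user_attrs, group_attrs):
    """Return (effective attributes, findings) for one local user."""
    findings = []
    if "user-role" in group_attrs:
        findings.append("user-role is not available in user group view")
    # Group attributes apply to every member; local user view wins on conflict.
    merged = {k: v for k, v in group_attrs.items() if k != "user-role"}
    merged.update(user_attrs)
    # Services outside the table are "other types": no attribute takes effect.
    allowed = set().union(*(EFFECTIVE.get(s, set()) for s in services))
    effective = {}
    for attr, value in merged.items():
        problem = check_value(attr, value) if attr in allowed else (
            f"{attr} has no effect for service types {sorted(services)}")
        if problem:
            findings.append(problem)
        else:
            effective[attr] = value
    return effective, findings
# Constructed sample: SSH+FTP user in a group that also sets a LAN-only attribute.
SAMPLE = audit({"ssh", "ftp"}, {"user-role": ["ops_role", "security-audit"]},
               {"idle-cut": 10, "vlan": 20})
```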

This manual is also suitable for:

S6813 series, S5150-ei
