H3C S5120-HI Security Configuration Manual page 34

password control attribute with a smaller effective range has a higher priority. For more information about password management and global password configuration, see "Configuring password control."

• Binding attributes.
Binding attributes are used to control the scope of users. They are checked during local authentication of a user. If the attributes of a user do not match the binding attributes configured for the local user account, the user cannot pass authentication. Binding attributes include the ISDN calling number, IP address, access port, MAC address, and native VLAN. For more information about binding attributes, see "Configuring local user attributes." Be cautious when deciding which binding attributes to configure for a local user.

• Authorization attributes.
Authorization attributes indicate the rights that a user has after passing local authentication. Authorization attributes include the ACL, idle cut function, user level, user role, user profile, VLAN, and FTP/SFTP work directory. For more information about authorization attributes, see "Configuring local user attributes."

Every configurable authorization attribute has its own application environments and purposes. When you configure authorization attributes for a local user, consider which attributes are needed and which are not.

You can configure an authorization attribute in user group view or local user view to make the attribute effective for all local users in the group or only for the local user. The setting of an authorization attribute in local user view takes precedence over that in user group view.

Local user configuration task list

| Task | Remarks |
|---|---|
| Configuring local user attributes | Required |
| Configuring user group attributes | Optional |
| Displaying and maintaining local users and local user groups | Optional |

Configuring local user attributes

Follow these guidelines when you configure local user attributes:

• If the user interface authentication mode (set by the authentication-mode command in user interface view) is AAA (scheme), which commands a login user can use after login depends on the privilege level authorized to the user. If the user interface authentication mode is password (password) or no authentication (none), which commands a login user can use after login depends on the level configured for the user interface (set by the user privilege level command in user interface view). For an SSH user using public key authentication, which commands are available depends on the level configured for the user interface. For more information about user interface authentication mode and user interface command level, see Fundamentals Configuration Guide.

• You can configure the user profile authorization attribute in local user view, user group view, and ISP domain view. The setting in local user view has the highest priority, and that in ISP domain view has the lowest priority. For more information about user profiles, see

• You cannot delete a local user who is the only security log manager in the system, nor can you change or delete the security log manager role of the user. To do so, you must specify a new security log manager first.
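
The binding check, the attribute precedence, and the command-level rule described above can be modelled together in Python. This is an added example, not H3C or Comware code; the record layout, field names, and sample users, groups, and addresses are all constructed for illustration, and password verification is left out.

```python
# Illustrative model of the rules above; not Comware code. All names and
# sample records are constructed for this example. Password checks are omitted.
USER_GROUPS = {"ops": {"level": 1, "idle_cut": 10, "user_profile": "grp-prof"}}
ISP_DOMAINS = {"system": {"user_profile": "dom-prof"}}
LOCAL_USERS = {
    "alice": {"group": "ops", "domain": "system", "authz": {"level": 3},
              "bind": {"ip": "192.0.2.10", "mac": "00-11-22-33-44-55"}},
    "bob": {"group": "ops", "domain": "system", "bind": {},
            "authz": {"user_profile": "bob-prof"}},
}


def binding_ok(user, session):
    """Every binding attribute configured on the account must match the session."""
    return all(session.get(attr) == want for attr, want in user["bind"].items())


def effective_authz(user):
    """Merge authorization attributes, lowest priority first.

    The page describes ISP domain view only for the user profile, so the
    domain contributes just that; user group view overrides it, and local
    user view overrides both.
    """
    merged = {}
    domain_profile = ISP_DOMAINS[user["domain"]].get("user_profile")
    if domain_profile is not None:
        merged["user_profile"] = domain_profile
    merged.update(USER_GROUPS[user["group"]])
    merged.update(user["authz"])
    return merged


def command_level(auth_mode, ui_level, session, username=None, ssh_publickey=False):
    """Return the command level a login receives, or None if local
    authentication fails (unknown user or binding attribute mismatch)."""
    if auth_mode not in ("scheme", "password", "none"):
        raise ValueError(f"unknown authentication mode: {auth_mode}")
    if auth_mode != "scheme" or ssh_publickey:
        return ui_level  # level comes from the user interface, not the account
    user = LOCAL_USERS.get(username)
    if user is None or not binding_ok(user, session):
        return None
    return effective_authz(user)["level"]
```

Running the model over an inventory of user interfaces shows which logins receive their level from the interface setting and which receive it from the account.
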
To configure local user attributes:
"Configuring port
security."
