authorization-attribute (local user view/user group view)
Syntax
authorization-attribute { acl acl-number | idle-cut minute | level level | user-profile profile-name | user-role { guest | guest-manager | security-audit } | vlan vlan-id | work-directory directory-name } *
undo authorization-attribute { acl | idle-cut | level | user-profile | user-role | vlan | work-directory } *
View
Local user view, user group view
Default level
3: Manage level
Parameters
acl acl-number: Specifies the authorization ACL. The ACL number must be in the range of 2000 to 5999. After passing authentication, a local user is authorized to access the network resources specified by this ACL.
idle-cut minute: Sets the idle timeout period. With the idle cut function enabled, an online user whose idle period exceeds the specified idle timeout period is logged out. The minute argument indicates the idle timeout period, in the range of 1 to 120 minutes.
level level: Specifies the user level, which can be 0 for visit level, 1 for monitor level, 2 for system level, or 3 for manage level. A smaller number means a lower level. If the authentication mode of the user interfaces is scheme, this argument determines which commands the user can execute after login. By default, the user level is 0, and a user can execute only level 0 commands after login.
user-profile profile-name: Specifies the authorization user profile. profile-name is a case-sensitive string of 1 to 32 characters. It can contain letters, digits, and underscores (_) and must start with a letter. After a user passes authentication and gets online, the switch uses the settings in the user profile to restrict the access behavior of the user. For more information about user profiles, see Security Configuration Guide.
user-role: Specifies the role for the local user. This keyword is available only in local user view. Users playing different roles can access different levels of commands. If you specify no role for a local user, the access rights of the user after login depend on the other authorization attributes. Supported roles include:
guest: A guest user account is usually created through the Web interface.
guest-manager: After passing authentication, a guest manager can only use the Web interface to access guest-related pages to, for example, create, modify, or change guest user accounts.
security-audit: After passing authentication, a security log administrator can manage security log files, for example, save security log files. For more information about the commands that a security log administrator can use, see Network Management and Monitoring Command Reference.
vlan vlan-id: Specifies the authorized VLAN. The vlan-id argument is in the range of 1 to 4094. After passing authentication, a local user can access the resources in this VLAN.
work-directory directory-name: Specifies the work directory for users of the FTP or SFTP service. The directory-name argument is a case-insensitive string of 1 to 135 characters. The directory must already exist on the switch. By default, an FTP or SFTP user can access the root directory of the switch.
Description
Use authorization-attribute to configure authorization attributes for the local user or user group. After the local user or a local user of the user group passes authentication, the switch assigns these attributes to the user.
Use undo authorization-attribute to remove authorization attributes and restore the defaults.
By default, no authorization attribute is configured for a local user or user group.
Each authorization attribute applies only to specific services and purposes (for example, the work directory applies only to FTP and SFTP users, and the level applies only to scheme-authenticated login users). Consider the service types of the users when assigning authorization attributes.
Authorization attributes configured for a user group are effective for all local users in the group. You can group local users to improve configuration and management efficiency.
An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view. If an authorization attribute is configured in user group view but not in local user view, the setting in user group view takes effect.
If only one user is playing the role of security log administrator in the system, you cannot delete the user account, or remove or change the user’s role, unless you configure another user as a security log administrator first.
A local user can play only one role at a time. If you execute the command with user-role multiple times for the same user, the most recent configuration takes effect.
Examples
# Configure the authorized VLAN of local user abc as VLAN 2.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] authorization-attribute vlan 2
# Configure the authorized VLAN of user group abc as VLAN 3.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc] authorization-attribute vlan 3
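# The following is an added example, not one of the original examples on this page. It shows how group-level and user-level attributes combine under the precedence rule described above, and how a work directory restricts an FTP user. The acl, group, service-type, and display local-user commands are assumed to be available as in other Comware V5 configuration guides; they are not documented on this page. Password configuration for the two users is omitted.

```text
# Basic ACL 2001 permits only the 10.1.1.0/24 subnet (assumed ACL syntax; not from this page).
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule 0 permit source 10.1.1.0 0.0.0.255
[Sysname-acl-basic-2001] quit
# Group-wide attributes: every member is limited to ACL 2001 and VLAN 3,
# and is logged out after 10 idle minutes.
[Sysname] user-group ops
[Sysname-ugroup-ops] authorization-attribute acl 2001 vlan 3 idle-cut 10
[Sysname-ugroup-ops] quit
# Member ftpuser inherits the group attributes and gets a user-specific FTP work directory.
# The directory must already exist on the switch; without this attribute the user
# can access the root directory.
[Sysname] local-user ftpuser
[Sysname-luser-ftpuser] group ops
[Sysname-luser-ftpuser] service-type ftp
[Sysname-luser-ftpuser] authorization-attribute work-directory flash:/ftp/ftpuser
[Sysname-luser-ftpuser] quit
# Member admin: level 3 set in local user view replaces the default level 0,
# and VLAN 2 set here takes precedence over the group's VLAN 3.
# ACL 2001 and the idle cut are not set for the user, so the group settings apply.
[Sysname] local-user admin
[Sysname-luser-admin] group ops
[Sysname-luser-admin] authorization-attribute level 3 vlan 2
[Sysname-luser-admin] quit
# Check the attributes that will actually be assigned to admin (assumed display command).
[Sysname] display local-user user-name admin
```

When reviewing such a configuration, confirm that any user-level attribute is intended to override the group, because a single authorization-attribute line in local user view silently replaces the group's value for that attribute while the remaining attributes still come from the group.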