Configuring attributes for device management users

Restrictions and guidelines

If password control is enabled globally by using the password-control enable command, the device does not display local user passwords or retain them in the running configuration. When you globally disable the password control feature, local user passwords are restored to the running configuration. To display the running configuration, use the display current-configuration command.

You can configure authorization attributes and password control attributes in local user view or user group view. The setting in local user view takes precedence over the setting in user group view.

Procedure

  1. Enter system view.

    system-view

  2. Add a device management user and enter device management user view.

    local-user user-name class manage

  3. Configure a password for the device management user.

    In non-FIPS mode:

    password [ { hash | simple } string ]

    In FIPS mode:

    password

    In non-FIPS mode, a non-password-protected user passes authentication if the user provides the correct username and passes attribute checks. To enhance security, configure a password for each local user.

    In FIPS mode, only password-protected users can pass authentication. For a device management user, you must set the password in interactive mode.

  4. Assign services to the device management user.

    In non-FIPS mode:

    service-type { ftp | { http | https | ssh | telnet | terminal } * }

    In FIPS mode:

    service-type { https | ssh | terminal } *

    By default, no services are authorized to a device management user.

  5. (Optional.) Set the status of the device management user.

    state { active | block }

    By default, a device management user is in active state and can request network services.

  6. (Optional.) Set the upper limit of concurrent logins using the device management username.

    access-limit max-user-number

    By default, the number of concurrent logins is not limited for a device management user.

    This command takes effect only when local accounting is configured for device management users. It does not apply to FTP, SFTP, or SCP users, because those users do not support accounting.

  7. (Optional.) Configure authorization attributes for the device management user.

    authorization-attribute { idle-cut minutes | user-role role-name | work-directory directory-name } *

    The following default settings apply:

    • The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.

    • The network-operator user role is assigned to local users that are created by a network-admin or level-15 user.

  8. (Optional.) Configure password control attributes for the device management user. Choose the following tasks as needed:

    • Set the password aging time.

      password-control aging aging-time

    • Set the minimum password length.

      password-control length length

    • Configure the password composition policy.

      password-control composition type-number type-number [ type-length type-length ]

    • Configure the password complexity checking policy.

      password-control complexity { same-character | user-name } check

    • Configure the maximum number of login attempts and the action to take when a user exceeds that limit.

      password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]

    By default, a device management user uses password control attributes of the user group to which the user belongs.

  9. (Optional.) Assign the device management user to a user group.

    group group-name

    By default, a device management user belongs to user group system.
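The procedure above carried through for one hardened administrative account, as an added example that is not taken from the manual or the vendor's own documentation. It assumes the hostname Sysname, the usernames ops-admin and xfer, a placeholder password, an example working directory, and illustrative numeric values; the `#` lines are annotations for the reader, not CLI input.

```text
# Enable password control globally first, so the per-user
# password-control attributes below are enforced.
<Sysname> system-view
[Sysname] password-control enable
#
# Administrative account: SSH and HTTPS only (no Telnet/HTTP),
# network-admin role, 10-minute idle cut.
[Sysname] local-user ops-admin class manage
[Sysname-luser-manage-ops-admin] password simple <STRONG-PASSWORD-PLACEHOLDER>
[Sysname-luser-manage-ops-admin] service-type ssh https
[Sysname-luser-manage-ops-admin] state active
[Sysname-luser-manage-ops-admin] authorization-attribute user-role network-admin idle-cut 10
#
# Per-user password policy: 90-day aging, at least 12 characters,
# 3 character types with at least 2 characters each, no username or
# repeated-character passwords, and a 30-minute lock after 5 failures.
[Sysname-luser-manage-ops-admin] password-control aging 90
[Sysname-luser-manage-ops-admin] password-control length 12
[Sysname-luser-manage-ops-admin] password-control composition type-number 3 type-length 2
[Sysname-luser-manage-ops-admin] password-control complexity user-name check
[Sysname-luser-manage-ops-admin] password-control complexity same-character check
[Sysname-luser-manage-ops-admin] password-control login-attempt 5 exceed lock-time 30
[Sysname-luser-manage-ops-admin] group system
[Sysname-luser-manage-ops-admin] quit
#
# Separate file-transfer account (SFTP/SCP over SSH) confined to an
# assumed working directory instead of the NAS root directory.
[Sysname] local-user xfer class manage
[Sysname-luser-manage-xfer] password simple <STRONG-PASSWORD-PLACEHOLDER>
[Sysname-luser-manage-xfer] service-type ssh
[Sysname-luser-manage-xfer] authorization-attribute work-directory flash:/xfer
[Sysname-luser-manage-xfer] quit
```

With password control enabled globally, display current-configuration will not show either password, which is the expected behaviour described in the restrictions above. An access-limit setting was deliberately omitted here because it only takes effect once local accounting is configured for device management users.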