HP Intelligent Management Center v5.1 TACACS+ Authentication Manager Administrator Guide
36
TAM applies an authorized time range policy to a device user if the device user accesses and manages
the device at a time after the policy takes effect, before the policy expires, and within a time range
defined in the policy.
For example, if an authorized time range policy takes effect on 2012-1-1 and expires on 2013-12-31,
and the time range is 10:00 to 12:00 every morning, a device user who accesses the network from
10:00 to 12:00 every morning in 2012 will be controlled by the policy.
The following describes how the authorized time range works with the shell profile and the command set
to control device user behaviors:
• A device user's login time determines the shell profile to be applied to the device user. Each time a
device user logs in to the device, TAM determines the authorized time range of the user according
to the login time, and applies to the user the shell profile corresponding to the authorized time
range until the user logs off.
For example, if you configure two authorized time ranges, A (8:00 to 10:00 every morning) and
B (10:30 to 11:00 every morning), when a device user logs in to the device at 9:00 a.m., TAM
applies the shell profile configured for authorized time range A to the user.
TAM continues to use authorized time range A as long as the device stays online, even after
authorized time range A expires (10:40, for example). However, if the user logs off and then
re-logs in at 10:45, the shell profile configured for authorized time range B applies. For
information about shell profiles, see "Shell profile."
• A command's execution time determines the command set to be applied. Each time a device user
issues a command, TAM determines the authorized time range of the operation according to the
command execution time, and allows or denies the user according to the command set configured
for the authorized time range.
For example, if you configure two authorized time ranges, A (8:00 to 10:00 every morning) and
B (10:30 to 11:00 every morning), when a device user issues a command at 9:00, TAM
determines whether to carry out this command according to the command set configured in
authorized time range A.
If a user issues a command at 10:40, TAM determines whether to carry out this command
according to the command set configured in authorized time range B. For more information about
command sets, see "Command set."
Viewing the authorized time range policy list
To view the authorized time range policy list:
1. Click the Service tab.
2. Select TACACS+ AuthN Manager > Authorization Scenarios > Authorized Time Range Policies
from the navigation tree.
The Authorized Time Range Policy List displays all authorized time range policies.
Authorized time range policy list contents
Policy Name—Authorized time range policy name, which must be unique in TAM. Click the
name link of an authorized time range policy to enter the authorized time range policy details
page.
Effective Time/Expiration Time—Effective time range of the authorized time range policy.
Modify—Click the Modify icon for an authorized time range policy to modify the policy.
Delete—Click the Delete icon for an authorized time range policy to delete the policy.