HP MSR2000/3000/4000 Router Series Security Command Reference

see Fundamentals Command Reference for RBAC commands. This option is available only in local user
view, and is not available in user group view.
vlan vlan-id: Specifies the authorized VLAN. The vlan-id argument is in the range of 1 to 4094. After
passing authentication and being authorized a VLAN, a local user can access only the resources in this
VLAN.
work-directory directory-name: Specifies the work directory for FTP users. The directory-name argument
is a case-insensitive string of 1 to 512 characters. The directory must already exist. By default, an FTP user
can access the root directory of the device.
Usage guidelines
Every configurable authorization attribute has its definite application environments and purposes.
Consider the service types of users when assigning authorization attributes:
For LAN and portal users, only the authorization attributes acl, idle-cut, and vlan are effective.
For Telnet and terminal users, only the authorization attribute user-role is effective.
For SSH and FTP users, only the authorization attributes user-role and work-directory are effective.
For other types of local users, no authorization attribute is effective.
Authorization attributes configured for a user group are intended for all local users in the group. You can
group local users to improve configuration and management efficiency. An authorization attribute
configured in local user view takes precedence over the same attribute configured in user group view.
To make sure FTP users can access the directory after a switchover between the active MPU and the
standby MPU, do not specify slot information for the work directory. Only the MSR4000 router supports
switchover.
To leave a user with only the user role authorized by this command, use the undo
authorization-attribute user-role command to remove the predefined user roles.
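As an added example that is not part of the command reference, the following session applies the guidelines above together: group-wide attributes are set once on a user group, an FTP user in that group inherits them, the user's own work-directory setting takes precedence over the group's, the predefined user roles are removed so only the group-authorized role remains, and the directories are given without slot information so they remain valid after an MPU switchover. The names ftpops and alice, the class manage keyword, the flash:/ftp paths, the network-operator role, and the display local-user verification step are assumptions for illustration, not values taken from the page.

```text
# Added example (not from the command reference). Names, paths and the
# verification command are assumptions.
# Group attributes apply to every local user in the group. The directory
# has no slot prefix, so it stays valid after an active/standby MPU switchover.
<Sysname> system-view
[Sysname] user-group ftpops
[Sysname-ugroup-ftpops] authorization-attribute work-directory flash:/ftp
[Sysname-ugroup-ftpops] authorization-attribute user-role network-operator
[Sysname-ugroup-ftpops] quit
# Create an FTP user, remove its predefined user roles so that only the role
# authorized through the group remains, and place it in the group.
[Sysname] local-user alice class manage
[Sysname-luser-manage-alice] service-type ftp
[Sysname-luser-manage-alice] undo authorization-attribute user-role
[Sysname-luser-manage-alice] group ftpops
# The attribute set in local user view takes precedence over the same
# attribute in user group view: alice is confined to flash:/ftp/alice,
# while the user-role is still inherited from the group.
[Sysname-luser-manage-alice] authorization-attribute work-directory flash:/ftp/alice
[Sysname-luser-manage-alice] quit
# Verify the effective attributes for the user (assumed verification command).
[Sysname] display local-user user-name alice class manage
```

Only user-role and work-directory are effective for FTP and SSH users, so a vlan or acl attribute set on the group would be ignored for alice even though it is inherited.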
The security-audit user role has access to the commands for managing security log files and the security
log file system. To display all the accessible commands of the user role, use the display role name
security-audit command. For more information about security log management, see Network
Management and Monitoring. For more information about file system management, see Fundamentals
Configuration Guide.
When you configure the security-audit user role, follow these restrictions and guidelines:
If the device has local users authorized with the security-audit user role, you cannot delete the last
local user that has this user role.
The security-audit user role is mutually exclusive with other user roles. When you assign the
security-audit user role to a local user, the system asks for your confirmation to delete all the other
user roles of the user. When you assign other user roles to a local user who has the security-audit
user role, the system asks for your confirmation to delete the security-audit user role for the local
user.
Examples
# Configure the authorized VLAN of the network access user abc as VLAN 2.
<Sysname> system-view
[Sysname] local-user abc class network
[Sysname-luser-network-abc] authorization-attribute vlan 2
# Configure the authorized VLAN of user group abc as VLAN 3.
<Sysname> system-view
[Sysname] user-group abc