R0106-HP MSR Router Series Security Command Reference(V7)

Syntax
authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute |
user-role role-name | vlan vlan-id | work-directory directory-name } *
undo authorization-attribute { acl | callback-number | idle-cut | user-role role-name | vlan |
work-directory } *
Default
No authorization ACL, idle timeout period, or authorized VLAN is configured for the local users.
FTP, SFTP, and SCP users are authorized access to the root directory of the device, but they do not have
the access permission.
The local users created by a network-admin or level-15 user are assigned the network-operator user role.
Views
Local user view, user group view
Predefined user roles
network-admin
Parameters
acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to
5999. After passing authentication, a local user can access the network resources specified by this ACL.
callback-number callback-number: Specifies an authorized PPP callback number. The callback-number
argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the
device uses this number to call the user.
idle-cut minute: Sets an idle timeout period in minutes. The value range for the minute argument is 1 to
120. When the idle cut function is enabled, an online user whose idle period exceeds the specified idle
timeout period is logged out.
user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string
of 1 to 63 characters. Up to 64 user roles can be specified for a user. For user role-related commands,
see Fundamentals Command Reference for RBAC commands. This option is available only in local user
view, and is not available in user group view.
vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After
passing authentication and being assigned an authorized VLAN, a local user can access only the resources
in this VLAN.
work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The
directory-name argument is a case-insensitive string of 1 to 512 characters. The directory must already
exist. By default, an FTP, SFTP, or SCP user can access the root directory of the device.
Usage guidelines
Configure authorization attributes according to the application environments and purposes. Support for
authorization attributes depends on the service types of users.
For PPP users, only the authorization attributes acl, callback-number, and idle-cut are effective.
For LAN and portal users, only the authorization attributes acl, idle-cut, and vlan are effective.
For Telnet and terminal users, only the authorization attribute user-role is effective.
For SSH and FTP users, only the authorization attributes user-role and work-directory are effective.
For other types of local users, no authorization attribute is effective.
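The following Python check is an added example, not part of this command reference. It applies the value ranges from Parameters and the per-service rules from Usage guidelines to constructed authorization-attribute lines, so that an attribute that is set but never enforced (for example, an ACL on a Telnet user) is reported. The service labels (ppp, lan, portal, and so on) follow the wording of the guidelines and are assumed labels, not CLI keywords.

```python
# Which attributes take effect per service type (from the usage guidelines).
# Service labels are assumed, taken from the guidelines' wording, not CLI keywords.
EFFECTIVE = {
    "ppp": {"acl", "callback-number", "idle-cut"},
    "lan": {"acl", "idle-cut", "vlan"},
    "portal": {"acl", "idle-cut", "vlan"},
    "telnet": {"user-role"},
    "terminal": {"user-role"},
    "ssh": {"user-role", "work-directory"},
    "ftp": {"user-role", "work-directory"},
}
INT_RANGES = {"acl": (2000, 5999), "idle-cut": (1, 120), "vlan": (1, 4094)}
STR_MAXLEN = {"callback-number": 64, "user-role": 63, "work-directory": 512}
MAX_ROLES = 64

def parse(line):
    """Split 'authorization-attribute k v [k v ...]' into (keyword, value) pairs."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "authorization-attribute" or len(tokens) % 2 == 0:
        raise ValueError(f"malformed command: {line!r}")
    return list(zip(tokens[1::2], tokens[2::2]))

def audit(services, lines):
    """Return findings for one local user, given its service labels and commands."""
    attrs = [pair for line in lines for pair in parse(line)]
    # An attribute is flagged only if none of the user's services honours it.
    effective = set().union(*(EFFECTIVE.get(s, set()) for s in services))
    findings = []
    if sum(1 for key, _ in attrs if key == "user-role") > MAX_ROLES:
        findings.append(f"more than {MAX_ROLES} user roles")
    for key, value in attrs:
        if key in INT_RANGES:
            lo, hi = INT_RANGES[key]
            if not (value.isdecimal() and lo <= int(value) <= hi):
                findings.append(f"{key} {value}: outside {lo}-{hi}")
        elif key in STR_MAXLEN:
            if len(value) > STR_MAXLEN[key]:
                findings.append(f"{key}: longer than {STR_MAXLEN[key]} characters")
        else:
            findings.append(f"{key}: unknown attribute")
            continue
        if key not in effective:
            findings.append(f"{key}: not effective for {'/'.join(services)}")
    return findings

if __name__ == "__main__":
    for finding in audit(["telnet"], ["authorization-attribute acl 3000 idle-cut 500"]):
        print(finding)
```

A service label that is not in the table, such as any other local user type, yields a finding for every attribute, matching the last rule in the usage guidelines.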