HP VPN Firewall Appliances Access Control Configuration Guide

Authorization attributes indicate the rights that a user has after passing local authentication.
Authorization attributes include the ACL, PPP callback number, idle cut function, user level, user
role, VLAN, and FTP/SFTP work directory. For more information about authorization attributes,
see "Configuring local user attributes."
Every configurable authorization attribute has its definite application environments and purposes.
When you configure authorization attributes for a local user, consider which attributes are needed
and which are not. For example, for PPP users, you do not need to configure the work directory
attribute.
You can configure an authorization attribute in user group view or local user view to make the
attribute effective for all local users in the group or for only the local user. The setting of an
authorization attribute in local user view takes precedence over that in user group view.
Local user configuration task list
Task                                                           Remarks
Configuring local user attributes                              Required.
Configuring user group attributes                              Optional.
Displaying and maintaining local users and local user groups   Optional.
Configuring local user attributes
Follow these guidelines when you configure local user attributes:
When the password control feature is enabled globally by using the password-control enable
command, local user passwords are not displayed and the password hash cipher command does
not take effect.
If the user interface authentication mode set by the authentication-mode command in user interface
view is AAA (scheme), which commands a login user can use after login depends on the privilege
level authorized to the user. If the user interface authentication mode is password (password) or no
authentication (none), which commands a login user can use after login depends on the level
configured for the user interface by using the user privilege level command in user interface view.
For an SSH user using public key authentication, which commands are available depends on the
level configured for the user interface. For more information about user interface authentication
mode and user interface command level, see Fundamentals Configuration Guide.
You cannot delete a local user who is the only security log manager in the system, nor can you
change or delete the security log manager role of the user. To do so, you must specify a new security
log manager first.
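The following Python audit helper is an added example, not part of the HP guide. It applies two rules stated above to a configuration: local user view takes precedence over user group view, and the authentication mode decides whether the user's level or the user interface's level governs the available commands. The sample configuration is constructed; only authentication-mode and user privilege level are named on this page, and the section headers, the group line and the authorization-attribute level line are assumed syntax.

```python
# Constructed sample, not from the guide. Section headers, "group" and
# "authorization-attribute level" lines are assumed syntax for illustration.
SAMPLE = """\
user-group ops
 authorization-attribute level 1
local-user alice
 group ops
 authorization-attribute level 3
local-user bob
 group ops
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 0
user-interface aux 0
 authentication-mode none
 user privilege level 3
"""
ATTR = "authorization-attribute level "

def parse(text):
    """Return {(view, name): [commands]}; unindented lines open a section."""
    sections, current = {}, []
    for line in filter(str.strip, text.splitlines()):
        if line[0].isspace():
            current.append(line.strip())
        else:
            view, _, name = line.partition(" ")
            current = sections.setdefault((view, name), [])
    return sections

def value(cmds, prefix):  # argument of the first command starting with prefix
    return next((c[len(prefix):] for c in cmds if c.startswith(prefix)), None)

def user_level(sections, user):
    """Local user view takes precedence over the user's group view."""
    cmds = sections.get(("local-user", user), [])
    group = sections.get(("user-group", value(cmds, "group ")), [])
    for source, view in (("local user view", cmds), ("user group view", group)):
        if value(view, ATTR):
            return int(value(view, ATTR)), source
    return None, "not configured"

def effective_level(sections, ui, user, ssh_publickey=False):
    """Deciding level on `ui`: the user's under scheme, else the interface's."""
    cmds = sections[("user-interface", ui)]
    mode = value(cmds, "authentication-mode ")
    if mode == "scheme" and not ssh_publickey:
        return user_level(sections, user)
    lvl = value(cmds, "user privilege level ")
    return (int(lvl) if lvl else None), "user interface view"
```

In the sample, the aux interface uses no authentication with a user privilege level of 3, so every login there gets level 3 regardless of any per-user setting; that combination is the one to look for when reviewing a configuration.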
To configure local user attributes:
Step                                              Command                               Remarks
1. Enter system view.                             system-view                           N/A
2. Add a local user and enter local user view.    local-user user-name [ vd vd-name ]   By default, the local user named admin exists.