authorization-attribute (local user view/user group view)
Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.
Use undo authorization-attribute to restore the default of an authorization attribute.
Syntax
authorization-attribute { idle-cut minutes | user-role role-name | work-directory directory-name } *
undo authorization-attribute { idle-cut | user-role role-name | work-directory } *
Default
The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.
The local users created by a network-admin or level-15 user on the default MDC are assigned the network-operator user role. The local users created by an mdc-admin or level-15 user on a non-default MDC are assigned the mdc-operator user role.
Views
Local user view
User group view
Predefined user roles
network-admin
mdc-admin
Parameters
idle-cut minutes: Specifies an idle timeout period in minutes. The value range for the minutes argument is 1 to 120. An online user is logged out if its idle period exceeds the specified idle timeout period.
user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. A maximum of 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.
work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.
Usage guidelines
Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.
For SSH, Telnet, and terminal users, only authorization attributes idle-cut and user-role take effect.
For HTTP and HTTPS users, only authorization attribute user-role takes effect.
For FTP users, only authorization attributes user-role and work-directory take effect.
For other types of local users, no authorization attribute takes effect.
Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.
To make sure FTP, SFTP, and SCP users can access the directory after an active/standby switchover, do not specify chassis or slot information for the working directory.
To make sure the user have only the user roles authorized by using this command, use the undo authorization-attribute user-role command to remove the default user role.
The security-audit user role has access to the commands for managing security log files and security log file system. To display all the accessible commands of the security-audit user role, use the display role name security-audit command. For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see Fundamentals Configuration Guide.
You cannot delete a local user if the local user is the only user that has the security-audit user role.
The security-audit user role is mutually exclusive with other user roles.
When you assign the security-audit user role to a local user, the system requests confirmation for deleting all the other user roles of the user.
When you assign other user roles to a local user that has the security-audit user role, the system requests confirmation for deleting the security-audit user role for the local user.
Examples
# Configure the authorized VLAN of user group abc as VLAN 3.
<Sysname> system-view [Sysname] user-group abc [Sysname-ugroup-abc] authorization-attribute vlan 3
# Assign the security-audit user role to device management user xyz as the authorized user role.
<Sysname> system-view [Sysname] local-user xyz class manage [Sysname-luser-manage-xyz] authorization-attribute user-role security-audit This operation will delete all other roles of the user. Are you sure? [Y/N]:y
Related commands
display local-user
display user-group