authorization-attribute (local user view/user group view)

Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.

Use undo authorization-attribute to restore the default of an authorization attribute.


authorization-attribute { idle-cut minutes | user-role role-name | work-directory directory-name } *

undo authorization-attribute { idle-cut | user-role role-name | work-directory } *


The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.

The local users created by a network-admin or level-15 user on the default MDC are assigned the network-operator user role. The local users created by an mdc-admin or level-15 user on a non-default MDC are assigned the mdc-operator user role.


Local user view

User group view

Predefined user roles




idle-cut minutes: Specifies an idle timeout period in minutes. The value range for the minutes argument is 1 to 120. An online user is logged out if its idle period exceeds the specified idle timeout period.

user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. A maximum of 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.

work-directory directory-name: Specifies the working directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.

Usage guidelines

Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.

For SSH, Telnet, and terminal users, only authorization attributes idle-cut and user-role take effect.

For HTTP and HTTPS users, only authorization attribute user-role takes effect.

For FTP users, only authorization attributes user-role and work-directory take effect.

For other types of local users, no authorization attribute takes effect.

Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.

To make sure FTP, SFTP, and SCP users can access the directory after an active/standby switchover, do not specify chassis or slot information for the working directory.

To make sure the user have only the user roles authorized by using this command, use the undo authorization-attribute user-role command to remove the default user role.

The security-audit user role has access to the commands for managing security log files and security log file system. To display all the accessible commands of the security-audit user role, use the display role name security-audit command. For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see Fundamentals Configuration Guide.

You cannot delete a local user if the local user is the only user that has the security-audit user role.

The security-audit user role is mutually exclusive with other user roles.


# Configure the authorized VLAN of user group abc as VLAN 3.

<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc] authorization-attribute vlan 3

# Assign the security-audit user role to device management user xyz as the authorized user role.

<Sysname> system-view
[Sysname] local-user xyz class manage
[Sysname-luser-manage-xyz] authorization-attribute user-role security-audit
This operation will delete all other roles of the user. Are you sure? [Y/N]:y

Related commands

display local-user

display user-group