Table of Contents
Advertisement
Default level
3: Manage level
Parameters
acl acl-number: Specifies the authorization ACL. The ACL number must be in the range 2000 to 5999.
After passing authentication, a local user is authorized to access the network resources specified by this
ACL.
callback-number callback-number: Specifies the authorization PPP callback number. callback-number is
a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this
number to call the user.
idle-cut minute: Sets the idle timeout period. With the idle cut function enabled, an online user whose idle
period exceeds the specified idle timeout period will be logged out. minute indicates the idle timeout
period, in the range 1 to 120 minutes.
level level: Specifies the user level, which can be 0 for visit level, 1 for monitor level, 2 for system level,
and 3 for manage level. A smaller number means a lower level. If the user interfaces' authentication
mode is scheme, which commands users can use after login in depends on this argument. By default, the
user level is 0, and users can use only commands of level 0 after login.
user-profile profile-name: Specifies the authorization user profile. profile-name is a case-sensitive string
of 1 to 32 characters. It can consist of English letters, digits, and underlines and must start with an English
letter. After a user passes authentication and gets online, the device uses the settings in the user profile
to restrict the access behavior of the user. For more information about user profiles, see Security
Configuration Guide. Support for the user-profile keyword depends on the device model.
vlan vlan-id: Specifies the authorized VLAN. vlan-id is in the range 1 to 4094. After passing
authentication, a local user can access the resources in this VLAN.
work-directory directory-name: Specifies the work directory, if the user or users use the FTP or SFTP
service. directory-name is a case-insensitive string of 1 to 135 characters. The directory must already exist.
By default, an FTP or SFTP user can access the root directory of the device.
Description
Use the authorization-attribute command to configure authorization attributes for the local user or user
group. After the local user or a local user of the user group passes authentication, the device will assign
these attributes to the user.
Use the undo authorization-attribute command to remove authorization attributes and restore the
defaults.
By default, no authorization attribute is configured for a local user or user group.
Every configurable authorization attribute has its definite application environments and purposes.
Consider the service types of users when assigning authorization attributes.
Authorization attributes configured for a user group are effective for all local users in the group. You can
group local users to improve configuration and management efficiency.
An authorization attribute configured in local user view takes precedence over the same attribute
configured in user group view. If an authorization attribute is configured in user group view but not in
local user view, the setting in user group view takes effect.
If only one user is playing the role of security log administrator in the system, you cannot delete the user
account, or remove or change the user's role, unless you configure another user as a security log
administrator first.
81
Advertisement
Table of Contents
