HP 6125XLG R2306-HP 6125XLG Blade Switch Security Command Reference - Page 29

Views Local user view, user group view Predefined user roles network-admin Parameters acl acl-number: Specifies the authorization ACL. The ACL number must be in the range of 2000 to 5999. After passing authentication, a local user can access the network resources specified by this ACL. idle-cut minute: Sets the idle timeout period. With the idle cut function enabled, an online user whose idle period exceeds the specified idle timeout period is logged out. The minute argument must be in the range of 1 to 120 minutes. user-role role-name: Specifies the authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. The default user role for a local user created by a network-admin user is network-operator. Up to 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view. vlan vlan-id: Specifies the authorized VLAN. The vlan-id argument is in the range of 1 to 4094. After a passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN. work-directory directory-name: Specifies the work directory for FTP, SFTP, or SCP users. The directory-name argument is a case-insensitive string of 1 to 512 characters. The directory must already exist. By default, an FTP, SFTP, or SCP user can access the root directory of the device. Usage guidelines Every configurable authorization attribute has its definite application environments and purposes. Consider the service types of users when assigning authorization attributes: • For LAN users, only the authorization attributes acl, idle-cut, and vlan are effective. • For HTTP, HTTPS, Telnet, and terminal users, only the authorization attribute user-role is effective. • For SSH and FTP users, only the authorization attributes user-role and work-directory are effective. • For other types of local users, no authorization attribute is effective. Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view. To make the user have only the user role authorized by this command, use the undo authorization-attribute user-role command to remove the predefined user roles. The security-audit user role has access to the commands for managing security log files and security log file system. To display all the accessible commands of the user role, use the display role name security-audit command. For more information about security log management, see Network Management and Monitoring. For more information about file system management, see Fundamentals Configuration Guide. When you configure the security-audit user role, follow these restrictions and guidelines: • If the device has local users who are assigned the security-audit user role, you cannot delete the last local user who has this user role. • The user role security-audit is mutually exclusive with other user roles. When you assign the security-audit user role to a local user, the system asks for your confirmation to delete all the other 20