6 authorization command, Shell profile, Viewing the shell profile list – H3C Technologies H3C Intelligent Management Center User Manual

6 Authorization command
An authorization policy consists of the authorization conditions and the authorization command. Users
can log in to manage devices in different conditions.
The authorization command defines the rights that can be authorized for a user. The authorization
conditions and the authorization command work together to authorize a user when the user logs in to
manage devices in different conditions.
The authorization command consists of shell profiles and command sets. A shell profile controls the ACL,
automatically executed command, authorization level, custom attributes, idle time, and session lifetime
for device user login. A command set defines the commands that a device user can execute after login.
Shell profile
To implement shell profile control on login users, configure a shell profile on the TAM server and enable
authorization on the device.
Before a device user logs in to the device, the user is authenticated. After the user passes the
authentication, if login authorization is enabled on the device, the TAM server controls the ACL,
automatically executed command, authorization level, custom attributes, idle time, and session lifetime
for the user by shell profile.
An ACL controls whether a user can log in to the device. ACL rules must be configured on the device.
TAM deploys only the ACL number or name. If the request sent by a user to log in to the device matches
the permit rule of the ACL, the user can log in to the device. If it matches the deny rule of the ACL, the user
cannot log in to the device.
When a shell profile works with an authorized time range to control device users, the user's login time, not the current time, decides which shell profile applies.
When a device user logs in to the device, the TAM server determines the authorized time range
according to the login time of the user, and then uses the shell profile that corresponds to this authorized
time range to control the user.
The shell profile always applies until the user logs out. Assume that you have configured two authorized
time ranges A (08:00 to 10:00) and B (10:30 to 11:00). When a user logs in to the device at 09:00, the
shell profile that corresponds to authorized time range A applies as long as the user stays online. If the
user logs off at 10:45 and logs on again, the shell profile that corresponds to authorized time range B
applies.
For more information about authorized time range configuration, see "
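The selection rule described above can be modeled to find online sessions that are still governed by a profile whose authorized time range has already ended. This is an added example, not code from the H3C manual or from TAM. The profile names, user names, the exclusive range end, and the handling of a login that matches no range are assumptions.

```python
from datetime import datetime, time

# Constructed policy: authorized time ranges A and B from the text above,
# each mapped to a hypothetical shell profile name.
TIME_RANGES = [
    ("A", time(8, 0), time(10, 0), "profile-A"),
    ("B", time(10, 30), time(11, 0), "profile-B"),
]

def profile_at_login(login):
    """Return (range_name, range_end, profile) for the range containing login.

    Returns None when no range matches. How TAM treats that case is not
    covered on this page, so the caller has to decide.
    """
    for name, start, end, profile in TIME_RANGES:
        if start <= login.time() < end:  # range end treated as exclusive (assumption)
            return name, end, profile
    return None

def stale_sessions(sessions, now):
    """List (user, profile, minutes_overrun) for sessions past their range end.

    sessions: iterable of (user, login_datetime) for users who are still online.
    The profile is fixed at login, so it is looked up from the login time only.
    """
    findings = []
    for user, login in sessions:
        match = profile_at_login(login)
        if match is None:
            continue
        _, end, profile = match
        range_end = datetime.combine(login.date(), end)
        if now >= range_end:
            overrun = int((now - range_end).total_seconds() // 60)
            findings.append((user, profile, overrun))
    return findings

# Constructed sample data: the 09:00 login from the text, still online at 10:45,
# plus a second user who logged in at 10:40.
DAY = datetime(2024, 1, 15)
ONLINE = [("alice", DAY.replace(hour=9)), ("bob", DAY.replace(hour=10, minute=40))]
NOW = DAY.replace(hour=10, minute=45)

if __name__ == "__main__":
    for user, profile, minutes in stale_sessions(ONLINE, NOW):
        print(f"{user}: still under {profile}, {minutes} min past range end")
```

Because the profile stays in force for the whole session, the idle time and session lifetime settings in the shell profile are what bound how long a session can outlive its time range.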
Viewing the shell profile list
To view the shell profile list:
1. Click the User tab.
2. On the navigation tree, select Device User Policy > Authorization Command > Shell Profiles.
The Shell Profile list displays all shell profiles. It includes the following columns:
• Shell Profile Name—Name of the shell profile. Click the name to view its details.