Tam user types, Condition-based authorization, Login authorization and command authorization – H3C Technologies H3C Intelligent Management Center User Manual
A device user is a network maintainer that uses an account name and password to log in to manage a
device. An authorization policy is a set of rules that control device user privileges.
An authorization policy defines multiple access conditions, which correspond to different authorization
rules. When a device user logs in to manage a device, TAM authorizes the device user according to the
authorization rule defined in the access condition that the device user matches.
An authorization policy can be applied to a device user or a device user group. A device user uses the
authorization policy specified for it, if one is specified. Otherwise, it uses the authorization policy of the
user group to which it belongs.
TAM user types
TAM contains the following user types:
• Common device users—A common device user uses an account name and password for
authentication. TAM saves and maintains the user information.
• LDAP users—An LDAP user is a TAM device user bound with an LDAP policy. When TAM receives
an authentication request for the user, the account name and password are sent to the LDAP server for
authentication.
Condition-based authorization
TAM supports access condition-based authorization. An authorization policy defines multiple access
conditions. When a device user logs in to manage a device, if the device user matches a condition, TAM
authorizes the device user according to the rule defined in the matching condition.
Login authorization and command authorization
TAM assigns an authorization policy to perform login authorization and command authorization for a
device user.
• Login authorization—TAM uses shell profiles to control the login behaviors of device users. A shell
profile specifies the following authorization items: ACL, autorun command, privilege level,
user-defined attributes, idle time, and session lifetime.
• Command authorization—TAM uses command sets to control the commands that a user can
execute. When a user executes a command, TAM determines whether to allow the user to execute
the command according to the command set that the user matches.
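The following is an added illustration of how the pieces described above fit together (policy precedence between a device user and its group, access-condition matching, and the shell profile and command set that a matched rule carries). It is a constructed model written for this page, not TAM's own code, data structures or API; the condition attributes (device group, hour range) and the sample users, devices and commands are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional
# Illustrative model of this section's concepts (constructed; not TAM's own
# data structures or API). A policy is an ordered list of (condition, rule) pairs.
@dataclass
class ShellProfile:
    privilege_level: int
    idle_time: int           # minutes before an idle session is dropped
    session_lifetime: int    # maximum session length in minutes
    acl: Optional[str] = None
    autorun_command: Optional[str] = None

@dataclass
class Rule:
    shell_profile: ShellProfile
    command_set: frozenset = frozenset()  # commands the user may execute

@dataclass
class AccessCondition:        # condition attributes are assumed for the example
    device_group: str
    hours: tuple = (0, 24)    # login allowed in [start, end) hour of day

@dataclass
class DeviceUser:
    name: str
    group_policy: list             # (condition, rule) pairs of the user group
    policy: Optional[list] = None  # user-level pairs, preferred when present

def effective_policy(user):
    # A device user uses its own policy if one is specified, else its group's.
    return user.policy if user.policy is not None else user.group_policy

def match_rule(user, device_group, hour):
    # Login authorization: rule of the first access condition the login matches.
    for cond, rule in effective_policy(user):
        if cond.device_group == device_group and cond.hours[0] <= hour < cond.hours[1]:
            return rule
    return None  # no condition matched: no rule authorizes this login

def authorize_command(rule, command):
    # Command authorization: allow only commands in the matched command set.
    return command in rule.command_set
# Constructed sample data: the group grants read-only access to "core" devices
# in office hours; ops1 has its own policy that overrides it with admin rights.
READ_ONLY = Rule(ShellProfile(1, 10, 60), frozenset({"display version"}))
ADMIN = Rule(ShellProfile(15, 5, 30, acl="2000"), frozenset({"display version", "save"}))
GROUP_POLICY = [(AccessCondition("core", (8, 18)), READ_ONLY)]
ops1 = DeviceUser("ops1", GROUP_POLICY, policy=[(AccessCondition("core", (8, 18)), ADMIN)])
noc1 = DeviceUser("noc1", GROUP_POLICY)  # no user policy: falls back to the group's
```

Note that a login outside every access condition returns no rule at all, so the caller must treat that as a denied login rather than applying a default shell profile.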
Online user management
Use this function to view basic information about users that have logged in to a device, and to trace the
online behaviors of the users.
Log management
Logs include authentication logs, authorization logs, and audit logs. These logs record the device login,
usage, and logoff behaviors of device users. Operators can query the logs to audit device users.