The new-user add-temporary group command configures the authentication option of new users as Use It as a Temporary One and Do Not Add It to the Local User List. New users are then only temporary users after being authenticated and are not added to the local user list. However, they have the rights of the specified local user group.
The new-user deny-authentication command configures the authentication option of new users as Prohibit New User Login. That is, new users are not allowed to authenticate.
The new-user parent-security-group command grants new users the right of a parent security group temporarily.
The undo new-user command restores the authentication option for new users to the default value.
The undo new-user parent-security-group command deletes the parent security group of a new user.
new-user { add-temporary group group-name [ auto-import policy-name ] | deny-authentication }
undo new-user
new-user parent-security-group parent-security-group-name
undo new-user parent-security-group { parent-security-group-name | all }
| Parameter | Description | Value |
|---|---|---|
| group-name | Specifies the local user group name. | The group-name value must be the name (with the group path) of an existing user group. |
| auto-import policy-name | With add-temporary, newly authenticated users will preferentially use the rights of the user groups and security groups on the server. The configured import policy is used to obtain the organizational structure from the server. If the organizational structure exists on the server, the permissions of user groups on the server apply. Otherwise, the permissions of local user groups or security groups apply. NOTE: This parameter takes effect only on AD/LDAP/Agile Controller servers. Only the default authentication domain supports Agile Controller server import policies, which need to be used by new Agile Controller SSO users. | The policy-name value must be the name of an existing import policy. |
| deny-authentication | Prohibits new users from being authenticated. NOTE: When deny-authentication is configured: | - |
| parent-security-group-name | Specifies the local security group name. | The value must be the name of an existing security group in the current authentication domain. When a security group in a non-default authentication domain is specified, the group name must carry @authentication-domain-name. For example, secgroup1@test indicates secgroup1 in the test authentication domain. |
| all | Deletes all the parent security groups of new users. | - |
No default authentication option is configured for new users. The FW processes new users as follows:
If an authentication option is configured, the authentication option takes effect on both Internet access and remote access online user lists.
new-user parent-security-group must be used with new-user add-temporary group group-name [ auto-import policy-name ]. If add-temporary group has been configured to take users as temporary users, configuring new-user parent-security-group allows the users to use the permissions of a local security group but does not add them to a local security group.
# Configure the authentication option of new users for authentication domain domain1. New users are only temporary users after being authenticated and have the rights of the user group /domain1/engineer.
```
<sysname> system-view
[sysname] aaa
[sysname-aaa] domain domain1
[sysname-aaa-domain-domain1] new-user add-temporary group /domain1/engineer
```
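The following audit script is an added example, not part of the vendor documentation. It checks the AAA section of a saved configuration against two rules stated above: new-user parent-security-group must be used with new-user add-temporary group, and group-name must carry the group path. The saved-configuration layout, the sample text, the function names and the leading "/" test for a group path are assumptions made for illustration.

```python
import re

# Constructed sample: AAA section of a saved configuration (layout assumed).
SAMPLE_CONFIG = """\
aaa
 domain domain1
  new-user add-temporary group /domain1/engineer
  new-user parent-security-group secgroup1
 domain test
  new-user parent-security-group secgroup1@test
 domain guest
  new-user deny-authentication
 domain lab
  new-user add-temporary group engineer auto-import policy1
 domain empty
"""

def parse_domains(text):
    """Return {domain: {"mode", "group", "policy", "parents"}} from the config text."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"domain (\S+)", line)
        if m:
            current = domains.setdefault(m.group(1), {"mode": None, "group": None, "policy": None, "parents": []})
            continue
        if current is None or not line.startswith("new-user "):
            continue
        m = re.fullmatch(r"new-user add-temporary group (\S+)(?: auto-import (\S+))?", line)
        if m:
            current.update(mode="add-temporary", group=m.group(1), policy=m.group(2))
        elif line == "new-user deny-authentication":
            current.update(mode="deny-authentication", group=None, policy=None)
        elif line.startswith("new-user parent-security-group "):
            current["parents"].append(line.split()[-1])
    return domains

def audit(text):
    """Return a sorted list of (domain, finding); an unset option is reported for review."""
    findings = []
    for name, d in parse_domains(text).items():
        if d["mode"] is None:
            findings.append((name, "no new-user authentication option configured"))
        if d["parents"] and d["mode"] != "add-temporary":
            findings.append((name, "parent-security-group without add-temporary group"))
        if d["group"] and not d["group"].startswith("/"):
            findings.append((name, "group name lacks group path"))
    return sorted(findings)
```

Calling `audit(SAMPLE_CONFIG)` flags the `test`, `lab` and `empty` domains; `domain1` and `guest` pass.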