HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
HP-UX RBAC addresses these issues by grouping users with common authorization needs into
roles. Roles serve as a grouping mechanism to simplify authorization assignment and auditing.
Rather than assigning an authorization directly to a user, you assign authorizations to roles. As
you add users to the system, you assign them a set of roles, which determine the actions they
can perform and the resources they can access.
Compare Table 3-2 “Example of Authorizations Per Role”, which lists authorizations assigned
to roles, to Table 3-1 “Example of Authorizations Per User”, which lists the authorizations assigned
to each user. By comparing these two tables, you can see how roles simplify authorization
assignment.
Table 3-2 Example of Authorizations Per Role

Roles: Admin, BackupOper, NetworkAdmin, UserAdmin

Operation component of authorization     Roles holding it (one • per role)
hpux.user.add                            ••
hpux.user.delete                         ••
hpux.user.modify                         ••
hpux.user.password.modify                •
hpux.network.nfs.start                   ••
hpux.network.nfs.stop                    ••
hpux.network.nfs.config                  ••
hpux.fs.backup                           ••
hpux.fs.restore                          ••
NOTE: Table 3-2 “Example of Authorizations Per Role” shows only the operation element of
the authorizations—not the object element of the authorization.
NOTE: HP-UX RBAC B.11.23.02 and higher versions also allow UNIX groups to be assigned
to roles. Refer to “Assigning Roles to Groups” for more information.
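The user → role → authorization indirection described above, together with the privrun-style gate built on it (see "HP-UX RBAC Components" below), as an added example that is not code from the HP-UX guide or from HP. The sample data is constructed from the roles and operations in Table 3-2; the line formats, the hpux.* wildcard semantics, the Admin role holding hpux.*, the object values such as /data and the command paths are assumptions made for illustration, not the real syntax of the /etc/rbac files.

```python
"""Toy model of HP-UX RBAC authorization decisions (added example, not HP code).
Data is CONSTRUCTED from Table 3-2; line formats are ASSUMED simplifications of
/etc/rbac/user_role, role_auth and cmd_priv, not a parser for the real files."""
import re
from collections import defaultdict

# user:role, one line per user/role pair (assumed format, constructed data)
USER_ROLE = """
root:Admin
alice:UserAdmin
bob:BackupOper
bob:NetworkAdmin
carol:NetworkAdmin
"""

# role:(operation, object). Admin holding hpux.* is an assumption; Table 3-2
# shows only the operation element, so the object values are invented.
ROLE_AUTH = """
Admin:(hpux.*, *)
UserAdmin:(hpux.user.add, *)
UserAdmin:(hpux.user.delete, *)
UserAdmin:(hpux.user.modify, *)
UserAdmin:(hpux.user.password.modify, *)
NetworkAdmin:(hpux.network.nfs.start, *)
NetworkAdmin:(hpux.network.nfs.stop, *)
NetworkAdmin:(hpux.network.nfs.config, *)
BackupOper:(hpux.fs.backup, /data)
BackupOper:(hpux.fs.restore, /data)
"""

# command:(operation, object) the command requires (assumed, reduced form)
CMD_PRIV = """
/usr/sbin/useradd:(hpux.user.add, *)
/usr/sbin/fbackup:(hpux.fs.backup, /data)
/usr/sbin/frecover:(hpux.fs.restore, /data)
"""

PAIR_RE = re.compile(r"^([^:]+):\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)$")

def parse_pairs(text):
    """Parse 'key:(operation, object)' lines into key -> [(op, obj), ...]."""
    table = defaultdict(list)
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = PAIR_RE.match(line)
        if m is None:
            raise ValueError(f"malformed authorization line: {line!r}")
        table[m.group(1)].append((m.group(2), m.group(3)))
    return table

def parse_user_roles(text):
    """Parse 'user:role' lines into user -> {role, ...}."""
    table = defaultdict(set)
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            user, role = (part.strip() for part in line.split(":", 1))
            table[user].add(role)
    return table

USER_ROLES = parse_user_roles(USER_ROLE)
ROLE_AUTHS = parse_pairs(ROLE_AUTH)
CMD_PRIVS = parse_pairs(CMD_PRIV)

def op_matches(pattern, op):
    """Dotted-name match; a trailing '*' covers any remaining components
    (hpux.user.* matches hpux.user.password.modify), otherwise names must be
    equal. These wildcard semantics are an assumption of this model."""
    pat, name = pattern.split("."), op.split(".")
    if pat[-1] == "*":
        return name[: len(pat) - 1] == pat[:-1]
    return pat == name

def obj_matches(pattern, obj):
    """Object element: '*' matches anything, otherwise exact match."""
    return pattern == "*" or pattern == obj

def authorizing_roles(user, op, obj):
    """Roles of `user` that grant (op, obj); an empty list means denied."""
    return sorted(role for role in USER_ROLES.get(user, ())
                  for pat_op, pat_obj in ROLE_AUTHS.get(role, ())
                  if op_matches(pat_op, op) and obj_matches(pat_obj, obj))

def is_authorized(user, op, obj):
    return bool(authorizing_roles(user, op, obj))

def privrun_decision(user, command):
    """Mimic privrun's gate: look up what the command requires, then check the
    caller's roles. A command absent from the table is always denied."""
    required = CMD_PRIVS.get(command)
    if not required:
        return False, f"{command} is not registered; refused"
    op, obj = required[0]
    roles = authorizing_roles(user, op, obj)
    if roles:
        return True, f"{user} may run {command} via role {roles[0]}"
    return False, f"{user} lacks ({op}, {obj}) needed for {command}"

def who_can(op, obj):
    """Audit view that the role indirection makes cheap: every user holding
    an authorizing role for (op, obj)."""
    return sorted(u for u in USER_ROLES if is_authorized(u, op, obj))

if __name__ == "__main__":
    for user, cmd in [("alice", "/usr/sbin/useradd"), ("bob", "/usr/sbin/fbackup"),
                      ("carol", "/usr/sbin/fbackup"), ("alice", "/usr/bin/vi")]:
        print(privrun_decision(user, cmd))
    print("object element matters:", is_authorized("bob", "hpux.fs.backup", "/etc"))
    print("who can add users:", who_can("hpux.user.add", "*"))
```

Two points worth noticing when running it: bob's BackupOper authorization is scoped to the /data object, so a backup of /etc is denied even though the operation matches, which is why the note about the object element above matters; and answering "who can add users?" is one pass over the user-to-role table, where the per-user scheme of Table 3-1 would require inspecting every user's individual grants.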
HP-UX RBAC Components
The following is a list of the primary HP-UX RBAC components:

privilege shells
    Privilege shells (privsh, privksh, and privcsh) allow a non-root user to
    invoke privrun automatically when needed, simply by configuring a privilege
    shell as their default shell.

RBAC System Management Homepage
    Integration with HP System Management Homepage (SMH), allowing the
    management of local RBAC roles, authorizations, and commands through the
    Web interface of SMH Version 2.2 and higher.

privrun wrapper command
    Based on the authorizations associated with a user, privrun invokes
    existing legacy applications with privileges after performing
    authorization checks and optionally re-authenticating the user, without
    modifying the application.

privedit command
    Based on the authorizations associated with a user, privedit allows users
    to edit files they usually would not be able to edit because of file
    permissions or Access Control Lists (ACLs).