HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2

Access Control Policy Switch (ACPS)    Determines whether a subject is authorized to perform an operation on an object.
Access Control Policy Module           Evaluates the HP-UX RBAC database files and applies mapping policies to service access control requests.
Management commands                    Edit and validate the HP-UX RBAC database files.
HP-UX RBAC Access Control Policy Switch
The HP-UX RBAC Access Control Policy Switch is a customizable interface between applications
that must make access control decisions and the access control policy modules that return
decisions after interpreting the policy information in the RBAC databases. As Figure 3-1
“HP-UX RBAC Architecture” shows, the ACPS sits between the access control policy modules and
the applications that request access control decisions, providing a layer of abstraction
between the two.
The ACPS has the following interfaces, described in detail in each of their respective manpages:
ACPS Application Programming Interface (API)
ACPS Service Provider Interface (SPI)
/etc/acps.conf
The administrative interface for the ACPS is the /etc/acps.conf configuration file. The
/etc/acps.conf configuration file determines which policy modules the ACPS consults, the
sequence in which the modules are consulted, and the rules for combining the modules' responses
into the single result delivered to the application that requested the decision. Because the
applications see only the ACPS, this design lets you add a module that enforces a custom policy
without modifying the existing role-based access control applications.
NOTE: Refer to the following manpages for more information on the ACPS and its interfaces:
acps(3)
acps.conf(4)
acps_api(3)
acps_spi(3)
HP-UX RBAC Configuration Files
Table 3-3 “HP-UX RBAC Configuration Files” lists and briefly describes the HP-UX RBAC files.
Table 3-3 HP-UX RBAC Configuration Files
Configuration File      Description
/etc/rbac/auths         Database file containing all valid authorizations.
/etc/rbac/cmd_priv      privrun database file containing command and file authorizations and privileges.
/etc/rbac/role_auth     Database file defining the authorizations for each role.
/etc/rbac/roles         Database file defining all configured roles.
/etc/rbac/user_role     Database file defining the roles for each user.
/etc/acps.conf          Configuration file for the ACPS.
/etc/rbac/aud_filter    Audit filter file identifying specific HP-UX RBAC roles, operations, and objects to audit.
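The following model ties the two preceding descriptions together: how the ACPS consults policy modules in configured order and combines their answers, and how the RBAC policy module resolves a request through the user_role, role_auth and auths databases listed in Table 3-3. It is an added illustration written for this page, not HP-UX code. The colon-separated line formats, the "(operation, object)" pairs with "*" wildcards, the combining-rule names "all" and "any", and the deny_user_delete module are all assumptions made for the example; the real file layouts and acps.conf syntax are in the rbac and acps.conf(4) manpages.

```python
"""Illustrative model of an HP-UX RBAC access decision (added example, not
HP-UX code).  An application asks the ACPS; the ACPS consults policy modules
in configured order and combines their answers; the RBAC module resolves
user -> role -> authorization through the database files.
Assumed, not taken from the page: the simplified line formats below, the
combining-rule names 'all'/'any', and the hypothetical deny_user_delete module.
"""
import re

# Constructed sample databases (simplified stand-ins for the /etc/rbac files).
USER_ROLE = """\
# user:role   (one line per user/role pair)
root:Administrator
asha:UserOperator
bob:Auditor
"""

ROLE_AUTH = """\
# role:(operation, object)
Administrator:(hpux.*, *)
UserOperator:(hpux.user.add, *)
UserOperator:(hpux.user.modify, *)
Auditor:(hpux.security.audit.view, *)
Auditor:(hpux.user.delete, *)
"""  # the last entry is deliberately absent from AUTHS

AUTHS = """\
# (operation, object):comment   -- the set of all valid authorizations
(hpux.*, *):All HP-UX operations
(hpux.user.add, *):Add a user
(hpux.user.modify, *):Modify a user
(hpux.security.audit.view, *):View audit records
"""

PAIR_RE = re.compile(r"^\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)$")


def lines(db):
    """Yield non-blank, non-comment lines of a database."""
    for raw in db.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_pair(text):
    """'(hpux.user.add, *)' -> ('hpux.user.add', '*'); None if malformed."""
    m = PAIR_RE.match(text.strip())
    return (m.group(1), m.group(2)) if m else None


def load_databases(user_role=USER_ROLE, role_auth=ROLE_AUTH, auths=AUTHS):
    """Return (user -> roles, role -> pairs, set of valid pairs)."""
    users, roles, valid = {}, {}, set()
    for line in lines(user_role):
        user, role = line.split(":", 1)
        users.setdefault(user, set()).add(role)
    for line in lines(role_auth):
        role, pair = line.split(":", 1)
        parsed = parse_pair(pair)
        if parsed:
            roles.setdefault(role, set()).add(parsed)
    for line in lines(auths):
        parsed = parse_pair(line.split("):", 1)[0] + ")")
        if parsed:
            valid.add(parsed)
    return users, roles, valid


def op_matches(pattern, operation):
    """Operations are dot-separated; 'hpux.*' covers the whole hpux subtree."""
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return operation.startswith(pattern[:-1])   # keep the trailing '.'
    return pattern == operation


def rbac_module(subject, operation, obj, dbs):
    """Policy module: allow if one of the subject's roles carries a valid
    authorization matching (operation, object).  Unknown subjects, unknown
    roles and role_auth entries not present in auths all fail closed."""
    users, roles, valid = dbs
    for role in users.get(subject, ()):
        for op_pat, obj_pat in roles.get(role, ()):
            if (op_pat, obj_pat) not in valid:
                continue                      # model: ignore undefined authorizations
            if op_matches(op_pat, operation) and obj_pat in ("*", obj):
                return "allow"
    return "deny"


def deny_user_delete(subject, operation, obj, dbs):
    """Hypothetical custom module: veto user deletion for everyone."""
    return "deny" if operation == "hpux.user.delete" else "allow"


def acps_decide(modules, rule, subject, operation, obj, dbs):
    """Consult modules in configured order and combine their answers.
    'all': every module must allow; 'any': one allowing module suffices;
    an unrecognised rule is treated as a misconfiguration and denies."""
    answers = [m(subject, operation, obj, dbs) for m in modules]
    if rule == "all":
        ok = all(a == "allow" for a in answers)
    elif rule == "any":
        ok = any(a == "allow" for a in answers)
    else:
        ok = False
    return "allow" if ok else "deny"


def check(subject, operation, obj="*", rule="all",
          modules=(rbac_module, deny_user_delete)):
    """Entry point an application would call instead of reading the databases."""
    return acps_decide(modules, rule, subject, operation, obj, load_databases())


if __name__ == "__main__":
    for who, op in [("root", "hpux.user.add"), ("root", "hpux.user.delete"),
                    ("asha", "hpux.user.add"), ("asha", "hpux.user.delete"),
                    ("bob", "hpux.user.delete"), ("nobody", "hpux.user.add")]:
        print(f"{who:7} {op:25} rbac={rbac_module(who, op, '*', load_databases()):5}"
              f" acps(all)={check(who, op)}")
```

Two points the model makes visible: root is allowed hpux.user.delete by the RBAC module alone (the hpux.* wildcard in role_auth), but the combined decision under rule "all" is deny because the custom module vetoes it, and the application never had to change to get that policy; and bob's Auditor role lists hpux.user.delete in role_auth, but because that pair is not defined in auths the module ignores it, so the request fails closed.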
HP-UX RBAC Commands
Table 3-4 “HP-UX RBAC Commands” lists and briefly describes the HP-UX RBAC commands.
30 HP-UX Role-Based Access Control