HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
Figure 3-1 HP-UX RBAC Architecture
[Diagram not reproduced. It shows the privilege wrapper commands privrun and privedit calling the Access Control Policy Switch (ACPS) through the ACPS API; the switch reaches access control policy modules (ACPMs) through the ACPS SPI, with Local RBAC as the ACPM and "Other Policy ACPM" marked in the key as a future component. The local RBAC module draws on the user role database, the role authorization database, the command/authorization/privilege database, and the lists of valid system roles and valid system authorizations, administered with /usr/sbin/roleadm, /usr/sbin/authadm and /usr/sbin/cmdprivadm and checked with /usr/sbin/rbacdbck. User information comes from existing components (/etc/passwd, PAM, the Name Service Switch and PAM service modules). Access-control-aware applications can also call the ACPS directly.]
HP-UX RBAC Example Usage and Operation
Figure 3-2 “Example Operation After Invoking privrun” and the subsequent footnotes illustrate
a sample invocation of privrun and the configuration files that privrun uses to determine
whether a user is allowed to invoke a command.
Figure 3-2 Example Operation After Invoking privrun
[Diagram not reproduced. It shows the privrun process, started from the user's shell with the command, its arguments and the invoking UID, and the numbered steps 1 through 5 explained in the footnotes that follow. Users map to roles through /etc/rbac/user_role, roles map to authorizations (operations on objects) through /etc/rbac/role_auth, and commands map to their required authorization and privileges through /etc/rbac/cmd_priv; each of these relationships is MANY:MANY, and the role and authorization lookups are made via the ACPS. When the check succeeds, privrun runs the command with privileges, dropping all but the defined privileges; the privrun process and the command it wraps are 1:1.]
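As an added illustration (not code from this guide or from HP-UX), the following Python models the lookup chain the figure depicts: user to roles, roles to authorizations, and command to its required authorization and retained privileges, with a wildcard object matching any object. The database layout, role names, authorization strings and privilege names are constructed for the example and are not the real /etc/rbac file syntax.

```python
from fnmatch import fnmatch
# Constructed sample databases in a simplified layout (NOT the real
# /etc/rbac file syntax); each file is one MANY:MANY hop in Figure 3-2.
USER_ROLE = "alice: Administrator, UserAdmin\nbob: UserAdmin"
ROLE_AUTH = ("Administrator: (hpux.admin, *)\n"
             "UserAdmin: (hpux.user.add, *), (hpux.user.modify, *)")
# command: required (operation, object): privileges kept after the drop
CMD_PRIV = ("/usr/sbin/useradd: (hpux.user.add, *): PRIV_DACWRITE, PRIV_OWNER\n"
            "/usr/sbin/reboot: (hpux.admin, reboot): PRIV_REBOOT")

def _lookup(db, key):
    # Return the text after "key:" in a database, or None if absent.
    for line in db.splitlines():
        k, _, rest = line.partition(":")
        if k.strip() == key:
            return rest.strip()
    return None

def _auth(text):
    # "(operation, object)" -> ("operation", "object")
    op, obj = (p.strip() for p in text.strip(" ()").split(","))
    return op, obj

def user_roles(user):
    """User -> roles via the user_role database."""
    rest = _lookup(USER_ROLE, user)
    return [r.strip() for r in rest.split(",")] if rest else []

def role_auths(role):
    """Role -> authorizations (operation, object) via role_auth."""
    rest = _lookup(ROLE_AUTH, role) or ""
    return [_auth(c) for c in rest.split("),") if c.strip()]

def command_entry(command):
    """Command -> (required authorization, privileges) via cmd_priv."""
    rest = _lookup(CMD_PRIV, command)
    if rest is None:
        return None
    auth_text, _, priv_text = rest.partition("):")
    return _auth(auth_text), [p.strip() for p in priv_text.split(",")]

def privrun_decision(user, command):
    """Return (allowed, privileges the wrapper keeps) for this invocation."""
    entry = command_entry(command)
    if entry is None:                 # no cmd_priv entry: privrun refuses
        return False, []
    (req_op, req_obj), privs = entry
    for role in user_roles(user):
        for op, obj in role_auths(role):
            # "*" in a granted authorization matches any operation/object
            if fnmatch(req_op, op) and fnmatch(req_obj, obj):
                return True, privs    # drop all but these privileges
    return False, []
```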
32 HP-UX Role-Based Access Control