HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2

NOTE: See cmdprivadm(1M) for information on all of the cmdprivadm arguments. Most
arguments are optional and are filled in with reasonable defaults if nothing is specified.

NOTE: To modify an existing entry in the /etc/rbac/cmd_priv file, you must first delete
the entry and then add the updated version back in. When you use cmdprivadm to delete entries,
the arguments act as filters, not as an exact key. For example, the command
cmdprivadm delete op=foo removes every entry whose operation is foo, regardless of the command
or object in those entries. Therefore, when you use cmdprivadm to delete entries, be careful to
specify enough arguments to uniquely identify the entries you intend to remove.
Hierarchical Roles
Use the following information to configure hierarchical roles and define a relationship between
roles. See authadm(1M) for additional information about hierarchical roles.
Overview
One of the primary objectives of HP-UX RBAC is to simplify user access management by grouping
users into logical roles. In enterprise environments that have a large number of users, it can be
challenging to group users into roles because most users require slightly different sets
of authorizations to perform their tasks. In such environments, the number of roles can
approach the number of users, which negates the usefulness of roles as a way to manage users.
One way to mitigate this problem is to define relationships between roles. Specifically, if roles
are composed of other roles, it becomes easier to define groups of access rights that can be
assigned to individual users. To improve usability and help limit the total number of roles,
HP-UX RBAC B.11.23.03 introduces the ability to define roles that include other roles (referred
to as sub-roles). This ability is known as hierarchical roles.
Examples of Hierarchical Roles
By assigning a sub-role to a role, you assign all the authorizations of the sub-role to that role. For
example, consider the following two tables, which compare the same roles and corresponding
authorizations. Table 3-7 shows the Version B.11.23.02 model, while Table 3-8 shows how
Version B.11.23.03 hierarchical roles simplify the management of roles.
Table 3-7 Example Roles Configuration in HP-UX RBAC B.11.23.02

Role                      Authorizations
Administrator             (hpux.user.*, *)
                          (hpux.network.service.*, *)
                          (hpux.network.device.*, *)
                          (hpux.security.*, *)
UserOperator              (hpux.user.*, *)
NetworkOperator           (hpux.network.service.*, *)
                          (hpux.network.device.*, *)
NetworkServiceOperator    (hpux.network.service.*, *)
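The following Python is an added example that models how hierarchical roles resolve to effective authorizations; it is not code from this guide or from HP-UX RBAC itself. The role and authorization databases really live under /etc/rbac and are managed with authadm, but here in-memory dictionaries stand in for them. The sub-role layout it uses (Administrator includes UserOperator and NetworkOperator, and NetworkOperator includes NetworkServiceOperator) is an assumed decomposition chosen so that the resolved authorizations reproduce the flat Table 3-7 above; it is not the guide's Table 3-8. The wildcard matching is a simplified glob, not the exact RBAC matching rules.

```python
"""Model of HP-UX RBAC hierarchical roles (added example, not HP code).

Assumptions (not from the guide): in-memory dicts stand in for the
role/authorization databases under /etc/rbac, the sub-role layout is
one possible B.11.23.03 decomposition, and glob matching approximates
the RBAC authorization matching rules.
"""
from fnmatch import fnmatchcase

# Authorizations each role holds directly, as (operation, object) pairs.
# Constructed sample data derived from Table 3-7.
DIRECT_AUTHS = {
    "Administrator": {("hpux.security.*", "*")},
    "UserOperator": {("hpux.user.*", "*")},
    "NetworkOperator": {("hpux.network.device.*", "*")},
    "NetworkServiceOperator": {("hpux.network.service.*", "*")},
}

# Assumed hierarchy: role -> set of sub-roles whose authorizations it inherits.
SUB_ROLES = {
    "Administrator": {"UserOperator", "NetworkOperator"},
    "NetworkOperator": {"NetworkServiceOperator"},
}


def effective_auths(role, direct=DIRECT_AUTHS, subs=SUB_ROLES):
    """Return every (op, object) the role holds, directly or via sub-roles.

    The hierarchy is walked iteratively with a visited set, so a
    misconfigured cycle (A includes B, B includes A) terminates instead
    of recursing forever.
    """
    auths = set()
    seen = set()
    stack = [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        auths |= direct.get(current, set())
        stack.extend(subs.get(current, ()))
    return auths


def _matches(pattern, value):
    # "*" matches anything; "hpux.user.*" matches hpux.user.add, and so on.
    # Simplified glob semantics standing in for the RBAC matching rules.
    return fnmatchcase(value, pattern)


def is_authorized(role, op, obj="*"):
    """True if any effective authorization of the role covers (op, obj)."""
    return any(_matches(p_op, op) and _matches(p_obj, obj)
               for p_op, p_obj in effective_auths(role))


def flatten(direct=DIRECT_AUTHS, subs=SUB_ROLES):
    """Expand a hierarchical configuration into a flat role -> auths table,
    i.e. the B.11.23.02-style view of a B.11.23.03 hierarchy."""
    roles = set(direct) | set(subs)
    return {r: effective_auths(r, direct, subs) for r in roles}


if __name__ == "__main__":
    for role, auths in sorted(flatten().items()):
        print(role)
        for op, obj in sorted(auths):
            print("    (%s, %s)" % (op, obj))
    print(is_authorized("NetworkServiceOperator", "hpux.network.device.add"))
```

When reviewing a hierarchy, audit the output of flatten() rather than the direct assignments: any authorization later added to a sub-role propagates silently to every role that includes it, which is exactly the behaviour that makes hierarchies convenient and also what makes a broad sub-role a privilege-escalation path.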
40 HP-UX Role-Based Access Control