HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
Table 3-8 Example Roles Configuration Using Hierarchical Roles in HP-UX RBAC B.11.23.03
Role                     Authorizations
Administrator            (hpux.security.*, *), UserOperator, NetworkOperator
UserOperator             (hpux.user.*, *)
NetworkOperator          (hpux.network.device.*, *), NetworkServiceOperator
NetworkServiceOperator   (hpux.network.service.*, *)

A role name listed in the Authorizations column is a sub-role: the role on that line inherits every authorization of the sub-role, including authorizations the sub-role itself inherits (Administrator therefore holds hpux.network.service.* through NetworkOperator).
Changes to the authadm Command for Hierarchical Roles
In HP-UX RBAC B.11.23.03 the authadm command, which edits authorization information in
the /etc/rbac/role_auth and /etc/rbac/roles database files, includes new sub-commands
and options to support hierarchical roles. Specifically, authadm now supports the roleassign
and rolerevoke subcommands, and also supports the subrole option to the list
subcommand, as shown in the following:
Example 3-1 The authadm Command Syntax
authadm roleassign role subrole
authadm rolerevoke role=<rolename> subrole=<rolename>
authadm list subrole=<subrole_name>
NOTE: See authadm(1m) for complete information about the authadm command.
For examples of the new authadm roleassign subcommand for hierarchical roles, consider
the information in previous tables. Instead of using authadm to assign each authorization
individually to the roles in Table 3-8 (page 41), you can directly assign the sub-roles using the
following authadm commands (assuming the roles are already created and the authorizations
have been assigned to them):
Example 3-2 Example of the authadm Command Usage
# authadm roleassign Administrator UserOperator
# authadm roleassign Administrator NetworkOperator
# authadm roleassign NetworkOperator NetworkServiceOperator
NOTE: As authorizations are added to or removed from a sub-role (for example, UserOperator
in the previous examples), every role that includes that sub-role, directly or further up the
hierarchy, inherits the addition or removal. No further authadm command on the parent role is
needed.
Hierarchical Roles Considerations
Be aware that hierarchical roles carry a minor performance penalty. Each time an entry that
references another role is read, the entry defining that role must also be retrieved, and so on
down the chain. The cost therefore grows with the length of the chain of roles referencing other
roles: if you view the role relationships as a tree, the taller the tree, the more entries each
lookup must read. You can avoid this penalty for a given role by assigning the authorizations
directly to that role rather than through a sub-role, at the cost of losing the automatic
inheritance of later changes to the sub-role described in the NOTE above. HP recommends
limiting the role depth to three to five roles.
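To make the inheritance and lookup-cost behaviour concrete, the following is an added example in Python; it is not HP's code and does not read the real /etc/rbac/roles or /etc/rbac/role_auth files. It holds Table 3-8 and the effect of the three authadm roleassign commands in plain dictionaries (constructed data), resolves each role's effective authorizations while counting how many role entries must be read, measures role depth against HP's three-to-five recommendation, shows that revoking an authorization from a sub-role is reflected in the roles above it, and shows the flattened "assign directly" alternative, which reads a single entry but no longer inherits later changes. The function names (effective_auths, role_depth, flatten_role, revoke_auth, has_cycle) and the RoleCycleError class are this example's own, not part of HP-UX RBAC.

```python
"""Constructed model of HP-UX RBAC hierarchical role resolution (not HP's code;
does not parse the real /etc/rbac files)."""
from typing import Dict, Set, Tuple

Auth = Tuple[str, str]  # (operation, object), e.g. ("hpux.user.*", "*")

# Direct authorizations per role, copied from Table 3-8 (constructed data).
ROLE_AUTHS: Dict[str, Set[Auth]] = {
    "Administrator": {("hpux.security.*", "*")},
    "UserOperator": {("hpux.user.*", "*")},
    "NetworkOperator": {("hpux.network.device.*", "*")},
    "NetworkServiceOperator": {("hpux.network.service.*", "*")},
}

# Sub-role links: the effect of the three 'authadm roleassign' commands above.
SUB_ROLES: Dict[str, Set[str]] = {
    "Administrator": {"UserOperator", "NetworkOperator"},
    "NetworkOperator": {"NetworkServiceOperator"},
}


class RoleCycleError(ValueError):
    """A role (transitively) lists itself as a sub-role."""


def effective_auths(role: str, role_auths: Dict[str, Set[Auth]],
                    sub_roles: Dict[str, Set[str]]) -> Tuple[Set[Auth], int]:
    """Return (authorizations, entries_read) for `role`.

    entries_read is the number of role entries retrieved, i.e. the lookup
    cost the Considerations text describes. A role reachable by two paths
    (a diamond) is read only once; a cycle raises RoleCycleError.
    """
    resolved: Set[Auth] = set()
    seen: Set[str] = set()
    entries_read = 0
    stack = [(role, ())]  # (role, tuple of ancestors) for cycle detection
    while stack:
        current, path = stack.pop()
        if current in path:
            raise RoleCycleError(" -> ".join(path + (current,)))
        if current in seen:
            continue
        seen.add(current)
        entries_read += 1
        resolved |= role_auths.get(current, set())
        for sub in sub_roles.get(current, ()):
            stack.append((sub, path + (current,)))
    return resolved, entries_read


def role_depth(role: str, sub_roles: Dict[str, Set[str]],
               _path: Tuple[str, ...] = ()) -> int:
    """Height of the role tree rooted at `role`; 1 for a role with no sub-roles."""
    if role in _path:
        raise RoleCycleError(" -> ".join(_path + (role,)))
    subs = sub_roles.get(role, ())
    if not subs:
        return 1
    return 1 + max(role_depth(s, sub_roles, _path + (role,)) for s in subs)


def has_cycle(role: str, sub_roles: Dict[str, Set[str]]) -> bool:
    """True if resolving `role` would loop (a misconfiguration to reject)."""
    try:
        role_depth(role, sub_roles)
        return False
    except RoleCycleError:
        return True


def revoke_auth(role_auths: Dict[str, Set[Auth]], role: str, auth: Auth):
    """Remove a direct authorization from one role (copy returned). Roles that
    include `role` as a sub-role lose it on their next resolution."""
    updated = {r: set(a) for r, a in role_auths.items()}
    if role in updated:
        updated[role].discard(auth)
    return updated


def flatten_role(role: str, role_auths: Dict[str, Set[Auth]],
                 sub_roles: Dict[str, Set[str]]):
    """The 'assign directly' alternative: copies in which `role` carries every
    inherited authorization itself and no sub-roles. One entry per lookup,
    but later changes to the former sub-roles no longer reach `role`."""
    auths, _ = effective_auths(role, role_auths, sub_roles)
    new_auths = {r: set(a) for r, a in role_auths.items()}
    new_auths[role] = auths
    new_subs = {r: set(s) for r, s in sub_roles.items() if r != role}
    return new_auths, new_subs


if __name__ == "__main__":
    for r in ROLE_AUTHS:
        auths, reads = effective_auths(r, ROLE_AUTHS, SUB_ROLES)
        print(f"{r}: depth={role_depth(r, SUB_ROLES)} entries_read={reads}")
        for op, obj in sorted(auths):
            print(f"    ({op}, {obj})")
```

Running the script lists Administrator at depth 3 with four entries read, which is inside HP's recommended range; raising the depth limit check or flattening a deep role is the trade-off the Considerations text describes, and the cycle check is a guard the page does not mention but that any resolver walking role references needs.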
Configuring HP-UX RBAC 41