HP-UX Role-Based Access Control B.11.23.03 Release Notes

New in HP-UX RBAC B.11.23.03
Changes to the authadm Command for Hierarchical Roles
In HP-UX RBAC B.11.23.03 the authadm command, which edits authorization information in
the /etc/rbac/role_auth and /etc/rbac/roles database files, includes new sub-commands
and options to support hierarchical roles. Specifically, authadm now supports the roleassign
and rolerevoke subcommands, and also supports the subrole option to the list
subcommand, as shown in the following:
authadm roleassign role subrole
authadm rolerevoke role=<rolename> subrole=<rolename>
authadm list subrole=<subrole_name>
NOTE Refer to the authadm(1m) manpage for complete information about the
authadm command.
For examples of the new authadm roleassign subcommand for hierarchical roles, consider
the information in the previous tables. Instead of using authadm to assign each authorization
individually to the roles in Table 3, you can assign the sub-roles directly with the following
authadm commands (this assumes the roles are already created and the authorizations have
been assigned to them):
# authadm roleassign Administrator UserOperator
# authadm roleassign Administrator NetworkOperator
# authadm roleassign NetworkOperator NetworkServiceOperator
NOTE When authorizations are added to or removed from a sub-role (for example,
UserOperator in the previous examples), the parent role inherits that addition
or removal as well.
Hierarchical Roles Considerations
Be aware that when you use hierarchical roles you will experience a minor performance
penalty. Specifically, each time an entry that references another role is read, the entry
defining that role must also be retrieved. This can become an issue when there is a long chain
of roles referencing other roles. For example, if you view role relationships as a tree, the taller
the tree, the greater the performance penalty you will experience. You can avoid this minor
performance penalty by assigning authorizations directly to the role rather than through
a sub-role. HP recommends limiting the role depth to three to five roles.
Also be aware that circular role definitions are not allowed. For example, assigning RoleA to
RoleB, RoleB to RoleC, and RoleC to RoleA, is not allowed. The authadm command will detect
an attempt to perform such a circular definition and will report an error.
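The following is an added example, not code from the HP-UX release notes or from authadm itself. It is a small in-memory model of the hierarchical-role behaviour described above (the roleassign examples and inheritance note, and the depth and circular-definition considerations): a parent role's effective authorizations are its own plus everything reachable through its sub-roles, an assignment that would make a role reference itself is rejected with an error, and the depth of a role tree can be measured against the three-to-five-role recommendation. The authorization names are constructed sample values, and the class does not read or write the real /etc/rbac/roles and /etc/rbac/role_auth files; it only illustrates the semantics so that an administrator can reason about, or audit, an exported hierarchy.

```python
# Added example (not from the HP-UX release notes): an in-memory model of
# hierarchical roles mirroring the behaviour the notes describe for
# authadm roleassign / rolerevoke. Role names come from the notes; the
# authorization strings are constructed sample data, and the real
# /etc/rbac database files are never touched.

from collections import defaultdict


class CircularRoleError(ValueError):
    """Raised when an assignment would make a role reference itself,
    directly or through a chain of sub-roles."""


class RoleHierarchy:
    def __init__(self):
        self.subroles = defaultdict(set)      # role -> set of sub-roles
        self.direct_auths = defaultdict(set)  # role -> (operation, object) pairs assigned directly

    def authassign(self, role, operation, obj="*"):
        self.direct_auths[role].add((operation, obj))

    def authrevoke(self, role, operation, obj="*"):
        self.direct_auths[role].discard((operation, obj))

    def reaches(self, start, target):
        """True if `target` is `start` or is reachable from it via sub-role links."""
        seen, stack = set(), [start]
        while stack:
            r = stack.pop()
            if r == target:
                return True
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.subroles[r])
        return False

    def roleassign(self, role, subrole):
        # authadm detects a circular definition and reports an error; do the same
        # before the link is stored, so the graph always stays acyclic.
        if self.reaches(subrole, role):
            raise CircularRoleError(f"assigning {subrole} to {role} would create a cycle")
        self.subroles[role].add(subrole)

    def rolerevoke(self, role, subrole):
        self.subroles[role].discard(subrole)

    def effective_auths(self, role):
        """Direct authorizations plus everything inherited through sub-roles.
        Because inheritance is evaluated at read time, a change to a sub-role
        is immediately visible in every parent."""
        seen, stack, auths = set(), [role], set()
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            auths |= self.direct_auths[r]
            stack.extend(self.subroles[r])
        return auths

    def depth(self, role):
        """Roles on the longest chain starting at `role` (no sub-roles -> depth 1).
        Safe to recurse because roleassign never admits a cycle."""
        if not self.subroles[role]:
            return 1
        return 1 + max(self.depth(s) for s in self.subroles[role])


def build_example():
    """The four roles from the notes with constructed sample authorizations,
    then the three roleassign commands shown in the notes."""
    h = RoleHierarchy()
    h.authassign("UserOperator", "hpux.user.add")
    h.authassign("NetworkServiceOperator", "hpux.network.service.start")
    h.authassign("NetworkOperator", "hpux.network.config")
    h.authassign("Administrator", "hpux.admin")
    h.roleassign("Administrator", "UserOperator")
    h.roleassign("Administrator", "NetworkOperator")
    h.roleassign("NetworkOperator", "NetworkServiceOperator")
    return h


if __name__ == "__main__":
    h = build_example()
    for op, obj in sorted(h.effective_auths("Administrator")):
        print(f"Administrator: ({op}, {obj})")
    print("depth of Administrator tree:", h.depth("Administrator"))
```

Running the module prints the four authorizations Administrator holds (one direct, three inherited) and a tree depth of 3, which is within the recommended range. Attempting `h.roleassign("NetworkServiceOperator", "Administrator")` on the same hierarchy raises CircularRoleError, the analogue of the error authadm reports for the RoleA, RoleB, RoleC loop described above.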