HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
NOTE: The default configuration files delivered with HP-UX RBAC contain a single
preconfigured role: Administrator. By default, the Administrator role is assigned all HP-UX
system authorizations (hpux.*, *) and is associated with the root user.
After defining valid roles, you can assign them to one or more users or UNIX groups. Attempting
to assign a role that has not been created displays an error message indicating that the role
does not exist.
Assigning Roles to Users
Separating role creation from role assignment offers the following advantages:
• Requiring that roles be created before they are assigned ensures that typographical errors
in role names are caught during role assignment.
• Different users can perform each task. For example, the same user is not required to both
create the roles and assign the roles.
After creating valid roles, use the roleadm command to assign them to the appropriate users,
as shown in the following examples:
# roleadm assign luman Administrator
roleadm assign done in /etc/rbac/user_role
# roleadm assign rwang UserOperator
roleadm assign done in /etc/rbac/user_role
After using the roleadm assign command to assign roles to users, you can use the roleadm
list command to verify that the roles were assigned correctly, for example:
# roleadm list
root: Administrator
luman: Administrator
rwang: UserOperator
NOTE: HP-UX RBAC offers the ability to add a special user named DEFAULT to the
/etc/rbac/user_role database. Assigning a role to the DEFAULT user means any user that
does not exist on the system is assigned that role.
Assigning Roles to Groups
HP-UX RBAC also enables you to assign roles to UNIX groups. You can use the roleadm
command options that take a user value, such as roleadm assign <user> role and
roleadm revoke <user> role, to administer groups and roles.
To assign, revoke, or list group and role information with the roleadm command, insert an
ampersand (&) at the beginning of the user value and enclose the user value in quotation marks.
The group name and the ampersand (&) must be shell escaped or enclosed in quotation marks so
that roleadm, rather than the shell, interprets the ampersand. For example:
# roleadm assign "&groupname" role
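The user, DEFAULT, and "&group" assignments described above can be reasoned about offline. The following Python script is an added example and is not part of this guide or of HP-UX RBAC itself. It assumes that /etc/rbac/user_role uses the same "user: role" line form that roleadm list prints, that DEFAULT acts as the fallback for a user with no entry of its own (directly or through a group), and it substitutes constructed sample data for /etc/rbac/roles and /etc/group.

```python
"""Offline model of HP-UX RBAC user/role assignment semantics (added example)."""
from collections import defaultdict

# Constructed sample in the "user: role" form that `roleadm list` prints.
# Assumption: the real /etc/rbac/user_role file uses the same layout.
SAMPLE_USER_ROLE = """\
root: Administrator
luman: Administrator
rwang: UserOperator
&sysadm: Administrator
DEFAULT: UserOperator
"""

# Constructed role database, standing in for the roles created with roleadm add.
SAMPLE_ROLES = {"Administrator", "UserOperator"}

# Constructed group membership, standing in for /etc/group lookups.
SAMPLE_GROUPS = {"sysadm": {"kjones"}, "staff": {"rwang", "kjones", "mlee"}}


def parse_user_role(text):
    """Return {subject: [roles]}; a subject is a user, an '&group', or DEFAULT."""
    mapping = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        subject, sep, role = line.partition(":")
        subject, role = subject.strip(), role.strip()
        if not sep or not subject or not role:
            raise ValueError(f"malformed user_role line: {raw!r}")
        mapping[subject].append(role)
    return dict(mapping)


def role_exists(roles_db, role):
    """The check roleadm assign performs before touching user_role."""
    return role in roles_db


def assign_role(mapping, roles_db, subject, role):
    """Mirror roleadm assign: refuse a role that has not been created first."""
    if not role_exists(roles_db, role):
        raise LookupError(f"roleadm assign: role {role} does not exist")
    roles = mapping.setdefault(subject, [])
    if role not in roles:
        roles.append(role)
    return mapping


def effective_roles(mapping, groups, user):
    """Roles a user holds: direct entries, then '&group' entries, else DEFAULT."""
    roles = list(mapping.get(user, []))
    for group, members in groups.items():
        if user in members:
            for role in mapping.get("&" + group, []):
                if role not in roles:
                    roles.append(role)
    # Assumption: DEFAULT applies only when nothing else matched the user.
    if not roles and "DEFAULT" in mapping:
        roles = list(mapping["DEFAULT"])
    return roles


def list_assignments(mapping):
    """Render the database the way `roleadm list` prints it."""
    return [f"{subject}: {role}" for subject, roles in mapping.items() for role in roles]


if __name__ == "__main__":
    db = parse_user_role(SAMPLE_USER_ROLE)
    for user in ("luman", "rwang", "kjones", "nobody"):
        print(user, "->", effective_roles(db, SAMPLE_GROUPS, user))
    try:
        assign_role(db, SAMPLE_ROLES, "mlee", "Auditor")
    except LookupError as err:
        print(err)
    print("\n".join(list_assignments(assign_role(db, SAMPLE_ROLES, "mlee", "UserOperator"))))
```

Running the script shows kjones receiving Administrator only through the &sysadm entry, nobody falling through to the DEFAULT role, and the attempt to assign the undefined Auditor role being rejected before the database is changed, which is the behaviour the create-before-assign rule above is meant to guarantee.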
Step 2: Configuring Authorizations
Configuring authorizations is similar to creating and assigning roles. However, authorizations
contain two elements: an operation and an object. The * wildcard—the most commonly used
object—is the implicit object used if you do not specify an object while invoking the authadm
command. In many cases, the object is purposely left unspecified, so that the operation applies
to all objects. Leaving the object unspecified is often used for authorizations that apply to wrapped
Configuring HP-UX RBAC 37