authadm.1m (2010 09)

authadm(1M) authadm(1M)
NAME
       authadm - non-interactive command for administering the authorization information in the RBAC
       databases

SYNOPSIS
       authadm add operation [object [comments]]

       authadm delete operation [object]

       authadm assign role operation [object]

       authadm roleassign role subrole

       authadm revoke role=name [operation=name [object=name]]

       authadm rolerevoke role=name subrole=name

       authadm list [role=name] [[operation=name] [object=name] | [subrole=name]] | [sys]

DESCRIPTION
       authadm is a non-interactive command that allows users with the appropriate privileges to modify
       and list authorization information in the /etc/rbac/roles and /etc/rbac/auths RBAC database files.

       HP recommends using only the authadm, cmdprivadm, and roleadm commands to edit and view the RBAC
       databases -- do not edit the RBAC files without these commands.  See rbac(5) for more information
       on these RBAC databases.
   Options
       With the exception of the list option, all options recognize a default object.  If the parameter
       RBAC_DEFAULT_OBJECT is specified with a non-empty value in the security default file,
       /etc/default/security, then the value of this parameter will be the default object.  However, if
       the parameter RBAC_DEFAULT_OBJECT does not exist or is set to an empty value, then the default
       object will be set to a wild card (*).

       Here is how to specify a value to the RBAC_DEFAULT_OBJECT parameter in /etc/default/security:

              RBAC_DEFAULT_OBJECT=value

       For example: in /etc/default/security, RBAC_DEFAULT_OBJECT=lj8 sets the default object to lj8.  If
       the line RBAC_DEFAULT_OBJECT is not present or is commented out, then the default object will be
       set to "*".
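       The following POSIX shell script is an added illustration of the default-object rule above and of
       the add option's restriction that a comment can only accompany an explicitly named object; it is
       not code from the HP-UX manual or from the authadm command itself.  It reads the parameter from a
       file passed as an argument so it can be exercised against constructed sample files instead of the
       live /etc/default/security.  The operation name example.printer.manage and the function names are
       constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the HP-UX manual or the authadm code): how authadm
# resolves the default object when "object" is omitted. A non-empty
# RBAC_DEFAULT_OBJECT=value line in /etc/default/security supplies the default;
# a missing, commented-out or empty setting means the wild card "*".

# rbac_default_object FILE
# Print the default object authadm would assume, reading FILE in place of
# /etc/default/security.
rbac_default_object() {
    file=$1
    value=
    if [ -r "$file" ]; then
        # Only a line that starts (after optional whitespace) with the parameter
        # name counts; "#RBAC_DEFAULT_OBJECT=..." is a comment and is skipped.
        # Keep the value up to the first whitespace; the last matching line wins.
        value=$(sed -n 's/^[[:space:]]*RBAC_DEFAULT_OBJECT=\([^[:space:]]*\).*/\1/p' "$file" | tail -n 1)
    fi
    if [ -z "$value" ]; then
        printf '%s\n' '*'
    else
        printf '%s\n' "$value"
    fi
}

# authadm_add_args FILE OPERATION [OBJECT [COMMENTS]]
# Print the "operation object [comments]" entry that "authadm add" would act on,
# filling in the default object from FILE when OBJECT is empty. Returns 1 when
# COMMENTS is given without an explicit OBJECT, because a comment may only be
# attached to an entry whose object was specified explicitly.
authadm_add_args() {
    file=$1
    operation=$2
    object=$3
    comments=$4
    if [ -z "$object" ]; then
        if [ -n "$comments" ]; then
            echo "authadm add: a comment requires an explicit object" >&2
            return 1
        fi
        object=$(rbac_default_object "$file")
    fi
    printf '%s %s%s\n' "$operation" "$object" "${comments:+ $comments}"
}

# Constructed sample files standing in for /etc/default/security.
demo_dir=$(mktemp -d)
printf 'RBAC_DEFAULT_OBJECT=lj8\n'  > "$demo_dir/set"
printf '#RBAC_DEFAULT_OBJECT=lj8\n' > "$demo_dir/commented"
printf 'RBAC_DEFAULT_OBJECT=\n'     > "$demo_dir/empty"

echo "set:       $(rbac_default_object "$demo_dir/set")"        # lj8
echo "commented: $(rbac_default_object "$demo_dir/commented")"  # *
echo "empty:     $(rbac_default_object "$demo_dir/empty")"      # *
echo "absent:    $(rbac_default_object "$demo_dir/absent")"     # *

# Operation name example.printer.manage is constructed for the illustration.
authadm_add_args "$demo_dir/set" example.printer.manage                    # example.printer.manage lj8
authadm_add_args "$demo_dir/set" example.printer.manage lj8 "Manage lj8"   # example.printer.manage lj8 Manage lj8
authadm_add_args "$demo_dir/set" example.printer.manage "" "Manage lj8" \
    || echo "rejected: comment without explicit object"
rm -rf "$demo_dir"
```

       The sed pattern anchors on the parameter name at the start of the line so that a commented-out
       setting is treated exactly like an absent one, which is the behaviour the manual describes for
       both cases.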
       authadm recognizes the following options:

       add operation [object [comments]]
              Adds an authorization pair (operation, object) to the system list of valid authorizations
              by appending a line to the /etc/rbac/auths file.

              If object is not specified, then a default object will be assigned.  The default object
              will either be a wild card (*) or the object specified in the security default
              configuration file, /etc/default/security.  A comment may not be specified when adding an
              entry that refers to the default object in /etc/default/security.  The only way to add a
              comment to an entry with the add option is to specify the object explicitly.

       delete operation [object]
              Deletes an authorization from the system list of valid authorizations.  If object is not
              specified, then a default object will be assumed.  The default object will either be a
              wild card (*) or the object specified in the security default configuration file,
              /etc/default/security.

              If the authorization exists in /etc/rbac/auths, authadm deletes the entry.  If the
              specified authorization is assigned to any roles in /etc/rbac/role_auth, authadm will
              remove the authorization from the role.  If the specified authorization exists in an entry
              in /etc/rbac/cmd_priv, authadm will remove the entire entry.  If the authorization does
              not exist in /etc/rbac/auths, authadm returns an error message.  See the RETURN VALUE
              section below for more information.

       assign role operation [object]
              Assigns an authorization pair (operation, object) to a role.  authadm verifies the role
              exists in /etc/rbac/roles before verifying the authorization pair (operation, object)
              exists in /etc/rbac/auths.  authadm appends the authorization to the role-to-authorization
              mapping in /etc/rbac/role_auth if the role and authorization pair exist.
HP-UX 11i Version 3: September 2010 1 Hewlett-Packard Company 1
