authadm.1m (2011 03)
authadm(1M) authadm(1M)
    If object is not specified, then a default object will be assigned. The default object will either be a wild card (*) or the object specified in the security default configuration file, /etc/default/security.
roleassign role subrole
    Assigns a role to another, different role. The role being assigned to the other role is referred to as a subrole. A subrole is any valid role defined in the /etc/rbac/roles database.

    The roleassign option allows hierarchical role definition (one role can inherit other subroles). After assigning a subrole to a role, that role will also have all the authorizations of the subrole, and of any of its subroles. More than one subrole can be assigned to a role.

    authadm verifies that the role and subrole exist in /etc/rbac/roles. It also verifies that there are no recursive definitions of the role and subrole. (If "role1" has a subrole of "role2", and you try to roleassign "role1" to "role2", this will cause a recursive definition of both "role1" and "role2".)

    authadm appends the subrole to the role-to-authorization mapping in /etc/rbac/role_auth.
revoke role=name [operation=name [object=name]]
    Revokes an authorization from the specified role in /etc/rbac/role_auth. If no authorization is specified, authadm revokes all the authorizations for the given role. If object is not specified, then a default object will be assumed. The default object will either be a wild card (*) or the object specified in the security default configuration file, /etc/default/security.

    Note: The /etc/rbac/role_auth file will be modified by the authadm revoke command.
rolerevoke role=name subrole=name
    Revokes a subrole from the specified role in /etc/rbac/role_auth. Note that the role specified as the subrole is not revoked from the database; only the subrole assignment is revoked.

    For instance, if these entries are in the database:

        role1: (operation1, object1) role2
        role2: role3 (operation2, object2), role4

    authadm rolerevoke role=role1 subrole=role2

    will modify the line to:

        role1: (operation1, object1)
        role2: role3 (operation2, object2), role4

    authadm revokes the specified authorizations and/or subrole for the given role.

    Note: The /etc/rbac/role_auth file will be modified by the authadm rolerevoke command.
authadm list [role=name] [[operation=name] [object=name] | [subrole=name]] | [sys]
    Invoking the authadm list command without any parameters lists every entry in /etc/rbac/role_auth. Specifying a role name lists all the authorizations and subroles assigned to that role name. Specifying an operation name lists all the roles which have that operation name. Specifying a subrole name lists all the roles which have that subrole name. Specifying sys lists all the authorizations in the /etc/rbac/auths database.
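The role hierarchy rules described above for roleassign, rolerevoke and list (subrole inheritance, the recursive-definition check, and revoking a subrole assignment without deleting the role) can be modelled offline, as an added example that is not part of this man page or of HP-UX's authadm. The line layout of /etc/rbac/role_auth is taken from the rolerevoke example above; the exact separator rules, the sample entries and role list, and every function name here are assumptions.

```python
import re

# Constructed sample in the layout shown by the rolerevoke example above.
# Exact separator rules of /etc/rbac/role_auth are an assumption, not taken from HP-UX.
SAMPLE_ROLE_AUTH = """\
role1: (operation1, object1) role2
role2: role3 (operation2, object2), role4
role3: (operation3, object3)
role4: (operation4, *)
"""

# Constructed stand-in for the roles defined in /etc/rbac/roles (assumption).
SAMPLE_ROLES = {"role1", "role2", "role3", "role4", "role5"}

# An authorization is written "(operation, object)"; every other token after the
# colon is treated as a subrole name (assumed format).
AUTH_RE = re.compile(r"\(\s*([^,()]+?)\s*,\s*([^()]+?)\s*\)")


def parse_role_auth(text):
    """Map role -> (list of (operation, object) pairs, list of subroles)."""
    db = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        role, _, rest = line.partition(":")
        auths = AUTH_RE.findall(rest)
        subroles = [t for t in re.split(r"[\s,]+", AUTH_RE.sub(" ", rest)) if t]
        db[role.strip()] = (auths, subroles)
    return db


def format_role_auth(db):
    """Render the database back into one line per role."""
    lines = []
    for role, (auths, subroles) in db.items():
        parts = [f"({op}, {obj})" for op, obj in auths] + subroles
        lines.append(f"{role}: " + " ".join(parts))
    return "\n".join(lines) + "\n"


def reachable(db, start, target):
    """True if target is start itself or one of start's transitive subroles."""
    seen, stack = set(), [start]
    while stack:
        role = stack.pop()
        if role == target:
            return True
        if role in seen:
            continue
        seen.add(role)
        stack.extend(db.get(role, ([], []))[1])
    return False


def effective_auths(db, role):
    """All authorizations a role holds, including those inherited through subroles."""
    result, seen, stack = set(), set(), [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        auths, subroles = db.get(current, ([], []))
        result.update(auths)
        stack.extend(subroles)
    return result


def roleassign(db, roles, role, subrole):
    """Apply the checks the man page describes: both roles exist and no cycle results."""
    for name in (role, subrole):
        if name not in roles:
            raise KeyError(f"{name} is not defined in the roles database")
    # Assigning subrole under role is recursive if role is already reachable from subrole.
    if reachable(db, subrole, role):
        raise ValueError(f"assigning {subrole} to {role} would create a recursive definition")
    _, subroles = db.setdefault(role, ([], []))
    if subrole not in subroles:
        subroles.append(subrole)


def rolerevoke(db, role, subrole):
    """Remove only the assignment; the subrole's own entry is left untouched."""
    _, subroles = db[role]
    if subrole not in subroles:
        raise ValueError(f"{subrole} is not a subrole of {role}")
    subroles.remove(subrole)


def roles_with_subrole(db, subrole):
    """What 'list subrole=name' reports: roles that directly carry that subrole."""
    return sorted(role for role, (_, subroles) in db.items() if subrole in subroles)


if __name__ == "__main__":
    db = parse_role_auth(SAMPLE_ROLE_AUTH)
    print("role1 effective:", sorted(effective_auths(db, "role1")))
    rolerevoke(db, "role1", "role2")
    print(format_role_auth(db), end="")
```

The recursion check is the same test authadm is documented to make before appending: a cycle exists exactly when the proposed parent role is already reachable from the proposed subrole, so the check is a reachability walk over the subrole graph rather than a comparison of two names. effective_auths is the reason the check matters for auditing: an auditor reading role_auth sees only direct grants, while the authorizations a role can actually exercise are the closure over all subroles.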
Authorizations
    In order to invoke authadm, the user must either be root (running with an effective uid of 0) or have the appropriate authorization(s). The following is a list of the required authorizations for running authadm with particular options:

    hpux.security.access.auth.add,*
        Allows the user to run authadm with the add option.

    hpux.security.access.auth.delete,*
        Allows the user to run authadm with the delete option.

    hpux.security.access.auth.assign,*
        Allows the user to run authadm with the assign or roleassign option.

    hpux.security.access.auth.revoke,*
        Allows the user to run authadm with the revoke or rolerevoke option.

    hpux.security.access.auth.list,*
        Allows the user to run authadm with the list option.
2 Hewlett-Packard Company − 2 − HP-UX 11i Version 3: March 2011