HP-UX Reference (11i v2 07/12) - 1M System Administration Commands A-M (vol 3)

authadm(1M) authadm(1M)
NAME
authadm - non-interactive command for administering the authorization information in the RBAC databases.
SYNOPSIS
authadm add operation [object [comments]]
authadm delete operation [object]
authadm assign role operation [object]
authadm roleassign role subrole
authadm revoke role=name [operation=name [object=name]]
authadm rolerevoke role=name subrole=name
authadm list [role=name] [[operation=name] [object=name] | [subrole=name]] | [sys]
DESCRIPTION
authadm is a non-interactive command that allows users with the appropriate privileges to modify and list authorization information in the /etc/rbac/roles and /etc/rbac/auths RBAC database files.

HP recommends using only the authadm, cmdprivadm, and roleadm commands to edit and view the RBAC databases -- do not edit the RBAC files without these commands. See rbac(5) for more information on these RBAC databases.
Options
With the exception of the list option, all options recognize a default object. If the parameter RBAC_DEFAULT_OBJECT is specified with a non-empty value in the security default file, /etc/default/security, then the value of this parameter will be the default object. However, if the parameter RBAC_DEFAULT_OBJECT does not exist or is set to an empty value, then the default object will be set to a wild card (*).

Here is how to specify a value for the RBAC_DEFAULT_OBJECT parameter in /etc/default/security:

    RBAC_DEFAULT_OBJECT=value

For example, in /etc/default/security, RBAC_DEFAULT_OBJECT=lj8 sets the default object to lj8. If the line RBAC_DEFAULT_OBJECT is not present or is commented out, then the default object will be set to "*".
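The default-object rule above, worked through as an added shell example (not code from the HP-UX manual or from authadm itself): rbac_default_object is a hypothetical helper name, and it takes the security file path as a parameter so the logic can be checked against a constructed file instead of the real /etc/default/security.

```shell
#!/bin/sh
# Added example, not part of the HP-UX manual: resolve the default object that
# the authadm add, delete and assign options use when no object is given,
# following the RBAC_DEFAULT_OBJECT rule above. rbac_default_object is a
# hypothetical helper name; the file path is a parameter so the logic can be
# exercised on a constructed copy instead of the real /etc/default/security.
#
# Usage: rbac_default_object [security_file]   (default: /etc/default/security)
rbac_default_object() {
    file=${1:-/etc/default/security}
    value=""
    if [ -r "$file" ]; then
        # Keep only uncommented RBAC_DEFAULT_OBJECT=... lines (a leading '#'
        # never matches), strip the key and trailing blanks; last line wins.
        value=$(sed -n 's/^[[:blank:]]*RBAC_DEFAULT_OBJECT=[[:blank:]]*//p' "$file" \
            | sed 's/[[:blank:]]*$//' | tail -n 1)
    fi
    if [ -z "$value" ]; then
        # Parameter absent, commented out or empty: wild card.
        printf '%s\n' '*'
    else
        printf '%s\n' "$value"
    fi
}

# Demonstration on a constructed sample file (not a real system file).
sample=$(mktemp) || exit 1
printf '%s\n' '# constructed sample of /etc/default/security' \
              'RBAC_DEFAULT_OBJECT=lj8' > "$sample"
echo "explicit value:  $(rbac_default_object "$sample")"    # lj8

printf '%s\n' '# RBAC_DEFAULT_OBJECT=lj8' > "$sample"
echo "commented out:   $(rbac_default_object "$sample")"    # *

printf '%s\n' 'RBAC_DEFAULT_OBJECT=' > "$sample"
echo "empty value:     $(rbac_default_object "$sample")"    # *
rm -f "$sample"
```

Run it as root only if you point it at the real file; with no argument it reads /etc/default/security, which is exactly the lookup authadm performs before falling back to "*".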
authadm recognizes the following options:
add operation [object [comments]]
Adds an authorization pair (operation, object) to the system list of valid authorizations by appending a line to the /etc/rbac/auths file.

If object is not specified, then a default object will be assigned. The default object will either be a wild card (*) or the object specified in the security default configuration file, /etc/default/security. A comment may not be specified when adding an entry that refers to the default object in /etc/default/security. The only way to add a comment to an entry with the add option is to specify the object explicitly.
delete operation [object]
Deletes an authorization from the system list of valid authorizations. If object is not specified, then a default object will be assumed. The default object will either be a wild card (*) or the object specified in the security default configuration file, /etc/default/security.

If the authorization exists in /etc/rbac/auths, authadm deletes the entry. If the specified authorization is assigned to any roles in /etc/rbac/role_auth, authadm will remove the authorization from the role. If the specified authorization exists in an entry in /etc/rbac/cmd_priv, authadm will remove the entire entry.

If the authorization does not exist in /etc/rbac/auths, authadm returns an error message. See the RETURN VALUE section below for more information.
assign role operation [object]
Assigns an authorization pair (operation, object) to a role. authadm verifies that the role exists in /etc/rbac/roles before verifying that the authorization pair (operation, object) exists in /etc/rbac/auths. authadm appends the authorization to the role-to-authorization mapping in /etc/rbac/role_auth if both the role and the authorization pair exist.
80 Hewlett-Packard Company 1 HP-UX 11i Version 2: December 2007 Update