HP-UX Reference (11i v2 07/12) - 1M System Administration Commands A-M (vol 3)

authadm(1M) authadm(1M)
If object is not specified, then a default object will be assigned. The default object will either be a wild card (*) or the object specified in the security default configuration file, /etc/default/security.
roleassign role subrole
Assigns a role to another, different role. The role being assigned to the other role is referred to as a subrole. A subrole is any valid role defined in the /etc/rbac/roles database. The roleassign option allows hierarchical role definition (one role can inherit other subroles). After assigning a subrole to a role, that role will also have all the authorizations of the subrole and of any of its subroles. More than one subrole can be assigned to a role. authadm verifies that the role and subrole exist in /etc/rbac/roles. It also verifies that there are no recursive definitions of the role and subrole (if "role1" has a subrole of "role2", and you try to roleassign "role1" to "role2", this would cause a recursive definition of both "role1" and "role2"). authadm appends the subrole to the role-to-authorization mapping in /etc/rbac/role_auth.
revoke role=name [operation=name [object=name]]
Revokes an authorization from the specified role in /etc/rbac/role_auth. If no authorization is specified, authadm revokes all the authorizations for the given role. If object is not specified, then a default object will be assumed. The default object will either be a wild card (*) or the object specified in the security default configuration file, /etc/default/security.
Note: The /etc/rbac/role_auth file will be modified by the authadm revoke command.
rolerevoke role=name subrole=name
Revokes a subrole from the specified role in /etc/rbac/role_auth. Note that the role specified as the subrole is not revoked from the database; just the subrole assignment is revoked.
For instance, if these entries are in the database:
    role1: (operation1, object1) role2
    role2: role3 (operation2, object2), role4
then
    authadm rolerevoke role=role1 subrole=role2
will modify the line to:
    role1: (operation1, object1)
    role2: role3 (operation2, object2), role4
authadm revokes the specified authorizations and/or subrole for the given role.
Note: The /etc/rbac/role_auth file will be modified by the authadm rolerevoke command.
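As an added example (not code from the HP-UX manual or the authadm tool), the following Python models the /etc/rbac/role_auth entries shown above for roleassign and rolerevoke: it parses lines in that layout, resolves every authorization a role holds through its subrole chain, and performs the recursive-definition check authadm makes before a roleassign. The parsing rules are inferred from the two sample lines on this page (parenthesized (operation, object) pairs and bare subrole names, commas optional), and the role3/role4 definitions are constructed.

```python
import re

# Constructed sample in the /etc/rbac/role_auth layout shown on this page:
# role name, a colon, then (operation, object) pairs and bare subrole names.
SAMPLE_ROLE_AUTH = """\
role1: (operation1, object1) role2
role2: role3 (operation2, object2), role4
role3: (operation3, object3)
role4: (operation4, *)
"""

AUTH_RE = re.compile(r"\(\s*([^,\s)]+)\s*,\s*([^)\s]+)\s*\)")

def parse_role_auth(text):
    """Return {role: (auth_list, subrole_list)} for each 'role: ...' line."""
    db = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        role, body = line.split(":", 1)
        auths = AUTH_RE.findall(body)              # [(operation, object), ...]
        rest = AUTH_RE.sub(" ", body)              # whatever is left is subroles
        subroles = [t for t in re.split(r"[\s,]+", rest) if t]
        db[role.strip()] = (auths, subroles)
    return db

def effective_auths(db, role, seen=None):
    """Every (operation, object) a role holds, inherited through all subroles."""
    seen = set() if seen is None else seen
    if role in seen:                               # guard against a cycle
        return set()
    seen.add(role)
    auths, subroles = db.get(role, ([], []))
    result = set(auths)
    for sub in subroles:
        result |= effective_auths(db, sub, seen)
    return result

def would_recurse(db, role, subrole):
    """The check authadm roleassign performs: True if making `subrole` a
    subrole of `role` would define a cycle (role -> subrole -> ... -> role)."""
    stack, seen = [subrole], set()
    while stack:
        r = stack.pop()
        if r == role:
            return True
        if r not in seen:
            seen.add(r)
            stack.extend(db.get(r, ([], []))[1])
    return False
```

Running effective_auths over a role before and after a rolerevoke shows exactly which inherited authorizations the revoked subrole assignment was contributing.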
authadm list [role=name] [[operation=name] [object=name] | [subrole=name]] | [sys]
Invoking the authadm list command without any parameters lists every entry in /etc/rbac/role_auth. Specifying a role name lists all the authorizations and subroles assigned to that role name. Specifying an operation name lists all the roles which have that operation name. Specifying a subrole name lists all the roles which have that subrole name. Specifying sys lists all the authorizations in the /etc/rbac/auths database.
Authorizations
In order to invoke authadm, the user must either be root (running with an effective uid of 0) or have the appropriate authorization(s). The following is a list of the required authorizations for running authadm with particular options:
hpux.security.access.auth.add,*
Allows user to run authadm with add option.
hpux.security.access.auth.delete,*
Allows user to run authadm with delete option.
hpux.security.access.auth.assign,*
Allows user to run authadm with assign or roleassign option.
hpux.security.access.auth.revoke,*
Allows user to run authadm with revoke or rolerevoke option.
hpux.security.access.auth.list,*
Allows user to run authadm with list option.
HP-UX 11i Version 2: December 2007 Update 2 Hewlett-Packard Company 81