HP-UX Reference (11i v2 07/12) - 1M System Administration Commands N-Z (vol 4)
roleadm(1M)
NAME
roleadm - non-interactive editing of role-related information in RBAC databases
SYNOPSIS
roleadm add role [comments]
roleadm delete role
roleadm modify oldrolename newrolename
roleadm assign user role
roleadm revoke user [role]
roleadm list [user=username] [role=rolename] [sys]
DESCRIPTION
roleadm is a non-interactive command that allows users with the appropriate authorization to modify and
list the role information in /etc/rbac/user_role, /etc/rbac/role_auth, and /etc/rbac/roles.
See rbac(5) for information on these RBAC databases.
HP recommends that only the authadm, cmdprivadm, and roleadm commands be used to edit and
view the RBAC databases; do not edit the RBAC files directly.
Options
roleadm recognizes the following options:
add role [comments]
Add a role to the system list of valid roles. Appends a line with rolename to the /etc/rbac/roles
file. You can enter an optional comment after the role.
delete role
Remove a role from the system list of valid roles. If role is present in /etc/rbac/roles, its entry is
removed. If role is not present, then roleadm returns an error code; see RETURN VALUE.
modify oldrolename newrolename
Change the name of a role. This option modifies the RBAC databases (/etc/rbac/user_role,
/etc/rbac/role_auth, and /etc/rbac/roles), replacing each occurrence of oldrolename with newrolename.
assign user role
Assign a role to a user or a group. First verifies that the user is a valid user, and the role is present in
the /etc/rbac/roles file. When this is the case, the role is appended to the user->role mapping
in the /etc/rbac/user_role file. If the user argument has an ampersand at the beginning (such as
&users), then it is assumed that what follows after the ampersand is a group name; the ampersand
must be shell escaped or put in quotes such as \&users or "&users".
An administrator may specify a default set of roles by assigning roles to the DEFAULT keyword. If a
user is not otherwise explicitly assigned roles in the /etc/rbac/user_role database, he or she
will be given the roles assigned to the DEFAULT role.
revoke user [role]
Revoke a role from the specified user. If no role is specified, then all roles are revoked for the given
user (the user entry is removed from /etc/rbac/user_role). If the user argument has an ampersand
at the beginning (such as &users), then it is assumed that what follows after the ampersand is a
group name; the ampersand must be shell escaped or put in quotes such as \&users or "&users".
list [user=username] [role=rolename] [sys]
List user and role information from the RBAC databases, /etc/rbac/user_role and /etc/rbac/roles.
If neither user= nor role= is specified, then all users with assigned roles are listed.
If user=username is specified, then only the role(s) of the specified user will be listed. If user has an
ampersand at the beginning (such as &users), then it is assumed that what follows after the ampersand
is a group name; the ampersand must be shell escaped or put in quotes such as \&users or "&users".
If only role=rolename is specified, then only the user(s) assigned to the specified role are listed.
If both user=username and role=rolename are specified, then the entry with the user username
and role rolename will be listed, if it exists.
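The checks roleadm performs (a role must exist in /etc/rbac/roles before it can be assigned; a user without explicit entries falls back to the DEFAULT roles; a leading ampersand marks a group principal) can be reproduced offline for auditing a copied database. The script below is an added example, not part of this manual page or of HP-UX; it assumes the rbac(5) line format "principal: role" for user_role and "role: comment" for roles, and the sample file contents are constructed.

```python
"""Offline audit of HP-UX RBAC role databases (added example, not HP-UX code)."""

# Constructed sample of /etc/rbac/user_role (assumed 'principal: role' format).
USER_ROLE = """\
root: Administrator
DEFAULT: Monitor
&users: Monitor
alice: UserOperator
bob: BackupOperator
"""

# Constructed sample of /etc/rbac/roles (assumed 'role: comment' format).
ROLES = """\
Administrator: can perform all administrative tasks
Monitor: read-only monitoring
UserOperator: manage user accounts
"""


def parse_db(text):
    """Return (key, value) pairs from a colon-separated RBAC database,
    skipping blank lines and '#' comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs


def undefined_roles(user_role_text, roles_text):
    """Roles referenced in user_role but absent from roles: exactly what
    'roleadm assign' refuses, so their presence means the file was hand-edited."""
    defined = {role for role, _ in parse_db(roles_text)}
    return sorted({role for _, role in parse_db(user_role_text)} - defined)


def effective_roles(user, user_role_text):
    """Roles a user receives: explicit entries win; otherwise the DEFAULT set.
    Group (&group) entries are not resolved here, membership is unknown offline."""
    pairs = parse_db(user_role_text)
    explicit = [r for u, r in pairs if u == user]
    return explicit if explicit else [r for u, r in pairs if u == "DEFAULT"]


def users_with_role(role, user_role_text):
    """Offline equivalent of 'roleadm list role=rolename'; group principals
    keep their leading ampersand."""
    return [u for u, r in parse_db(user_role_text) if r == role]
```

Running undefined_roles over a production copy flags entries that bypassed roleadm, which is the condition the "do not edit the RBAC files directly" advice above is meant to prevent.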
HP-UX 11i Version 2: December 2007 Update − 1 − Hewlett-Packard Company 253