HP-UX Reference (11i v2 07/12) - 5 Miscellaneous (vol 9)

rbac(5) rbac(5)
NAME
rbac: RBAC - Role-Based Access Control
DESCRIPTION
RBAC (Role-Based Access Control) is an alternative to the all-or-nothing security model of traditional root
user-based systems. With RBAC, an administrator can assign roles to non-root users or UNIX groups.
Each role has authorizations composed of an operation and an object, where the operation is an action that
can be performed on an object, and the object is the target the user can access with that operation. HP-UX
RBAC database files are installed in the /etc/rbac directory.
The following is a list of the HP-UX RBAC commands, presented in the sequence they are typically used:

     roleadm      Creates and manages role-related information in the roles, user_role, and
                  role_auth databases.

     authadm      Creates and manages authorization information in the auths, role_auth, and
                  cmd_priv databases.

     cmdprivadm   Creates and manages a command's authorization and privilege information in the
                  cmd_priv database.

     rbacdbchk    Verifies the syntax of all the HP-UX RBAC databases and performs cross-reference
                  checks between them.

     privrun      Executes privileged commands for users with proper authorizations.

     privedit     Allows users with the proper authorization to invoke an editor for editing
                  restricted files.
The following are the main steps in configuring roles and authorizations:

     1.  Create roles using the roleadm command. The roles are added to the /etc/rbac/roles
         database.

     2.  Add authorizations using the authadm command. The authorizations are added to the
         /etc/rbac/auths database.

     3.  Assign authorizations or subroles to the roles using the authadm command. The roles,
         subroles and authorizations are added to the /etc/rbac/role_auth database.

     4.  Associate users or UNIX groups to roles using the roleadm command. The users or groups and
         their corresponding roles are added to the /etc/rbac/user_role database.

     5.  Define the commands or files to edit that will be associated with authorizations using the
         cmdprivadm command. The commands are added to the /etc/rbac/cmd_priv database.

     6.  Check the databases using the rbacdbchk command.

     7.  The authorized user can then either run privileged commands using the privrun wrapper
         command or edit restricted files using the privedit wrapper command.
The privrun wrapper command determines what authorization is required for a given command. This
authorization-command information is defined in the /etc/rbac/cmd_priv database file. privrun
consults the roles and auths database files to decide whether the user calling privrun has the necessary
authorization based on the roles assigned to the user directly or indirectly via a UNIX group. Refer to
privrun(1M) for details on the privrun command, and refer to the /etc/rbac/cmd_priv section in
privrun(1M) for information about the cmd_priv database file.

The privedit wrapper command works similarly to the privrun command by determining the
authorization required to edit a given file. This authorization-file information is defined in the
/etc/rbac/cmd_priv database file. privedit consults the roles and auths database files and
decides whether the user calling privedit has the necessary authorization to edit the file based on the
roles assigned to the user directly or indirectly via a UNIX group. Refer to privedit(1M) for details on the
privedit command, and refer to the /etc/rbac/cmd_priv section in privedit(1M) for information
about the cmd_priv database file.
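The decision privrun makes (look up the operation/object pair that cmd_priv demands for a command, then check whether any role the caller holds directly or through a UNIX group carries that authorization) can be walked through on constructed data. The following Python model is an added example, not HP-UX code and not the privrun implementation: the database names and the decision rule come from this page, while the colon-separated field layout, the "&group" convention for group entries, the "*" wildcard, and every record and group membership shown are assumptions made for illustration. Subroles are not modelled. The parser also applies the two rules this page states for the databases: white space inside an entry is ignored, newline separates records, and fields are never case-folded.

```python
"""Model of the authorization decision that rbac(5) describes for privrun.

Added example, not HP-UX code. The file names (role_auth, user_role,
cmd_priv) and the decision rule (authorization via a role held directly or
through a UNIX group) come from the manual page; the colon-separated field
layout, the '&group' convention, the '*' wildcard and every record below
are constructed assumptions for illustration.
"""

# Constructed database contents. Indentation and stray spaces are deliberate:
# rbac(5) says white space inside an entry is ignored and newline separates records.
ROLE_AUTH = """
    Administrator : hpux.adm.user : *
    UserManager   : hpux.adm.user : add
    Backup        : hpux.backup   : *
"""
USER_ROLE = """
    alice      : UserManager
    bob        : Administrator
    &backupops : Backup
"""
CMD_PRIV = """
    /usr/sbin/useradd : hpux.adm.user : add
    /usr/sbin/userdel : hpux.adm.user : delete
    /usr/sbin/fbackup : hpux.backup   : *
"""
# Constructed UNIX group membership (stands in for /etc/group).
GROUPS = {"backupops": {"carol"}}


def parse_db(text):
    """Split a database into records: one per line, fields separated by ':'.

    All white space inside an entry is dropped. Nothing is lower-cased,
    because every field in the HP-UX RBAC databases is case sensitive.
    """
    records = []
    for line in text.split("\n"):
        if not line.strip():
            continue
        records.append(tuple("".join(f.split()) for f in line.split(":")))
    return records


def roles_for(user):
    """Roles a user holds directly plus those granted to one of its UNIX groups."""
    user_groups = {g for g, members in GROUPS.items() if user in members}
    roles = set()
    for subject, role in parse_db(USER_ROLE):
        if subject == user or (subject.startswith("&") and subject[1:] in user_groups):
            roles.add(role)
    return roles


def required_authorization(command):
    """The (operation, object) pair cmd_priv demands for a command, or None."""
    for cmd, op, obj in parse_db(CMD_PRIV):
        if cmd == command:
            return op, obj
    return None  # no cmd_priv entry: nothing for privrun to grant


def authorized(user, command):
    """privrun's yes/no: does any role the user holds cover the command?"""
    needed = required_authorization(command)
    if needed is None:
        return False
    need_op, need_obj = needed
    held = roles_for(user)
    for role, op, obj in parse_db(ROLE_AUTH):
        if role in held and op == need_op and obj in ("*", need_obj):
            return True
    return False


if __name__ == "__main__":
    checks = [("alice", "/usr/sbin/useradd"), ("alice", "/usr/sbin/userdel"),
              ("carol", "/usr/sbin/fbackup"), ("Alice", "/usr/sbin/useradd")]
    for user, cmd in checks:
        print(f"{user:6} {cmd:20} -> {'allow' if authorized(user, cmd) else 'deny'}")
```

Two of the constructed cases are worth noting: carol is authorized for /usr/sbin/fbackup only because the backupops group, not her user name, is mapped to the Backup role, and "Alice" is denied everything because the lookup is case sensitive, exactly as the DATABASES section below requires.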
DATABASES
In each of the HP-UX RBAC databases, white space is ignored within an entry. (This excludes the newline
(\n) character, which is used as the record separator.)

All of the fields in the HP-UX RBAC databases are case sensitive.

The following HP-UX RBAC databases are currently provided:
/etc/rbac/cmd_priv
/etc/rbac/roles
344 Hewlett-Packard Company 1 HP-UX 11i Version 2: December 2007 Update