HP-UX Reference (11i v2 07/12) - 5 Miscellaneous (vol 9)
rbac(5)
    The authorizations are added to and removed from the /etc/rbac/auths file by
    authorized users using the authadm command (see authadm(1M)).

    The /etc/rbac/auths database contains any number of entries, where each entry
    is defined on a single line in the following format:

         (operation, object)[:comment]
    These fields are defined as follows:

    Field        Description
    operation    Denotes an action that can be performed on an object. For
                 example, hpux.printer.add is the operation of adding a printer,
                 and hpux.printer.delete is the operation of deleting a printer.
    object       The object the user can access with a given operation. If * is
                 specified, all objects can be accessed by the operation.
    [:comment]   (Optional) Either a simple comment or a uri to a detailed
                 description of the role.
    For example:

         (hpux.printer.add, bldg7printer): Add printers in building 7
         (hpux.printer.delete, *): uri=http://foo.bar.com/printerauths.htm
         (hpux.fs.backup, /dev/rdsk/c0t1d0): Backup physical disk 1
    Note: The operations specified in the /etc/rbac/auths file must be fully
    qualified and cannot use wildcards; however, the objects can be specified
    with a wildcard using the asterisk character (*). Authorizations that
    contain wildcard operations are validated using a match operation. At
    least one operation must match the wildcard to assign the authorization
    to the role.
  /etc/rbac/user_role
    The /etc/rbac/user_role database defines the roles allowed for each
    specified user or UNIX group. The user-to-role definitions are added to
    and removed from the /etc/rbac/user_role file by authorized users using
    the roleadm command (see roleadm(1M)).

    The /etc/rbac/user_role database contains any number of entries, where
    each entry is defined on a single line in the following format:

         user name | &group name: role[,role...]
    These fields are used as follows:

    Field                     Description
    user name | &group name   A valid user name or UNIX group name; group
                              names must begin with the ampersand (&).
    role                      A valid role name defined in /etc/rbac/roles.
                              More than one role may be specified for a user
                              or group if they are separated by commas.
    The example below shows that user Michael has the roles of an
    administrator and a programmer. It also shows that user Jenny has the
    SecurityOfficer role assigned. Lastly, it shows that the UNIX group users
    has the RegularUser role assigned:

         # roleadm list
         Michael: Administrator, Programmer
         Jenny: SecurityOfficer
         &users: RegularUser
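    An added example (not part of the rbac(5) page or of HP-UX itself) showing
    how the two entry formats described above, (operation, object)[:comment] in
    /etc/rbac/auths and user name | &group name: role[,role...] in
    /etc/rbac/user_role, can be parsed and checked: entries whose operation
    contains a wildcard are rejected as not fully qualified, and a * object
    matches any object when looking up which entries cover a request. The
    sample file contents are constructed, and the function names are the
    example's own.

```python
import re

# Constructed sample file contents in the rbac(5) formats; not real HP-UX files.
AUTHS_SAMPLE = """\
(hpux.printer.add, bldg7printer): Add printers in building 7
(hpux.printer.delete, *): uri=http://foo.bar.com/printerauths.htm
(hpux.fs.backup, /dev/rdsk/c0t1d0): Backup physical disk 1
(hpux.*.add, *): constructed bad entry, wildcard in operation
"""
USER_ROLE_SAMPLE = """\
Michael: Administrator, Programmer
Jenny: SecurityOfficer
&users: RegularUser
"""

# (operation, object)[:comment]  -- the object may be '*', the operation may not
AUTH_RE = re.compile(r"^\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)(?::\s*(.*))?$")

def parse_auths(text):
    """Return (valid, rejected). valid holds (operation, object, comment)
    tuples; rejected holds malformed lines and lines whose operation is
    not fully qualified (contains a wildcard)."""
    valid, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = AUTH_RE.match(line)
        if m is None or "*" in m.group(1):
            rejected.append(line)
        else:
            valid.append((m.group(1), m.group(2), m.group(3) or ""))
    return valid, rejected

def parse_user_role(text):
    """Return {subject: [roles]}; a subject starting with '&' is a UNIX group."""
    mapping = {}
    for line in text.splitlines():
        if ":" in line:
            subject, roles = line.split(":", 1)
            mapping[subject.strip()] = [r.strip() for r in roles.split(",") if r.strip()]
    return mapping

def grants(auths, operation, obj):
    """Parsed auths entries that cover (operation, obj): the operation must
    match exactly; the object matches exactly or via a '*' object entry."""
    return [a for a in auths if a[0] == operation and a[1] in ("*", obj)]
```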
  /etc/rbac/role_auth
    The /etc/rbac/role_auth file defines the authorizations and/or subroles
    for each specified role. Each authorization is specified in the form of
    (operation, object) pairs. The authorization pairs are defined in the
    /etc/rbac/auths database file.

    A subrole is just another role with authorizations. When a subrole is
    assigned to a role, the role inherits all the authorizations of the
    subrole. The subrole name must be defined in the /etc/rbac/roles database
    file. No recursive role definition is permitted. For example, if "role1"
    has a subrole of "role2", and a user then assigns "role1" to "role2",
    this causes a recursive definition of both "role1" and "role2", and the
346 Hewlett-Packard Company − 3 − HP-UX 11i Version 2: December 2007 Update