HP-UX Reference (11i v3 07/02) - 1M System Administration Commands N-Z (vol 4)
roleadm(1M)
NAME
roleadm - noninteractive editing of role-related information in RBAC databases
SYNOPSIS
roleadm add role [comments]
roleadm delete role
roleadm modify oldrolename newrolename
roleadm assign user role
roleadm revoke user [role]
roleadm list [user=username][role=rolename][sys]
DESCRIPTION
roleadm is a noninteractive command that allows users with the appropriate authorization to modify and
list the role information in /etc/rbac/user_role, /etc/rbac/role_auth, and /etc/rbac/roles.
See rbac(5) for information on these RBAC databases.
HP recommends that only the authadm, cmdprivadm, and roleadm commands be used to edit and
view the RBAC databases. Do not edit the RBAC files directly.
Options
roleadm recognizes the following options:
add role [comments]
Add a role to the system list of valid roles. Appends a line with rolename to the /etc/rbac/roles
file. You can enter an optional comment after the role.
delete role
Remove a role from the system list of valid roles. If role is present in /etc/rbac/roles, the entry is
removed. If role is not present, then roleadm returns an error code; see RETURN VALUE.
modify oldrolename newrolename
Change the name of a role. This option modifies the RBAC databases (/etc/rbac/user_role,
/etc/rbac/role_auth, and /etc/rbac/roles), replacing each occurrence of oldrolename with
newrolename.
assign user role
Assign a role to a user or a group. First verifies that the user is a valid user and that the role is present
in the /etc/rbac/roles file. When this is the case, the role is appended to the user->role mapping in the
/etc/rbac/user_role file. If the user argument has an ampersand at the beginning (such as &users),
then what follows the ampersand is assumed to be a group name; the ampersand must be shell
escaped or put in quotes, such as \&users or "&users".
An administrator may specify a default set of roles by assigning roles to the DEFAULT keyword. If a
user is not otherwise explicitly assigned roles in the /etc/rbac/user_role database, he or she will be
given the roles assigned to the DEFAULT role.
revoke user [role]
Revoke a role from the specified user. If no role is specified, then all roles are revoked for the given
user (the user entry is removed from /etc/rbac/user_role). If the user argument has an ampersand
at the beginning (such as &users), then what follows the ampersand is assumed to be a group name;
the ampersand must be shell escaped or put in quotes, such as \&users or "&users".
list [user=username][role=rolename][sys]
List user and role information from the RBAC databases, /etc/rbac/user_role and /etc/rbac/roles.
If neither user= nor role= is specified, then all users with assigned roles are listed.
If user=username is specified, then only the role(s) of the specified user are listed. If user has an
ampersand at the beginning (such as &users), then what follows the ampersand is assumed to be a
group name; the ampersand must be shell escaped or put in quotes, such as \&users or "&users".
If only role=rolename is specified, then only the user(s) assigned to the specified role are listed.
If both user=username and role=rolename are specified, then the entry with the user username
and role rolename is listed, if it exists.
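The following wrapper is an added example and is not part of this manual page or of HP-UX; it builds the roleadm assign and revoke invocations described above so that a group target always reaches roleadm with its leading ampersand intact, and so that roles are not attached to the DEFAULT keyword (inherited by every user without an explicit /etc/rbac/user_role entry) by accident. The ROLEADM path, the ALLOW_DEFAULT switch and the role names used are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the HP-UX roleadm(1M) page. Path is an assumption;
# set ROLEADM=echo to dry-run and inspect the argument list instead.
ROLEADM="${ROLEADM:-/usr/sbin/roleadm}"

# rbac_target user|group NAME -> the argument roleadm expects for that target.
# The '&' is built here inside a quoted string, so the invoking shell never
# sees a bare '&' (which would background 'roleadm assign' and then try to
# run the group name as a command).
rbac_target() {
    case "$1" in
        user)  printf '%s' "$2" ;;
        group) printf '&%s' "$2" ;;
        *)     return 2 ;;
    esac
}

# rbac_assign user|group NAME ROLE
# Refuses the DEFAULT keyword unless ALLOW_DEFAULT=1 (assumed switch), since
# roles on DEFAULT apply to every user not explicitly listed in user_role.
rbac_assign() {
    kind="$1"; name="$2"; role="$3"
    if [ "$kind" = user ] && [ "$name" = DEFAULT ] \
       && [ "${ALLOW_DEFAULT:-0}" != 1 ]; then
        echo "rbac_assign: refusing to put $role on DEFAULT; set ALLOW_DEFAULT=1" >&2
        return 1
    fi
    target=$(rbac_target "$kind" "$name") || return 2
    "$ROLEADM" assign "$target" "$role"
}

# rbac_revoke user|group NAME [ROLE]
# Without ROLE, roleadm removes every role (the whole user_role entry).
rbac_revoke() {
    target=$(rbac_target "$1" "$2") || return 2
    if [ -n "$3" ]; then
        "$ROLEADM" revoke "$target" "$3"
    else
        "$ROLEADM" revoke "$target"
    fi
}
```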
270 Hewlett-Packard Company − 1 − HP-UX 11i Version 3: February 2007