HP-UX Reference (11i v3 07/02) - 5 Miscellaneous Topics (vol 9)
rbac(5) rbac(5)
SecurityOfficer
/etc/rbac/auths
The /etc/rbac/auths database contains definitions of all valid authorizations in the form of (operation, object) pairs in the system. An administrator must define new (operation, object) pairs in this file before the (operation, object) pairs can be assigned to a role.
The authorizations are added and removed from the /etc/rbac/auths file by authorized users using the authadm command (see authadm(1M)).
The /etc/rbac/auths database contains any number of entries, where each entry is defined on a single line in the following format:
(operation, object)[:comment]
These fields are defined as follows:
Field Description
operation Denotes an action that can be performed on an object. For example, hpux.printer.add is the operation of adding a printer; hpux.printer.delete is the operation of deleting a printer.
object The object the user can access with a given operation. If * is specified, all objects can be accessed by the operation.
[:comment] (Optional) Either a simple comment or a uri to a detailed description of the role.
For example:
(hpux.printer.add, bldg7printer): Add printers in building 7
(hpux.printer.delete, *): uri=http://foo.bar.com/printerauths.htm
(hpux.fs.backup, /dev/rdsk/c0t1d0): Backup physical disk 1
Note: The operations specified in the /etc/rbac/auths file must be fully qualified and cannot use wildcards; however, the objects can be specified with a wildcard using the asterisk character (*). Authorizations that contain wildcard operations are validated using a match operation. At least one operation must match the wildcard to assign the authorization to the role.
/etc/rbac/user_role
The /etc/rbac/user_role database defines the roles allowed for each specified user or UNIX group.
The user-to-role definitions are added and removed in the /etc/rbac/user_role file by authorized users using the roleadm command (see roleadm(1M)).
The /etc/rbac/user_role database contains any number of entries, where each entry is defined on a single line in the following format:
user-name | &group-name: role[,role...]
These fields are used as follows:
Field Description
user-name | &group-name A valid user name or UNIX group name. Group names must begin with the ampersand (&).
role A valid role name defined in /etc/rbac/roles. More than one role may be specified for a user or group, if they are separated by commas.
The example below shows that user Michael has the Administrator and Programmer roles. It also shows that user Jenny has the SecurityOfficer role assigned, and that the UNIX group users has the RegularUser role assigned:
# roleadm list
Michael: Administrator, Programmer
Jenny: SecurityOfficer
&users: RegularUser
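As an added example that is not part of this manual page, the following Python script parses entries in the two formats described above (/etc/rbac/auths and /etc/rbac/user_role) and rejects an authorization whose operation contains a wildcard, which the note above says is not permitted. The file contents are constructed from the examples on this page, with one extra invalid auths entry added to exercise the check; the parser assumes only blank lines are skipped and that a comment beginning with "uri=" is a uri.

```python
import re

# Constructed sample of /etc/rbac/auths (the first three lines are the page's
# examples; the fourth is an invalid entry added to exercise the check).
AUTHS = """\
(hpux.printer.add, bldg7printer): Add printers in building 7
(hpux.printer.delete, *): uri=http://foo.bar.com/printerauths.htm
(hpux.fs.backup, /dev/rdsk/c0t1d0): Backup physical disk 1
(hpux.*.add, *): invalid because the operation contains a wildcard
"""

# Constructed sample of /etc/rbac/user_role, matching the roleadm list output above.
USER_ROLE = """\
Michael: Administrator, Programmer
Jenny: SecurityOfficer
&users: RegularUser
"""

# (operation, object)[:comment]  -- operation has no spaces or commas,
# object is anything up to the closing parenthesis, comment is optional.
AUTH_RE = re.compile(r'^\(\s*([^,\s]+)\s*,\s*([^)]+?)\s*\)(?::\s*(.*))?$')


def parse_auths(text):
    """Return (entries, errors); each entry is (operation, object, comment, uri)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = AUTH_RE.match(line)
        if not m:
            errors.append((lineno, 'malformed entry'))
            continue
        op, obj, comment = m.group(1), m.group(2), m.group(3) or ''
        if '*' in op:  # operations must be fully qualified; only objects may use *
            errors.append((lineno, 'operation must be fully qualified (no wildcard)'))
            continue
        uri = comment[len('uri='):] if comment.startswith('uri=') else None
        entries.append((op, obj, comment, uri))
    return entries, errors


def parse_user_role(text):
    """Return a list of (name, is_group, [roles]); groups are written with a leading &."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ':' not in line:
            continue
        name, roles = line.split(':', 1)
        name = name.strip()
        role_list = [r.strip() for r in roles.split(',') if r.strip()]
        out.append((name.lstrip('&'), name.startswith('&'), role_list))
    return out
```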
396 Hewlett-Packard Company − 3 − HP-UX 11i Version 3: February 2007