HP-UX Reference (11i v3 07/02) - 5 Miscellaneous Topics (vol 9)
rbac(5) rbac(5)
/etc/rbac/role_auth
The /etc/rbac/role_auth file defines the authorizations and/or subroles for each specified role.
Each authorization is specified in the form of (operation, object) pairs. The authorization pairs are defined
in the /etc/rbac/auths database file.
A subrole is just another role with authorizations. When a subrole is assigned to a role, the role inherits all
the authorizations of the subrole. The subrole name must be defined in the /etc/rbac/roles database
file. No recursive role definition is permitted. For example, if "role1" has a subrole of "role2", and a user
then uses roleassign to make "role1" a subrole of "role2", this would cause a recursive definition of both
"role1" and "role2", and the roleassign command will fail.
Authorized users can use the authadm command to specify the authorizations and/or subroles for each
role in /etc/rbac/role_auth (refer to authadm(1M) for more information).
All authorizations and/or subroles associated with a role must be specified in a single entry. This entry can
span more than one line; however, each individual authorization pair must not exceed one line. Lines that
begin with alphanumeric characters followed by a colon (:) are considered new entries. The entries are
in the following format:
role: (operation, object) subrole...
role: (operation, object)...
role: subrole (operation, object)...
role: subrole subrole...
These fields are defined as follows:
Field       Description
role        A valid role, as defined in /etc/rbac/roles.
operation   A specific operation that can be performed on an object. For example, hpux.printer.add
            is the operation of adding a printer, and hpux.printer.* is the operation of either adding
            or deleting a printer.
object      The object the user can access. If * is specified, all objects can be accessed by the
            operation. More than one (operation, object) pair may be specified for a role.
subrole     A valid role, as defined in /etc/rbac/roles, that is assigned to another role.
The following entry states that the role SecurityOfficer has the authorization
(hpux.passwd, /etc/passwd), which means that the operation hpux.passwd can access the
object /etc/passwd. SecurityOfficer also has the ability to add and delete system users.
SecurityOfficer: (hpux.passwd, /etc/passwd)
(hpux.user.add, *)
(hpux.user.del, *)
The role PrinterAdm has authorization to perform hpux.printer.add on all objects.
PrinterAdm: (hpux.printer.add, *)
The role Administrator has subroles SecurityOfficer and PrinterAdm, and therefore has all the authorizations
of both subroles as shown in the preceding examples.
Administrator: SecurityOfficer PrinterAdm
/etc/rbac/aud_filter
The /etc/rbac/aud_filter file defines role and authorization audit filtering. Audit records will be
generated for users whose role and associated authorization is found in this file. If a user's role and
associated authorization is not found in the file, then no audit records specific to role and authorization
will be generated. Each authorization is specified in the form of (operation, object) pairs.
Authorized users (as specified in the /etc/rbac/cmd_priv database file) can edit
/etc/rbac/aud_filter to specify the role and authorization to be audited.
All authorizations associated with a role must be specified in a single entry. Only one authorization may be
specified per role. The entries are of the following format:
HP-UX 11i Version 3: February 2007 − 4 − Hewlett-Packard Company 397