Securing Virtual Partitions with HP-UX Role-Based Access Control

HP-UX RBAC Overview
Ideally, each user is assigned only the set of tasks they are permitted to perform. Administrative tasks
could then be carried out by ordinary, but appropriately configured, user accounts. This preserves the
"Principle of Least Privilege" while retaining individual accountability: every privileged action is tied to
a named user rather than to a shared root login.
HP-UX RBAC is designed to meet these goals. It is an alternative to the traditional "all-or-nothing" root
user model, in which the root user is permitted every operation and non-root users are denied the
operations that require privilege. HP-UX RBAC lets you distribute administrative responsibilities by
creating roles with appropriate authorizations and assigning those roles to non-root users.
The following two sections provide a brief introduction to HP-UX RBAC. Readers unfamiliar with HP-UX
RBAC, or readers who want more information about it, are encouraged to refer to the HP-UX RBAC
product documentation referenced at the end of this paper.
Access Control Basics
The goal of an access control system is to limit access to a resource based on some set of constraints.
Typically, these constraints and their associated attributes fit into the following three categories:
Subject: The entity attempting to access the resource. In the context of an operating system, the
subject is commonly a user or a process running on behalf of a user.
Operation: An action performed on a resource. An operation can correspond directly to an
application or command. In HP-UX RBAC, an operation is named by a dot-separated, hierarchical
string such as hpux.user.add, where each segment narrows the previous one (hpux, then user, then add).
Object: The target of the operation. The object may be the resource itself (a device file, a user
account), or an identifier that stands in for the resource when the two are not the same thing.
An access control request can be thought of as a question combining the above elements, where the
response to the question, usually allow or deny, determines whether access to the resource is granted.
For example:
Is the user Ron authorized to perform the operation hpux.fs.mount on the object /dev/dsk/c0t1d0?
The term authorization is often used loosely as a synonym for access control. In HP-UX RBAC, however,
an authorization is a specific thing: the ability to perform a given operation on a given object, that is,
an (operation, object) pair.
Simplifying Access Control with Roles
Rather than assigning an authorization directly to a user, you assign authorizations to roles, which
serve as a grouping mechanism that simplifies both authorization assignment and auditing. As you add
users to the system, you assign each of them a set of roles, and those roles determine the operations
they may perform and the objects they may perform them on.
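The decision described in the two sections above (is user X authorized to perform operation Y on object Z, answered by way of the roles assigned to X) can be shown as a small, self-contained evaluator. The following is an added example, not code from the HP whitepaper or from the HP-UX RBAC product: the users, roles and authorizations are constructed sample data, and the treatment of a trailing `*` as a wildcard over a dot-separated prefix is a simplifying assumption of this model, not a description of how HP-UX RBAC itself matches authorizations. What it does show is the deny-by-default shape of the check, hierarchical operation names, and why returning the granting role (not just a yes/no) matters for accountability.

```python
"""Model of an RBAC authorization decision: subject -> roles -> (operation, object).

Added illustration; not HP-UX RBAC's implementation. Sample policy is constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample data: user -> set of roles (an unknown user has no roles).
USER_ROLES: Dict[str, Set[str]] = {
    "ron": {"StorageAdmin"},
    "alice": {"UserAdmin", "StorageAdmin"},
    "bob": set(),
}

# Constructed sample data: role -> list of (operation, object) authorizations.
# ASSUMPTION of this model: a trailing "*" segment grants everything below that
# prefix, and "*" as the object matches any object.
ROLE_AUTHS: Dict[str, List[Tuple[str, str]]] = {
    "StorageAdmin": [
        ("hpux.fs.mount", "/dev/dsk/c0t1d0"),
        ("hpux.fs.umount", "/dev/dsk/c0t1d0"),
    ],
    "UserAdmin": [("hpux.user.*", "*")],
}

# One segment of a dot-separated operation name, e.g. "hpux", "user", "add".
_SEGMENT = re.compile(r"^[a-z0-9_-]+$")


def parse_operation(operation: str, allow_wildcard: bool = False) -> List[str]:
    """Split 'hpux.user.add' into ['hpux', 'user', 'add'].

    Malformed names (empty segments, uppercase, stray characters) raise rather
    than silently failing to match, so a typo cannot quietly widen or narrow access.
    A '*' is accepted only as the last segment, and only in a granted authorization.
    """
    segments = operation.split(".")
    for i, seg in enumerate(segments):
        if allow_wildcard and seg == "*" and i == len(segments) - 1:
            continue
        if not _SEGMENT.match(seg):
            raise ValueError(f"malformed operation name: {operation!r}")
    return segments


def operation_matches(granted: str, requested: str) -> bool:
    """True if the granted operation name covers the requested one."""
    g = parse_operation(granted, allow_wildcard=True)
    r = parse_operation(requested)
    if g[-1] == "*":
        prefix = g[:-1]
        # 'hpux.user.*' covers 'hpux.user.add' but not 'hpux.user' itself.
        return r[: len(prefix)] == prefix and len(r) > len(prefix)
    return g == r


def object_matches(granted: str, requested: str) -> bool:
    """Objects match exactly, unless the grant is the '*' wildcard (assumption)."""
    return granted == "*" or granted == requested


def authorizing_roles(
    user: str,
    operation: str,
    obj: str,
    user_roles: Dict[str, Set[str]] = USER_ROLES,
    role_auths: Dict[str, List[Tuple[str, str]]] = ROLE_AUTHS,
) -> Set[str]:
    """Return the subset of the user's roles that grant (operation, obj).

    An empty set means deny. Returning the roles rather than a bare boolean lets an
    audit record say which role was exercised, which is the accountability argument
    for RBAC over a shared root account.
    """
    parse_operation(operation)  # reject malformed requests even for roleless users
    granted: Set[str] = set()
    for role in user_roles.get(user, set()):  # unknown user -> no roles -> deny
        for g_op, g_obj in role_auths.get(role, []):
            if operation_matches(g_op, operation) and object_matches(g_obj, obj):
                granted.add(role)
                break
    return granted


def is_authorized(user: str, operation: str, obj: str) -> bool:
    """The access control question from the text, answered allow (True) or deny (False)."""
    return bool(authorizing_roles(user, operation, obj))


if __name__ == "__main__":
    # The question posed in the text: is Ron authorized to mount /dev/dsk/c0t1d0?
    q = ("ron", "hpux.fs.mount", "/dev/dsk/c0t1d0")
    print(q, "->", "allow" if is_authorized(*q) else "deny", authorizing_roles(*q))
    q = ("ron", "hpux.user.add", "carol")
    print(q, "->", "allow" if is_authorized(*q) else "deny", authorizing_roles(*q))
```

Two design points worth noting. First, every path that does not find an explicit grant ends in deny: an unknown user, a role with no authorizations, or a request that matches no (operation, object) pair all produce an empty set. Second, the wildcard grant `hpux.user.*` covers operations below that prefix but not the bare `hpux.user` name, so a role scoped to user-management subcommands does not accidentally cover a differently named parent operation.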